Auth and access

Commands for authentication, authorization policy, and access to external resources. For the concepts, see Auth and GitHub repo access.

auth

4kr auth <command>

Subcommand	Description
`signin`	Browser sign-in; stores auth_token in the local profile config
`token`	Print the stored profile auth token
`settings`	Show or update global auth settings
`box`	Set per-box auth override

# Sign in with Google and store a profile auth token
4kr auth signin

# Print the stored bearer token for agents/scripts
4kr auth token

# Show auth settings
4kr auth settings

# Configure deployment-time Google OAuth credentials
4kr config set google_workspace_domain example.com
4kr config set google_auth_client_id <client-id>
4kr config set google_auth_client_secret <client-secret>
4kr setup deploy

# Protect unpublished box and system domains
4kr auth settings --protect-unpublished --protect-system

# Allow an additional Google Workspace domain
4kr auth settings --allowed-domain example.com

# Require auth for one box, even if published
4kr auth box my-box --required

# Make one unpublished box public despite the global default
4kr auth box my-box --public

# Remove the per-box override
4kr auth box my-box --inherit

  https://console.cloud.google.com/auth/clients?project=<gcp_project>

  https://auth.<forkr_domain>/auth/callback

Browser sign-in; stores auth_token in the local profile config

4kr auth signin [options]

Argument / option	Description
`--port <PORT>`	Local callback port; 0 picks any free port. Defaults to `0`.
`--no-open`	Print URL instead of opening a browser
`--print-token`	Print the minted token after sign-in

token

Print the stored profile auth token

4kr auth token [options]

Argument / option	Description
`--json`	Print JSON with token and email

settings

Show or update global auth settings

4kr auth settings [options]

Argument / option	Description
`--json`	Print the JSON response.
`--protect-unpublished`	Require auth on unpublished box domains
`--no-protect-unpublished`	Do not require auth on unpublished box domains by default
`--protect-system`	Require auth on system domains such as API and dashboard
`--no-protect-system`	Do not require auth on system domains
`--allow-all-google-accounts`	Allow any Google account
`--workspace-only`	Restrict sign-in to configured domains/emails
`--allowed-domain <ALLOWED_DOMAINS>`	Replace allowed domains; repeatable
`--clear-allowed-domains`	Clear the allowed domain list
`--allowed-email <ALLOWED_EMAILS>`	Replace allowed emails; repeatable
`--clear-allowed-emails`	Clear the allowed email list

box

Set per-box auth override

4kr auth box <BOX_NAME> [options]

Argument / option	Description
`<BOX_NAME>`	Box ref.
`--required`	Require auth for this box
`--public`	Do not require auth for this box
`--inherit`	Remove this box’s auth override
`-p, --project <PROJECT>`	Target project.
`-j, --json`	Print the JSON response.

github

Manage GitHub repo grants and the per-box proxy

4kr github <command>

Subcommand	Description
`grant`	Manage reusable GitHub repo/permission grants
`attach`	Attach a grant to a box
`detach`	Detach a grant from a box
`box-grants`	List grants attached to a box
`proxy-token`	Rotate and print a box’s Forkr GitHub proxy token
`config`	Show server GitHub App configuration status

# Create the deployment GitHub App and redeploy only forkr-api
4kr setup github-app --owner example-org --deploy

# Create or update a grant
4kr github grant create work-api --repo owner/api --permission contents=read

# Attach a grant to a box
4kr github attach my-box work-api

# Clone normally inside the box after attach
4kr exec my-box -- git clone https://github.com/owner/api.git /work/api

# Print the box's Forkr proxy token for debugging
4kr github proxy-token my-box

grant

Manage reusable GitHub repo/permission grants

4kr github grant <command>

Subcommand	Description
`list`	List GitHub grants
`create`	Create or update a GitHub grant
`delete`	Delete a GitHub grant

list

List GitHub grants

4kr github grant list [options]

Argument / option	Description
`--json`	Print the JSON response.

create

Create or update a GitHub grant

4kr github grant create <NAME> [options]

Argument / option	Description
`<NAME>`	Name.
`--repo <REPOSITORIES>`	Allowed repository in owner/name form. Repeat for multiple repositories (repeatable)
`--permission <PERMISSIONS>`	Permission in name=read/write form. Repeat for multiple permissions (repeatable)
`--json`	Print the JSON response.

delete

Delete a GitHub grant

4kr github grant delete <NAME>

Argument / option	Description
`<NAME>`	Name.

attach

Attach a grant to a box

4kr github attach <BOX_NAME> <GRANT> [options]

Argument / option	Description
`<BOX_NAME>`	Box ref.
`<GRANT>`	Grant name.
`-p, --project <PROJECT>`	Target project.

detach

Detach a grant from a box

4kr github detach <BOX_NAME> <GRANT> [options]

Argument / option	Description
`<BOX_NAME>`	Box ref.
`<GRANT>`	Grant name.
`-p, --project <PROJECT>`	Target project.

box-grants

List grants attached to a box

4kr github box-grants <BOX_NAME> [options]

Argument / option	Description
`<BOX_NAME>`	Box ref.
`-p, --project <PROJECT>`	Target project.
`--json`	Print the JSON response.

proxy-token

Rotate and print a box’s Forkr GitHub proxy token

4kr github proxy-token <BOX_NAME> [options]

Argument / option	Description
`<BOX_NAME>`	Box ref.
`-p, --project <PROJECT>`	Target project.
`--json`	Print the JSON response.

config

Show server GitHub App configuration status

4kr github config

user

Manage project users

4kr user <command>

Subcommand	Description
`list`	List project users
`create`	Create a project user
`update`	Update a project user
`delete`	Delete a project user

4kr user create alice
4kr user list
4kr user delete alice

list

List project users

4kr user list [options]

Argument / option	Description
`-p, --project <PROJECT>`	Target project.
`-j, --json`	Print full JSON response

create

Create a project user

4kr user create <NAME> [options]

Argument / option	Description
`<NAME>`	Project user name
`--shell <SHELL>`	Login shell inside boxes
`-p, --project <PROJECT>`	Target project.
`-j, --json`	Print full JSON response

update

Update a project user

4kr user update <NAME> [options]

Argument / option	Description
`<NAME>`	Project user name
`--shell <SHELL>`	Login shell inside boxes
`-p, --project <PROJECT>`	Target project.
`-j, --json`	Print full JSON response

delete

Delete a project user

4kr user delete <NAME> [options]

Argument / option	Description
`<NAME>`	Project user name
`-p, --project <PROJECT>`	Target project.

​auth

​signin

​token

​settings

​box

​github

​grant

​list

​create

​delete

​attach

​detach

​box-grants

​proxy-token

​config

​user

​list

​create

​update

​delete

auth

signin

token

settings

box

github

grant

list

create

delete

attach

detach

box-grants

proxy-token

config

user

list

create

update

delete