CLI
Install and use the LatentKit command-line tool for login, runtime tests, logs, traces, routes, keys, config checks, and CI.
The LatentKit CLI is the terminal companion for the console and SDKs.
Use it when you want to:
- sign in from a terminal without copying a raw API key
- test chat, embeddings, images, speech, transcription, and video from your shell
- check which workspace, app, and credits your account is using
- inspect logs, traces, usage, providers, routes, and connections
- create, rotate, or revoke API keys from an approved account session
- run CI checks with stable exit codes and JSON output
The npm package is @latentkit/cli. The binary name is latentkit.
@latentkit/cli 0.1.0 is available on npm for Node.js 18 and later.
Install
You need Node.js 18 or newer.
npm install -g @latentkit/cli
latentkit --helpIf you do not want a global install, use:
npx @latentkit/cli --helpFirst login
Run:
latentkit loginThe CLI prints a browser URL and a short confirmation code.
- Open the URL.
- Sign in to your LatentKit account.
- Confirm the code shown in your terminal.
- Return to the terminal.
After approval, the CLI stores a local profile in your operating-system config directory:
| OS | Default config path |
|---|---|
| macOS / Linux | ~/.config/latentkit/config.json |
| Windows | %APPDATA%\latentkit\config.json |
The file stores a LatentKit account access token, not your raw runtime API key. The CLI uses that account token for control-plane commands such as logs, routes, keys, and usage.
Treat this profile as a secret. Do not commit, upload, share, or paste it into
support messages or AI prompts. Use latentkit logout to remove a profile you
no longer need.
Confirm your account
latentkit whoamiTypical output:
Account : user_...
Tenant : Example Workspace (t_...)
App : Default Router
Auth : ide_access_token
Credits : $99.70If Account is (unknown), update the CLI, log out, and sign in again. If it
continues, contact support with the CLI version and workspace name—never the
profile file or token.
Send a test request
For a quick runtime check:
latentkit chat "Say hello from LatentKit."For machine-readable output:
latentkit chat "Say hello from LatentKit." --jsonCommon runtime commands:
latentkit chat "Summarize the CAP theorem"
latentkit embed "text to embed"
latentkit image "a red bicycle" --size 1024x1024
latentkit speech "hello there" --voice alloy
latentkit transcribe ./meeting.mp3 --language en
latentkit video "a short product scene" --duration 4Your assigned route still controls provider/model selection. Do not pass provider or model selection to the runtime commands unless the command explicitly documents that option.
Choose a workspace app
List apps your account can use:
latentkit appsSet the default app for the active profile:
latentkit apps use app_123You can also pass an app for a single command:
latentkit chat "Route this" --app app_123Profiles
Profiles let you keep separate local logins for different workspaces, environments, or users.
latentkit profiles
latentkit login --profile production
latentkit profiles use production
latentkit whoami --profile production
latentkit logout --profile productionFor temporary config in tests or automation:
export LATENTKIT_CONFIG_DIR="/tmp/latentkit-config"Logs, traces, usage, and routes
Most observability and management commands need a workspace id. In CLI flags this is called --tenant.
latentkit logs --tenant t_123 --provider openai --days 7
latentkit logs get req_abc --tenant t_123
latentkit logs tail --tenant t_123 --interval 3
latentkit traces get req_abc --tenant t_123
latentkit usage --tenant t_123 --days 30
latentkit costs --tenant t_123
latentkit routes --tenant t_123
latentkit routes simulate pol_1 --tenant t_123 --endpoint chat
latentkit providers --tenant t_123
latentkit connections --tenant t_123
latentkit connections models conn_1 --tenant t_123Use logs tail while debugging a local app. It polls recent requests and deduplicates by request id.
Route publishing
Route changes are role-checked on the server. Use these commands only after you have inspected the route in the console or with routes inspect.
latentkit routes inspect pol_1 --tenant t_123
latentkit routes publish pol_1 --tenant t_123 --note "raise GPT weight"
latentkit routes rollback pol_1 ver_9 --tenant t_123Runtime API keys can send AI requests and run checks. Publishing and rollback require an account login token from latentkit login.
API key management
These commands use your account login token and enforce your workspace role on the server.
latentkit keys --tenant t_123 --app-slug default
latentkit keys create --tenant t_123 --app-slug default --label ci
latentkit keys rotate key_1 --tenant t_123
latentkit keys revoke key_1 --tenant t_123New raw API keys are shown once. Store them in a server-side secret manager immediately.
Provider connections
For managed Platform Access:
latentkit connections create --tenant t_123 --provider-def pd_openai --name "OpenAI" --type managedFor BYOK, pass the provider secret through stdin. Do not put provider secrets in shell history as flags.
printf '%s' "$OPENAI_KEY" | latentkit connections create \
--tenant t_123 \
--provider-def pd_openai \
--name "OpenAI BYOK" \
--type byokThen test or delete:
latentkit connections test conn_1 --tenant t_123
latentkit connections delete conn_1 --tenant t_123Config checks and CI
For CI, prefer a runtime API key in LATENTKIT_API_KEY. Browser login is for humans.
export LATENTKIT_API_KEY="lk_..."
latentkit ci check --jsonValidate environment and connectivity:
latentkit doctor
latentkit env validateExport and check config drift:
latentkit config export --tenant t_123 > latentkit.config.json
latentkit config validate latentkit.config.json
latentkit config diff latentkit.config.json --tenant t_123config diff exits with code 6 when drift is detected, which makes it useful in CI.
There is no config import command. Connection secrets are never exported, and route contents should be changed through explicit route and connection commands.
Credential precedence
The CLI resolves credentials in this order:
--api-key <key>LATENTKIT_API_KEY- the selected local profile from
latentkit login
Base URL resolves in this order:
--base-url <url>LATENTKIT_BASE_URL- the selected profile
https://ai.latentkit.com
Useful environment variables:
| Variable | Use |
|---|---|
LATENTKIT_API_KEY | Runtime API key for CI or server-side testing |
LATENTKIT_BASE_URL | Override the gateway base URL |
LATENTKIT_PROFILE | Pick a local profile without passing --profile |
LATENTKIT_APP_ID | Select an app for account-scoped login tokens |
LATENTKIT_CONFIG_DIR | Move the local CLI config directory |
NO_COLOR | Disable colored terminal output |
JSON output
Every command supports --json. Use it for scripts, AI agents, and CI:
latentkit whoami --json
latentkit routes --tenant t_123 --json
latentkit logs --tenant t_123 --days 1 --jsonHuman output is optimized for terminals. JSON output is the stable contract for automation.
Exit codes
| Code | Meaning |
|---|---|
0 | Success |
2 | Validation error, missing flags, or bad arguments |
3 | Authentication problem |
4 | Forbidden or insufficient workspace role |
5 | Not found |
6 | Config problem or config drift |
7 | Upstream provider or gateway failure |
8 | Rate limit |
9 | Network failure or timeout |
10 | Unsupported or disabled CLI version |
For AI agents and automation
When an AI agent uses the CLI:
- prefer
--json - do not print raw API keys or provider secrets into prompts or logs
- use
LATENTKIT_API_KEYfor CI and non-interactive environments - use
latentkit loginonly when a human can approve the browser grant - pass
--tenantexplicitly for logs, traces, routes, usage, costs, providers, and connections - store temporary profiles under
LATENTKIT_CONFIG_DIRwhen running tests - capture
request_idfrom errors and traces for debugging
Common problems
Not authenticated
Run one of:
latentkit loginor:
export LATENTKIT_API_KEY="lk_..."Missing --tenant <workspace-id>
Observability and management commands need a workspace id:
latentkit usage --tenant t_123Runtime request fails but login works
Check:
latentkit whoamilatentkit appslatentkit routes --tenant t_123- the console route and provider health
The account login can be valid while the selected app or route still lacks an eligible published route for that request.