Skip to content
CLI · Homebrew · Curl · Go Install

PortEden CLI — Manage AI Permissions From the Terminal

Mint scoped tokens, inspect access rules, tail the audit log, and connect any MCP client without leaving your shell. One binary, three install paths, every PortEden capability scriptable.

See pricing

Free tier · No credit card required

Maps to
SOC 2
GDPR
Open Source
MIT License
EU AI Act
Install in 30 Seconds

Three Install Paths. One Binary.

brew install porteden/tap/porteden

macOS + Linux. Auto-updates with `brew upgrade`.

Full install guide →
The Risk

What Goes Wrong Without PortEden

Every Token Rotation Means a Trip Through the Dashboard

Your security team rotates keys quarterly. Each rotation is a click-through marathon — log into PortEden, find the token, regenerate, paste into the right environment, repeat for ten projects. There's no way to script it, no way to commit it, no way to audit who rotated what.

The Audit Log Lives in a UI You Don't Trust to Grep

When an incident hits, the on-call engineer wants `grep`, not a date picker. A web UI that paginates 50 events at a time and hides the JSON behind a 'view details' modal is the wrong shape for the people who actually run the system at 2 a.m.

Setting Up a New MCP Client Is a Manual Copy-Paste Dance

Open Claude Desktop's config, find the right path, paste a JSON block, restart. Repeat for Cursor, ChatGPT, Gemini. Forget which servers you added last time. The CLI should write the config for you and tell you which server got registered where.

The Solution

Built For CLI

Mint and Rotate Scoped Tokens

`porteden token create --scope=email.read --user=jane@org.com --ttl=24h` returns a JWT scoped to one user, one verb set, one expiry. Pipe to a secrets manager, commit a config snippet to your IaC, rotate from CI without ever touching the dashboard.

Tail and Filter the Audit Log

`porteden audit tail --since=1h --user=jane@org.com --tool=email` streams structured events to stdout in JSON. Pipe through `jq`, ship to your SIEM, alert on anomalies. The same log you'd see in the UI, with the shape every Unix tool already understands.

Wire Any MCP Client With One Command

`porteden mcp connect claude --servers=email,calendar,drive` writes the right config to Claude Desktop's config file (or Cursor's, or your custom client's), creates a scoped token, and restarts the client. Idempotent — run it twice and nothing breaks.

Inspect and Test Access Rules

`porteden policy test --token=… --action=email.send --to=external@vendor.com` evaluates the policy locally and tells you allow / deny + which rule matched. Run it in CI before you ship a policy change. Catch over-permissive rules before they reach prod.

With and Without PortEden

The Same Workflow, Two Very Different Outcomes

Rotating a Production Token
Without
Log into the dashboard, find the token, regenerate, paste into vault. Repeat per environment. No audit of who did what.
With
`porteden token rotate prod-agent` returns the new token, expires the old one, and emits an audit event with your shell user.
Investigating an Anomalous Tool Call at 2 a.m.
Without
Log into the dashboard, navigate to audit, paginate through 50-row pages, screenshot the JSON, copy into the incident channel.
With
`porteden audit tail --since=15m | jq '.tool, .user, .redacted_count'` — already in the right shape for the post-mortem.
Onboarding a New Engineer to Claude Desktop With Drive Access
Without
Walk them through the dashboard, generate a token, copy it, open `~/Library/Application Support/Claude/claude_desktop_config.json`, paste the right block, restart Claude.
With
`porteden mcp connect claude --servers=drive` does all of it in one command. Onboarded in 30 seconds.
Checking a Policy Change Before Merging
Without
Merge the change, deploy, hope nothing broke, find out from a Slack message that the agent can no longer read its own config folder.
With
`porteden policy test --action=drive.read --folder=/agent-config` in CI fails the build before merge.
Scripting Access Across 50 Test Tenants
Without
Click through the dashboard 50 times — or write a fragile Selenium test against the UI.
With
`for tenant in $(cat tenants); do porteden token create --tenant=$tenant ...; done` — done in 90 seconds.
Try It in Your Terminal

Brew Install. Run Once. Free for Solo Use.

`brew install porteden/tap/porteden && porteden auth login` and you're connected. Free tier covers solo use; team plans add SSO and shared scopes.

See pricing

Frequently Asked Questions

What can the CLI actually do?
Mint, list, rotate, and revoke scoped tokens. Inspect and test access rules and policy groups. Tail the audit log with structured JSON output. Connect any MCP client (Claude Desktop, Cursor, ChatGPT Connectors, custom) with a single command. Inspect redaction profiles. Manage org policies if you have admin scope. Full reference: /docs/cli/commands/.
How does it authenticate?
`porteden auth login` opens your browser, you log into PortEden, the CLI exchanges the result for a refresh token stored in your OS keychain (macOS Keychain, Windows Credential Manager, libsecret on Linux). Subsequent commands mint short-lived access tokens automatically. CI uses `porteden auth token` with a service-account API key.
Does it work on Windows?
Yes — install via `winget install porteden.porteden` or download the .exe from GitHub releases. Same command surface as macOS/Linux. PowerShell completion ships in the install.
Can I use it in CI?
Yes. Use a service-account API key (created in the dashboard) and the `PE_API_KEY` env var. Every CI-driven action ends up in the audit log tagged with the service account, so you can trace which workflow rotated which token. Sample GitHub Actions workflow in /docs/cli/usage/.
What format is the audit log output?
JSON Lines. Each event is one line with fields: `timestamp`, `actor`, `tool`, `endpoint`, `args`, `redacted_count`, `outcome`, and the user the action was on behalf of. Pipe through `jq` for ad hoc queries; ship to Splunk, Datadog, or S3 for long-term retention.
Is the CLI open source?
Yes — MIT-licensed, source on GitHub at github.com/porteden/cli. The CLI talks to PortEden's hosted API, which is the part that's proprietary. You can fork the CLI, run a custom build, or vendor it into your toolchain.
How does this relate to OpenClaw?
OpenClaw is PortEden's open-source agent framework — a CLI-first agent that uses the PortEden API for tool use. The PortEden CLI is the admin/control surface for both OpenClaw and any other MCP client. Most teams install both. See /ai/openclaw/.
What does a token rotation look like under the hood?
`porteden token rotate <name>` mints a new JWT with the same scope and TTL as the old one, marks the old token's revocation timestamp 30 seconds in the future (so in-flight requests don't fail), and emits an audit event. The new token is printed to stdout — pipe to your secrets manager or paste into vault.

Keep Exploring

Ready to Manage AI Access From the Shell?

`brew install porteden/tap/porteden && porteden auth login`. That's the install. Free for solo use; team plans on /pricing/.

See pricing

Need SSO or a self-hosted control plane? Talk to sales →