talon-cli is the administrative entry point for common control-plane tasks.
Global flags
- --gateway: gRPC gateway address, default http://localhost:50051
- --password: basic-auth password
- --token: bearer token
- --jwt-secret: shared JWT secret for short-lived admin tokens
- --rest: use HTTP-transcoded endpoints instead of native gRPC
Commands
auth
Mint JWTs for clients when the gateway is running with GATEWAY_JWT_SECRET.
- auth root-token: unrestricted root token
- auth agent-token --namespace <ns> --agent <agent>: namespace and agent scoped token
- auth session-token --namespace <ns> --agent <agent> --session <session-id>: namespace, agent, and session scoped token
- auth channel-token --namespace <ns> --channel <channel>: namespace and channel scoped token
All token commands accept --subject and --ttl-seconds.
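To show what scoping and --ttl-seconds mean on the verifying side, here is an added example (not talon-cli or gateway code) that mints and checks shared-secret JWTs with the Python standard library. HS256, the claim names `namespace`, `agent`, `session` and `channel`, and the rule that a token without scope claims is a root token are assumptions, not Talon's documented token format.

```python
import base64, hashlib, hmac, json, time

SCOPE_KEYS = ("namespace", "agent", "session", "channel")  # assumed claim names

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint(secret: bytes, subject: str, ttl_seconds: int, scope: dict, now=None) -> str:
    """Mint an HS256 JWT; an empty scope models an unrestricted root token."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, **scope}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(secret, header + '.' + body))}"

def authorize(secret: bytes, token: str, request: dict, now=None) -> bool:
    """Check signature first, then algorithm, expiry and every scope claim."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        # Constant-time comparison; nothing in the token is trusted before this.
        if not hmac.compare_digest(_sign(secret, header + "." + body), _unb64(sig)):
            return False
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return False  # malformed token: wrong part count, bad base64 or bad JSON
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return False  # a token without an expiry is rejected, not treated as eternal
    if claims["exp"] <= now:
        return False
    # Each scope claim the token carries must match the request exactly.
    return all(request.get(k) == claims[k] for k in SCOPE_KEYS if k in claims)
```

Because a token with no scope claims passes every scope check in this model, the unrestricted root token is the one where a short TTL matters most.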
knowledge
Manage namespace knowledge artifacts directly by path.
- knowledge get
- knowledge set
- knowledge delete
- knowledge sync
apply
Apply a manifest file, optionally with template variables.
render
Render a manifest file after template substitution in YAML or JSON.
get
Fetch a resource by kind, name, and optional namespace.
delete
Delete a resource by kind, name, and optional namespace.
gen
Generate a TypeScript client SDK from manifest files.
When to use --rest
Use --rest when you want to exercise the HTTP-transcoded surface instead of native gRPC.
That is useful for:
- verifying Envoy route behavior
- debugging HTTP clients
- matching the public edge surface more closely
Notes
- The CLI is best thought of as an operator/admin tool, not the only integration surface.
- For service-to-service integrations, prefer the gateway contracts directly.