CLI
Sign in over OAuth, then browse, search, upload, and organize your Raster libraries from a terminal or CI pipeline with the Raster command-line client.
The Raster CLI is a command-line client for the REST API. It signs in over OAuth by default and covers the full asset workflow — list, search, upload, download, tag, transfer, and delete — from a terminal or a CI pipeline.
The CLI is in Alpha. Commands and flags may change before the 1.0 release.
Install
npm install -g @raster-app/cliRun a single command without installing — the command is raster:
npx -p @raster-app/cli raster whoamiAuthenticate
raster auth loginraster auth login signs you in over OAuth, tied to your user account. When a
browser is available, it opens a
browser authorization-code flow and captures the result on a local loopback
redirect. Over SSH or on a headless machine it falls back to the device
authorization grant: it prints a short user code and the URL
https://raster.app/device, which you approve in a browser on any device. Pass
--browser or --device to force either flow.
The CLI prints the authorization URL ("Visit <url>") before opening the
browser, so you can open it yourself in a browser on the same machine.
OAuth tokens are stored in ~/.config/raster/config.json with owner-only
permissions. The CLI refreshes the access token automatically before it expires
and rotates the refresh token. When the saved login can no longer refresh,
re-run raster auth login.
API keys for CI and automation
For CI and scripts, sign in with an organization API key:
raster auth login --api-key pk_...Or set RASTER_API_KEY in the environment. The active credential resolves from
the --api-key flag, then RASTER_API_KEY, then a stored OAuth token, then a
config-file apiKey. An ambient RASTER_API_KEY therefore takes precedence
over a stored OAuth session — handy for scripts and CI. raster auth status shows which credential is in use; for
an API key it also names the organization it reaches. raster auth logout
revokes the OAuth token (if any) and clears stored credentials.
Org and library
An API key is scoped to one organization and a set of libraries, so the CLI takes the org and library from the key:
--orgis optional — the organization comes from the key.--libraryis optional when the key has a single library. When the key can reach several, commands that act on one library ask you to pass--library <id>and list the choices.
Pass --org / --library to override, or to pick a library when the key spans
more than one. A key supplied via RASTER_API_KEY works without auth login.
If a key's library access changes, re-run raster auth login to refresh, or
pass --library.
A broad user-scope OAuth login reaches every organization you belong to.
Because no single org is implied, commands that act on one organization need you
to choose it: pass --org <id>, set RASTER_ORG, or set a defaultOrg in the
config file. Without a selection the command stops with a clear error. Run
raster whoami to list the organizations you can reach. An org-scoped OAuth
login and an API key resolve their single organization automatically.
Global flags
These work on every command, before or after the subcommand.
| Flag | Purpose |
|---|---|
--api-key <key> | API key (overrides RASTER_API_KEY and the config file) |
--org <organizationId> | Organization id (derived from an API key or an org-scoped OAuth login; for a broad OAuth login pass this, set RASTER_ORG, or a config defaultOrg) |
--library <libraryId> | Library id (derived from the key when it has one library) |
--json | Print the raw API payload to stdout and nothing else |
--verbose | Log each request to stderr (method, path, masked key, status, duration) |
Commands
Asset ids are always positional. --library selects the library when the key
can reach more than one. raster <command> --help lists every flag.
auth
| Command | Description | Example |
|---|---|---|
raster auth login | Sign in over OAuth (browser when available, otherwise a device code; force with --device/--browser), or validate an API key with --api-key. | raster auth login |
raster auth logout | Revoke the OAuth token (if any) and remove stored credentials. | raster auth logout |
raster auth status | Show which credential is in use and its source (issuer and scope for OAuth; the organization for an API key). | raster auth status |
whoami
raster whoamiShow the organizations, plan, and libraries the current credential can access. A
broad user-scope OAuth login lists every organization you can reach, so you can
pick one with --org. An org-scoped OAuth login and an API key show their
single organization.
libraries
| Command | Description | Example |
|---|---|---|
raster libraries ls | List libraries in the organization (--page, --page-size). | raster libraries ls |
raster libraries create --name <name> | Create a library (--slug optional). | raster libraries create --name "Brand" |
raster libraries rename --name <name> | Rename the library. | raster libraries rename --name "Brand assets" |
assets
| Command | Description | Example |
|---|---|---|
raster assets ls | List assets; filter with --tag (up to 5), page with --page/--page-size. | raster assets ls --library brand --tag sunset |
raster assets get <assetId> | Show one asset's metadata. | raster assets get asset_123 |
raster assets search <query> | Search across the organization (--library scopes to one). | raster assets search "golden hour" |
raster assets download <assetId> | Download the file (-o path, --force to overwrite). | raster assets download asset_123 -o photo.png |
raster assets upload <files...> | Upload local files (batched at 20 per request). | raster assets upload ./photos/*.png |
raster assets rm <assetIds...> | Move assets to trash (--yes skips the prompt). | raster assets rm asset_123 asset_456 |
raster assets describe <assetId> --text <text> | Set an asset's description. | raster assets describe asset_123 --text "Hero shot" |
raster assets transfer <assetIds...> --to <libraryId> | Move assets to another library. | raster assets transfer asset_123 --to archive |
tags
| Command | Description | Example |
|---|---|---|
raster tags ls | List tags in the library (--limit). | raster tags ls --library brand |
raster tags add <assetIds...> --tag <tag...> | Add tags to assets. | raster tags add asset_123 --tag launch |
raster tags rm <assetIds...> --tag <tag...> | Remove tags from assets. | raster tags rm asset_123 --tag launch |
orgs
raster orgs create --email <email> [--name <name>] [--save]Create an organization and library with no account, the anonymous flow
documented at POST /libraries. Prints
the claim URL; --save stores the minted key.
Output and scripting
Human-readable tables print to stdout; progress and notes go to stderr, so
stdout stays pipeable. Add --json for machine-readable output — e.g.
raster assets search "sunset" --json | jq '.hits[].id'.
Exit codes are stable across releases:
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Unexpected error |
| 2 | Usage error (bad flags or arguments) |
| 3 | Authentication (missing or rejected key) |
| 4 | Not found |
| 5 | Validation or conflict |
| 6 | File too large |
| 7 | Network failure |
Environment variables
| Variable | Purpose |
|---|---|
RASTER_API_KEY | API key (overrides a stored OAuth token; sits below --api-key, above a config-file key) |
RASTER_ORG | Default organization id for an OAuth login when --org is omitted |
RASTER_CONFIG_HOME | Config directory override (default ~/.config/raster) |
RASTER_AUTH_ISSUER | OAuth authorization-server issuer (default https://raster.app; a raster.app host or localhost only) |
RASTER_OAUTH_CLIENT_ID | Pin a client id to skip dynamic client registration |