Commands for authentication, authorization policy, and access to external resources. For the concepts, see Auth and GitHub repo access.

auth

Sign in and manage who can reach your boxes
zomg auth <command>

| Subcommand | Description |
| --- | --- |
| `signin` | Browser sign-in; stores auth_token in the local profile config |
| `token` | Print the stored profile auth token |
| `settings` | Show or update global auth settings |
| `box` | Set per-box auth override |

# Sign in with Google and store a profile auth token
zomg auth signin

# Print the stored bearer token for agents/scripts
zomg auth token

# Show auth settings
zomg auth settings

# Configure deployment-time Google OAuth credentials
zomg config set google_workspace_domain example.com
zomg config set google_auth_client_id <client-id>
zomg config set google_auth_client_secret <client-secret>
zomg setup deploy

# Protect unpublished box and system domains
zomg auth settings --protect-unpublished --protect-system

# Allow an additional Google Workspace domain
zomg auth settings --allowed-domain example.com

# Require auth for one box, even if published
zomg auth box my-box --required

# Make one unpublished box public despite the global default
zomg auth box my-box --public

# Remove the per-box override
zomg auth box my-box --inherit

  https://console.cloud.google.com/auth/clients?project=<gcp_project>

  https://auth.<zomg_domain>/auth/callback

signin

Browser sign-in; stores auth_token in the local profile config
zomg auth signin [options]

| Argument / option | Description |
| --- | --- |
| `--port <PORT>` | Local callback port; 0 picks any free port. Defaults to 0. |
| `--no-open` | Print URL instead of opening a browser |
| `--print-token` | Print the minted token after sign-in |

token

Print the stored profile auth token
zomg auth token [options]

| Argument / option | Description |
| --- | --- |
| `--json` | Print JSON with token and email |

settings

Show or update global auth settings
zomg auth settings [options]

| Argument / option | Description |
| --- | --- |
| `--json` | Print the JSON response. |
| `--protect-unpublished` | Require auth on unpublished box domains |
| `--no-protect-unpublished` | Do not require auth on unpublished box domains by default |
| `--protect-system` | Require auth on system domains such as API and dashboard |
| `--no-protect-system` | Do not require auth on system domains |
| `--allow-all-google-accounts` | Allow any Google account |
| `--workspace-only` | Restrict sign-in to configured domains/emails |
| `--allowed-domain <ALLOWED_DOMAINS>` | Replace allowed domains; repeatable |
| `--clear-allowed-domains` | Clear the allowed domain list |
| `--allowed-email <ALLOWED_EMAILS>` | Replace allowed emails; repeatable |
| `--clear-allowed-emails` | Clear the allowed email list |

box

Set per-box auth override
zomg auth box <BOX_NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<BOX_NAME>` | Box ref. |
| `--required` | Require auth for this box |
| `--public` | Do not require auth for this box |
| `--inherit` | Remove this box’s auth override |
| `-p, --project <PROJECT>` | Target project. |
| `-j, --json` | Print the JSON response. |

github

Manage GitHub repo grants and the per-box proxy
zomg github <command>

| Subcommand | Description |
| --- | --- |
| `grant` | Manage reusable GitHub repo/permission grants |
| `attach` | Attach a grant to a box |
| `detach` | Detach a grant from a box |
| `box-grants` | List grants attached to a box |
| `proxy-token` | Rotate and print a box’s Zomg GitHub proxy token |
| `config` | Show server GitHub App configuration status |

# Create the deployment GitHub App and redeploy only zomg-api
zomg setup github-app --owner example-org --deploy

# Create or update a grant
zomg github grant create work-api --repo owner/api --permission contents=read

# Attach a grant to a box
zomg github attach my-box work-api

# Clone normally inside the box after attach
zomg exec my-box -- git clone https://github.com/owner/api.git /work/api

# Print the box's Zomg proxy token for debugging
zomg github proxy-token my-box

grant

Manage reusable GitHub repo/permission grants
zomg github grant <command>

| Subcommand | Description |
| --- | --- |
| `list` | List GitHub grants |
| `create` | Create or update a GitHub grant |
| `delete` | Delete a GitHub grant |

list

List GitHub grants
zomg github grant list [options]

| Argument / option | Description |
| --- | --- |
| `--json` | Print the JSON response. |

create

Create or update a GitHub grant
zomg github grant create <NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<NAME>` | Name. |
| `--repo <REPOSITORIES>` | Allowed repository in owner/name form. Repeat for multiple repositories (repeatable) |
| `--permission <PERMISSIONS>` | Permission in name=read/write form. Repeat for multiple permissions (repeatable) |
| `--json` | Print the JSON response. |
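
A pre-flight check for the `--repo` and `--permission` forms listed above, as an added example that is not part of zomg or its documentation: it rejects anything that is not a single owner/name repository or a name=read/write permission, and flags write access for review. The function names and the accepted character sets are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the zomg CLI): lint grant arguments before
# running `zomg github grant create`. Only the owner/name and name=read/write
# forms come from the reference; the allowed character sets are assumptions.

# valid_repo REPO: succeeds only for exactly one owner/name pair, no wildcards or URLs.
valid_repo() {
  case "$1" in
    */*/*|/*|*/|*[!A-Za-z0-9._/-]*) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# perm_level SPEC: prints "read" or "write"; fails if SPEC is not name=read|write.
perm_level() {
  local name="${1%%=*}" level="${1#*=}"
  case "$1" in *=*) ;; *) return 1 ;; esac
  case "$name" in ""|*[!a-z_]*) return 1 ;; esac
  case "$level" in read|write) printf '%s\n' "$level" ;; *) return 1 ;; esac
}

# lint_grant NAME [--repo R]... [--permission P]...: prints findings, fails on any ERROR.
lint_grant() {
  local grant="$1" errors=0 level; shift
  while [ $# -gt 0 ]; do
    case "$1" in
      --repo)
        if ! valid_repo "${2-}"; then
          echo "ERROR $grant: repo '${2-}' is not owner/name"; errors=$((errors + 1))
        fi
        shift $(( $# > 1 ? 2 : 1 )) ;;
      --permission)
        if ! level=$(perm_level "${2-}"); then
          echo "ERROR $grant: permission '${2-}' is not name=read|write"; errors=$((errors + 1))
        elif [ "$level" = write ]; then
          echo "WARN $grant: '$2' grants write; confirm the box needs it"
        fi
        shift $(( $# > 1 ? 2 : 1 )) ;;
      *) echo "ERROR $grant: unexpected argument '$1'"; errors=$((errors + 1)); shift ;;
    esac
  done
  [ "$errors" -eq 0 ]
}

# Constructed sample grants: one matching the page's example, one over-broad.
lint_grant work-api --repo owner/api --permission contents=read && echo "work-api: ok"
lint_grant ci-bot --repo 'owner/*' --permission contents=write --permission issues=admin ||
  echo "ci-bot: fix the errors before creating the grant"
```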

delete

Delete a GitHub grant
zomg github grant delete <NAME>

| Argument / option | Description |
| --- | --- |
| `<NAME>` | Name. |

attach

Attach a grant to a box
zomg github attach <BOX_NAME> <GRANT> [options]

| Argument / option | Description |
| --- | --- |
| `<BOX_NAME>` | Box ref. |
| `<GRANT>` | Grant name. |
| `-p, --project <PROJECT>` | Target project. |

detach

Detach a grant from a box
zomg github detach <BOX_NAME> <GRANT> [options]

| Argument / option | Description |
| --- | --- |
| `<BOX_NAME>` | Box ref. |
| `<GRANT>` | Grant name. |
| `-p, --project <PROJECT>` | Target project. |

box-grants

List grants attached to a box
zomg github box-grants <BOX_NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<BOX_NAME>` | Box ref. |
| `-p, --project <PROJECT>` | Target project. |
| `--json` | Print the JSON response. |

proxy-token

Rotate and print a box’s Zomg GitHub proxy token
zomg github proxy-token <BOX_NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<BOX_NAME>` | Box ref. |
| `-p, --project <PROJECT>` | Target project. |
| `--json` | Print the JSON response. |

config

Show server GitHub App configuration status
zomg github config

user

Manage project users
zomg user <command>

| Subcommand | Description |
| --- | --- |
| `list` | List project users |
| `create` | Create a project user |
| `update` | Update a project user |
| `delete` | Delete a project user |

zomg user create alice
zomg user list
zomg user delete alice

list

List project users
zomg user list [options]

| Argument / option | Description |
| --- | --- |
| `-p, --project <PROJECT>` | Target project. |
| `-j, --json` | Print full JSON response |

create

Create a project user
zomg user create <NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<NAME>` | Project user name |
| `--shell <SHELL>` | Login shell inside boxes |
| `-p, --project <PROJECT>` | Target project. |
| `-j, --json` | Print full JSON response |

update

Update a project user
zomg user update <NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<NAME>` | Project user name |
| `--shell <SHELL>` | Login shell inside boxes |
| `-p, --project <PROJECT>` | Target project. |
| `-j, --json` | Print full JSON response |

delete

Delete a project user
zomg user delete <NAME> [options]

| Argument / option | Description |
| --- | --- |
| `<NAME>` | Project user name |
| `-p, --project <PROJECT>` | Target project. |