Version: 1.19.0 (latest)

kziti CLI Reference

This page is auto-generated from the kziti CLI source. Run kziti <command> --help for the same content interactively. To regenerate this page, run python scripts/gen-cli-docs.py in the kziti repo and copy the output to docs/how-to/networking/egress/zero_trust/openziti/kziti-operations/cli-reference.mdx in the docs project.

Global options

  • --version, -V — Show version and exit.
  • --verbose, -v — Enable verbose/debug logging.
  • --profile — Use a specific profile for this command invocation.
  • --output-format, -o — Output format for list/show commands: table|json

kziti access

Manage identity access to networks, services, and service sets.

Usage:

kziti access COMMAND [ARGS]...

kziti access grant

Grant an identity access to a network, service set, or individual service.

This command adds the appropriate role attribute to the identity, allowing it to access the specified resource through existing Dial service policies.

Examples:

# Grant access to entire network
kziti access grant user-123 net-corp-a

# Grant access to service set
kziti access grant user-123 svcset-devops

# Grant access to individual service
kziti access grant user-123 svc-corp-a-gitlab

Usage:

kziti access grant [OPTIONS] IDENTITY_ID_OR_NAME RESOURCE_ID

Arguments:

  • IDENTITY_ID_OR_NAME (required) — Identity ID or name to grant access to
  • RESOURCE_ID (required) — Network ID (e.g., 'net-corp-a'), Service Set ID (e.g., 'svcset-devops'), or Service ID

kziti access list

List all access grants for an identity.

Shows all networks, service sets, and services that the identity has access to based on its role attributes, displayed in a detailed table format.

Example:

kziti access list user-123

Usage:

kziti access list [OPTIONS] IDENTITY_ID_OR_NAME

Arguments:

  • IDENTITY_ID_OR_NAME (required) — Identity ID or name to list access for

kziti access remove

Remove an identity's access to a network, service set, or individual service.

This command removes the appropriate role attribute from the identity, revoking its access to the specified resource.

Examples:

# Remove access to entire network
kziti access remove user-123 net-corp-a

# Remove access to service set
kziti access remove user-123 svcset-devops

# Remove access to individual service
kziti access remove user-123 svc-corp-a-gitlab

Usage:

kziti access remove [OPTIONS] IDENTITY_ID_OR_NAME RESOURCE_ID

Arguments:

  • IDENTITY_ID_OR_NAME (required) — Identity ID or name to revoke access from
  • RESOURCE_ID (required) — Network ID (e.g., 'net-corp-a'), Service Set ID (e.g., 'svcset-devops'), or Service ID

Options:

  • --yes, -y — Skip confirmation prompt.

kziti access who

List all identities that have access to a network, service set, or service.

Examples:

kziti access who net-corp-a
kziti access who svcset-devops
kziti access who svc-corp-a-gitlab

Usage:

kziti access who [OPTIONS] RESOURCE_ID

Arguments:

  • RESOURCE_ID (required) — Network ID (e.g., 'net-corp-a'), Service Set ID (e.g., 'svcset-devops'), or Service ID

kziti config

Manage kziti configuration.

Usage:

kziti config COMMAND [ARGS]...

kziti config init

Interactive configuration setup wizard.

Usage:

kziti config init

kziti config path

Show config file path.

Usage:

kziti config path

kziti config profiles

Manage named configuration profiles.

Usage:

kziti config profiles COMMAND [ARGS]...

kziti config profiles create

Create a new profile, optionally by cloning an existing profile.

Usage:

kziti config profiles create [OPTIONS] NAME

Arguments:

  • NAME (required) — New profile name

Options:

  • --from — Copy configuration from an existing profile

kziti config profiles delete

Delete a profile.

Usage:

kziti config profiles delete [OPTIONS] NAME

Arguments:

  • NAME (required) — Profile name to delete

Options:

  • --yes, -y — Skip confirmation prompt

kziti config profiles list

List configured profile names.

Usage:

kziti config profiles list

kziti config profiles show

Show details for one profile.

Usage:

kziti config profiles show [OPTIONS] [NAME]

Arguments:

  • NAME — Profile name (defaults to selected profile)

kziti config profiles use

Set the active profile.

Usage:

kziti config profiles use [OPTIONS] NAME

Arguments:

  • NAME (required) — Profile name to set active

kziti config set-ziti

Configure the Ziti connection for a profile.

With --host / --user / --password, creates and enrolls a new admin identity (same as 'kziti config init'). Use --identity to point to an existing identity JSON file instead.

Examples:

kziti config set-ziti --host https://ziti.example.com:1280 --user admin --password secret
kziti config set-ziti --identity /path/to/admin-kziti.json

Usage:

kziti config set-ziti [OPTIONS]

Options:

  • --host — Ziti controller URL (e.g. https://ziti.example.com:1280)
  • --user, -u — Admin username
  • --password, -p — Admin password — creates and enrolls a new admin identity
  • --identity-name — Name for the new enrolled identity (default: admin-kziti)
  • --identity, -i — Path to an existing identity JSON file (skip enrollment)
  • --profile — Profile to update (defaults to selected profile)

kziti config show

Show current configuration.

Usage:

kziti config show

kziti deploy

Deploy and manage the OpenZiti stack.

Usage:

kziti deploy COMMAND [ARGS]...

kziti deploy ha

HA cluster operations.

Usage:

kziti deploy ha COMMAND [ARGS]...

kziti deploy ha add-member

Tell the bootstrap controller to add a new member to the RAFT cluster.

Usage:

kziti deploy ha add-member [OPTIONS]

Options:

  • --target (required) — Target node, e.g. tls:ctrl2.example.com:1280
  • --install-dir — Installation directory. (default: /opt/kziti)

kziti deploy ha create-join-package

Build an encrypted, self-contained HA join package for a new node.

Usage:

kziti deploy ha create-join-package [OPTIONS]

Options:

  • --output, -o (required) — Output zip path.
  • --node-name (required) — Unique cluster node name (e.g. 'ctrl2').
  • --controller-host (required) — Joining controller FQDN.
  • --controller-ip — IP this bootstrap node should use to reach the joining controller's hostname. Required if --controller-host doesn't resolve from inside the bootstrap container (no shared DNS). Injected as a docker-compose.override.yml extra_hosts entry on THIS node.
  • --controller-port — Port the joining controller will bind and advertise. Defaults to the bootstrap's controller port. Set a different port (e.g. 1281) when both controllers run on the same machine.
  • --router, --no-router — Include an edge router (default: yes).
  • --router-host — Joining router FQDN (required if --router).
  • --router-port — Port the joining router will bind. Defaults to 3022. Set a different port (e.g. 3028) for same-machine deployments. (default: 3022)
  • --admin-user — Admin username. (default: admin)
  • --admin-password (required) — Bootstrap controller admin password (to mint the router JWT).
  • --install-dir — Installation directory. (default: /opt/kziti)

kziti deploy ha recover

Recover a cluster that's lost quorum because a joining node went down without being removed from membership first. Spins up a short-lived ephemeral peer that impersonates the dead node to restore quorum, runs remove-member, then cleans up. Preserves all edge state (users, services, routers, policies).

Usage:

kziti deploy ha recover [OPTIONS]

Options:

  • --node (required) — Node ID of the dead member to remove (e.g. ctrl2)
  • --install-dir — Installation directory. (default: /opt/kziti)

kziti deploy ha remove-member

Remove a member from the RAFT cluster. Run on a remaining cluster node.

Usage:

kziti deploy ha remove-member [OPTIONS]

Options:

  • --node (required) — Node ID to remove, e.g. ctrl2
  • --install-dir — Installation directory. (default: /opt/kziti)
  • --yes, -y — Skip confirmation prompt.

kziti deploy install

Install the OpenZiti stack.

Usage:

kziti deploy install [OPTIONS]

Options:

  • --profile — Deployment profile. (default: standard)
  • --controller-host — Controller FQDN.
  • --controller-port — Controller port. (default: 1280)
  • --router-host — Router FQDN.
  • --router-port — Router port. (default: 3022)
  • --admin-password — Admin password.
  • --admin-user — Admin username. (default: admin)
  • --trust-domain — SPIFFE trust domain.
  • --node-name — Cluster node name.
  • --enrollment-token — Router enrollment JWT.
  • --join-package — Path to HA join package zip.
  • --install-dir — Installation directory. (default: /opt/kziti)
  • --project — Compose project name (defaults to install-dir basename). Lets multiple stacks coexist on one host.
  • --ziti-tag — OpenZiti image tag. Defaults to the pinned v2 prerelease. Note: openziti/ziti-controller:latest currently points at 1.6.12, not v2 -- avoid unless you're testing v1 regression. (default: 2.0.0)
  • --enable-sni-proxy, --no-enable-sni-proxy — Enable SNI routing proxy on port 443.
  • --registry-prefix — Private registry prefix. (default: empty)
  • --registry-username — Registry username.
  • --registry-password — Registry password.
  • --yes, -y — Skip confirmation prompt.
  • --dry-run, --no-dry-run — Show plan without installing.
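The HA join runbook that the subcommands above only imply (create-join-package on the bootstrap node, install --join-package on the joiner, then add-member from the bootstrap node once the joiner is listening), as an added example script; it is not part of kziti and only composes the documented flags. Beyond what this page states, it assumes the joining host is reachable over ssh as root with kziti installed, that install needs no flag beyond --join-package there, and that the /tmp package path and the DRY_RUN, CTRL_PORT and KZITI_ADMIN_PASSWORD variables are this script's own. The bootstrap admin password has to travel as a command-line flag (the only documented way), so it is visible in the process list while create-join-package runs; the script at least keeps it out of shell history and out of the printed plan by reading it from the environment.

```shell
#!/bin/sh
# join-ha-node.sh (added example, not part of kziti): bring a new controller
# into an existing HA cluster, driven from the bootstrap node.
# Assumptions not stated on the reference page: the joining host is reachable
# as root over ssh with kziti installed, and 'kziti deploy install' needs no
# flag beyond --join-package there.
set -eu

# Execute a command, or only print it when DRY_RUN=1 so the plan can be
# reviewed before quorum is touched. The admin password is redacted in the
# printed plan; the real create-join-package call still passes it as a flag,
# as the CLI requires, so it is visible in the process list while it runs.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    line=""; sep=""
    for a in "$@"; do
      if [ -n "${KZITI_ADMIN_PASSWORD:-}" ] && [ "$a" = "$KZITI_ADMIN_PASSWORD" ]; then
        a='<redacted>'
      fi
      line="$line$sep$a"; sep=" "
    done
    printf '%s\n' "$line"
  else
    "$@"
  fi
}

# ha_join NODE_NAME CONTROLLER_FQDN ROUTER_FQDN [CONTROLLER_IP]
# CONTROLLER_IP is only needed when the bootstrap container cannot resolve
# CONTROLLER_FQDN (no shared DNS); it becomes an extra_hosts entry on this node.
ha_join() {
  node="$1"; ctrl_host="$2"; router_host="$3"; ctrl_ip="${4:-}"
  port="${CTRL_PORT:-1280}"           # controller port; 1280 is the install default
  pkg="/tmp/${node}-join.zip"
  : "${KZITI_ADMIN_PASSWORD:?export the bootstrap admin password in KZITI_ADMIN_PASSWORD}"

  # 1. Mint the encrypted, self-contained join package on the bootstrap node.
  set -- --output "$pkg" --node-name "$node" \
         --controller-host "$ctrl_host" --controller-port "$port" \
         --router-host "$router_host"
  if [ -n "$ctrl_ip" ]; then
    set -- "$@" --controller-ip "$ctrl_ip"
  fi
  run kziti deploy ha create-join-package "$@" --admin-password "$KZITI_ADMIN_PASSWORD"

  # 2. Copy the package to the joining host and install from it there.
  run scp "$pkg" "root@${ctrl_host}:${pkg}"
  run ssh "root@${ctrl_host}" kziti deploy install --join-package "$pkg" --yes

  # 3. Only now, with the joiner up and listening, add it to the RAFT cluster.
  #    If the joiner later goes down for good, remove it from a remaining node
  #    with 'kziti deploy ha remove-member --node NODE'; once quorum is already
  #    lost, 'kziti deploy ha recover --node NODE' is the documented way back.
  run kziti deploy ha add-member --target "tls:${ctrl_host}:${port}"

  # 4. The package is encrypted but still bootstrap material for this node:
  #    remove both copies once the node has joined.
  run rm -f "$pkg"
  run ssh "root@${ctrl_host}" rm -f "$pkg"
}

# Usage (plan first, then run for real):
#   DRY_RUN=1 KZITI_ADMIN_PASSWORD=... ./join-ha-node.sh ctrl2 ctrl2.example.com router2.example.com 10.0.0.12
#   KZITI_ADMIN_PASSWORD=... ./join-ha-node.sh ctrl2 ctrl2.example.com router2.example.com 10.0.0.12
if [ $# -gt 0 ]; then
  ha_join "$@"
fi
```

Run it with DRY_RUN=1 first and read the six printed commands; the order (package, copy, install, add-member, cleanup) is the whole point, since add-member targets a controller that must already be up.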

kziti deploy render

Render deployment files without installing.

Usage:

kziti deploy render [OPTIONS]

Options:

  • --profile — Deployment profile. (default: standard)
  • --controller-host — Controller FQDN.
  • --controller-port — Controller port. (default: 1280)
  • --router-host — Router FQDN.
  • --router-port — Router port. (default: 3022)
  • --admin-password — Admin password.
  • --admin-user — Admin username. (default: admin)
  • --trust-domain — SPIFFE trust domain.
  • --node-name — Cluster node name.
  • --enrollment-token — Router enrollment JWT.
  • --join-package — Path to HA join package zip.
  • --install-dir — Installation directory. (default: /opt/kziti)
  • --project — Compose project name (defaults to install-dir basename). Lets multiple stacks coexist on one host.
  • --ziti-tag — OpenZiti image tag. Defaults to the pinned v2 prerelease. Note: openziti/ziti-controller:latest currently points at 1.6.12, not v2 -- avoid unless you're testing v1 regression. (default: 2.0.0)
  • --enable-sni-proxy, --no-enable-sni-proxy — Enable SNI routing proxy on port 443.
  • --registry-prefix — Private registry prefix. (default: empty)
  • --registry-username — Registry username.
  • --registry-password — Registry password.
  • --output-dir — Write files to directory instead of stdout.

kziti deploy uninstall

Remove the OpenZiti stack.

Usage:

kziti deploy uninstall [OPTIONS]

Options:

  • --install-dir — Installation directory. (default: /opt/kziti)
  • --remove-data, --no-remove-data — Also remove volumes and data.
  • --yes, -y — Skip confirmation prompt.

kziti identity

Manage Ziti identities.

Usage:

kziti identity COMMAND [ARGS]...

kziti identity create

Create a new identity and write an OTT enrollment token to a .jwt file.

By default the enrollment token is saved to <name>.jwt in the current directory. Use --auto-enroll to immediately enroll the identity and save the resulting identity JSON file instead.

Identities created via this command are tagged kasm_type=manual, which marks them as operator-managed and allows them to be deleted with 'identity delete'.

Usage:

kziti identity create [OPTIONS] NAME

Arguments:

  • NAME (required) — Identity name

Options:

  • --email — Email address to store as a tag
  • --auto-enroll — Automatically enroll the identity and save JSON file
  • --output-dir — Directory to write the enrollment token JWT (or identity JSON with --auto-enroll). Defaults to current directory.
  • --admin — Grant admin privileges to the identity

kziti identity delete

Delete a Ziti identity.

Only identities created via 'kziti identity create' (tagged kasm_type=manual) can be deleted. Router identities, Kasm-managed user/workspace identities, and the default admin identity are all blocked.

Deleting an identity revokes all of its access grants and invalidates any active sessions.

Usage:

kziti identity delete [OPTIONS] IDENTITY_ID_OR_NAME

Arguments:

  • IDENTITY_ID_OR_NAME (required) — Identity ID or name to delete

Options:

  • --yes, -y — Skip confirmation prompt.

kziti identity list

List all Ziti identities.

Usage:

kziti identity list [OPTIONS]

Options:

  • --limit, -l — Max items to return (default: 100)
  • --type — Filter by identity type: user|workspace

kziti identity search

Search identities by filter expression.

Usage:

kziti identity search [OPTIONS] QUERY

Arguments:

  • QUERY (required) — Search query (e.g. "name contains 'user'")

kziti identity show

Show details for a specific identity.

Usage:

kziti identity show [OPTIONS] IDENTITY_ID

Arguments:

  • IDENTITY_ID (required) — Identity ID

kziti network

Manage ZTNA networks.

Usage:

kziti network COMMAND [ARGS]...

kziti network create

Create a new ZTNA network.

Usage:

kziti network create [OPTIONS] NETWORK_ID NAME

Arguments:

  • NETWORK_ID (required) — Network ID (e.g., 'net-corp-a' or 'corp-a')
  • NAME (required) — Network display name (e.g., 'Corp A')

kziti network delete

Delete a ZTNA network.

Usage:

kziti network delete [OPTIONS] NETWORK_ID

Arguments:

  • NETWORK_ID (required) — Network ID to delete (e.g., 'net-corp-a')

Options:

  • --yes, -y — Skip confirmation prompt

kziti network list

List all ZTNA networks.

Usage:

kziti network list

kziti network rename

Rename an existing ZTNA network.

Usage:

kziti network rename [OPTIONS] NETWORK_ID NEW_NAME

Arguments:

  • NETWORK_ID (required) — Network ID to rename (e.g., 'net-corp-a')
  • NEW_NAME (required) — New network display name

kziti router

Manage edge routers.

Usage:

kziti router COMMAND [ARGS]...

kziti router dmz

Manage DMZ routers.

Usage:

kziti router dmz COMMAND [ARGS]...

kziti router dmz delete

Delete a DMZ router.

Usage:

kziti router dmz delete [OPTIONS] ROUTER_ID

Arguments:

  • ROUTER_ID (required) — Router ID to delete

Options:

  • --yes, -y — Skip confirmation prompt

kziti router dmz list

List all DMZ routers.

Usage:

kziti router dmz list [OPTIONS]

Options:

  • --limit, -l — Max items to return (default: 100)

kziti router dmz provision

Provision a new DMZ router.

Usage:

kziti router dmz provision [OPTIONS] NAME

Arguments:

  • NAME (required) — Router name

Options:

  • --tunneler, --no-tunneler — Enable tunneler mode (default: enabled)
  • --cost — Router cost for path selection
  • --output-dir, -d — Directory to write the JWT file to. (default: ., the current directory)

kziti router list

List all Ziti edge routers.

Usage:

kziti router list [OPTIONS]

Options:

  • --limit, -l — Max items to return (default: 100)

kziti router private

Manage private routers.

Usage:

kziti router private COMMAND [ARGS]...

kziti router private delete

Delete a private router.

Usage:

kziti router private delete [OPTIONS] ROUTER_NAME_OR_ID

Arguments:

  • ROUTER_NAME_OR_ID (required) — Router name or ID to delete

Options:

  • --yes, -y — Skip confirmation prompt

kziti router private list

List all private routers.

Usage:

kziti router private list [OPTIONS]

Options:

  • --network, -n — Filter by network ID
  • --limit, -l — Max items to return (default: 100)

kziti router private provision

Provision a new private router for a network.

Usage:

kziti router private provision [OPTIONS] NETWORK_ID NAME

Arguments:

  • NETWORK_ID (required) — Network ID (e.g., 'net-corp-a' or 'corp-a')
  • NAME (required) — Router name

Options:

  • --tunneler, --no-tunneler — Enable tunneler mode (default: enabled)
  • --cost — Router cost for path selection
  • --output-dir, -d — Directory to write the JWT file to. (default: ., the current directory)

kziti router show

Show details for a specific edge router.

Usage:

kziti router show [OPTIONS] ROUTER_ID

Arguments:

  • ROUTER_ID (required) — Edge router ID

kziti service

Manage Ziti services.

Usage:

kziti service COMMAND [ARGS]...

kziti service create

Create a new service.

Examples:

kziti service create corp-a gitlab gitlab.corp-a.internal 443 --alias gitlab.corp-a.zt
kziti service create corp-a ssh-bastion 10.10.5.25 22 --alias ssh.corp-a.zt
kziti service create corp-a web-app webapp.local 80,443 --alias web.corp-a.zt --service-set devops
kziti service create corp-a wiki wiki.corp-a.internal 443 --alias wiki.corp-a.zt --service-set devops --service-set infra

Usage:

kziti service create [OPTIONS] NETWORK_ID NAME DESTINATION PORTS

Arguments:

  • NETWORK_ID (required) — Network ID (e.g., 'net-corp-a' or 'corp-a')
  • NAME (required) — Service name
  • DESTINATION (required) — Destination DNS name or IP address
  • PORTS (required) — Port specification (e.g., '443', '80,443', '8000-8100')

Options:

  • --alias (required) — Alias DNS name used as the intercept address (must differ from destination).
  • --service-set, -g — Service set name (repeatable: --service-set devops --service-set infra)
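A preflight for bulk service creation, as an added example that is not kziti's own code: it checks every line of a batch against the constraints documented above (PORTS is a comma-separated list of single ports or ascending ranges, and --alias must differ from DESTINATION) before any kziti service create runs, so one bad line does not leave a batch half-deployed. The one-service-per-line batch format and the case-insensitive alias comparison are this script's own choices; the CLI's own validation may be stricter.

```shell
#!/bin/sh
# svc-preflight.sh (added example, not part of kziti): validate a batch of
# services against the documented argument rules, then create the whole batch
# or nothing. Batch file format (this script's own convention), one per line:
#   NETWORK NAME DESTINATION PORTS ALIAS [SERVICE_SET ...]
set -eu

# valid_port N: digits only, 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ports SPEC: comma-separated ports or ascending ranges,
# e.g. '443', '80,443', '8000-8100'. Empty fields and bare commas are rejected.
valid_ports() {
  spec="$1"
  case "$spec" in ''|,*|*,|*,,*) return 1 ;; esac
  oldifs=$IFS; IFS=,
  set -- $spec
  IFS=$oldifs
  for tok in "$@"; do
    case "$tok" in
      *-*) lo=${tok%%-*}; hi=${tok#*-}
           valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1 ;;
      *)   valid_port "$tok" || return 1 ;;
    esac
  done
  return 0
}

# check_line NETWORK NAME DESTINATION PORTS ALIAS: prints the reason and
# returns 1 when the line would be rejected by 'kziti service create'.
# The alias/destination comparison is case-insensitive here, which is at
# least as strict as the documented "must differ from destination" rule.
check_line() {
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$5" ] \
    || { echo "missing field"; return 1; }
  valid_ports "$4" || { echo "bad port spec '$4'"; return 1; }
  d=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  a=$(printf '%s' "$5" | tr '[:upper:]' '[:lower:]')
  [ "$d" != "$a" ] || { echo "alias must differ from destination"; return 1; }
  return 0
}

# create_batch FILE: two passes, so a typo on line 7 never leaves lines 1-6
# half-deployed. Blank lines and '#' comments are skipped.
create_batch() {
  file="$1"; errors=0
  while read -r net name dest ports alias sets; do
    case "$net" in ''|'#'*) continue ;; esac
    if ! reason=$(check_line "$net" "$name" "$dest" "$ports" "$alias"); then
      echo "reject $net/$name: $reason" >&2
      errors=$((errors + 1))
    fi
  done < "$file"
  [ "$errors" -eq 0 ] || return 1

  while read -r net name dest ports alias sets; do
    case "$net" in ''|'#'*) continue ;; esac
    set --
    for s in $sets; do set -- "$@" --service-set "$s"; done
    kziti service create "$net" "$name" "$dest" "$ports" --alias "$alias" "$@"
  done < "$file"
}

# Usage: ./svc-preflight.sh services.txt
if [ $# -eq 1 ]; then
  create_batch "$1"
fi
```

Every rejected line is reported on stderr in the first pass, so a large batch can be fixed in one round instead of one failure at a time.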

kziti service delete

Delete a service and its associated configs.

Usage:

kziti service delete [OPTIONS] SERVICE_ID

Arguments:

  • SERVICE_ID (required) — Service ID or svc-<short_id> to delete

Options:

  • --yes, -y — Skip confirmation prompt

kziti service list

List all services or services for a specific network.

Usage:

kziti service list [OPTIONS]

Options:

  • --network, -n — Filter by network ID
  • --limit, -l — Max items to return (default: 100)

kziti service search

Search services by filter expression.

Examples:

kziti service search 'name contains "gitlab"'
kziti service search 'name = "corp-a-web"'

Usage:

kziti service search [OPTIONS] QUERY

Arguments:

  • QUERY (required) — Filter expression (e.g. 'name contains "gitlab"')

kziti service show

Show details for a specific service.

Usage:

kziti service show [OPTIONS] SERVICE_ID

Arguments:

  • SERVICE_ID (required) — Service ID

kziti service update

Rename a service.

Note: Updating destination, ports, or alias is not yet supported.

Usage:

kziti service update [OPTIONS] SERVICE_ID

Arguments:

  • SERVICE_ID (required) — Service ID to update

Options:

  • --name — New service name

kziti service-set

Manage service sets (global, cross-network groupings of services).

Usage:

kziti service-set COMMAND [ARGS]...

kziti service-set add

Add an existing service to a service set.

Example:

kziti service-set add devops svc-corp-a-wiki
kziti service-set add devops <uuid>

Usage:

kziti service-set add [OPTIONS] NAME SERVICE_REF

Arguments:

  • NAME (required) — Service set name (e.g. 'devops')
  • SERVICE_REF (required) — Service UUID or svc-<short_id>

kziti service-set create

Create a global service set.

Service sets are cross-network groupings — services from any network can belong to the same set. An identity granted access to a set gets Dial access to all services in it, regardless of which network hosts them.

Example:

kziti service-set create devops "DevOps Services"
kziti service create corp-a gitlab gitlab.internal 443 --alias gitlab.corp-a.zt --service-set devops
kziti service create corp-b wiki wiki.internal 443 --alias wiki.corp-b.zt --service-set devops
kziti access grant user-123 svcset-devops

Usage:

kziti service-set create [OPTIONS] NAME [DISPLAY_NAME]

Arguments:

  • NAME (required) — Service set name (e.g. 'devops')
  • DISPLAY_NAME — Optional human-readable label

kziti service-set delete

Delete a global service set.

Usage:

kziti service-set delete [OPTIONS] NAME

Arguments:

  • NAME (required) — Service set name to delete

Options:

  • --yes, -y — Skip confirmation prompt

kziti service-set list

List all global service sets.

Usage:

kziti service-set list

kziti service-set remove

Remove an existing service from a service set.

Example:

kziti service-set remove devops svc-corp-a-wiki
kziti service-set remove devops <uuid>

Usage:

kziti service-set remove [OPTIONS] NAME SERVICE_REF

Arguments:

  • NAME (required) — Service set name (e.g. 'devops')
  • SERVICE_REF (required) — Service UUID or svc-<short_id>

kziti service-set show

Show details and member services for a service set.

Usage:

kziti service-set show [OPTIONS] NAME

Arguments:

  • NAME (required) — Service set name

kziti status

Show connection status for the OpenZiti controller.

Usage:

kziti status

kziti ziti

OpenZiti management commands.

Usage:

kziti ziti COMMAND [ARGS]...

kziti ziti audit

Audit the live Ziti configuration for policy misconfigurations.

Checks for issues that cause routing loops, privilege escalation, or broken connectivity — including the ouroboros circuit-cycle bug, overly broad Bind policies, router identities with Dial access, and host/intercept address overlap.

Exits 0 when the configuration is clean, 1 when any ERROR is found.

Usage:

kziti ziti audit
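Using the audit exit code as a gate on kziti access changes (the kziti access grant and remove commands earlier on this page), as an added example script that is not part of kziti: take a baseline audit, apply the grant, re-audit, and revoke the grant again if the audit now reports an ERROR. It relies only on the documented exit codes (0 clean, 1 on any ERROR) and the access subcommands; treating any non-zero exit, including a connection failure, as a failure is a deliberate fail-closed choice.

```shell
#!/bin/sh
# gated-grant.sh (added example, not part of kziti): apply an access grant
# only if 'kziti ziti audit' stays clean afterwards.
set -eu

# gated_grant IDENTITY RESOURCE
# Returns 0 when the grant is live and the audit is clean, 1 when the grant
# was rolled back because the audit reported an ERROR afterwards, and 2 when
# the audit was already failing and nothing was changed.
gated_grant() {
  identity="$1"; resource="$2"

  # Baseline first: a pre-existing ERROR must not be blamed on (or hidden by)
  # this change. Any non-zero exit counts as failure, which fails closed.
  if ! kziti ziti audit; then
    echo "audit already reports ERROR; refusing to grant $resource to $identity" >&2
    return 2
  fi

  kziti access grant "$identity" "$resource"

  if kziti ziti audit; then
    return 0
  fi

  # The new role attribute introduced a finding (for example a router
  # identity ending up with Dial access): take it back immediately.
  echo "audit failed after granting $resource to $identity; rolling back" >&2
  kziti access remove --yes "$identity" "$resource"
  return 1
}

# Usage: ./gated-grant.sh user-123 svcset-devops
if [ $# -eq 2 ]; then
  gated_grant "$1" "$2"
fi
```

The same shape works for any mutation on this page (service-set add, router provisioning): change, audit, undo on ERROR. Run it from an automation identity whose own access is narrow, since the rollback path needs remove rights on the same resources it grants.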