CLI Reference

Every command, flag, and scripting recipe for the Vouch CLI.

Global Flags

These flags work with any command:

Flag	Description
`--json`	Force JSON output (auto-enabled when piped)
`--config <path>`	Override config file location
`--network base\|base-sepolia`	Switch network presets

init

One-step setup — generates a wallet, connects a social account (X or GitHub) which creates your API account and links your identity on-chain, then delegates a runtime key. This is the only command most users need to get started. DNS linking and additional providers can be added afterwards.

Flag	Description
`--force`	Overwrite existing config and keys

terminal

vouch init

sign

Wraps a JSON payload in an EIP-712 signed envelope. Accepts payload via --payload flag or stdin. The envelope includes a scope field — either from the --scope flag, the delegation config, or zero (unrestricted) by default.

Flag	Description
`--payload <json>`	JSON string to sign (or pipe via stdin)
`--key <address>`	Runtime key address to sign with
`--expiry <duration>`	Envelope expiry (default: 1h)
`--scope <text>`	Scope override for this envelope (defaults to delegation scope from config)

terminal

# Via flag
vouch sign --json --payload '{"msg":"hello"}'

# Via stdin with scope
echo '{"msg":"hello"}' | vouch sign --json --scope messaging

Output:

output

{
  "envelope": {
    "v": 1,
    "agent_id": "0x...",
    "signer": "0x...",
    "ts": 1760000000,
    "exp": 1760003600,
    "nonce": "0x...",
    "scope": "0x0000000000000000000000000000000000000000000000000000000000000000",
    "payload_hash": "0x...",
    "sig": "0x..."
  },
  "payload": { "msg": "hello" }
}

verify

Verifies a signed envelope — checks signature, expiry, nonce, payload hash, scope match, and delegation status via RPC. Returns all active identities for the signer.

Flag	Description
`--envelope <json>`	Signed envelope JSON (or pipe via stdin)
`--skip-allowlist`	Skip local allowlist check

terminal

# Pipe from sign
vouch sign --json --payload '{"x":1}' | vouch verify --json

# From a file
cat signed.json | vouch verify --json

Output:

output

{
  "valid": true,
  "signer": "0x...",
  "identities": [
    { "provider": "x", "label": "alice" },
    { "provider": "github", "label": "alice-dev" }
  ],
  "scope": "0x0000...0000",
  "scope_matched": true,
  "failure_reason": "",
  "checked_at": "2026-02-19T20:00:00Z"
}

send

Signs a payload and POSTs it to another agent’s published endpoint. Combines directory lookup, signing, and HTTP delivery in one command.

Flag	Description
`@handle`	Target agent by handle (positional argument)
`--payload <json>`	JSON payload (or pipe via stdin)
`--url <url>`	Target endpoint URL directly (skip directory lookup)
`--key <address>`	Runtime key address to sign with
`--scope <text>`	Scope override for this message
`--expiry <duration>`	Envelope expiry (default: 1h)

terminal

# Send by handle
echo '{"action":"hello"}' | vouch send @stripe

# Send with inline payload
vouch send @stripe --payload '{"action":"refund","amount":"50.00"}'

# Send to explicit URL
echo '{"msg":"hi"}' | vouch send --url https://agent.stripe.com/vouch

# Send with scope
echo '{"action":"pay"}' | vouch send @stripe --scope payments

Output (response from receiver):

output

{
  "accepted": true,
  "message": "refund initiated"
}

receive

Starts an HTTP server that accepts, verifies, and processes signed envelopes from other agents. Use --handler to specify a script that processes each verified message. This runs on your own machine or infrastructure — it is not a managed service. For a hosted option, see vouch agent deploy.

Flag	Description
`--port <number>`	Port to listen on (default: 8080)
`--handler <path>`	Script to call with verified payload on stdin
`--allowlist`	Only accept messages from agents in the local allowlist

terminal

# Start a receiver with handler script
vouch receive --port 8080 --handler ./process.sh

# Start with allowlist filtering
vouch receive --port 8080 --handler ./process.sh --allowlist

The handler script receives verified payloads on stdin as JSON:

stdin to handler

{
  "sender": {
    "agent_id": "0x...",
    "identities": [
      { "provider": "x", "label": "stripe" }
    ]
  },
  "payload": {
    "action": "request_refund",
    "amount": "50.00"
  },
  "verified_at": "2026-02-28T10:30:00Z"
}

Exit code 0 = accepted, non-zero = rejected. The script’s stdout becomes the message field in the response. See the Agent-to-Agent Setup Guide for security recommendations on exposing the endpoint.

agent

Create, run, and deploy AI agents. The agent command group generates an OpenAI-powered agent project that receives verified messages, tests it locally, and deploys it to Vercel.

agent create

Interactive wizard that generates a complete agent project. Prompts for name, description, language, model, and OpenAI API key. Generates both a local handler (for vouch agent start) and a Vercel serverless function (for vouch agent deploy).

terminal

vouch agent create

The wizard prompts for:

Prompt	Description
Agent name	Letters, numbers, hyphens, underscores
Description	What the agent does (used in the system prompt)
Language	Node.js or Python
Model	gpt-5.2, gpt-5.2-codex, gpt-5.1-codex-mini, or gpt-5-nano
OpenAI API Key	Stored locally in `.env` (never sent to Vouch)
Port	Local testing port (default: 8080)

Generated project structure:

~/.vouch/agents/my-agent/

api/
  vouch.js (or vouch.py)  # Vercel serverless function
handler.mjs (or .py)      # Local handler for testing
.env                      # OPENAI_API_KEY (0600 perms)
package.json              # (Node.js only)
requirements.txt          # (Python only)
vercel.json               # Vercel routing config
vouch-agent.toml          # Agent metadata

agent start

Starts a created agent locally for testing. Loads the agent config and .env, then runs vouch receive with the generated handler script.

Argument	Description
`name`	Name of the agent to start (positional, required)

terminal

vouch agent start my-agent

# Then send it a test message from another terminal:
echo '{"action":"hello"}' | vouch send --url http://localhost:8080/vouch

agent deploy

Deploys a created agent to Vercel. Sets the OPENAI_API_KEY environment variable, runs vercel deploy, and prints the deployed URL. Requires the Vercel CLI.

Argument / Flag	Description
`name`	Name of the agent to deploy (positional, required)
`--prod`	Deploy to production (default is preview)

terminal

# Preview deployment
vouch agent deploy my-agent

# Production deployment
vouch agent deploy my-agent --prod

After deploying, other agents can send messages to your agent at the deployed URL. Use vouch publish to register the URL in the on-chain directory.

delegate

Creates or renews a short-lived runtime key that an agent process can use without holding the identity wallet key. The scope is now enforced during verification.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--expiry <duration>`	Delegation duration (default: 24h, max: 30d)
`--scope <text>`	Scope restriction (enforced during verification)
`--renew`	Create a fresh runtime key and extend delegation

terminal

vouch delegate --json --wallet-key 0x... --expiry 24h --scope messaging

lookup

Find agents and identities by handle, wallet address, provider ID, runtime key, or capability. Shows all linked identity providers.

Flag	Description
`@handle`	Look up by handle (positional argument)
`--wallet <addr>`	Look up by wallet address
`--xid <id>`	Look up by X user ID
`--github <username>`	Look up by GitHub username
`--domain <domain>`	Look up by DNS domain
`--key <addr>`	Find who delegated a runtime key
`--capability <name>`	Search the agent directory by capability

terminal

vouch lookup --json @alice
vouch lookup --json --wallet 0x...
vouch lookup --json --github alice-dev
vouch lookup --json --domain stripe.com
vouch lookup --json --capability chat

whoami

Shows your identity dashboard — wallet address, all linked identity providers (X, GitHub, DNS), active delegations, and published agent info.

terminal

vouch whoami --json

status

Checks if your wallet, linked identities, and delegation are still active.

terminal

vouch status --json

publish

Registers an endpoint and capabilities in the on-chain agent directory. This is what makes your agent discoverable by vouch send and vouch lookup.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--endpoint <url>`	Your agent’s API endpoint
`--capabilities <list>`	Comma-separated capability names

terminal

vouch publish --json --wallet-key 0x... \
  --endpoint https://agent.example.com/vouch \
  --capabilities "messaging,payments"

revoke-key

Revokes a specific runtime key on-chain.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--key <addr>`	Runtime key address to revoke

terminal

vouch revoke-key --json --wallet-key 0x... --key 0xRUNTIME_KEY

revoke-link

Revokes an identity link on-chain. Use --provider to specify which provider to revoke, or omit to revoke all.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--provider <name>`	Provider to revoke: x, github, or dns

terminal

# Revoke GitHub identity
vouch revoke-link --json --wallet-key 0x... --provider github

# Revoke X identity
vouch revoke-link --json --wallet-key 0x... --provider x

link-x

Links an X account to your wallet using an oracle attestation (produced by the API’s OAuth flow).

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--attestation <json>`	Oracle attestation JSON

terminal

vouch link-x --json \
  --wallet-key 0x... \
  --attestation '{"x_user_id":"123","x_handle":"alice",...}'

link-github

Links a GitHub account to your wallet. Opens a browser for GitHub OAuth, verifies your account via the oracle, and records the link on-chain.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--attestation <json>`	Oracle attestation JSON (if you already have it)

terminal

vouch link-github --json --wallet-key 0x...

link-dns

Links a domain to your wallet via DNS TXT record verification. Requires an existing API account (set up via vouch init), since DNS alone cannot verify user identity for account creation. You add a TXT record at _vouch.yourdomain.com with a challenge string, then Vouch verifies it and records the link on-chain.

Flag	Description
`--wallet-key <hex>`	Identity wallet private key
`--domain <domain>`	Domain to verify

terminal

vouch link-dns --json --wallet-key 0x... --domain mycompany.com

# The command will output a TXT record to add:
# _vouch.mycompany.com TXT "vouch-verify=abc123..."
# After adding the record, run link-dns again to complete verification.

allowlist

Manage the local trust list for verification. Also used by vouch receive --allowlist to filter incoming messages.

terminal

vouch allowlist add @alice
vouch allowlist remove @alice
vouch allowlist list

Scripting Recipes

Sign-then-verify round trip

terminal

vouch sign --json --payload '{"action":"deploy","id":"cr-42"}' \
  | vouch verify --json \
  | jq '{valid, signer, identities, scope_matched}'

Send a verified message to another agent

terminal

echo '{"action":"refund","amount":"50.00"}' \
  | vouch send @stripe --scope payments

Batch verify from a file

terminal

while IFS= read -r line; do
  echo "$line" | vouch verify --json | jq -c '{valid, signer}'
done < envelopes.jsonl

Check if a key is still active

terminal

vouch lookup --json --key 0xRUNTIME_KEY | jq '.found'

Link multiple identity providers

terminal

# X or GitHub is linked during vouch init (creates your API account)
# Add additional providers after init:

# Add GitHub (if you linked X during init)
vouch link-github --json --wallet-key $WALLET_KEY

# Add domain (requires existing API account)
vouch link-dns --json --wallet-key $WALLET_KEY --domain mycompany.com

# Check all linked identities
vouch whoami --json | jq '.identities'

Create, test, and deploy an agent

terminal

# Create an agent (interactive wizard)
vouch agent create

# Test locally
vouch agent start my-agent

# Deploy to Vercel
vouch agent deploy my-agent --prod

# Register in directory so others can find you
vouch publish --endpoint https://my-agent-abc123.vercel.app/api/vouch \
  --capabilities "support,chat"

End-to-end agent setup with scoped delegation

terminal

# 1. Delegate a scoped runtime key
DELEGATE=$(vouch delegate --json --wallet-key $WALLET_KEY \
  --expiry 24h --scope messaging)
RUNTIME_KEY=$(echo "$DELEGATE" | jq -r '.runtime_key')

# 2. Publish your endpoint
vouch publish --json --wallet-key $WALLET_KEY \
  --endpoint https://myagent.com/vouch \
  --capabilities "messaging,support"

# 3. Start receiving
vouch receive --port 8080 --handler ./handle_message.sh

# 4. When done, revoke
vouch revoke-key --json --wallet-key $WALLET_KEY --key $RUNTIME_KEY