CLI Reference
Scaffold projects, run local sandbox auth, seed test data, and debug webhook handlers from the terminal.
@wocha/cli is the command-line tool for Wocha developer workflows: scaffolding auth in existing projects, running a local sandbox server, validating configuration, seeding test data, testing webhooks, and migrating users from other providers.
Installation
Install globally:
pnpm add -g @wocha/clinpx @wocha/cli init --framework nextjsOr run without installing:
Verify the install:
Quick start
From your project root:
The wizard detects your framework, installs the right SDK, generates starter files, and can auto-provision an OAuth application when you provide a Management API key.
For instant local development with zero cloud setup:
Commands
wocha init
Interactive setup wizard that scaffolds Wocha auth in an existing project.
Supported frameworks: Next.js, React SPA, Vue, Nuxt, SvelteKit, Remix, Express/Node.js, and Other (Management API only).
The CLI auto-detects your stack from package.json and lockfiles, installs the matching @wocha/* package, and writes framework-specific starter files (route handlers, middleware, env files, providers).
Init modes:
| Flag | Description |
|---|---|
--sandbox | Lightweight local auth — pairs with wocha dev (no cloud account) |
--keyless | Full Docker stack (Kratos, Hydra, SpiceDB) — no Wocha account |
--cloud | Provision a free cloud dev tenant (no account required) |
--auto-provision | Create an OAuth app via the Management API |
--ai | Analyse the project and show an AI-assisted integration plan |
--yes, -y | Skip confirmation prompts |
Non-interactive example (Next.js on Wocha Cloud):
Sandbox example:
wocha dev
Starts a lightweight sandbox auth server for local development. The server exposes OIDC endpoints (/oauth/authorize, /oauth/token, /userinfo, /.well-known/jwks.json) with locally signed RS256 tokens.
Run in a separate terminal after wocha init --sandbox. Your app uses the sandbox issuer URL and pre-configured client credentials written during init.
Options:
| Option | Description |
|---|---|
--port <n> | Listen port (default: 4000) |
--framework <name> | Tailor env output for your stack |
--write-env | Write .env.local / .env with sandbox credentials if missing |
Subcommands:
Env vars written by --write-env:
Non-production only — do not use sandbox mode in staging or production.
wocha doctor
Diagnoses common integration issues without starting your app.
Checks performed:
- Required environment variables (with alias support)
- Installed
@wocha/*packages and version currency - Tenant API connectivity (
GET /api/v1/health) - Management API key validity
- Framework detection and auth route files (Next.js middleware, auth handler)
- OIDC discovery, JWKS, token, and authorization endpoints
- Local auth login route (
/api/auth/login)
Fix any failures reported before debugging in your application code.
wocha seed
Provisions organisations, users, roles, permissions, and OAuth applications from a YAML seed file. Idempotent — existing resources are skipped.
Requires: WOCHA_MANAGEMENT_API_KEY (or WOCHA_API_KEY) and WOCHA_TENANT_SLUG (or WOCHA_TENANT).
Example wocha.seed.yaml:
wocha webhook listen
Local webhook receiver with automatic public tunnel URL, temporary subscriber registration, and signature verification.
Options:
| Option | Description |
|---|---|
--port <n> | Local listen port (default: 8787) |
--events <list> | Comma-separated event filter (default: *) |
--forward-to <url> | Proxy verified webhooks to another local URL |
--tunnel-url <url> | Use a specific public tunnel URL |
Tunnel priority: existing ngrok → Cloudflare Quick Tunnel (cloudflared) → Wocha relay (tunnel.wocha.ai).
Requires: WOCHA_MANAGEMENT_API_KEY and WOCHA_TENANT_SLUG. Optional WOCHA_API_BASE_URL for self-hosted tenants.
wocha webhook test
Sends a signed test webhook payload to any endpoint — useful for unit testing handlers without a live tenant.
Supported event types include user.created, user.updated, session.created, session.revoked, org.created, connection.created, and more. Run wocha webhook test --help for the full list.
wocha migrate
Imports users from Auth0, Clerk, or Firebase into Wocha.
Options:
| Option | Description |
|---|---|
--dry-run | Preview migration without creating users |
--batch-size <n> | Users per API page (default: 100) |
The command prompts for provider credentials interactively (Auth0 domain + Management API token, Clerk secret key, or Firebase export JSON path).
Configuration
Project config (.wocha/)
CLI project state is stored under .wocha/ (there is no separate .greetrc file):
| File | Purpose |
|---|---|
.wocha/config.json | Active environment slug and project settings |
.wocha/credentials.json | Cloud dev tenant credentials (from wocha init --cloud) |
wocha.seed.yaml | Seed data for wocha seed (project root) |
Example .wocha/config.json:
Infrastructure-as-code exports live in .wocha/ when using wocha config pull (YAML files per resource type with a manifest.yaml).
Environment variables
The CLI reads from .env, .env.local, and .env.development (merged with process.env).
Common aliases accepted by wocha doctor and other commands: WOCHA_TENANT_SLUG, WOCHA_ISSUER_URL, WOCHA_MANAGEMENT_API_KEY.
Common workflows
New Next.js app (fastest path)
CI scaffolding
Webhook development loop
Staging data setup
Other commands
| Command | Description |
|---|---|
wocha cloud-dev | Create a free cloud development tenant |
wocha config pull / push | Export or apply tenant config as YAML |
wocha env list / switch | Manage deployment environments |
wocha logs tail | Stream auth events in real time |
wocha test login | Run a test OAuth login and display token claims |
wocha status | Show configuration and tenant health |
wocha upgrade | Upgrade all @wocha/* packages |
Learn more
- Getting started
- Testing library — mock providers and E2E tokens
- Webhooks overview