The Approov command line tool is used for administering the operation of your Approov service. Builds of the tool are available for Linux, MacOS and Windows. All commands require a valid management token. The general form of all commands is:
approov <command> [<management-token-path>] [option]...
A full list of valid commands can be obtained by invoking the tool with no parameters. The valid command arguments are api
, device
, devicecheck
, management
, metrics
, monitoring
, pin
, policy
, registration
, sdk
, secret
, token
, usage
and whoami
. The options available for each of those commands is provided in the following sections. Help for any command can be obtained by invoking with:
approov <command>
The management token may be specified as a path as the second parameter or, alternatively, the token may be held in the environment variable APPROOV_MANAGEMENT_TOKEN
. If specified on the command line then this overrides any environment variable token.
An Approov 1 backwardly compatible version of registration options is made available by invoking the tool with an executable name registration
(or registration.exe
for Windows). More details at Approov Legacy Registration Tool Mode.
approov api [<management-token-path>] [option]...
approov device [<management-token-path>] [option]...
approov devicecheck [<management-token-path>] [option]...
Note that the devicecheck command (apart from -get
) requires the use of an admin level management token.
approov management [<management-token-path>] [option]...
Note that the management command requires the use of an admin level management token.
approov monitoring [<management-token-path>] [option]...
Note that most monitoring commands (apart from getting the -getHealthCheckURL
) requires the use of an admin level management token.
Access to the Grafana based metrics dashboards can be initiated without any further options. Simply use:
approov metrics
approov pin [<management-token-path>] [option]...
approov policy [<management-token-path>] [option]...
approov registration [<management-token-path>] [option]...
approov sdk [<management-token-path>] [option]...
approov secret [<management-token-path>] [option]...
Note that the secret command requires the use of an administration level management token.
The 512-bit secret that is obtained with the -get
command is the one used for checking the symmetrically signed JWS tokens. If you wish to decrypt a JWE generated by Approov then the 256-bit key is obtained by performing a SHA256 hash of the secret obtained using the command.
approov token [<management-token-path>] [option]...
Access to the legacy usage and monitoring portal can be initiated without any further options. Simply use:
approov usage
This provides information about the management token being used to access the Approov service, either the one added to the APPROOV_MANAGEMENT_TOKEN
environment variable or one explicitly provided on the command line. The name of the account and the information about the user the token was issued to is provided, along with the expiry time of the token. To get this information simply use:
approov whoami