Approov CLI Tool Reference


The Approov command line tool is used for administering the operation of your Approov service. Builds of the tool are available for Linux, macOS and Windows. All commands require a valid management token. The general form of all commands is:

approov <command> [<management-token-path>] [option]...

A full list of valid commands can be obtained by invoking the tool with no parameters. The valid command arguments are api, device, devicecheck, management, metrics, monitoring, pin, policy, registration, sdk, secret, token, usage and whoami. The options available for each of those commands are provided in the following sections. Help for any command can be obtained by invoking it with no options:

approov <command>

The management token may be specified as a path as the second parameter or, alternatively, the token may be held in the environment variable APPROOV_MANAGEMENT_TOKEN. If specified on the command line then this overrides any environment variable token.

A version of the registration options that is backward compatible with Approov 1 is made available by invoking the tool with an executable name of registration (or registration.exe for Windows). More details are at Approov Legacy Registration Tool Mode.

API Command

approov api [<management-token-path>] [option]...

Device Command

approov device [<management-token-path>] [option]...

DeviceCheck Command

approov devicecheck [<management-token-path>] [option]...

Note that the devicecheck command (apart from -get) requires the use of an admin level management token.

Management Command

approov management [<management-token-path>] [option]...

Note that the management command requires the use of an admin level management token.

Monitoring Command

approov monitoring [<management-token-path>] [option]...

Note that most monitoring commands (apart from -getHealthCheckURL) require the use of an admin level management token.

Metrics Command

Access to the Grafana based metrics dashboards can be initiated without any further options. Simply use:

approov metrics

Pin Command

approov pin [<management-token-path>] [option]...

Policy Command

approov policy [<management-token-path>] [option]...

Registration Command

approov registration [<management-token-path>] [option]...

SDK Command

approov sdk [<management-token-path>] [option]...

Secret Command

approov secret [<management-token-path>] [option]...

Note that the secret command requires the use of an administration level management token.

The 512-bit secret that is obtained with the -get command is the one used for checking the symmetrically signed JWS tokens. If you wish to decrypt a JWE generated by Approov then the 256-bit key is obtained by performing a SHA256 hash of the secret obtained using the command.
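The two uses of the secret described above, sketched as an added example that is not part of the Approov documentation or tooling: a backend check of a symmetrically signed compact JWS, and derivation of the 256-bit JWE key. Assumptions: the secret has already been decoded to its raw 64 bytes, the HMAC algorithm is pinned by the caller (the HS256 default is an assumption, not stated on this page), tokens carry a standard `exp` claim, and all function names and the demo secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

HASHES = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}
# Constructed 64-byte value standing in for the decoded account secret.
DEMO_SECRET = bytes(range(64))

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwe_key_from_secret(secret: bytes) -> bytes:
    """Derive the 256-bit JWE key: SHA256 over the 512-bit secret."""
    if len(secret) != 64:
        raise ValueError("expected a 512-bit (64-byte) secret")
    return hashlib.sha256(secret).digest()

def sign(signing_input: str, secret: bytes, alg: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), HASHES[alg]).digest()

def verify_jws(token: str, secret: bytes, alg: str = "HS256", now=None) -> dict:
    """Return the claims of a valid compact JWS, else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: "none" or any other alg is rejected here.
    if not isinstance(header, dict) or header.get("alg") != alg:
        raise ValueError("unexpected alg")
    expected = sign(f"{header_b64}.{payload_b64}", secret, alg)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Assumption: tokens carry the standard JWT "exp" claim (seconds since epoch).
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def make_demo_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a constructed test token; real tokens come from the Approov service."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b64url_encode(sign(f"{head}.{body}", secret, alg))
    return f"{head}.{body}.{sig}"
```

Because this one secret both verifies every token and yields the JWE key, load it from a secrets store on the backend and keep it out of source control and logs.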

Token Commands

approov token [<management-token-path>] [option]...

Usage Command

Access to the legacy usage and monitoring portal can be initiated without any further options. Simply use:

approov usage

Whoami Command

This provides information about the management token being used to access the Approov service, either the one added to the APPROOV_MANAGEMENT_TOKEN environment variable or one explicitly provided on the command line. The name of the account and the information about the user the token was issued to is provided, along with the expiry time of the token. To get this information simply use:

approov whoami