The Salty CLI talks to the same REST API as the SDK and MCP server. It exists for the bits a human still does once in a while: creating an API key, eyeballing usage, registering a webhook, tailing the call log when a deploy goes sideways.
Status: npm install -g salty-cli — publishing soon.
Hosts
Every command takes --api <url> or reads $SALTY_API from the environment. Defaults: https://api.trysalty.com/v1.
Login
Opens a browser, runs the standard OAuth 2.1 + PKCE flow against $SALTY_API/oauth/authorize, and stores the resulting token. Storage prefers the OS keychain (macOS Keychain / Windows Credential Vault / libsecret on Linux); if the keychain isn’t available (headless, CI), it falls back to ~/.config/salty/credentials.json with 0600 perms.
salty logout forgets credentials for the current host.
Identity + usage
salty whoami # workspace, plan, period usage
salty usage # plan + cap + last 24h breakdown
API keys
salty keys list
salty keys create --name "agent-prod" # prints sk_live_… ONCE
salty keys revoke <id>
People (and the rest of the REST surface)
salty people list [--limit 50]
salty people get <id>
salty people create --email jane@acme.com --first-name Jane --last-name Doe
companies, deals, notes, tasks, activities, and custom-objects follow the same shape via the SDK or curl — the CLI focuses on the everyday flows.
Schema
salty schema show
salty schema add-attribute \
--object person \
--key tier \
--type enum \
--values "free,pro,enterprise"
--display-name defaults to a Title-Case version of --key.
Webhooks
salty webhooks list
salty webhooks add --url https://yourapp.com/hooks/salty --events "*"
salty webhooks test <id> # sync fire, prints HTTP status + body
salty webhooks add prints the whsec_… signing secret once — store it the same way you store an API key.
Logs
salty logs tail [--limit 200]
JSON output
Every command accepts --json to dump the raw response, useful for piping into jq:
salty people list --json | jq '.data[] | select(.custom_attributes.tier == "pro")'
