Cognite CLI — command reference

All commands are available via npx @cognite/cli@latest <command> or cognite <command> when installed globally. This page documents the apps and keys command groups. For a walkthrough from scaffold to activation, see the Cognite CLI quickstart.

cognite [options] [command]

Options:
  -V, --version   output the version number
  -h, --help      display help for command

Commands:
  apps            Manage Flows custom apps — create, deploy, and manage version lifecycle
  keys            Manage code signing keys

`apps`

Manage the full lifecycle of Flows custom apps.

npx @cognite/cli@latest apps <subcommand> [options]

`apps create`

Scaffold a new Flows custom app.

npx @cognite/cli@latest apps create [directory] [options]

Argument / Option	Description
`[directory]`	Target directory (`.` for current, or a subdirectory name).
`--display-name <name>`	App display name (skips the prompt).
`--description <description>`	App description (skips the prompt).
`--org <org>`	Deployment organization (skips the prompt).
`--project <project>`	Deployment project (skips the prompt).
`--cluster <cluster>`	CDF cluster, e.g. `greenfield` (skips the prompt).
`--base-url <url>`	CDF base URL, e.g. `https://greenfield.cognitedata.com` (skips the prompt; defaults to cluster-derived URL when omitted).
`--spec-kit`	Install spec-kit slash commands (skips the prompt).
`--no-spec-kit`	Skip spec-kit installation (skips the prompt).

The following examples show typical apps create invocations.

# Interactive
npx @cognite/cli@latest apps create

# Target subdirectory
npx @cognite/cli@latest apps create my-app

# Fully non-interactive (CI/AI agents)
npx @cognite/cli@latest apps create my-app \
  --display-name "My App" \
  --description "My app" \
  --org cog-atlas \
  --project atlas-greenfield \
  --cluster greenfield \
  --base-url https://greenfield.cognitedata.com

`apps deploy`

Build and deploy your app to Cognite Data Fusion (CDF).

npx @cognite/cli@latest apps deploy [options]

Option	Description
`-d, --deployment <target>`	Deployment target — index (e.g. `0`, `1`) or project name from `app.json`.
`--skip-build`	Skip the build step.
`--interactive`	Use browser-based OIDC authentication instead of env-var credentials.
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint for login (only with `--interactive`).

For non-interactive deploy, set credentials using environment variables. deployClientId and deploySecretName are set per deployment in app.json. deploySecretName is the name of the environment variable that holds the client secret. Set it before deploying:

MY_CLIENT_SECRET=<your-secret> npx @cognite/cli@latest apps deploy

The following examples show typical apps deploy invocations.

npx @cognite/cli@latest apps deploy                      # First deployment target, env-var auth
npx @cognite/cli@latest apps deploy -d 1                 # Second deployment target
npx @cognite/cli@latest apps deploy -d my-project        # Deploy to project by name
npx @cognite/cli@latest apps deploy --skip-build         # Deploy without rebuilding
npx @cognite/cli@latest apps deploy --interactive        # Browser auth, prompts for target
npx @cognite/cli@latest apps deploy --interactive -d 0   # Browser auth, target chosen non-interactively

`apps status`

Show the deployment status and signatures of the current app version.

npx @cognite/cli@latest apps status [path] [options]

Argument / Option	Description
`[path]`	Path to the app folder (only `.` is currently supported; default: `.`).
`-d, --deployment <target>`	Deployment target from `app.json` (index or name).
`--interactive`	Browser-based authentication.
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint for login (only with `--interactive`).

The following examples show typical apps status invocations.

npx @cognite/cli@latest apps status .                     # Status using env-var auth
npx @cognite/cli@latest apps status . --interactive       # Status using browser auth

`apps publish`

Transition the current app version from DRAFT to PUBLISHED.

npx @cognite/cli@latest apps publish [path] [options]

Argument / Option	Description
`[path]`	Path to the app folder (default: `.`).
`-d, --deployment <target>`	Deployment target from `app.json`.
`--interactive`	Browser-based authentication.
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint (only with `--interactive`).

The following examples show typical apps publish invocations.

npx @cognite/cli@latest apps publish .                    # Publish using env-var auth
npx @cognite/cli@latest apps publish . --interactive      # Publish using browser auth

`apps activate`

Activate the current app version — publishes if needed, then sets the ACTIVE alias so users see this version.

npx @cognite/cli@latest apps activate [path] [options]

Argument / Option	Description
`[path]`	Path to the app folder (default: `.`).
`-d, --deployment <target>`	Deployment target from `app.json`.
`--interactive`	Browser-based authentication.
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint (only with `--interactive`).

The following examples show typical apps activate invocations.

npx @cognite/cli@latest apps activate .                   # Activate using env-var auth
npx @cognite/cli@latest apps activate . --interactive     # Activate using browser auth

`apps deactivate`

Deactivate the app by removing its active version from service.

npx @cognite/cli@latest apps deactivate [path] [options]

Argument / Option	Description
`[path]`	Path to the app folder (default: `.`).
`-d, --deployment <target>`	Deployment target from `app.json`.
`--interactive`	Browser-based authentication.
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint (only with `--interactive`).

The following examples show typical apps deactivate invocations.

npx @cognite/cli@latest apps deactivate .                 # Deactivate using env-var auth
npx @cognite/cli@latest apps deactivate . --interactive   # Deactivate using browser auth

`apps setup-https`

Generate trusted local HTTPS certificates using mkcert. Required for local development when your app expects an HTTPS origin.

npx @cognite/cli@latest apps setup-https [options]

Option	Description
`--cert-dir <path>`	Directory to write certificates into (default: `./certificates/mkcert`).

The following examples show typical apps setup-https invocations.

npx @cognite/cli@latest apps setup-https                         # Write certs to ./certificates/mkcert
npx @cognite/cli@latest apps setup-https --cert-dir ./certs      # Custom output directory

`apps submit`

Package the app source and open a pre-filled Zendesk form for app certification submission.

npx @cognite/cli@latest apps submit

This command:

Packages the app source into a zip archive.
Opens your browser to the Cognite certification Zendesk form.
Opens your file manager to the generated package so you can attach it.

The following example shows a typical apps submit invocation.

npx @cognite/cli@latest apps submit

`apps sign`

Sign an app bundle for Cognite certification. Defaults to .cognite-bundles/<app>-<version>.zip.

npx @cognite/cli@latest apps sign [bundle] [options]

Argument / Option	Description
`[bundle]`	Path to the bundle to sign (default: `.cognite-bundles/<app>-<version>.zip`).
`--key <path>`	Private key PEM file path.
`-s, --signing-identity <kid>`	Key ID for Keychain or file-based key lookup.
`--appid <id>`	Application ID (default: `externalId` from `app.json`).
`-i, --identifier <id>`	Alias for `--appid`.
`--app-version <version>`	App version (default: `versionTag` from `app.json`).
`--scope <org/project...>`	Deployment scope(s) (default: deployments from `app.json`).
`-r, --requirements <org/project...>`	Alias for `--scope`.
`-o, --output <path>`	Output signature file path (default: `<bundle>.<dev\|cert>.sig`).
`-v, --verbose`	Display full payload after signing.
`--as-certifier`	Counter-sign a developer signature as certifier.
`--interactive`	Enable interactive prompts (key selection, passphrase, deployment target).
`--browser-auth`	Use browser-based PKCE auth when submitting the signature.
`-d, --deployment <target>`	Deployment target from `app.json` (submit step only).
`--base-url <url>`	CDF base URL (only with `--interactive`).
`--project <project>`	CDF project name (only with `--interactive`).
`--org <org>`	Organization hint (only with `--interactive` or `--browser-auth`).

`apps skills`

Manage AI agent skills for your app. Supports Claude Code and Cursor.

npx @cognite/cli@latest apps skills <subcommand> [options]

`apps skills pull`

Pull skills into your project.

npx @cognite/cli@latest apps skills pull [options]

Option	Description
`--skill <name>`	Pull a specific skill by name (e.g. `create-client-tool`).

`apps skills list`

List the skills currently installed in your project.

npx @cognite/cli@latest apps skills list

The following examples show typical apps skills invocations.

npx @cognite/cli@latest apps skills pull                               # Pull all skills
npx @cognite/cli@latest apps skills pull --skill create-client-tool   # Pull a specific skill
npx @cognite/cli@latest apps skills list                              # List installed skills

`keys`

Manage Ed25519 code signing keys used to sign app bundles.

npx @cognite/cli@latest keys <subcommand> [options]

`keys generate`

Generate a new Ed25519 keypair for code signing. On macOS, the private key is stored in the system Keychain by default.

npx @cognite/cli@latest keys generate [options]

Option	Description
`-o, --output <path>`	Write the encrypted private key to this file path (forces file storage even on macOS).
`--no-keychain`	Skip macOS Keychain and write a passphrase-encrypted key to `~/.cognite-cli/keys/` instead.
`-e, --expires <months>`	Validity in months (1–12); skips the interactive prompt.
`--email <address>`	Email address for the key registry entry; skips the interactive prompt.
`--kid <identifier>`	Signing identity name for the registry (e.g. `jsmith-dev-001`); skips the interactive prompt.
`--force`	Overwrite an existing key without prompting for confirmation.
`--copy-link`	Copy the Zendesk registration link to the clipboard without prompting.
`--interactive`	Prompt for any required flags that are not supplied.

The following example shows a typical keys generate invocation.

npx @cognite/cli@latest keys generate \
  --email developer@example.com \
  --kid jsmith-dev-001 \
  --expires 12

`keys list`

List all local signing identities and their storage location (Keychain or file).

npx @cognite/cli@latest keys list

Documentation Index

​apps

​apps create

​apps deploy

​apps status

​apps publish

​apps activate

​apps deactivate

​apps setup-https

​apps submit

​apps sign

​apps skills

​apps skills pull

​apps skills list

​keys

​keys generate

​keys list