Skip to main content
tridentctl is the Trident command-line client. Use it to scan your local development environment for LLM API keys and SDK wiring, run promptfoo-based security evaluations with watch mode, and verify Trident agent certificates without needing an account. It communicates only with public Trident endpoints — no credentials required for cert, verify, and jwks commands.

Requirements

  • Node.js 18 or latertridentctl is an ESM Node.js script that uses the built-in fetch, crypto, and fs/promises APIs.

Install globally

Install once and use from anywhere in your terminal: 
npm install -g @trident/cli
Verify the installation: 
tridentctl --version
# 0.1.0

tridentctl --help

Use without installing

Run any command on-demand with npx — no global install required: 
npx tridentctl <command>
This is useful in CI environments where you do not want a global install or when you want to pin to the latest published version.

Set your API credentials (optional)

The init command inspects your local environment without any credentials. The cert, verify, and jwks commands also require no authentication — they hit public endpoints. If you are using tridentctl in scripts that call authenticated Trident API endpoints, set these environment variables:
VariableDescription
TRIDENT_PROJECT_PUBLIC_KEYYour project Public Key (prefix pk_live_…)
TRIDENT_PROJECT_SECRET_KEYYour project Secret Key (prefix sk_live_…)
You can find both keys in the Trident dashboard under Project Settings → API Keys. Add them to your shell profile or a .env file that your scripts load: 
export TRIDENT_PROJECT_PUBLIC_KEY="pk_live_abc123"
export TRIDENT_PROJECT_SECRET_KEY="sk_live_xyz789"

Quick test: scan your local environment

Run tridentctl init from the root of any project directory to see what Trident can detect and what it recommends you wire up: 
cd ~/my-ai-project
tridentctl init
tridentctl init reads your environment variables, .env/.env.local files, AWS credentials, gcloud config, 1Password vault, package.json dependencies, and source files — then prints a table of what it found and what to connect to Trident. It is read-only and never modifies your environment.

Override the base URL

By default, tridentctl connects to http://localhost:3000 (for local development) or the value of the VOUCH_BASE_URL environment variable. To point at the production Trident service, pass --base: 
tridentctl cert <hash> --base https://app.usetrident.dev
Or set the environment variable once: 
export VOUCH_BASE_URL=https://app.usetrident.dev
tridentctl cert <hash>

Next steps

See the Command Reference for full documentation of every command, including flags, example output, and CI usage patterns.