Lemma CLI
Install, unlock, remediate, and validate proof-first agent auth.
Install
Install the packaged CLI with pipx for isolated, repeatable local usage. This is the default path for self-serve developer onboarding.
pipx install lemma-cli
Start a Wallet Session
For local sensitive operations, start with a browser-backed wallet session so the CLI can acquire and validate proof-first auth state.
lemma session start --api-base https://lemma.id
lemma session status --api-base https://lemma.id --json
OpenClaw Starter Setup
Use the public starter-safe command when you want one browser approval, local firewall startup, and a visible allow plus kill-to-deny check.
lemma setup-openclaw --api-base https://lemma.id
lemma safety-status --firewall-url http://127.0.0.1:8787 --json
Remediation Commands
When onboarding fails, use machine-readable remediation instead of guessing from raw errors.
lemma doctor --fix --error wallet_unlock_required --api-base https://lemma.id
lemma doctor --fix --error invalid_ppid --api-base https://lemma.id
lemma doctor --fix --error E_AUTH_REQUIRED --api-base https://lemma.id
Headless / CI Authentication
For non-interactive environments, authenticate with a platform API key and operator email. Use this only where browser approval is not available.
lemma login --api-base https://lemma.id --non-interactive --platform-api-key "$LEMMA_API_KEY" --user-email "$LEMMA_ADMIN_EMAIL" --json
General Setup and CI Commands
These commands are still useful when you are wiring site configuration, audits, and launch checks around the core auth flow.
lemma setup --site-id site_demo --site-domain example.com --framework flask --json
lemma audit --project-dir . --framework flask --skip-health --json
lemma fix --project-dir . --framework flask --safe --skip-health --json
lemma ci --project-dir . --framework flask --skip-health --skip-smoke --json
Machine Output Contract
Machine-oriented commands support --json and emit consistent top-level fields:
schema_versioncommandokerror_code
Related Docs
- Quick Start -- bring-your-own runtime auth path
- Installation -- packaged CLI and reference runtime setup
- Authentication API -- proof-first and compatibility contract