C1 Interface — an agent-oriented CLI for C1, and it looks like cli. Get it?
Alpha — under active development. Commands, flags, and output formats may change without notice.
A command-line interface for the C1 API designed for AI agents. Structured output (NDJSON/JSON), built-in API docs, and auto-pagination. For a human-friendly CLI, see cone.
# Install
go install github.com/ConductorOne/c1i@latest
# Log in (opens browser)
c1i auth login --url mycompany.conductor.one
# List users
c1i users list
# Explore the API — no credentials needed
c1i docs search "access reviews"
c1i docs endpoints --filter taskc1i users list [--query <text>] [--email <email>] [--status enabled|disabled|deleted] [--page-size N] [--page-token TOKEN] [--limit N]c1i apps list [--page-size N] [--page-token TOKEN] [--limit N]c1i accounts list --app-id <id> [--status enabled|disabled|deleted] [--type user|service_account|system_account] [--unmapped-only] [--query <text>] [--page-size N] [--page-token TOKEN] [--limit N]
c1i accounts set-owner --app-id <id> --app-user-id <id> --user-id <id>c1i entitlements list [--app-id <id>] [--query <text>] [--page-size N] [--page-token TOKEN] [--limit N]c1i tasks list [--state open|closed] [--query <text>] [--assigned-to-me] [--page-size N] [--page-token TOKEN] [--limit N]
c1i tasks approve --task-id <id> [--comment <text>]
c1i tasks deny --task-id <id> [--comment <text>]
c1i tasks comment --task-id <id> --comment <text>c1i connectors list --app-id <id> [--page-size N] [--page-token TOKEN] [--limit N]c1i requests create grant --app-id <id> --entitlement-id <eid> [--user-id <uid>] [--description <text>] [--duration <duration>] [--emergency]
c1i requests create revoke --app-id <id> --entitlement-id <eid> [--user-id <uid>] [--description <text>]--user-id defaults to the authenticated user when omitted.
# GET request
c1i api --path /api/v1/apps
# POST request
c1i api --path /api/v1/search/users --body '{"pageSize":10}'
# Auto-paginate through all results (NDJSON output, one item per line)
c1i api --path /api/v1/apps --paginateWhen --paginate is used, the list array from each page is unwrapped and each item is emitted as a single line of NDJSON — the same format used by list commands. Without --paginate, the full JSON response is pretty-printed.
The docs commands require no C1 credentials — agents can use them to explore the API before authenticating.
# Search documentation
c1i docs search "access reviews"
# Fetch a documentation page
c1i docs page product/admin/campaigns
# List API endpoints (filtered)
c1i docs endpoints --filter task
# Show full request/response schema for an endpoint
c1i docs endpoint /api/v1/search/tasks
# Dump the raw OpenAPI spec
c1i docs openapi- List commands (
users list,apps list, etc.) output NDJSON (one JSON object per line). apioutputs pretty-printed JSON. With--paginate, outputs NDJSON (one list item per line).docscommands output NDJSON (search,endpoints), pretty JSON (endpoint,openapiis YAML), or plain text (page).- List commands auto-paginate by default. Pass
--page-tokento fetch a single page manually. --page-sizecontrols the per-call batch size (max 100). Use--limit Nto cap the total number of results emitted; auto-pagination stops fetching new pages once the cap is reached.
c1i requires a C1 URL. You can pass a full URL, a raw domain, or a legacy short tenant name. Set it via (in order of precedence):
--urlflagC1I_URLenvironment variable~/.c1i.yamlconfig file:url: https://mycompany.conductor.one
All of these are equivalent:
--url https://mycompany.conductor.one--url mycompany.conductor.one--url mycompany
For credential storage, see Credential sources below.
# Browser-based login (OAuth device flow)
c1i auth login
# Or store credentials directly
c1i auth login --client-id <id> --client-secret <secret>
# Check credential status (also reports the storage backend)
c1i auth status
# Show the authenticated principal: user ID, display name, email, role/permission/feature counts
c1i auth whoami # add --verbose for full roles/permissions/features arrays
# Remove stored credentials
c1i auth logoutc1i reads credentials from the first source that has them, in this order:
- Environment variables — set
C1I_CLIENT_IDandC1I_CLIENT_SECRET(alongsideC1I_URL) for non-interactive / CI use. Both must be set; if only one is set the value is ignored. - OS keyring — Keychain on macOS, Credential Manager on Windows, Secret Service (e.g. gnome-keyring, KeePassXC) on Linux. Used by default when available.
- File fallback — a
0600JSON file under your config directory (~/.config/c1i/credentials/on Linux,~/Library/Application Support/c1i/credentials/on macOS,%AppData%\c1i\credentials\on Windows). Used automatically when no OS keyring is available — typical on headless Linux servers, containers, CI runners, and WSL without a desktop environment.
c1i auth login writes to the OS keyring when it can and falls back to the
file backend transparently. c1i auth status tells you which source served
the active credentials.
# bash
c1i completion bash > /etc/bash_completion.d/c1i
# zsh
c1i completion zsh > "${fpath[1]}/_c1i"
# fish
c1i completion fish > ~/.config/fish/completions/c1i.fishc1i version # or: c1i --versionc1i is built specifically as a tool for AI agents:
- Structured output: All data commands produce NDJSON or JSON — never mixed or human-formatted output.
- Self-documenting API:
docs endpoints,docs endpoint, anddocs searchlet an agent discover and understand the C1 API without external documentation. - Predictable pagination: List commands auto-paginate;
--page-tokengives manual control, and--limit Ncaps the total number of emitted results. - Raw API escape hatch:
api --pathwith--paginatelets an agent hit any endpoint, even ones without a native command. Paginated output uses the same NDJSON format as list commands.
Apache 2.0