secure k8s

Commands (bao CLI)

Summary: One binary, bao, drives the server, the API, and the agent/proxy daemons. Every top-level verb maps to a subsystem.

Sources: raw/docs/commands/*.

Last updated: 2026-05-19


Server-lifecycle

  • bao server — start the server with a config file (raw/docs/commands/server.md).
  • bao operator init — initialize storage, generate the initial root token and unseal-key shards.
  • bao operator unseal — provide an unseal-key share. See seal-unseal.
  • bao operator seal — re-seal a running node.
  • bao operator generate-root — produce a new root token with a quorum.
  • bao operator step-down, bao operator raft ..., bao operator migrate, etc. (full set in raw/docs/commands/operator/).
  • bao status — print seal status (raw/docs/commands/status.md).

Auth and tokens

  • bao login — interactive login via any auth method (raw/docs/commands/login.md).
  • bao auth enable | list | tune | disable (raw/docs/commands/auth/).
  • bao token create | lookup | renew | revoke | capabilities (raw/docs/commands/token/).

Secrets

Generic data-plane:

  • bao read | write | list | delete | patch — the raw verbs over arbitrary paths (raw/docs/commands/{read,write,list,delete,patch}.md).
  • bao secrets enable | list | tune | move | disable (raw/docs/commands/secrets/).

Engine-specific helpers:

  • bao kv ... — KV v1/v2 (raw/docs/commands/kv/).
  • bao pki ... — PKI helpers (issue, sign, health-check) (raw/docs/commands/pki/).
  • bao transit ... — transit operations (raw/docs/commands/transit/).
  • bao ssh ... — SSH OTPs / cert issuing (raw/docs/commands/ssh.md).

Leases and policies

  • bao lease renew | revoke | lookup (raw/docs/commands/lease/).
  • bao policy write | read | list | delete (raw/docs/commands/policy/).
  • bao namespace create | list | delete (raw/docs/commands/namespace.md). See namespaces.

Audit and plugins

  • bao audit enable | list | disable (raw/docs/commands/audit/).
  • bao plugin register | list | info | deregister | reload | runtime (raw/docs/commands/plugin/).

Daemons

Diagnostics

  • bao monitor — tail server logs (raw/docs/commands/monitor.md).
  • bao debug — collect a debug bundle (raw/docs/commands/debug.md).
  • bao path-help <path> — auto-discovered help for any path (raw/docs/commands/path-help.md).
  • bao print, bao version, bao version-history (raw/docs/commands/).
  • bao unwrap — unwrap a response-wrapped secret (raw/docs/commands/unwrap.md).

Token helpers

bao token-helper integration lets the CLI store tokens via an external program (e.g. a keychain) instead of in ~/.vault-token (raw/docs/commands/token-helper.md).