clerk-cli
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseClerk CLI
Clerk CLI
The binary is a pre-authenticated gateway to Clerk's Backend API and Platform API, plus project-level tooling (auth, linking, env pulls, instance config). When the user asks anything that touches a Clerk resource, reach for first instead of hand-rolling .
clerkclerkcurlThis skill targets clerk. Iflatestdisagrees with the latest available CLI, refresh it withclerk --versionor a package runner such asclerk skill install. The binary is always the source of truth, so runbunx clerk@latestto verify anything this skill claims.clerk <command> --help
clerkclerkcurl本技能针对Clerk版本。如果latest显示的版本与最新可用CLI版本不符,请使用clerk --version或包运行器(如clerk skill install)更新。二进制文件始终是权威来源,因此可运行bunx clerk@latest来验证本技能中的任何说明。clerk <command> --help
Execution environment (prefer the host, understand the sandbox warning)
执行环境(优先使用主机环境,了解沙箱警告)
Most AI coding agents default to running shell commands in a sandbox where the
user's home directory, OS keychain, browser launch, localhost callback
binding, or network access may be blocked. The Clerk CLI depends on all of
those host capabilities:
- OS credential store: stores the OAuth token in the system keychain. A sandbox without keychain access reports "not logged in" even when the host is authenticated.
clerk auth login - Home-directory Clerk state: saved config, cached metadata, and fallback credentials live under the user's Clerk config/data directories.
- Linked project metadata: resolved from the repo's git remote plus Clerk config. Sandboxes with stripped repo state or blocked home-dir reads can misreport "not linked".
- Local files: publishable and secret keys materialized by
.env*.clerk env pull - Outbound network access to Clerk: every Backend and Platform API call.
- Browser + localhost OAuth callback: needs both.
clerk auth login
In agent mode, the CLI now does a best-effort warn-once check at the
host-sensitive library boundaries. When it detects that host-only Clerk state
or system capabilities are unavailable, it emits:
text
Host-only Clerk state or system capabilities may be unavailable in agent mode. This may be a sandboxed run.
Re-run this command on the host shell before trusting auth, link, env, or API failures.Treat that warning as authoritative. The command may continue, but any auth,
link, env, config, API, browser, or OAuth callback failure from that
invocation is untrusted until you rerun the same command on the host.
Prefer these commands on the user's host shell, not in a sandbox:
clerk doctorclerk whoamiclerk auth loginclerk linkclerk env pullclerk apps ...clerk config ...clerk api ...If a command was accidentally run in a sandbox and it reports ,
, , missing env, keychain/file permission errors,
or network failures, do not treat the result as authoritative. Rerun it on
the host before acting on it or reporting it to the user.
Not logged inauth_requirednot linked大多数AI编码代理默认在沙箱中运行shell命令,而沙箱可能会限制用户的主目录、OS密钥链、浏览器启动、本地主机回调绑定或网络访问。Clerk CLI依赖所有这些主机功能:
- OS凭证存储:会将OAuth令牌存储在系统密钥链中。如果沙箱没有密钥链访问权限,即使主机已认证,也会显示“未登录”。
clerk auth login - 主目录中的Clerk状态:已保存的配置、缓存的元数据和备用凭证存储在用户的Clerk配置/数据目录下。
- 关联项目元数据:从仓库的git远程地址和Clerk配置解析而来。如果沙箱中的仓库状态被剥离或主目录读取被阻止,可能会错误报告“未关联”。
- 本地文件:
.env*生成的可发布密钥和密钥材料。clerk env pull - 访问Clerk的出站网络:所有后端和平台API调用都需要。
- 浏览器+本地主机OAuth回调:需要这两者。
clerk auth login
在代理模式下,CLI现在会在主机敏感库边界处进行一次性的尽力检查。当检测到仅主机可用的Clerk状态或系统功能不可用时,会输出:
text
Host-only Clerk state or system capabilities may be unavailable in agent mode. This may be a sandboxed run.
Re-run this command on the host shell before trusting auth, link, env, or API failures.请将该警告视为权威信息。命令可能会继续执行,但该调用产生的任何身份验证、链接、环境、配置、API、浏览器或OAuth回调失败结果均不可信,除非在主机上重新运行相同命令。
优先在用户的主机shell中运行以下命令,而非沙箱:
clerk doctorclerk whoamiclerk auth loginclerk linkclerk env pullclerk apps ...clerk config ...clerk api ...如果命令意外在沙箱中运行并报告、、、缺少环境变量、密钥链/文件权限错误或网络故障,请勿将结果视为权威。在采取行动或向用户报告之前,先在主机上重新运行该命令。
Not logged inauth_requirednot linkedInvoking the CLI
调用CLI
Before running any command, figure out which binary to invoke and bind that choice for the rest of the session:
clerksh
undefined在运行任何命令之前,确定要调用的二进制文件,并在整个会话中保持该选择:
clerksh
undefined1. Prefer a globally installed binary when it matches the skill's target version.
1. 当全局安装的二进制文件与技能目标版本匹配时,优先使用它。
command -v clerk >/dev/null 2>&1 && clerk --version
If that prints `latest` or any version you trust, use bare `clerk` for the rest of the session.
Otherwise fall back to a package runner, in this order (matches the CLI's own `preferredRunner` logic, which prefers the runner that matches the project's lockfile):
| Project package manager | Invocation |
| ------------------------- | -------------------------------- |
| bun (`bun.lock*`) | `bunx clerk@latest` |
| npm (`package-lock.json`) | `npx -y clerk@latest` |
| pnpm (`pnpm-lock.yaml`) | `pnpm dlx clerk@latest` |
| yarn >= 2 (`yarn.lock`) | `yarn dlx clerk@latest` |
Yarn Classic (v1) has no `dlx`; treat those projects as "no preferred runner" and fall back to the first runner from the list above that's on PATH.
The published npm package is **`clerk`**, not `@clerk/cli`. Never teach `npm install -g clerk` as the primary path. If the global CLI is stale or behaves differently from this skill, either upgrade the global install or fall back to the `latest` runner form above.command -v clerk >/dev/null 2>&1 && clerk --version
如果输出显示`latest`或任何你信任的版本,则在整个会话中使用裸`clerk`命令。
否则,按以下顺序回退到包运行器(与CLI自身的`preferredRunner`逻辑一致,优先选择与项目锁文件匹配的运行器):
| 项目包管理器 | 调用方式 |
| ------------------------- | ------------------------------ |
| bun (`bun.lock*`) | `bunx clerk@latest` |
| npm (`package-lock.json`) | `npx -y clerk@latest` |
| pnpm (`pnpm-lock.yaml`) | `pnpm dlx clerk@latest` |
| yarn >= 2 (`yarn.lock`) | `yarn dlx clerk@latest` |
Yarn Classic(v1)没有`dlx`命令;将这些项目视为“无首选运行器”,并回退到PATH中存在的上述第一个运行器。
发布的npm包是**`clerk`**,而非`@clerk/cli`。切勿将`npm install -g clerk`作为主要安装方式。如果全局CLI版本过时或与本技能表现不同,请升级全局安装版本或回退到上述`latest`运行器形式。Prerequisites (run at session start)
前置条件(会话开始时运行)
Before running any other Clerk command in a session, verify the CLI is authenticated, linked, and healthy:
sh
clerk --version # confirm the binary is on PATH
clerk doctor --json # structured health check; exit 1 if anything failedAlways run first. It catches the common setup failures (not logged in, project not linked, missing keys, stale CLI version) up front, so later commands don't fail with confusing errors. In agent mode it also includes a check that warns when Clerk's host-side config / credential directories are not writable, which is the canonical signal that the current invocation is likely sandboxed.
clerk doctor --jsonHost executionEach result has , (//), , optional , optional (how to fix it), and optional (label for auto-fixable issues). Parse that and act on it, or surface it to the user. If warns, rerun the command on the host before trusting any auth/link/env/API failures from the same sandboxed run. Rerun whenever a later command starts misbehaving.
namestatuspasswarnfailmessagedetailremedyfixHost executionclerk doctor --jsonIf reports a newer CLI than this skill covers, trust first and refresh this skill bundle from its source.
clerk --versionclerk <command> --help在会话中运行任何其他Clerk命令之前,验证CLI已认证、已关联且运行正常:
sh
clerk --version # 确认二进制文件在PATH中
clerk doctor --json # 结构化健康检查;如果有任何失败则退出码为1务必先运行。它会提前发现常见的设置失败(未登录、项目未关联、缺少密钥、CLI版本过时),避免后续命令因混淆性错误而失败。在代理模式下,它还包括检查,当Clerk的主机端配置/凭证目录不可写时发出警告,这是当前调用可能处于沙箱环境的典型信号。
clerk doctor --jsonHost execution每个检查结果包含、(//)、、可选的、可选的(修复方法)和可选的(可自动修复问题的标签)。解析这些结果并采取行动,或向用户展示。如果发出警告,在信任同一沙箱运行产生的任何身份验证/链接/环境/API失败结果之前,先在主机上重新运行该命令。当后续命令开始出现异常时,重新运行。
namestatuspasswarnfailmessagedetailremedyfixHost executionclerk doctor --json如果报告的CLI版本比本技能涵盖的版本更新,请优先信任的内容,并从源更新本技能包。
clerk --versionclerk <command> --helpThe mental model
思维模型
| Layer | What it does | Commands |
|---|---|---|
| Session / project | Auth, link a repo to a Clerk app, pull env keys | |
| Instance config | Manage the configuration (social providers, session lifetimes, etc.) for a specific instance | |
| Backend API (default) | Runtime data: users, orgs, sessions, invitations, JWT templates, webhooks | |
Platform API ( | Account-level: applications, instances, billing | |
A project is "linked" to an application via . Once linked, most commands auto-resolve the target app and dev instance from the repo's git remote. To target something else, pass and/or . See references/auth.md for the full resolution order.
clerk link--app <id>--instance dev|prod|<instance_id>| 层级 | 功能描述 | 命令 |
|---|---|---|
| 会话/项目 | 身份验证、将仓库关联到Clerk应用、拉取环境密钥 | |
| 实例配置 | 管理特定实例的配置(社交提供商、会话生命周期等) | |
| 后端API(默认) | 运行时数据:用户、组织、会话、邀请、JWT模板、Webhook | |
平台API( | 账户级:应用、实例、账单 | |
通过将项目“关联”到应用。关联后,大多数命令会自动从仓库的git远程地址解析目标应用和开发实例。要定位其他资源,请传递和/或。有关完整的解析顺序,请参阅references/auth.md。
clerk link--app <id>--instance dev|prod|<instance_id>Discover endpoints - don't memorize them
发现端点 - 无需记忆
The CLI ships with the Clerk OpenAPI catalog. Always discover endpoints dynamically instead of guessing paths:
sh
clerk api ls # list every Backend API endpoint
clerk api ls users # filter by keyword (matches path, summary, tag, operationId)
clerk api ls --platform apps # list Platform API endpointsUse this before . If you don't see the endpoint you expected, it probably isn't exposed.
clerk api <path>CLI附带Clerk OpenAPI目录。始终动态发现端点,而非猜测路径:
sh
clerk api ls # 列出所有后端API端点
clerk api ls users # 按关键字过滤(匹配路径、摘要、标签、operationId)
clerk api ls --platform apps # 列出平台API端点在运行之前使用此命令。如果未找到预期的端点,可能它并未暴露。
clerk api <path>The clerk api
command (the workhorse)
clerk apiclerk api
命令(核心工具)
clerk apiclerk api--dry-runsh
undefinedclerk api--dry-runsh
undefinedGET requests
GET请求
clerk api /users # list users
clerk api /users/user_abc123 # fetch one
clerk api /users?limit=5&order_by=-created_at # query params work inline
clerk api /users # 列出用户
clerk api /users/user_abc123 # 获取单个用户
clerk api /users?limit=5&order_by=-created_at # 查询参数可直接内联
Mutating requests
变更请求
clerk api /users -d '{"email_address":["a@b.co"]}' # POST (auto-detected from body)
clerk api /users/user_abc123 -X PATCH -d '{"first_name":"A"}'
clerk api /users/user_abc123 -X DELETE
clerk api /users -d '{"email_address":["a@b.co"]}' # POST(根据请求体自动检测)
clerk api /users/user_abc123 -X PATCH -d '{"first_name":"A"}'
clerk api /users/user_abc123 -X DELETE
Body from file or stdin
从文件或标准输入读取请求体
clerk api /users --file payload.json
cat payload.json | clerk api /users
clerk api /users --file payload.json
cat payload.json | clerk api /users
Always preview mutations first
始终先预览变更
clerk api /users/user_abc123 -X DELETE --dry-run
clerk api /users/user_abc123 -X DELETE --yes # skip confirmation once you've verified
clerk api /users/user_abc123 -X DELETE --dry-run
clerk api /users/user_abc123 -X DELETE --yes # 验证后跳过确认
Target a specific app/instance
定位特定应用/实例
clerk api /users --app app_abc123 --instance prod
clerk api /users --app app_abc123 --instance prod
Include response headers when debugging
调试时包含响应头
clerk api /users --include
clerk api /users --include
Platform API (account-level, not tenant data)
平台API(账户级,非租户数据)
clerk api /v1/platform/applications --platform
For instance config, prefer the dedicated `clerk config ...` commands over raw Platform API `/config` paths. They handle dry-run, diffing, and confirmation more cleanly than the raw endpoint form.
**Always `--dry-run` a mutation before running it for real.** Then re-run without `--dry-run` (add `--yes` if you're sure). In agent mode, interactive confirmation is bypassed, so `--dry-run` is the only safety net for destructive calls.
**JSON bodies must be valid JSON.** The CLI validates and rejects malformed payloads.
**Endpoint paths may be given with or without `/v1/` prefix** - both work for Backend API calls. The CLI normalizes.
See [references/recipes.md](references/recipes.md) for concrete patterns: listing/filtering users, creating orgs, impersonation sessions, etc.clerk api /v1/platform/applications --platform
对于实例配置,优先使用专用的`clerk config ...`命令,而非原生平台API的`/config`路径。与原生端点形式相比,它们能更清晰地处理试运行、差异对比和确认操作。
**执行变更前务必使用`--dry-run`预览**。然后再不带`--dry-run`重新运行(如果确定无误可添加`--yes`)。在代理模式下,交互式确认被绕过,因此`--dry-run`是破坏性调用的唯一安全保障。
**JSON请求体必须是有效的JSON**。CLI会验证并拒绝格式错误的负载。
**端点路径可以带或不带`/v1/`前缀** - 两种形式在后端API调用中都有效。CLI会自动规范化。
有关具体模式,请参阅[references/recipes.md](references/recipes.md):列出/过滤用户、创建组织、模拟会话等。Inspecting large outputs (do not flood your context)
检查大型输出(避免占用过多上下文)
users listapps listconfig pullclerk apijqsh
undefinedusers listapps listconfig pullclerk apijqsh
undefined1. Persist the response. Use --limit 250 to maximize page size for users list.
1. 保存响应。用户列表使用--limit 250来最大化每页大小。
clerk users list --json --limit 250 > /tmp/users.json
clerk apps list --json > /tmp/apps.json
clerk api /users/user_abc123 > /tmp/user.json
clerk users list --json --limit 250 > /tmp/users.json
clerk apps list --json > /tmp/apps.json
clerk api /users/user_abc123 > /tmp/user.json
2. Inspect only what you need.
2. 仅检查所需内容。
jq '.data | length' /tmp/users.json # current page size
jq '.hasMore' /tmp/users.json # are more pages available?
jq '.data[0] | keys' /tmp/users.json # discover the user shape once
jq '.data[] | {id, email_addresses}' /tmp/users.json # project to a few fields
jq '[.data[] | select(.banned)] | length' /tmp/users.json # aggregate without reading rows
**If `jq` is not available**, fall back to Python or Node - both can stream the file without printing it whole:
```sh
python3 -c 'import json; d=json.load(open("/tmp/users.json")); print(len(d["data"]), d["hasMore"])'
node -e 'const d=require("/tmp/users.json"); console.log(d.data.length, d.hasMore)'catheadpage-${offset}.jsonjq '.data | length' /tmp/users.json # 当前页面大小
jq '.hasMore' /tmp/users.json # 是否还有更多页面?
jq '.data[0] | keys' /tmp/users.json # 一次性发现用户数据结构
jq '.data[] | {id, email_addresses}' /tmp/users.json # 提取部分字段
jq '[.data[] | select(.banned)] | length' /tmp/users.json # 聚合数据而无需逐行查看
**如果`jq`不可用**,回退到Python或Node - 两者都可以流式处理文件而无需完整打印:
```sh
python3 -c 'import json; d=json.load(open("/tmp/users.json")); print(len(d["data"]), d["hasMore"])'
node -e 'const d=require("/tmp/users.json"); console.log(d.data.length, d.hasMore)'仅当确实需要查看原始结构进行一次性调试时,才使用/查看文件。分页时,将每个页面写入单独的文件(例如),以便单独检查每个页面。
catheadpage-${offset}.jsonCore commands at a glance
核心命令概览
| Command | Purpose | Key flags |
|---|---|---|
| Scaffold Clerk into a project. | |
| OAuth browser login (stores token). Agent mode: no-op if already logged in. With no stored session it still opens a browser and binds a localhost callback, so it is not unattended; prefer | - |
| Clear stored credentials. Aliases: | - |
| Print the logged-in email. | - |
| Link this repo to a Clerk app, or remove the link. | (see |
| Write publishable + secret keys to the framework's env file (merge, not clobber). Resolves | (see |
| Fetch instance config JSON, or its JSON Schema. | (see |
| Partial update (PATCH) of instance config. Pass | |
| Full replacement (PUT) of instance config. Pass | |
| List or create Clerk applications. Defaults to JSON in agent mode. | (see |
| Interactive picker for | |
| List users via curated BAPI flags. JSON output (default when piped or in agent mode) is | |
| Create a user from curated flags or a raw BAPI body. Confirmation prompt unless | |
| Open a user's dashboard page. Agent mode requires | (see |
| Open the linked app's dashboard in a browser. Agent mode: prints a JSON descriptor instead of opening. | (see |
| Human-mode production deploy wizard. Agent mode: emits a read-only JSON handoff and tells the agent whether to ask the human to run the wizard, wait for provisioning, finish OAuth, or do nothing. | |
| Read-only deploy verification. Triggers a DNS check, reports aggregate domain and OAuth readiness, and exits | |
| Health check (CLI version, login, link, env, config, completion; plus host-execution probe in agent mode). | |
| Authenticated HTTP to Backend/Platform API. | |
| Discover endpoints from the bundled OpenAPI catalog. | (see |
| Print a shell completion script ( | - |
| Update the CLI to the latest version. | |
| Reinstall the bundled | (see |
clerk <command> --helpclerk <command> --helpsetExamples([...])--help| 命令 | 用途 | 关键标志 |
|---|---|---|
| 在项目中搭建Clerk。 | |
| OAuth浏览器登录(存储令牌)。代理模式:如果已登录则无操作。如果没有存储的会话,它仍会打开浏览器并绑定本地主机回调,因此无法无人值守;无头流程优先使用 | - |
| 清除存储的凭证。别名: | - |
| 打印登录邮箱。 | - |
| 将此仓库关联到Clerk应用,或移除关联。代理模式下 | (查看 |
| 将可发布密钥+密钥写入框架的环境文件(合并而非覆盖)。解析顺序为 | (查看 |
| 获取实例配置JSON,或其JSON Schema。 | (查看 |
| 实例配置的部分更新(PATCH)。传递 | |
| 实例配置的完全替换(PUT)。传递 | |
| 列出或创建Clerk应用。代理模式下默认为JSON输出。 | (查看 |
| 人机模式下 | |
| 通过精选的BAPI标志列出用户。JSON输出(管道传输或代理模式下默认)格式为 | |
| 通过精选标志或原始BAPI请求体创建用户。除非使用 | |
| 打开用户的仪表板页面。代理模式下需要 | (查看 |
| 在浏览器中打开关联应用的仪表板。代理模式下:打印JSON描述符而非打开浏览器。 | (查看 |
| 人机模式下的生产部署向导。代理模式下:输出只读JSON交接信息,并告知代理是否需要让用户运行向导、等待配置完成、完成OAuth或不执行任何操作。 | |
| 只读部署验证。触发DNS检查,报告域名和OAuth就绪状态汇总,仅当完成时退出码为 | |
| 健康检查(CLI版本、登录状态、关联状态、环境变量、配置、自动补全;代理模式下还包括主机执行探测)。 | |
| 向后端/平台API发起已认证的HTTP请求。 | |
| 从内置OpenAPI目录发现端点。 | (查看 |
| 打印shell自动补全脚本( | - |
| 将CLI更新到最新版本。 | |
| 从CLI重新安装内置的 | (查看 |
clerk <command> --helpclerk <command> --helpsetExamples([...])--helpAgent-mode behavior (important)
代理模式行为(重要)
The CLI auto-detects agent mode when stdout is not a TTY, or when / is set. In agent mode:
--mode agentCLERK_MODE=agent- Interactive prompts are disabled. Commands that would normally show pickers (without
link,--appwithoutunlink,--yeswithout a subcommand) either auto-resolve or exit with a usage error.userswith no args prints usage guidance and exits 0; pass an endpoint (orclerk api) explicitly. Always pass explicit flags (ls,--app) in scripted calls.--yes - Host-sensitive operations emit a sandbox warning once per invocation. Home-directory Clerk state, keychain access, networked Clerk calls, browser launch, and localhost OAuth callback setup can trigger the warning shown above. If it appears, rerun the same command on the host before trusting the result.
- If your harness does not clearly present as agent mode, force it. Use or
--mode agentwhen you want the CLI's non-interactive behavior and sandbox warning path to apply deterministically.CLERK_MODE=agent - supports deterministic agent flows. In agent mode,
linklinks directly. Withoutclerk link --app <id>, the CLI will try silent key-based autolink first; if it cannot determine the app unambiguously, it exits and tells you to pass--app.--app - never selects or creates a real Clerk app for you in agent mode unless authenticated or given a target. Pass
init(or pre-link the project) to authenticate and link a real app, or pass--app <id>to use auto-generated temporary development keys when bootstrapping a new project on a keyless-capable framework. Without either, agent mode prints manual setup guidance and exits cleanly.--keyless - requires
unlinkin agent mode. This preserves the same safety bar as other destructive commands while still letting an agent complete the unlink non-interactively.--yes - Mutations still require unless you accept per-call confirmation is impossible.
--yes - is ignored. Parse
doctor --fixoutput'sdoctor --jsonfield and act on it yourself.remedy - and
apps listdefault to JSON when piped.apps create - defaults to JSON when piped, like
users.appsandclerk users listemit JSON in agent mode. Bareclerk users create(no subcommand) is a usage error in agent mode - passclerk users,list, orcreateexplicitly.openrequires theclerk users openpositional in agent mode and prints a JSON descriptor instead of launching a browser.user-id - has an agent handoff plus a verification gate. In agent mode, bare
deployis read-only and emits a JSON handoff. It never drives the interactive wizard. Do not tell Claude or another agent to runclerk deploy, because the wizard needs interactive stdin prompts. Ask the human to run! clerk deployin a new terminal window when needed, then runclerk deployto verify completion. See references/agent-mode.md.clerk deploy status --mode agent - expands JSON into flags on any command (e.g.
--input-json <json|@file|->). Piped stdin is also accepted:clerk init --input-json '{"framework":"next","yes":true}'. Placeecho '{"yes":true}' | clerk initafter the leaf subcommand. Full rules in references/agent-mode.md.--input-json
Full matrix and sandbox details in references/agent-mode.md.
当stdout不是TTY,或设置了/时,CLI会自动检测到代理模式。在代理模式下:
--mode agentCLERK_MODE=agent- 交互式提示被禁用。通常会显示选择器的命令(不带的
--app、不带link的--yes、不带子命令的unlink)要么自动解析,要么退出并显示使用错误。不带参数的users会打印使用指南并以退出码clerk api退出;请显式传递端点(或0)。在脚本调用中始终传递明确的标志(ls,--app)。--yes - 主机敏感操作会在每次调用时发出一次沙箱警告。主目录中的Clerk状态、密钥链访问、Clerk网络调用、浏览器启动和本地主机OAuth回调设置可能会触发上述警告。如果出现警告,在信任结果之前先在主机上重新运行相同命令。
- 如果你的工具未明确呈现为代理模式,请强制设置。当你需要CLI的非交互式行为和沙箱警告路径确定生效时,使用或
--mode agent。CLERK_MODE=agent - 支持确定性代理流程。在代理模式下,
link直接关联。如果不带clerk link --app <id>,CLI会首先尝试基于密钥的静默自动关联;如果无法明确确定应用,则退出并提示传递--app。--app - 代理模式下不会为你选择或创建真实的Clerk应用,除非已认证或指定了目标。传递
init(或预先关联项目)以认证并关联真实应用,或传递--app <id>以在无密钥支持的框架上引导新项目时使用自动生成的临时开发密钥。如果两者都不传递,代理模式会打印手动设置指南并干净退出。--keyless - 代理模式下需要
unlink。这在保持与其他破坏性命令相同安全标准的同时,仍允许代理非交互式完成解除关联操作。--yes - 变更操作仍需要,除非你接受无法进行每次调用确认。
--yes - 会被忽略。解析
doctor --fix输出的doctor --json字段并自行采取行动。remedy - 和
apps list在管道传输时默认为JSON格式。apps create - 在管道传输时默认为JSON格式,与
users类似。apps和clerk users list在代理模式下输出JSON。不带子命令的裸clerk users create在代理模式下是使用错误 - 请显式传递clerk users、list或create。代理模式下open需要clerk users open参数,并打印JSON描述符而非启动浏览器。user-id - 有代理交接和验证门限。代理模式下,裸
deploy是只读的并输出JSON交接信息。它永远不会驱动交互式向导。不要让Claude或其他代理运行clerk deploy,因为向导需要交互式标准输入提示。必要时请用户在新终端窗口中运行! clerk deploy,然后运行clerk deploy验证完成。请参阅references/agent-mode.md。clerk deploy status --mode agent - 可在任何命令上将JSON扩展为标志(例如
--input-json <json|@file|->)。也接受管道标准输入:clerk init --input-json '{"framework":"next","yes":true}'。将echo '{"yes":true}' | clerk init放在叶子子命令之后。完整规则请参阅references/agent-mode.md。--input-json
完整的矩阵和沙箱详情请参阅references/agent-mode.md。
Output format and errors
输出格式和错误
- JSON output: on
--jsonandapps list. Fordoctor, the response body is the raw API JSON, so pipe intoclerk apifreely.jq - Exit codes: success,
0runtime error,1usage/validation error.2returnsdoctorif any check failed.1 - Error format: User-facing errors print a single line to stderr and set a non-zero exit code. Use for stack traces when debugging.
--verbose
- JSON输出:和
apps list使用doctor标志。对于--json,响应体是原始API JSON,因此可自由通过管道传输到clerk api。jq - 退出码:表示成功,
0表示运行时错误,1表示使用/验证错误。如果任何检查失败,2返回doctor。1 - 错误格式:面向用户的错误会向stderr打印单行信息并设置非零退出码。调试时使用查看堆栈跟踪。
--verbose
Safety rules for autonomous use
自主使用的安全规则
- Discover before acting: before
clerk api ls <keyword>.clerk api <path> - Preview mutations: on every
--dry-run,config patch,config put.api -X POST/PATCH/PUT/DELETE - Target explicitly in production: pass rather than relying on defaults, and confirm with the user before any production mutation.
--instance prod - Never commit secrets: writes to
env pull(which should be gitignored). Don't paste secret keys into code or chat..env.local - Use to diagnose before assuming the CLI is broken.
doctor --json
- 先发现再行动:运行之后再执行
clerk api ls <keyword>。clerk api <path> - 预览变更:对每个、
config patch、config put使用api -X POST/PATCH/PUT/DELETE。--dry-run - 生产环境显式定位:传递而非依赖默认值,并且在进行任何生产变更前与用户确认。
--instance prod - 切勿提交密钥:写入
env pull(应被git忽略)。不要将密钥粘贴到代码或聊天中。.env.local - 使用在假设CLI出现故障之前进行诊断。
doctor --json
References
参考资料
- references/auth.md - auth flow, key resolution order, host-vs-sandbox behavior, /
--apptargeting, Backend vs Platform API.--instance - references/recipes.md - copy-pasteable recipes for common Clerk tasks.
- references/agent-mode.md - agent-mode behavior matrix, sandbox warning semantics, exit codes, error format.
- references/auth.md - 认证流程、密钥解析顺序、主机与沙箱行为、/
--app定位、后端与平台API对比。--instance - references/recipes.md - 常见Clerk任务的可复制粘贴方案。
- references/agent-mode.md - 代理模式行为矩阵、沙箱警告语义、退出码、错误格式。