Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/gravitational/teleport/llms.txt

Use this file to discover all available pages before exploring further.

tctl is the administrative CLI for Teleport cluster management. It lets cluster administrators manage users, roles, join tokens, certificate authorities, nodes, access requests, and Machine ID bots — either locally on an Auth Service host or remotely using a signed identity file. 
tctl [<flags>] <command> [<args> ...]
tctl requires either local access to the Teleport Auth Service (via /etc/teleport.yaml) or a remote identity file created with tctl auth sign. Running it without proper authorization will result in an authentication error.

Global Flags

FlagDefaultDescription
--auth-serverno defaultAttempts to connect to specific auth/proxy address(es) instead of local auth [127.0.0.1:3025].
-c, --configno defaultPath to a configuration file [/etc/teleport.yaml] for an Auth Service instance.
-i, --identityno defaultPath to an identity file for remote auth connections.
--mfa-modeautoPreferred MFA mode: auto, cross-platform, platform, sso, browser.
--[no-]insecurefalseDo not verify the proxy TLS certificate (use with caution).
-d, --[no-]debugfalseEnable verbose logging to stderr.

Global Environment Variables

VariableDefaultDescription
TELEPORT_AUTH_SERVERno defaultAttempts to connect to specific auth/proxy address(es) instead of local auth.
TELEPORT_IDENTITY_FILEno defaultPath to an identity file for remote connections.
TELEPORT_MFA_MODEautoPreferred MFA mode.

User Commands

tctl users add

Generate a user invitation token for a new local Teleport user. 
tctl users add --roles=ROLES [<flags>] <account>
FlagDefaultDescription
--rolesno defaultList of roles for the new user to assume.
--loginsno defaultList of allowed SSH logins for the new user.
--ttl1h0m0sSet expiration time for token (max 48h).
--formattextOutput format: text, json, yaml.
--kubernetes-groupsno defaultList of allowed Kubernetes groups for the new user.
--kubernetes-usersno defaultList of allowed Kubernetes users for the new user.
--db-usersno defaultList of allowed database users for the new user.
--db-namesno defaultList of allowed database names for the new user.
--db-rolesno defaultList of database roles for automatic database user provisioning.
--aws-role-arnsno defaultList of allowed AWS role ARNs for the new user.
--azure-identitiesno defaultList of allowed Azure identities for the new user.
--gcp-service-accountsno defaultList of allowed GCP service accounts for the new user.
--host-user-uidno defaultUID for auto provisioned host users to use.
--host-user-gidno defaultGID for auto provisioned host users to use.
--windows-loginsno defaultList of allowed Windows logins for the new user.
--mcp-toolsno defaultList of allowed MCP tools for the new user.
--default-relay-addrno defaultRelay address that clients should use by default.
Example: 
# Add a new user with the 'dev' role
tctl users add --roles=dev alice

# Add a user with SSH logins
tctl users add --roles=devops --logins=ubuntu,ec2-user bob

tctl users ls

List all user accounts in the cluster. 
tctl users ls [<flags>]
FlagDefaultDescription
--formattextOutput format: text, json, yaml.
Example: 
tctl users ls
tctl users ls --format=json

tctl users rm

Delete one or more user accounts. 
tctl users rm <logins>
Example: 
# Delete a single user
tctl users rm alice

# Delete multiple users (comma-separated)
tctl users rm alice,bob

tctl users reset

Reset a user’s password and generate a new invitation token. 
tctl users reset [<flags>] <account>
FlagDefaultDescription
--ttl8h0m0sSet expiration time for token (max 24h).
--formattextOutput format: text, json, yaml.
Example: 
tctl users reset alice

Role Commands

Roles are managed using the generic tctl get, tctl create, and tctl rm resource commands.

tctl get roles

Retrieve and display role definitions. 
tctl get roles [<flags>]
tctl get roles/<rolename>
FlagDefaultDescription
--formatyamlOutput format: yaml, json, text.
--[no-]with-secretsfalseInclude secrets in output.
Example: 
# List all roles
tctl get roles

# Get a specific role in YAML format
tctl get roles/dev-access

# Get in JSON
tctl get roles/dev-access --format=json

tctl create (roles)

Create or update a role from a YAML file. 
tctl create [<flags>] [<filename>]
FlagDefaultDescription
-f, --[no-]forcefalseOverwrite the resource if it already exists.
Example: 
# Create a role from a YAML file
tctl create role.yaml

# Force-overwrite an existing role
tctl create -f role.yaml
Sample role YAML: 
kind: role
version: v7
metadata:
  name: dev-access
spec:
  allow:
    logins: ['ubuntu', 'ec2-user']
    node_labels:
      env: dev
  deny: {}

tctl rm (roles)

Delete a role. 
tctl rm roles/<rolename>
Example: 
tctl rm roles/dev-access

Token Commands

tctl tokens add

Create an invitation token for joining nodes, proxies, databases, or apps. 
tctl tokens add --type=TYPE [<flags>]
FlagDefaultDescription
--typeno defaultType(s) of token to add, e.g. --type=node,app,db,proxy.
--ttl30m0sSet expiration time for token (default 30 minutes).
--valueno defaultOverride the default random generated token with a specified value.
--formatno defaultOutput format: text, json, yaml.
--labelsno defaultSet token labels, e.g. env=prod,region=us-west.
Example: 
# Create a node join token
tctl tokens add --type=node

# Create a token valid for 1 hour for a database agent
tctl tokens add --type=db --ttl=1h

# Create a token with a custom value
tctl tokens add --type=node --value=my-secret-token

tctl tokens ls

List existing invitation tokens. 
tctl tokens ls [<flags>]
FlagDefaultDescription
--formatno defaultOutput format: text, json, yaml.
--labelsno defaultFilter by labels.
--[no-]with-secretsfalseDo not redact join tokens (show full values).
Example: 
tctl tokens ls
tctl tokens ls --format=json

tctl tokens rm

Delete/revoke an invitation token. 
tctl tokens rm [<token>]
Example: 
tctl tokens rm abc123tokenvalue

Auth Commands

tctl auth sign

Create an identity file for a given user (used for remote tctl access or CI/CD pipelines). 
tctl auth sign --out=OUT [<flags>]
FlagDefaultDescription
-o, --outno defaultIdentity output path (required).
--userno defaultTeleport user name.
--hostno defaultTeleport host name.
--ttl12h0m0sTTL for the generated certificate.
--formatfileIdentity format: file, openssh, tls, kubernetes, db, windows, mongodb, cockroachdb, redis, snowflake, elasticsearch, cassandra, scylla, oracle.
--proxyno defaultProxy address (used when format is kubernetes).
--kube-cluster-nameno defaultKubernetes cluster name when format is kubernetes.
--leaf-clusterno defaultLeaf cluster to generate identity file for when format is kubernetes.
--app-nameno defaultApplication to generate identity file for. Mutually exclusive with --db-service.
--db-serviceno defaultDatabase to generate identity file for. Mutually exclusive with --app-name.
--db-userno defaultDatabase user placed on the identity file. Only used when --db-service is set.
--db-nameno defaultDatabase name placed on the identity file. Only used when --db-service is set.
--compatno defaultOpenSSH compatibility flag.
--[no-]overwritefalseWhether to overwrite existing destination files.
--[no-]tarfalseCreate a tarball of the resulting certificates and stream to stdout.
Example: 
# Sign an identity for a user
tctl auth sign --user=alice --out=/tmp/alice-identity

# Sign a kubeconfig for a Kubernetes cluster
tctl auth sign --user=alice --format=kubernetes \
  --kube-cluster-name=my-cluster --out=kubeconfig

# Sign a certificate with a 24-hour TTL
tctl auth sign --user=ci-bot --ttl=24h --out=/tmp/ci-identity

tctl auth export

Export public cluster CA certificates. 
tctl auth export [<flags>]
FlagDefaultDescription
--typeno defaultCertificate type: user, host, tls-host, tls-user, db, openssh, etc.
--fingerprintno defaultFilter by CA fingerprint.
--outno defaultWrite exported authorities to files with the given path prefix.
--[no-]keysfalseIf set, also print private keys.
Example: 
# Export host CA
tctl auth export --type=tls-host

# Export user CA
tctl auth export --type=user

Node Commands

tctl nodes ls

List all active SSH nodes in the cluster. 
tctl nodes ls [<flags>] [<labels>]
FlagDefaultDescription
--formattextOutput format: text, json, yaml.
--searchno defaultSearch keywords.
--queryno defaultPredicate language query.
-v, --[no-]verbosefalseVerbose table output.
Example: 
tctl nodes ls
tctl nodes ls env=production
tctl nodes ls --format=json

tctl nodes add

Generate a node invitation token. 
tctl nodes add [<flags>]
FlagDefaultDescription
--rolesnodeComma-separated roles for the new node.
--ttl30m0sTime to live for the generated token.
--tokenno defaultOverride the generated token with a specified value.
--formattextOutput format: text, json, yaml.
Example: 
tctl nodes add
tctl nodes add --ttl=1h

Access Request Commands

tctl requests ls

Show active Access Requests. 
tctl requests ls [<flags>]
FlagDefaultDescription
--formattextOutput format: text, json, yaml.
--sort-indexcreatedSort field: created or state.
--sort-orderdescendingSort order: ascending or descending.
Example: 
tctl requests ls
tctl requests ls --format=json

tctl requests approve

Approve a pending Access Request. 
tctl requests approve [<flags>] <request-id>
FlagDefaultDescription
--reasonno defaultOptional reason message.
--rolesno defaultOverride requested roles.
--annotationsno defaultResolution attributes as key=val[,...].
--assume-start-timeno defaultSets when roles can be assumed (RFC3339).
--delegatorno defaultOptional delegating identity.
Example: 
tctl requests approve --reason="Verified and approved" abc123-request-id

tctl requests deny

Deny a pending Access Request. 
tctl requests deny [<flags>] <request-id>
FlagDefaultDescription
--reasonno defaultOptional reason message.
--annotationsno defaultResolution annotations.
--delegatorno defaultOptional delegating identity.
Example: 
tctl requests deny --reason="Outside the change window" abc123-request-id

tctl requests review

Review an Access Request. 
tctl requests review --author=AUTHOR [<flags>] <request-id>
FlagDefaultDescription
--authorno defaultUsername of reviewer (required).
--[no-]approvefalseReview proposes approval.
--[no-]denyfalseReview proposes denial.
Example: 
tctl requests review --author=admin --approve abc123-request-id

Bot Commands

Bots are Machine ID agents that programmatically issue short-lived certificates.

tctl bots add

Add a new bot to the cluster. 
tctl bots add [<flags>] <name>
FlagDefaultDescription
--rolesno defaultRoles the bot is able to assume.
--loginsno defaultList of allowed SSH logins for the bot user.
--ttl1h0m0sTTL for the bot join token.
--tokenno defaultSpecify a token to use; if unset, one is generated.
--formattextOutput format: text, json, yaml.
--max-session-ttlno defaultSet a max session TTL for the bot’s internal identity (12h default, 168h maximum).
--initial-public-keyno defaultUse the given initial public key in SSH authorized_keys format. Not compatible with --token or --legacy.
--[no-]legacyfalseGenerate a legacy joining token instead of a bound keypair token. No effect if --token is set.
--recovery-limitno defaultOverrides the recovery limit for the bound keypair token. Must be greater than 1.
--recovery-modestandardOverride the recovery mode for the bound keypair token: standard, relaxed, insecure.
--registration-secretno defaultSets a registration secret for the bound keypair token.
Example: 
# Add a bot with the 'ci-reader' role
tctl bots add --roles=ci-reader ci-bot

# Add a bot with a custom token TTL
tctl bots add --roles=deployer --ttl=4h deploy-bot

tctl bots ls

List all Machine ID bots registered with the cluster. 
tctl bots ls [<flags>]
FlagDefaultDescription
--formattextOutput format: text, json, yaml.
Example: 
tctl bots ls

tctl bots rm

Permanently remove a bot from the cluster. 
tctl bots rm <name>
Example: 
tctl bots rm ci-bot

Resource CRUD

tctl provides generic resource management commands that work with any Teleport resource kind.

tctl get

Print a YAML (or JSON) declaration of any Teleport resource. 
tctl get [<flags>] <resources> [<id>]
Examples: 
tctl get roles
tctl get users/alice
tctl get nodes
tctl get cert_authority

tctl create

Create or update a resource from a YAML file. 
tctl create [<flags>] [<filename>]

tctl create -f my-role.yaml

tctl rm

Delete a resource by type and name. 
tctl rm <resource-type>/<resource-name>

tctl rm roles/dev-access
tctl rm users/alice
tctl rm tokens/abc123

tctl edit

Open a resource in your editor for interactive editing. 
tctl edit <resource-type>/<resource-name>

tctl edit roles/dev-access
Use tctl status to display a summary of the cluster’s health and CA information — helpful for verifying connectivity before running other admin commands.

Build docs developers (and LLMs) love

Get started for freeTalk to us