@lance0/latch-cli

CLI tools for Latch authentication library

Quickly generate secrets and initialize Latch configuration with an interactive wizard.

Installation

# Global installation
npm install -g @lance0/latch-cli

# Or use with npx (no installation required)
npx @lance0/latch-cli [command]

Commands

generate-secret (alias: secret)

Generate a cryptographically secure random secret for LATCH_COOKIE_SECRET:

npx @lance0/latch-cli generate-secret

# Output:
# ✓ Generated secure cookie secret:
#
# LATCH_COOKIE_SECRET=ip+N8RAVD2jUtdKKQEqk9wgyNE8BHI/L8c5qYRnjVcM=
#
# Add this to your .env.local file
# Never commit this secret to version control!

init

Interactive wizard to initialize Latch configuration:

npx @lance0/latch-cli init

The wizard will prompt you for:

1. Cloud environment - Azure Commercial, GCC-High, or DoD
2. Azure AD Client ID - Application (client) ID from Azure portal
3. Azure AD Tenant ID - Directory (tenant) ID from Azure portal
4. Client type - Public Client (PKCE) or Confidential Client (client_secret)
5. Client Secret - (Only if Confidential Client selected)
6. OAuth Redirect URI - Defaults to http://localhost:3000/api/latch/callback
7. OAuth Scopes - Defaults to openid profile User.Read

Example session:

🔐 Latch Configuration Wizard

? Which Azure cloud environment? › Azure Government GCC-High (IL4)
? Azure AD Client ID (Application ID): › 00000000-0000-0000-0000-000000000000
? Azure AD Tenant ID (Directory ID): › 11111111-1111-1111-1111-111111111111
? Client type: › Confidential Client (Client Secret)
? Azure AD Client Secret (from Certificates & secrets): › ••••••••••••••••
? OAuth Redirect URI: › http://localhost:3000/api/latch/callback
? OAuth Scopes (space-separated): › openid profile User.Read

✓ Configuration complete!

Created: .env.local

Next steps:
  1. Review your .env.local file
  2. Create API routes in app/api/latch/
  3. Wrap your app with <LatchProvider>
  4. Run pnpm dev to start

⚠  Government Cloud Notes:
  • Register your app at https://portal.azure.us
  • Do NOT use .com Graph URLs in scopes

ℹ️  Confidential Client Setup:
  • Add http://localhost:3000/api/latch/callback to Redirect URIs (Web platform)
  • Client secret rotation recommended every 6-12 months
  • See docs/AUTHENTICATION_SETUP.md for rotation procedures

Output:

Creates a .env.local file with all required Latch configuration:

# Latch Configuration - Azure Government GCC-High
# Generated by @lance0/latch-cli on 2025-10-23

# Azure AD Application
LATCH_CLIENT_ID=00000000-0000-0000-0000-000000000000
LATCH_TENANT_ID=11111111-1111-1111-1111-111111111111
LATCH_CLIENT_SECRET=your-client-secret-here  # Only if Confidential Client

# Cloud Environment
LATCH_CLOUD=gcc-high

# OAuth Configuration
LATCH_SCOPES=openid profile User.Read
LATCH_REDIRECT_URI=http://localhost:3000/api/latch/callback

# Cookie Encryption Secret (NEVER commit this!)
LATCH_COOKIE_SECRET=<automatically generated>

# Debug Mode (optional)
LATCH_DEBUG=false

# Next.js URL
NEXTAUTH_URL=http://localhost:3000

scaffold

Copy API routes and Server Actions from example apps.

latch scaffold
latch scaffold --example commercial

validate

Validate .env.local for common mistakes (UUIDs, cloud/scope mismatches, etc).

latch validate

doctor

Run diagnostics on your Latch setup (checks install, config, routes, LatchProvider).

latch doctor

Features

✅ Interactive wizards with validation ✅ Scaffold routes from examples
✅ Validate configuration
✅ Diagnose setup issues ✅ Auto-generate secure secrets

Usage in Monorepo

If you're developing in the Latch monorepo:

# From root
pnpm --filter @lance0/latch-cli build

# Run locally
node packages/latch-cli/dist/index.js generate-secret
node packages/latch-cli/dist/index.js init

Related Packages

• @lance0/latch - Core authentication library

License

Apache-2.0