Skip to content

Kupe CLI

Use the kupe CLI for everyday tenant and cluster operations.

Pick your operating system. Each tab shows the most common install paths for that platform; advanced options that work on any platform (go install, direct binary download) are below.

Install script — no prerequisites, installs to ~/.local/bin (no sudo, no password prompt):

Terminal window
curl -fsSL https://get.kupe.cloud | sh

On macOS, ~/.local/bin isn’t on PATH by default; the script prints shell-specific one-liners to add it after install.

Homebrew — auto-updates, plus shell completions (bash/zsh/fish) and the man page are wired up automatically:

Terminal window
brew install kupecloud/tap/kupe

Update with brew upgrade kupe. If brew upgrade reports “the latest version is already installed” but you know a newer version exists, run brew update first to refresh the tap clone — Homebrew throttles auto-updates to once a day by default.

These work on macOS and Linux:

Terminal window
# Pin a specific version (default: latest)
curl -fsSL https://get.kupe.cloud | sh -s -- --version 1.1.3
# System-wide install instead of ~/.local/bin (will sudo)
curl -fsSL https://get.kupe.cloud | sh -s -- --install-dir /usr/local/bin
# Install into any custom directory
curl -fsSL https://get.kupe.cloud | sh -s -- --install-dir /opt/bin

Requirements: curl, tar, and either sha256sum or shasum. Works on any POSIX shell — your interactive shell (bash, zsh, fish, etc.) doesn’t matter because the script is interpreted by sh after the pipe.

These work on any platform.

Requires Go 1.26 or newer.

Terminal window
go install github.com/kupecloud/kupe-cli/cmd/kupe@latest

The binary lands at $(go env GOPATH)/bin/kupe. This builds without the release ldflags (no version, commit, or build date metadata) — fine for development; use a release artifact for anything else.

Terminal window
kupe version --short

Should print just the semver string (e.g. 1.1.3). For full build metadata:

Terminal window
kupe version
# kupe version 1.1.3 (commit a1b2c3d, built 2026-05-07T..., go1.26.2 darwin/arm64)
Terminal window
kupe auth login --tenant <your-tenant>

The default --method oidc runs an RFC 8628 device-code flow — the CLI prints a short user code plus a verification URL, opens your browser (best-effort), and waits for you to approve. Works identically on laptops, SSH sessions, and CI runners.

For machine-to-machine use, generate an API token in the console and pass it via KUPE_API_TOKEN instead. See Cluster Access for full details.

Install methodUpdate command
Install scriptRe-run curl -fsSL https://get.kupe.cloud | sh
Homebrewbrew upgrade kupe
Scoopscoop update kupe
go installgo install github.com/kupecloud/kupe-cli/cmd/kupe@latest
Direct downloadDownload the new archive and replace the binary
Install methodUninstall command
Install scriptrm ~/.local/bin/kupe (or wherever --install-dir pointed)
Homebrewbrew uninstall kupe
Scoopscoop uninstall kupe
go installrm $(go env GOPATH)/bin/kupe
Direct downloadrm /path/to/kupe

To fully remove all CLI state:

Terminal window
kupe auth logout --all # revoke OIDC refresh tokens at the IdP, clear keyring
rm -rf ~/.config/kupe # config file + plaintext credentials fallback

The CLI currently ships unsigned binaries, so you may see trust prompts on first run. Code signing is on the roadmap; until then, verify downloads with the published checksums (see Verifying release artifacts).

  • macOS — Gatekeeper warning. The install script and the Homebrew cask both strip the com.apple.quarantine extended attribute automatically, so installing through either of those paths shows no warning. If you downloaded a binary directly from a release page and saw the warning, run once:

    Terminal window
    xattr -dr com.apple.quarantine "$(which kupe)"
  • Windows — SmartScreen warning. On the first run after scoop install kupe, Windows shows “Windows protected your PC”. Click More infoRun anyway. The warning won’t reappear for that binary.

  • Linux — no equivalent warning. The install script and direct downloads are checksum-verified and (optionally) Cosign-verifiable.

Apple Developer ID notarization (macOS) and Authenticode signing via Azure Trusted Signing (Windows) are on the roadmap — once shipped, both warnings will go away.

Every release’s checksums.txt is signed with Cosign keyless signing via GitHub Actions OIDC. To verify on macOS or Linux:

Terminal window
TAG=v1.1.3
cd "$(mktemp -d)"
gh release download "$TAG" -R kupecloud/kupe-cli -p '*checksums.txt*'
cosign verify-blob \
--certificate kupe_${TAG#v}_checksums.txt.pem \
--certificate-identity-regexp 'https://github.com/kupecloud/kupe-cli/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--signature kupe_${TAG#v}_checksums.txt.sig \
kupe_${TAG#v}_checksums.txt

A successful verification prints Verified OK. The signature attests that the checksums file was produced by the kupe-cli release workflow on a specific commit. Once the checksums file is verified, archive integrity is verified by the SHA-256s listed inside it.