Kupe CLI
Use the kupe CLI for everyday tenant and cluster operations.
Install
Section titled “Install”Pick your operating system. Each tab shows the most common install paths for that
platform; advanced options that work on any platform (go install, direct binary
download) are below.
Install script — no prerequisites, installs to ~/.local/bin (no sudo,
no password prompt):
curl -fsSL https://get.kupe.cloud | shOn macOS, ~/.local/bin isn’t on PATH by default; the script prints
shell-specific one-liners to add it after install.
Homebrew — auto-updates, plus shell completions (bash/zsh/fish) and the man page are wired up automatically:
brew install kupecloud/tap/kupeUpdate with brew upgrade kupe. If brew upgrade reports “the latest version is
already installed” but you know a newer version exists, run brew update first to
refresh the tap clone — Homebrew throttles auto-updates to once a day by default.
Install script — no prerequisites, installs to ~/.local/bin (no sudo,
no password prompt):
curl -fsSL https://get.kupe.cloud | shOn most modern distros (Ubuntu since 18.04, Fedora, etc.) ~/.local/bin is on
PATH out of the box and you can run kupe immediately. The script prints
shell-specific instructions if not.
Homebrew — if you already have Linuxbrew, the same cask path works. Adds shell completions and the man page:
brew install kupecloud/tap/kupeUpdate with brew upgrade kupe.
scoop bucket add kupe https://github.com/kupecloud/scoop-bucketscoop install kupeUpdate with scoop update kupe.
On first run after install, Windows SmartScreen may show “Windows protected your PC” because the binaries are not yet Authenticode-signed. Click More info → Run anyway. The warning won’t reappear.
Install script — flags
Section titled “Install script — flags”These work on macOS and Linux:
# Pin a specific version (default: latest)curl -fsSL https://get.kupe.cloud | sh -s -- --version 1.1.3
# System-wide install instead of ~/.local/bin (will sudo)curl -fsSL https://get.kupe.cloud | sh -s -- --install-dir /usr/local/bin
# Install into any custom directorycurl -fsSL https://get.kupe.cloud | sh -s -- --install-dir /opt/binRequirements: curl, tar, and either sha256sum or shasum. Works on any POSIX
shell — your interactive shell (bash, zsh, fish, etc.) doesn’t matter because
the script is interpreted by sh after the pipe.
Other ways to install
Section titled “Other ways to install”These work on any platform.
Requires Go 1.26 or newer.
go install github.com/kupecloud/kupe-cli/cmd/kupe@latestThe binary lands at $(go env GOPATH)/bin/kupe. This builds without the release
ldflags (no version, commit, or build date metadata) — fine for development; use
a release artifact for anything else.
Pre-built binaries for darwin/linux/windows × amd64/arm64 are attached to every GitHub release.
Each release also ships:
checksums.txt— SHA-256 for every archivechecksums.txt.sig— Cosign keyless signature on the checksum file*.sbom.spdx.json— SPDX SBOM per archive
Download the archive matching your platform, verify the checksum, extract, and
move the kupe binary somewhere on your $PATH. On macOS, run
xattr -dr com.apple.quarantine path/to/kupe once after extracting to bypass
Gatekeeper.
Verify
Section titled “Verify”kupe version --shortShould print just the semver string (e.g. 1.1.3). For full build metadata:
kupe version# kupe version 1.1.3 (commit a1b2c3d, built 2026-05-07T..., go1.26.2 darwin/arm64)Authenticate
Section titled “Authenticate”kupe auth login --tenant <your-tenant>The default --method oidc runs an RFC 8628
device-code flow — the CLI prints a short user code plus a verification URL,
opens your browser (best-effort), and waits for you to approve. Works identically on
laptops, SSH sessions, and CI runners.
For machine-to-machine use, generate an API token in the console and pass it via
KUPE_API_TOKEN instead. See Cluster Access for full details.
Update
Section titled “Update”| Install method | Update command |
|---|---|
| Install script | Re-run curl -fsSL https://get.kupe.cloud | sh |
| Homebrew | brew upgrade kupe |
| Scoop | scoop update kupe |
go install | go install github.com/kupecloud/kupe-cli/cmd/kupe@latest |
| Direct download | Download the new archive and replace the binary |
Uninstall
Section titled “Uninstall”| Install method | Uninstall command |
|---|---|
| Install script | rm ~/.local/bin/kupe (or wherever --install-dir pointed) |
| Homebrew | brew uninstall kupe |
| Scoop | scoop uninstall kupe |
go install | rm $(go env GOPATH)/bin/kupe |
| Direct download | rm /path/to/kupe |
To fully remove all CLI state:
kupe auth logout --all # revoke OIDC refresh tokens at the IdP, clear keyringrm -rf ~/.config/kupe # config file + plaintext credentials fallbackKnown issues
Section titled “Known issues”The CLI currently ships unsigned binaries, so you may see trust prompts on first run. Code signing is on the roadmap; until then, verify downloads with the published checksums (see Verifying release artifacts).
-
macOS — Gatekeeper warning. The install script and the Homebrew cask both strip the
com.apple.quarantineextended attribute automatically, so installing through either of those paths shows no warning. If you downloaded a binary directly from a release page and saw the warning, run once:Terminal window xattr -dr com.apple.quarantine "$(which kupe)" -
Windows — SmartScreen warning. On the first run after
scoop install kupe, Windows shows “Windows protected your PC”. Click More info → Run anyway. The warning won’t reappear for that binary. -
Linux — no equivalent warning. The install script and direct downloads are checksum-verified and (optionally) Cosign-verifiable.
Apple Developer ID notarization (macOS) and Authenticode signing via Azure Trusted Signing (Windows) are on the roadmap — once shipped, both warnings will go away.
Verifying release artifacts
Section titled “Verifying release artifacts”Every release’s checksums.txt is signed with Cosign
keyless signing via GitHub Actions OIDC. To verify on macOS or Linux:
TAG=v1.1.3cd "$(mktemp -d)"gh release download "$TAG" -R kupecloud/kupe-cli -p '*checksums.txt*'cosign verify-blob \ --certificate kupe_${TAG#v}_checksums.txt.pem \ --certificate-identity-regexp 'https://github.com/kupecloud/kupe-cli/.+' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --signature kupe_${TAG#v}_checksums.txt.sig \ kupe_${TAG#v}_checksums.txtA successful verification prints Verified OK. The signature attests that the
checksums file was produced by the kupe-cli release workflow on a specific commit.
Once the checksums file is verified, archive integrity is verified by the SHA-256s
listed inside it.
Source and issues
Section titled “Source and issues”- Source: github.com/kupecloud/kupe-cli
- Issues / feature requests: github.com/kupecloud/kupe-cli/issues
- Security: see SECURITY.md for responsible disclosure