tsh Reference

This guide provides a comprehensive list of commands, arguments, and flags for tsh.

tsh is a CLI client for accessing Teleport-protected resources. It allows users to interact with current and past sessions on the cluster, copy files to and from nodes, and list information about the cluster.

tsh [<flags>] <command> [<args> ...]

Global flags:

| Flag | Default | Description |
| --- | --- | --- |
| --auth | none | Specify the name of authentication connector to use. |
| --bind-addr | none | Override host:port used when opening a browser for cluster logins. |
| --callback | none | Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr. |
| --cert-format | none | SSH certificate format. |
| -d, --[no-]debug | false | Verbose logging to stdout. |
| -i, --identity | none | Identity file. |
| -J, --jumphost | none | SSH jumphost. |
| -k, --add-keys-to-agent | auto | Controls how keys are handled. Valid values are [auto no yes only]. |
| -l, --login | none | Remote host login. |
| --mfa-mode | auto | Preferred mode for MFA and Passwordless assertions (auto, cross-platform, platform, otp, sso). |
| --mlock | auto | Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict). |
| --[no-]enable-escape-sequences | true | Enable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences. Default is enabled. |
| --[no-]headless | false | Use headless login. Shorthand for --auth=headless. |
| --[no-]insecure | false | Do not verify server's certificate and host name. Use only in test environments. |
| --[no-]os-log | false | Verbose logging to the unified logging system. This flag implies --debug. Also available through the TELEPORT_OS_LOG env var. For more details, see https://goteleport.com/docs/connect-your-client/tsh/#debug-logs. |
| --[no-]skip-version-check | false | Skip version checking between server and client. |
| --piv-slot | none | Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d". |
| --proxy | none | Teleport proxy address. |
| --relay | none | Teleport relay address, "none" to explicitly disable the use of a relay, or "default" to use the cluster-provided address even if a different address was specified at login time. |
| --ttl | none | Minutes to live for a session. |
| --user | none | Teleport user, defaults to current local user. |

Global environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_ADD_KEYS_TO_AGENT | auto | Controls how keys are handled. Valid values are [auto no yes only]. |
| TELEPORT_AUTH | none | Specify the name of authentication connector to use. |
| TELEPORT_CLUSTER | none | Name of a Teleport root or leaf cluster |
| TELEPORT_GLOBAL_TSH_CONFIG | none | Override location of global tsh config file from default /etc/tsh.yaml |
| TELEPORT_HEADLESS | false | Use headless login. Shorthand for --auth=headless. |
| TELEPORT_HOME | none | Home location for tsh configuration and data |
| TELEPORT_IDENTITY_FILE | none | Identity file. |
| TELEPORT_LOGIN | none | Remote host login. |
| TELEPORT_LOGIN_BIND_ADDR | none | Override host:port used when opening a browser for cluster logins. |
| TELEPORT_MFA_MODE | auto | Preferred mode for MFA and Passwordless assertions (auto, cross-platform, platform, otp, sso). |
| TELEPORT_MLOCK_MODE | auto | Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict). |
| TELEPORT_PIV_SLOT | none | Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d". |
| TELEPORT_PROXY | none | Teleport proxy address. |
| TELEPORT_RELAY | none | Teleport relay address, "none" to explicitly disable the use of a relay, or "default" to use the cluster-provided address even if a different address was specified at login time. |
| TELEPORT_USER | none | Teleport user, defaults to current local user. |

tsh apps config

Print app connection information.

Usage:

tsh apps config [<flags>] [<app>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | none | Optional print format, one of: "uri" to print app address, "ca" to print CA cert path, "cert" to print cert path, "key" print key path, "curl" to print example curl command, "json" or "yaml" to print everything as JSON or YAML. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | none (optional) | App to print information for. Required when logged into multiple apps. |

tsh apps login

Retrieve short-lived certificate for an app.

Usage:

tsh apps login [<flags>] <app>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --aws-role | none | (For AWS CLI access only) Amazon IAM role ARN or role name. |
| --azure-identity | none | (For Azure CLI access only) Azure managed identity name. |
| --gcp-service-account | none | (For GCP CLI access only) GCP service account name. |
| -q, --[no-]quiet | false | Quiet mode. |
| --target-port | none | Port to which connections made using this cert should be routed to. Valid only for multi-port TCP apps. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | none (required) | App name to retrieve credentials for. Can be obtained from tsh apps ls output. |

tsh apps logout

Remove app certificate.

Usage:

tsh apps logout [<app>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | none (optional) | App to remove credentials for. |

tsh apps ls

List available applications.

Usage:

tsh apps ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -R, --[no-]all | false | List apps from all clusters and proxies. |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Show extra application fields. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh aws

Access AWS API.

Usage:

tsh aws [<flags>] [<command>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the AWS application to use if logged into multiple. |
| --aws-role | none | (For AWS CLI access only) Amazon IAM role ARN or role name. |
| --exec | none | Execute different commands (e.g. terraform) under Teleport credentials. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (optional) | AWS command and subcommands arguments that are going to be forwarded to AWS CLI. |

tsh az

Access Azure API.

Usage:

tsh az [<flags>] [<command>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the Azure application to use if logged into multiple. |
| --azure-identity | none | (For Azure CLI access only) Azure managed identity name. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (optional) | az command and subcommands arguments that are going to be forwarded to Azure CLI. |

tsh clusters

List available Teleport clusters.

Usage:

tsh clusters [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| -q, --[no-]quiet | false | Quiet mode. |
| -v, --[no-]verbose | false | Verbose table output, shows full label output. |

tsh config

Print OpenSSH configuration details.

Usage:

tsh config [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -p, --port | none | SSH port on a remote host. |

tsh db config

Print database connection information. Useful when configuring GUI clients.

Usage:

tsh db config [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | none | Print format: "text" to print in table format (default), "cmd" to print connect command, "json" or "yaml" to print in JSON or YAML. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | Print information for the specified database. |

tsh db connect

Connect to a database.

Usage:

tsh db connect [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --db-name | none | Database name to log in to. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -r, --db-roles | none | List of comma-separated database roles to use for auto-provisioned user. |
| --request-reason | none | Reason for requesting access. |
| -u, --db-user | none | Database user to log in as. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | Database service name to connect to. |

tsh db env

Print environment variables for the configured database.

Usage:

tsh db env [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | Print environment for the specified database. |

tsh db exec

Execute database commands on target database services.

Usage:

tsh db exec [<flags>] <command>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --dbs | none | List of comma separated target database services. Mutually exclusive with --search or --labels. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --db-name | none | Database name to log in to. |
| --[no-]confirm | true | Confirm selected database services before executing command. |
| --output-dir | none | Directory to store command output per target database service. A summary is saved as "summary.json". |
| --parallel | 1 | Run commands on target databases in parallel. Defaults to 1, and maximum allowed is 10. |
| -r, --db-roles | none | List of comma-separated database roles to use for auto-provisioned user. |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -u, --db-user | none | Database user to log in as. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (required) | Execute this command on target database services. |

tsh db login

Retrieve credentials for a database.

Usage:

tsh db login [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --db-name | none | Database name to configure as default. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -r, --db-roles | none | List of comma-separated database roles to use for auto-provisioned user. |
| --request-reason | none | Reason for requesting access. |
| -u, --db-user | none | Database user to configure as default. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | Database to retrieve credentials for. Can be obtained from 'tsh db ls' output. |

tsh db logout

Remove database credentials.

Usage:

tsh db logout [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | Database to remove credentials for. |

tsh db ls

List all available databases.

Usage:

tsh db ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -R, --[no-]all | false | List databases from all clusters and proxies. |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Show extra database fields. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh device enroll

Enroll this device as a trusted device. Requires Teleport Enterprise.

Usage:

tsh device enroll [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]current-device | false | Attempts to register and enroll the current device. Requires device admin privileges. |
| --token | none | Device enrollment token. |

tsh env

Print commands to set Teleport session environment variables.

Usage:

tsh env [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --[no-]unset | false | Print commands to clear Teleport session environment variables. |

tsh gcloud

Access GCP API with the gcloud command.

Usage:

tsh gcloud [<flags>] [<command>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the GCP application to use if logged into multiple. |
| --gcp-service-account | none | (For GCP CLI access only) GCP service account name. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (optional) | gcloud command and subcommands arguments. |

tsh git clone

Clone a Git repository.

Usage:

tsh git clone <repository> [<directory>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| directory | none (optional) | The name of a new directory to clone into. |
| repository | none (required) | Git URL of the repository to clone. |

tsh git config

Check Teleport config on the working Git directory. Or provide an action ('update' or 'reset') to configure the Git repo.

Usage:

tsh git config [<action>]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| action | none (optional) | Optional action to perform. 'update' to configure the Git repo to proxy Git commands through Teleport. 'reset' to clear Teleport configuration from the Git repo. |

tsh git login

Opens a browser and retrieves your login from GitHub.

Usage:

tsh git login --github-org=GITHUB-ORG [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --github-org | none | GitHub organization. |
| --[no-]force | false | Force a login. |

tsh git ls

List Git servers.

Usage:

tsh git ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh gsutil

Access Google Cloud Storage with the gsutil command.

Usage:

tsh gsutil [<flags>] [<command>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the GCP application to use if logged into multiple. |
| --gcp-service-account | none | (For GCP CLI access only) GCP service account name. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (optional) | gsutil command and subcommands arguments. |

tsh headless approve

Approve a headless authentication request.

Usage:

tsh headless approve [<flags>] [<request id>]

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_HEADLESS_SKIP_CONFIRM | false | Skip confirmation and prompt for MFA immediately. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --[no-]skip-confirm | false | Skip confirmation and prompt for MFA immediately. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| request id | none (optional) | Headless authentication request ID. |

tsh help

Show help.

Usage:

tsh help [<command>...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (optional) | Show help on command. |

tsh join

Join the active SSH or Kubernetes session.

Usage:

tsh join [<flags>] <session-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -m, --mode | observer | Mode of joining the session, valid modes are observer, moderator and peer. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session-id | none (required) | ID of the session to join. |

tsh kube exec

Execute a command in a Kubernetes pod.

Usage:

tsh kube exec [<flags>] <target> <command>...

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --container | none | Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen. |
| -f, --filename | none | To use to exec into the resource. |
| --invite | none | A comma separated list of people to mark as invited for the session. |
| -n, --namespace | none | Configure the default Kubernetes namespace. |
| --[no-]participant-req | false | Displays a verbose list of required participants in a moderated session. |
| -q, --[no-]quiet | false | Only print output from the remote session. |
| --reason | none | The purpose of the session. |
| -s, --[no-]stdin | false | Pass stdin to the container. |
| -t, --[no-]tty | false | Stdin is a TTY. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| command | none (required) | Command to execute in the container. |
| target | none (required) | Pod or deployment name. |

tsh kube join

Join an active Kubernetes session.

Usage:

tsh kube join [<flags>] <session>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -m, --mode | observer | Mode of joining the session, valid modes are observer, moderator and peer. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session | none (required) | The ID of the target session. |

tsh kube login

Login to a Kubernetes cluster.

Usage:

tsh kube login [<flags>] [<kube-cluster>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --as | none | Configure custom Kubernetes user impersonation. |
| --as-groups | none | Configure custom Kubernetes group impersonation. |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --namespace | none | Configure the default Kubernetes namespace. |
| --[no-]all | false | Generate a kubeconfig with every cluster the user has access to. Mutually exclusive with --labels or --query. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --request-reason | none | Reason for requesting access. |
| --set-context-name | {{.ClusterName}}-{{.KubeName}} | Define a custom context name. To use it with --all include "{{.KubeName}}". |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| kube-cluster | none (optional) | Name of the Kubernetes cluster to login to. Check 'tsh kube ls' for a list of available clusters. |

tsh kube ls

Get a list of Kubernetes clusters.

Usage:

tsh kube ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -f, --format | text | Format output (text, json, yaml). |
| -q, --[no-]quiet | false | Quiet mode. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -R, --[no-]all | false | List Kubernetes clusters from all clusters and proxies. |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Show an untruncated list of labels. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh kube sessions

Get a list of active Kubernetes sessions. (DEPRECATED: use tsh sessions ls --kind=kube instead.)

Usage:

tsh kube sessions [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -f, --format | text | Format output (text, json, yaml). |

tsh kubectl

Runs a kubectl command on a Kubernetes cluster.

Usage:

tsh kubectl [args...]

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| args | none (optional) | Arbitrary arguments |

tsh latency ssh

Measure latency to a particular SSH host.

Usage:

tsh latency ssh [<flags>] <[user@]host>

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| --[no-]no-resume | false | Disable SSH connection resumption. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| [user@]host | none (required) | Remote hostname and the login to use. |

tsh login

Log in to a cluster and retrieve the session certificate.

Usage:

tsh login [<flags>] [<cluster>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --browser | none | Set to 'none' to suppress browser opening on login. |
| -f, --format | file | Identity format: file, openssh (for OpenSSH compatibility) or kubernetes (for kubeconfig). |
| --kube-cluster | none | Name of the Kubernetes cluster to login to. |
| --[no-]overwrite | false | Whether to overwrite the existing identity file. |
| --[no-]request-nowait | false | Finish without waiting for request resolution. |
| -o, --out | none | Identity output. |
| --request-id | none | Login with the roles requested in the given request. |
| --request-reason | none | Reason for requesting additional roles. |
| --request-reviewers | none | Suggested reviewers for role request. |
| --request-roles | none | Request one or more extra roles. |
| --scope | none | Scope pins credentials to a given scope. |
| -v, --[no-]verbose | false | Show extra status information. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| cluster | none (optional) | Specify the Teleport cluster to connect. |

tsh logout

Delete a cluster certificate.

Usage:

tsh logout

tsh ls

List remote SSH nodes.

Usage:

tsh ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -f, --format | text | Format output (text, json, yaml, names). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -R, --[no-]all | false | List nodes from all clusters and proxies. |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | One-line output (for text format), including node UUIDs. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh mcp config

Print client configuration details.

Usage:

tsh mcp config [<flags>] [<name>]

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_MCP_CLIENT_CONFIG | none | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG. |
| TELEPORT_MCP_CONFIG_JSON_FORMAT | auto | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --client-config | none | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG. |
| --format | none | Format specifies the configuration format (claude, vscode, cursor). If not provided it will assume format from the configuration file. When no configuration file is provided it defaults to "claude". |
| -H, --header | none | Extra custom headers used for streamable HTTP MCP servers. |
| --json-format | auto | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --[no-]auto-reconnect | false | Automatically starts a new remote MCP session when the previous remote session is interrupted by network issues or tsh session expirations. Recommended for stateless MCP sessions. Defaults to true. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -R, --[no-]all | false | Select all MCP servers. Mutually exclusive with --labels or --query. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | none (optional) | Name of the MCP server. |

tsh mcp db config

Print client configuration details.

Usage:

tsh mcp db config [<flags>] [<name>]

Environment variables:

| Variable | Default | Description |
| --- | --- | --- |
| TELEPORT_MCP_CLIENT_CONFIG | none | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG. |
| TELEPORT_MCP_CONFIG_JSON_FORMAT | auto | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto. |

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --client-config | none | If specified, update the specified client config, assuming its format. "claude" for default Claude Desktop config, "cursor" for global Cursor MCP servers config, or specify a JSON file path. Can also be set with environment variable TELEPORT_MCP_CLIENT_CONFIG. |
| --format | none | Format specifies the configuration format (claude, vscode, cursor). If not provided it will assume format from the configuration file. When no configuration file is provided it defaults to "claude". |
| --json-format | auto | Format the JSON file (pretty, compact, auto, none). auto saves in compact if the file is already compact, otherwise pretty. Can also be set with environment variable TELEPORT_MCP_CONFIG_JSON_FORMAT. Default is auto. |
| -n, --db-name | none | Database name to log in to. |
| --[no-]overwrite | false | Overwrites command and environment variable from the config file. |
| -u, --db-user | none | Database user to log in as. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | none (optional) | Database service name. |

tsh mcp ls

List available MCP server applications.

Usage:

tsh mcp ls [<flags>] [<labels>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Show extra MCP server fields. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| labels | none (optional) | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |

tsh mfa add

Add a new MFA device.

Usage:

tsh mfa add [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --name | none | Name of the new MFA device. |
| --type | none | Type of the new MFA device (TOTP, WEBAUTHN). |

tsh mfa ls

Get a list of registered MFA devices.

Usage:

tsh mfa ls [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -f, --format | text | Format output (text, json, yaml). |
| -v, --[no-]verbose | false | Print more information about MFA devices. |

tsh mfa rm

Remove an MFA device.

Usage:

tsh mfa rm <name>

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| name | none (required) | Name or ID of the MFA device to remove. |

tsh piv agent

Start PIV key agent.

Usage:

tsh piv agent

tsh play

Replay the recorded session (SSH, Kubernetes, App, DB).

Usage:

tsh play [<flags>] <session-id>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -f, --format | pty | Format output (pty, json, yaml, text). |
| --[no-]skip-idle-time | false | Quickly skip over idle time, applicable when streaming SSH or Kubernetes sessions. |
| --speed | 1x | Playback speed, applicable when streaming SSH or Kubernetes sessions. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| session-id | none (required) | ID or path to session file to play. |

tsh proxy app

Start local TLS proxy for app connection when using Teleport in single-port mode.

Usage:

tsh proxy app [<flags>] <app>

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -p, --port | none | Specifies the listening port used by the proxy app listener. Accepts an optional target port of a multi-port TCP app after a colon, e.g. "1234:5678". |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| app | none (required) | The name of the application to start local proxy for. |

tsh proxy aws

Start local proxy for AWS access.

Usage:

tsh proxy aws [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the AWS application to use if logged into multiple. |
| -f, --format | unix | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. Or specify a service format, one of: athena-odbc, athena-jdbc. |
| -p, --port | none | Specifies the source port used by the proxy listener. |

tsh proxy azure

Start local proxy for Azure access.

Usage:

tsh proxy azure [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the Azure application to use if logged into multiple. |
| -f, --format | unix | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| -p, --port | none | Specifies the source port used by the proxy listener. |

tsh proxy db

Start local TLS proxy for database connections when using Teleport in single-port mode.

Usage:

tsh proxy db [<flags>] [<db>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --listen | none | Specifies the source address used by proxy db listener. Mutually exclusive with --port. |
| -n, --db-name | none | Database name to log in to. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests. |
| --[no-]insecure-listen-anywhere | false | Allows the local proxy to listen on any address without restrictions. WARNING: this will expose unsecured listener to anyone in the network. Only use when network access is otherwise restricted. |
| --[no-]tunnel | false | Open authenticated tunnel using database's client certificate so clients don't need to authenticate. |
| -p, --port | none | Specifies the source port used by proxy db listener. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| -r, --db-roles | none | List of comma-separated database roles to use for auto-provisioned user. |
| --request-reason | none | Reason for requesting access. |
| -u, --db-user | none | Database user to log in as. |

Arguments:

| Argument | Default | Description |
| --- | --- | --- |
| db | none (optional) | The name of the database to start local proxy for. |
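
The global flag table limits --insecure to test environments, and the --insecure-listen-anywhere entry above carries its own warning. The following is an added example, not part of the Teleport documentation: a shell function that scans a wrapper or CI script for those options, plus --skip-version-check and a memory-locking mode of "off". The function names, the sample script and its host, user and database names are constructed, and the check assumes options are separated by whitespace rather than built from variables.

```shell
#!/bin/sh
# Added example (not from the Teleport documentation): report tsh options that
# this reference describes as test-only or as switching a safeguard off.
# Assumption: options are whitespace-separated and not built from variables.

# Constructed sample script; host, user and database names are placeholders.
sample_script() {
    cat <<'EOF'
#!/bin/sh
# tsh --insecure login   (commented out, must be ignored)
tsh login --proxy=teleport.example.com --user=alice
tsh --insecure --proxy=teleport.example.com ls
tsh proxy db --tunnel --insecure-listen-anywhere --port 5432 exampledb
export TELEPORT_MLOCK_MODE=off
tsh --mlock off --skip-version-check ls
tsh --no-insecure ls
EOF
}

# Reads a script on stdin, prints "<line>: <finding>" for each hit and
# returns 1 if anything was found, 0 otherwise.
audit_tsh_flags() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; hits++ }
    /^[[:space:]]*#/ { next }               # skip comment lines
    {
        seen_tsh = 0
        for (i = 1; i <= NF; i++) {
            tok = $i
            # The environment variable counts even without tsh on the line.
            if (tok == "TELEPORT_MLOCK_MODE=off") {
                report("TELEPORT_MLOCK_MODE=off: process memory is not locked")
            }
            if (tok == "tsh" || tok ~ /\/tsh$/) { seen_tsh = 1; continue }
            if (!seen_tsh) { continue }     # only inspect options after tsh
            if (tok == "--insecure") {
                report("--insecure: server certificate and host name not verified")
            } else if (tok == "--insecure-listen-anywhere") {
                report("--insecure-listen-anywhere: unsecured listener exposed to the network")
            } else if (tok == "--skip-version-check") {
                report("--skip-version-check: client/server version check skipped")
            } else if (tok == "--mlock=off" || (tok == "--mlock" && $(i + 1) == "off")) {
                report("--mlock off: process memory is not locked")
            }
        }
    }
    END { exit (hits > 0) }
    '
}

# Stand-alone run over the constructed sample.
sample_script | audit_tsh_flags || echo "audit: options above need review"
```

Exact token matching keeps --no-insecure and commented-out lines from being reported.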

tsh proxy gcloud

Start local proxy for GCP access.

Usage:

tsh proxy gcloud [<flags>]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --app | none | Optional name of the GCP application to use if logged into multiple. |
| -f, --format | unix | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| -p, --port | none | Specifies the source port used by the proxy listener. |

tsh proxy kube

Start local proxy for Kubernetes access.

Usage:

tsh proxy kube [<flags>] [<kube-cluster>...]

Flags:

| Flag | Default | Description |
| --- | --- | --- |
| --as | none | Configure custom Kubernetes user impersonation. |
| --as-groups | none | Configure custom Kubernetes group impersonation. |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -f, --format | unix | Optional format to print the commands for setting environment variables, one of: unix, command-prompt, powershell, text. Default is unix. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| -n, --namespace | none | Configure the default Kubernetes namespace. |
| --[no-]exec | false | Run the proxy in the background and reexec into a new shell with $KUBECONFIG already pointed to our config file. |
| -p, --port | none | Specifies the source port used by the proxy listener. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --set-context-name | {{.ClusterName}}-{{.KubeName}} | Define a custom context name or template. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| kube-cluster | none (optional) | Name of the Kubernetes cluster to proxy. Check 'tsh kube ls' for a list of available clusters. If not specified, all clusters previously logged in through tsh kube login will be used. |

tsh proxy mcp

Start local proxy for MCP access.

Usage:

tsh proxy mcp [<flags>] <app>

Flags:

| Flag | Default | Description |
|---|---|---|
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -p, --port | none | Specifies the listening port used by the proxy app listener. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| app | none (required) | The name of the MCP application to start local proxy for. |

tsh proxy ssh

Start local TLS proxy for ssh connections when using Teleport in single-port mode.

Usage:

tsh proxy ssh [<flags>] <[user@]host>

Environment variables:

| Variable | Default | Description |
|---|---|---|
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |

Flags:

| Flag | Default | Description |
|---|---|---|
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| [user@]host | none (required) | Remote hostname and the login to use. |

tsh recordings export

Export recorded desktop sessions to video.

Usage:

tsh recordings export [<flags>] <session-id>

Flags:

| Flag | Default | Description |
|---|---|---|
| --out | none | Override output file name. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| session-id | none (required) | ID of the session to export. |

tsh recordings ls

List recorded sessions.

Usage:

tsh recordings ls [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). Defaults to 'text'. |
| --from-utc | none | Start of time range in which recordings are listed. Format 2006-01-02. Defaults to 24 hours ago. |
| --last | none | Duration into the past from which session recordings should be listed. Format "5h30m40s". |
| --limit | 50 | Maximum number of recordings to show. Default 50. |
| --to-utc | none | End of time range in which recordings are listed. Format 2006-01-02. Defaults to current time. |

tsh request create

Create a new Access Request.

Usage:

tsh request create [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| --assume-start-time | none | Sets time roles can be assumed by requestor (RFC3339 e.g 2023-12-12T23:20:50.52Z). |
| --max-duration | none | How long the access should be granted for. |
| --[no-]nowait | false | Finish without waiting for request resolution. |
| --reason | none | Reason for requesting. |
| --request-ttl | none | Expiration time for the Access Request. |
| --resource | none | Resource ID to be requested. |
| --reviewers | none | Suggested reviewers. |
| --roles | none | Roles to be requested. |
| --session-ttl | none | Expiration time for the elevated certificate. |

tsh request drop

Drop one or more Access Requests from the current identity.

Usage:

tsh request drop [<request-id>...]

Arguments:

| Argument | Default | Description |
|---|---|---|
| request-id | * (optional) | IDs of requests to drop (default drops all requests). |

tsh request ls

List Access Requests.

Usage:

tsh request ls [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| --[no-]my-requests | false | Only show requests created by current user. |
| --[no-]reviewable | false | Only show requests reviewable by current user. |
| --[no-]suggested | false | Only show requests that suggest current user as reviewer. |

tsh request review

Review an Access Request.

Usage:

tsh request review [<flags>] <request-id>

Flags:

| Flag | Default | Description |
|---|---|---|
| --assume-start-time | none | Sets time roles can be assumed by requestor (RFC3339 e.g 2023-12-12T23:20:50.52Z). |
| --[no-]approve | false | Review proposes approval. |
| --[no-]deny | false | Review proposes denial. |
| --reason | none | Review reason message. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| request-id | none (required) | ID of target request. |

tsh request search

Search for resources to request access to.

Usage:

tsh request search [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| --kind | none | Resource kind to search for (node, kube_cluster, kube_resource, db, app, windows_desktop, user_group, saml_idp_service_provider, aws_ic_account, aws_ic_account_assignment, git_server). Mutually exclusive with --roles. |
| --kube-api-group | none | Kubernetes API group to search for resources. |
| --kube-cluster | none | Kubernetes Cluster to search for Pods. |
| --kube-kind | none | Kubernetes resource kind name (plural) to search for. Required with --kind="kube_resource" Ex: pods, deployments, namespaces, etc. |
| --labels | none | List of comma separated labels to filter by labels (e.g. key1=value1,key2=value2). |
| --namespace | default | Kubernetes Namespace to search for Pods. |
| --[no-]all-kube-namespaces | false | Search Pods in every namespace. |
| --[no-]roles | false | List requestable roles instead of searching for resources. Mutually exclusive with --kind. |
| --query | none | Query by predicate language enclosed in single quotes. Supports ==, !=, &&, and \|\| (e.g. --query='labels["key1"] == "value1" && labels["key2"] != "value2"'). |
| --search | none | List of comma separated search keywords or phrases enclosed in quotations (e.g. --search=foo,bar,"some phrase"). |
| -v, --[no-]verbose | false | Verbose table output, shows full label output. |

tsh request show

Show request details.

Usage:

tsh request show [<flags>] <request-id>

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |

Arguments:

| Argument | Default | Description |
|---|---|---|
| request-id | none (required) | ID of the target request. |

tsh resolve

Resolves an SSH host.

Usage:

tsh resolve [<flags>] <host>

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| -q, --[no-]quiet | false | Quiet mode. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| host | none (required) | Remote hostname to resolve. |

tsh scan keys

Scan the local machine for SSH private keys and report findings to Teleport.

Usage:

tsh scan keys [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| --dirs | /Users/ | Directories to scan. |
| --skip-paths | none | Paths to directories or files to skip. Supports pattern matching. |

tsh scopes ls

List scopes at which user has assigned privileges.

Usage:

tsh scopes ls [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -v, --[no-]verbose | false | Show table with details of per-scope privileges. |

tsh scp

Transfer files to a remote SSH node.

Usage:

tsh scp [<flags>] <from, to>...

Environment variables:

| Variable | Default | Description |
|---|---|---|
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |

Flags:

| Flag | Default | Description |
|---|---|---|
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |
| -p, --[no-]preserve | false | Preserves access and modification times from the original file. |
| -P, --port | none | Port to connect to on the remote host. |
| -q, --[no-]quiet | false | Quiet mode. |
| -r, --[no-]recursive | false | Recursive copy of subdirectories. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| from, to | none (required) | Source and destination to copy, one must be a local path and one must be a remote path. |

tsh sessions ls

List active sessions.

Usage:

tsh sessions ls [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| --kind | ssh,k8s,db,app,desktop | Filter by session kind(s). |

tsh ssh

Run shell or execute a command on a remote SSH node.

Usage:

tsh ssh [<flags>] [<[user@]host>] [<command>...]

Environment variables:

| Variable | Default | Description |
|---|---|---|
| TELEPORT_NO_RESUME | false | Disable SSH connection resumption. |
| TELEPORT_REQUEST_MODE | resource | Type of automatic Access Request to make (off, resource, role). |

Flags:

| Flag | Default | Description |
|---|---|---|
| -A, --[no-]forward-agent | false | Forward agent to target node. |
| -c, --cluster | none | Specify the Teleport cluster to connect. |
| -D, --dynamic-forward | none | Forward localhost connections to remote server using SOCKS5. |
| -f, --[no-]fork-after-authentication | false | Run in background after authentication is complete. |
| --invite | none | A comma separated list of people to mark as invited for the session. |
| -L, --forward | none | Forward localhost connections to remote server. |
| --log-dir | none | Directory to log separated command output, when executing on multiple nodes. If set, output from each node will also be labeled in the terminal. |
| -N, --[no-]no-remote-exec | false | Don't execute remote command, useful for port forwarding. |
| --[no-]disable-access-request | false | Disable automatic resource Access Requests (DEPRECATED: use --request-mode=off). |
| --[no-]local | false | Execute command on localhost after connecting to SSH node. |
| --[no-]no-resume | false | Disable SSH connection resumption. |
| --[no-]participant-req | false | Displays a verbose list of required participants in a moderated session. |
| --[no-]relogin | true | Permit performing an authentication attempt on a failed command. |
| -o, --option | none | OpenSSH options in the format used in the configuration file. |
| -p, --port | none | SSH port on a remote host. |
| --reason | none | The purpose of the session. |
| --request-mode | resource | Type of automatic Access Request to make (off, resource, role). |
| --request-reason | none | Reason for requesting access. |
| -R, --remote-forward | none | Forward remote connections to localhost. |
| -t, --[no-]tty | false | Allocate TTY. |
| --x11-untrusted-timeout | 10m | Sets a timeout for untrusted X11 forwarding, after which the client will reject any forwarding requests from the server. |
| -X, --[no-]x11-untrusted | false | Requests untrusted (secure) X11 forwarding for this session. |
| -Y, --[no-]x11-trusted | false | Requests trusted (insecure) X11 forwarding for this session. This can make your local machine vulnerable to attacks, use with caution. |

Arguments:

| Argument | Default | Description |
|---|---|---|
| command | none (optional) | Command to execute on a remote host. |
| [user@]host | none (optional) | Remote hostname and the login to use, this argument is required. |

tsh status

Display the list of proxy servers and retrieved certificates.

Usage:

tsh status [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| -v, --[no-]verbose | false | Show extra status information after successful login. |

tsh update

Update client tools (tsh, tctl) to the latest version defined by the cluster configuration.

Usage:

tsh update [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| --[no-]clear | false | Removes locally installed client tools updates from the Teleport home directory. |

tsh version

Print the tsh client and Proxy server versions for the current context.

Usage:

tsh version [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| -f, --format | text | Format output (text, json, yaml). |
| --[no-]client | false | Show the client version only (no server required). |

tsh vnet

Start Teleport VNet, a virtual network for TCP application access.

Usage:

tsh vnet

tsh vnet-ssh-autoconfig

Automatically include VNet's generated OpenSSH-compatible config file in ~/.ssh/config.

Usage:

tsh vnet-ssh-autoconfig

tsh workload-identity issue-x509

Use Teleport Workload Identity to issue an X509 credential and write it to a local directory.

Usage:

tsh workload-identity issue-x509 --output=OUTPUT [<flags>]

Flags:

| Flag | Default | Description |
|---|---|---|
| --credential-ttl | 1h | Sets the time to live for the credential. |
| --label-selector | none | A label-based selector for which workload identities to issue. Multiple labels can be provided using ','. |
| --name-selector | none | The name of the workload identity to issue. |
| --output | none | Path to the directory to write the SVID into. |