@lance0/latch-cli

CLI tools for Latch authentication library

Quickly generate secrets and initialize Latch configuration with an interactive wizard.

Installation

``bash


Global installation

npm install -g @lance0/latch-cli

Or use with npx (no installation required)

npx @lance0/latch-cli [command]
`

Commands

$3

Generate a cryptographically secure random secret for LATCH_COOKIE_SECRET:

`bash
npx @lance0/latch-cli generate-secret

Output:

✓ Generated secure cookie secret:

#

LATCH_COOKIE_SECRET=ip+N8RAVD2jUtdKKQEqk9wgyNE8BHI/L8c5qYRnjVcM=

#

Add this to your .env.local file

Never commit this secret to version control!

`

$3

Interactive wizard to initialize Latch configuration:

`bash
npx @lance0/latch-cli init
`

The wizard will prompt you for:

1. Cloud environment - Azure Commercial, GCC-High, or DoD
2. Azure AD Client ID - Application (client) ID from Azure portal
3. Azure AD Tenant ID - Directory (tenant) ID from Azure portal
4. Client type - Public Client (PKCE) or Confidential Client (client_secret)
5. Client Secret - (Only if Confidential Client selected)
6. OAuth Redirect URI - Defaults to http://localhost:3000/api/latch/callback
7. OAuth Scopes - Defaults to openid profile User.Read

Example session:

`
🔐 Latch Configuration Wizard

? Which Azure cloud environment? › Azure Government GCC-High (IL4)
? Azure AD Client ID (Application ID): › 00000000-0000-0000-0000-000000000000
? Azure AD Tenant ID (Directory ID): › 11111111-1111-1111-1111-111111111111
? Client type: › Confidential Client (Client Secret)
? Azure AD Client Secret (from Certificates & secrets): › ••••••••••••••••
? OAuth Redirect URI: › http://localhost:3000/api/latch/callback
? OAuth Scopes (space-separated): › openid profile User.Read

✓ Configuration complete!

Created: .env.local

Next steps:
1. Review your .env.local file
2. Create API routes in app/api/latch/
3. Wrap your app with
4. Run pnpm dev to start

⚠ Government Cloud Notes:
• Register your app at https://portal.azure.us
• Do NOT use .com Graph URLs in scopes

ℹ️ Confidential Client Setup:
• Add http://localhost:3000/api/latch/callback to Redirect URIs (Web platform)
• Client secret rotation recommended every 6-12 months
• See docs/AUTHENTICATION_SETUP.md for rotation procedures
`

Output:

Creates a .env.local file with all required Latch configuration:

`env


Latch Configuration - Azure Government GCC-High

Generated by @lance0/latch-cli on 2025-10-23

Azure AD Application

LATCH_CLIENT_ID=00000000-0000-0000-0000-000000000000
LATCH_TENANT_ID=11111111-1111-1111-1111-111111111111
LATCH_CLIENT_SECRET=your-client-secret-here # Only if Confidential Client

Cloud Environment

LATCH_CLOUD=gcc-high

OAuth Configuration

LATCH_SCOPES=openid profile User.Read
LATCH_REDIRECT_URI=http://localhost:3000/api/latch/callback

Cookie Encryption Secret (NEVER commit this!)

LATCH_COOKIE_SECRET=

Debug Mode (optional)

LATCH_DEBUG=false

Next.js URL

NEXTAUTH_URL=http://localhost:3000
`

$3

Copy API routes and Server Actions from example apps.

`bash
latch scaffold
latch scaffold --example commercial
`

$3

Validate .env.local for common mistakes (UUIDs, cloud/scope mismatches, etc).

`bash
latch validate
`

$3

Run diagnostics on your Latch setup (checks install, config, routes, LatchProvider).

`bash
latch doctor
`

Features

✅ Interactive wizards with validation
✅ Scaffold routes from examples
✅ Validate configuration
✅ Diagnose setup issues
✅ Auto-generate secure secrets

Usage in Monorepo

If you're developing in the Latch monorepo:

`bash


From root

pnpm --filter @lance0/latch-cli build

Run locally

node packages/latch-cli/dist/index.js generate-secret
node packages/latch-cli/dist/index.js init
``

Related Packages

- @lance0/latch - Core authentication library

License

Apache-2.0