AuthzX CLI (`azx`)

Command-line tool for storing your API key, running authorization checks, and managing a local AuthzX Agent from the shell.

Install

Quick install (macOS / Linux)

curl -fsSL https://authzx.com/install.sh | sh

Detects your OS and architecture, downloads the latest binary from GitHub Releases, and installs to /usr/local/bin.

Homebrew

brew tap authzx/tap
brew install azx

Binary download

Grab the latest release from GitHub Releases — binaries for macOS, Linux, and Windows (amd64/arm64).

From source

Requires Go 1.21+.

go install github.com/authzx/authzx-cli/cmd/azx@latest

Configure

Store your API key locally at ~/.authzx/config.yaml:

azx configure
# AuthzX API Key: **** (input is masked)
# Saved to ~/.authzx/config.yaml

Get an API key from the AuthzX console under Settings → API → API Keys. Keys start with azx_. If you paste an OAuth client secret (azx_cs_...) the CLI will refuse it — use azx configure with an API key only.

The config file is written with mode 0600 inside a 0700 directory.

Check permissions

azx check \
  --subject user-123 \
  --action read \
  --resource doc-456

Output:

ALLOWED
  Reason: Policy 'editors-can-read-write' grants access
  Policy: 550e8400-e29b-41d4-a716-446655440000
  Path:   role

With roles and context

azx check \
  --subject user-123 \
  --action read \
  --resource doc-456 \
  --roles editor,viewer \
  --context '{"ip":"10.0.0.1"}'

Against a local agent

If you are running the AuthzX Agent locally on localhost:8181, add --local to route the check through it instead of the cloud API:

azx check \
  --subject user-123 \
  --action read \
  --resource doc-456 \
  --local

Manage a local agent

The azx agent commands let you run and manage a local AuthzX Agent in Docker:

# Generate agent config with your API key prefilled
azx agent config

# Start the agent (detached by default)
azx agent start

# Start a specific version on a custom port
azx agent start --image authzx/agent:v0.1.3 --port 9090

# Check agent health
azx agent status

# Tail agent logs
azx agent logs
azx agent logs --tail 50

# Stop and remove the container
azx agent stop

Flag	Default	Description
`--image`	`authzx/agent:latest`	Docker image to run
`--port`	`8181`	Host port mapped to the agent
`--name`	`authzx-agent`	Container name
`--config`	`authzx-agent.yaml`	Config file to mount
`--foreground`	`false`	Run attached (not detached)
`-e, --env`	—	Environment variables (repeatable)

Authentication resolution

When a command needs an API key, the CLI resolves it in this order (first match wins):

--api-key flag
AUTHZX_API_KEY environment variable
api_key from ~/.authzx/config.yaml

If none is set, the CLI prints: Not authenticated. Run 'azx configure' or set AUTHZX_API_KEY.

All commands

Command	Description
`azx configure`	Store your API key
`azx check`	Run an authorization check
`azx agent config`	Generate agent config file
`azx agent start`	Start the agent in Docker
`azx agent status`	Check agent health
`azx agent logs`	Tail agent logs
`azx agent stop`	Stop and remove agent container
`azx version`	Print CLI version
`azx help`	Help for any command
`azx completion <shell>`	Generate shell autocompletion

Install​

Quick install (macOS / Linux)​

Homebrew​

Binary download​

From source​

Configure​

Check permissions​

With roles and context​

Against a local agent​

Manage a local agent​

Authentication resolution​

All commands​