Installation & Authentication
Install the Frontier CLI on macOS, Linux, or Windows and authenticate with Keycloak for platform access.
Installation
The Frontier CLI is a single statically-linked Go binary with no runtime dependencies.
Supported Platforms
| Platform | Architecture | Binary |
|---|---|---|
| macOS | Apple Silicon (M1/M2/M3/M4) | frontier-darwin-arm64 |
| macOS | Intel | frontier-darwin-amd64 |
| Linux | x86_64 | frontier-linux-amd64 |
| Linux | ARM64 | frontier-linux-arm64 |
| Windows | x86_64 | frontier-windows-amd64.exe |
Install Using Homebrew (macOS / Linux)
The recommended installation method for macOS and Linux:
brew tap eupraxialabs/frontier-cli
brew install frontier-cli
To upgrade to the latest version:
brew upgrade frontier-cli
To uninstall:
brew uninstall frontier-cli
brew untap eupraxialabs/frontier-cli
Install Using Chocolatey (Windows)
Coming soon. Chocolatey package is in development. For now, use the direct binary download below.
Direct Binary Download
The current release is v5.8.0. Download the binary for your platform directly. Contact your Federal Frontier administrator for the access token.
macOS / Linux
# Replace <VERSION> with the release version (e.g., v5.8.0)
# Replace <TOKEN> with your access token
# macOS (Apple Silicon)
curl -sL --header "PRIVATE-TOKEN: <TOKEN>" \
"https://gitlab.com/api/v4/projects/41561861/packages/generic/frontier-cli/<VERSION>/frontier-darwin-arm64" \
-o frontier
# macOS (Intel)
curl -sL --header "PRIVATE-TOKEN: <TOKEN>" \
"https://gitlab.com/api/v4/projects/41561861/packages/generic/frontier-cli/<VERSION>/frontier-darwin-amd64" \
-o frontier
# Linux (x86_64)
curl -sL --header "PRIVATE-TOKEN: <TOKEN>" \
"https://gitlab.com/api/v4/projects/41561861/packages/generic/frontier-cli/<VERSION>/frontier-linux-amd64" \
-o frontier
# Linux (ARM64)
curl -sL --header "PRIVATE-TOKEN: <TOKEN>" \
"https://gitlab.com/api/v4/projects/41561861/packages/generic/frontier-cli/<VERSION>/frontier-linux-arm64" \
-o frontier
# Make executable and install
chmod +x frontier
sudo mv frontier /usr/local/bin/
Windows (PowerShell)
# Replace <VERSION> and <TOKEN>
$headers = @{ "PRIVATE-TOKEN" = "<TOKEN>" }
$url = "https://gitlab.com/api/v4/projects/41561861/packages/generic/frontier-cli/<VERSION>/frontier-windows-amd64.exe"
Invoke-WebRequest -Uri $url -Headers $headers -OutFile frontier.exe
# Move to a directory in your PATH
Move-Item frontier.exe "$env:USERPROFILE\bin\frontier.exe"
# Add to PATH if needed (run once)
[Environment]::SetEnvironmentVariable("Path", "$env:Path;$env:USERPROFILE\bin", "User")
Build from Source
Requires Go 1.21+.
git clone git@gitlab.com:eupraxialabs/frontier-cli.git
cd frontier-cli
# Build for current platform
go build -ldflags "-s -w -X frontier/cmd/version.Version=dev" -o frontier .
# Cross-compile for other platforms
GOOS=linux GOARCH=amd64 go build -o frontier-linux-amd64 .
GOOS=darwin GOARCH=arm64 go build -o frontier-darwin-arm64 .
GOOS=windows GOARCH=amd64 go build -o frontier-windows-amd64.exe .
Verify Installation
frontier version
# Federal Frontier Platform — frontier-cli v5.8.0
Configuration
The CLI requires one environment variable pointing to your FFP API endpoint:
macOS / Linux
export API_SERVER_URL=https://outpostai.vitro.lan
Add to your shell profile (~/.bashrc, ~/.zshrc, or ~/.profile) for persistence.
Windows (PowerShell)
$env:API_SERVER_URL = "https://outpostai.vitro.lan"
# Persist across sessions
[Environment]::SetEnvironmentVariable("API_SERVER_URL", "https://outpostai.vitro.lan", "User")
Windows (Command Prompt)
set API_SERVER_URL=https://outpostai.vitro.lan
:: Persist
setx API_SERVER_URL "https://outpostai.vitro.lan"
Self-Signed TLS Certificates
For environments using self-signed certificates (common in air-gapped deployments):
# macOS / Linux
export FRONTIER_INSECURE=true
# Windows PowerShell
$env:FRONTIER_INSECURE = "true"
Configuration File
On first run, the CLI creates ~/app.env (macOS/Linux) or %USERPROFILE%\app.env (Windows) to store the access token. Token data is also stored in ~/.frontier/token.json.
Authentication
Frontier uses OAuth2/OIDC with PKCE via Keycloak (FAS realm). The login flow is browser-based and works identically on all platforms.
Login
frontier login
This opens your default browser to the Keycloak login page. After authentication:
- Browser redirects to
http://localhost:3333/callback - CLI exchanges the authorization code for access + refresh tokens
- Tokens are stored in
~/app.envand~/.frontier/token.json
$ frontier login
█▒▒▒▒▒▒▒▒▒
███████▒▒▒
███▒▒▒▒▒▒▒
███████▒▒▒
█▒▒▒▒▒▒▒▒▒
█████▒▒▒▒▒
Login Successful
Token Refresh
Tokens are automatically refreshed before expiry on subsequent commands. No manual re-login required unless the refresh token itself expires.
Logout
frontier logout
Clears the stored access token from configuration.
Role Verification
After login, the CLI extracts your role from the JWT. Available commands change based on your role. Run frontier --help to see which commands are available to you.