Miscellaneous Commands
Helpful commands for miscellaneous functionality.
Commands
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Configure device logout and persistent login preferences (stay logged in).
login to Keeper
set up biometric login with passkeys
information on logged in user
logout from Leeper
documentation on a given Commander command
display debug logs of commands in console
sync-down or d
download, sync, and decrypt vault
version or v
display Commander version and path information
clear or c
clear the screen
run-batch or run
Execute commands sequentially from the provided file.
Generate a secure password
Verify the integrity of imported records
Verify the integrity of records in shared folders
Reset the master password
Calculate and update security data for all user-owned password records (enterprise only)
Add delay (in seconds) between batch commands
Display or manage KeeperFill settings
Send a signal to prevent session timeout
2FA settings management
Check the current login status of the user outside of the Keeper shell.
this-device command
Command: this-device
Detail: Set device logout and persistent login preferences
Parameters:
None
Switches:
rename <Name of Device>: Change the name of the device
register: Encrypts the user's data key with the device public key in order to utilize persistent login sessions
persistent-login <ON|OFF>: Turn on or off the "Stay Logged In" setting for your account
ip-auto-approve <ON|OFF>: Control the IP Address device auto-approval security setting for your account
no-yubikey-pin <ON|OFF>: Turn on or off the PIN usage on Security Key (Webauthn) devices.
timeout: Set inactivity duration before automatic logout. Default unit is minutes (can be set to hours or days by appending "h" or "d", respectively).
Examples:
this-device
this-device rename "My MacOS CLI"
this-device persistent-login ON
this-device register
this-device ip-auto-approve ON
this-device timeout 10
this-device timeout 24hDisplay the available options
Rename the device that shows up in access logs
Enable "Stay Logged In" on the account
Register the user's "encrypted data key" with the server, for use in persistent login sessions
Enables IP Address auto-approval (applies to master password logins only)
Set the inactivity timeout to 10 minutes
Set the inactivity timeout to 24 hours
login command
Command: login
Detail: Login to Keeper
Parameters:
Email address of account to login to
Switches:
-p, --password password of Keeper account
You will be prompted to enter the password if it is not provided with the switch
Examples:
login [email protected]
login [email protected] -p BhR!jeL4*2_zQLogin to John Doe's Keeper account. Will be prompted for password
Login to Jane Doe's Keeper account with the given password
biometric command
Command: biometric
Detail: Manage biometric login with FIDO2 Passkeys on the local device.
When passkey authentication is activated, it replaces the need for a master password, SSO, and MFA by serving as both the first and second factor of authentication.
My Vault> biometric -h
biometric command [--options]
Command Description
----------- ---------------------------------------------------------
register Add biometric authentication method
list List biometric authentication methods
unregister Disable biometric authentication for this user
verify Verify biometric authentication with existing credentials
update-name Update friendly name of a biometric passkey
Sub-commands
biometric register
Activate and register biometric authentication with FIDO2 passkey
biometric list
List all registered passkeys on your account
biometric update-name
Update the friendly name of a passkey credential
biometric unregister
Remove the passkey from the Commander CLI on the local device
biometric verify
Test biometric authentication without logging in. Vault login and vault re-auth test methods available.
Switches:
--name Friendly name for the biometric method (used with register command)
--confirm Skip confirmation prompt (used with unregister command)
--purpose Quick verification of auth and re-auth challenges (used with verify command)
Examples:
biometric register
biometric register --name "Work Laptop"
biometric list
biometric verify
biometric unregister
biometric unregister --confirm
biometric update-namewhoami command
Command: whoami
Detail: Display information about the currently logged in user
Switches:
-v, --verbose include current datacenter and Commander environment
--json display the result in JSON format
Examples:
whoami
whoami --verbose --jsonSee detailed user information
See detailed user information with the current datacenter and environment in JSON format
Example Output:
My Vault> whoami --verbose --json
{
"logged_in": true,
"user": "[email protected]",
"server": "keepersecurity.com",
"data_center": "US",
"admin": true,
"account_type": "Enterprise",
"renewal_date": "Jul 29, 2026",
"storage_capacity": "10240GB",
"storage_usage": "3%",
"storage_renewal_date": "Jul 29, 2026",
"breachwatch": true,
"reporting_and_alerts": true,
"records_count": 811,
"shared_folders_count": 40,
"teams_count": 6,
"enterprise_licenses": [
{
"base_plan": "Enterprise",
"license_expires": "Jul 29, 2026 (in 223 days)",
"user_licenses": {
"plan": 2000,
"active": 1255,
"invited": 638
},
"secure_file_storage": "10TB",
"add_ons": [
"KeeperChat",
"Advanced Reporting & Alerts Module",
"Enterprise BreachWatch",
"Compliance Reporting",
"Keeper Secrets Manager (KSM)",
"Keeper Connection Manager (KCM) (2000 licenses)",
"Remote Browser Isolation",
"Privileged Access Manager (PAM)"
]
}
]
}logout command
Command: logout
Detail: Logout of Keeper
Examples:
logoutLogout of Keeper
help command
Command: help
Detail: Display information about a given Commander command or a list of all available commands.
Parameters:
A Commander command to see information for. To see a list of all available commands, leave unspecified.
Examples:
help add
help sync-down
helpSee detailed information on add command
See detailed information on sync-down command
See list of all available commands
debug command
Command: debug
Detail: Display debug logs of the commands.
Parameters:
--file <file_path>- Optional. Specify a file path to save debug logs to a file instead of displaying them in the console.
Examples:
debug
debug --file=/path/to/logfile.logToggles debug logging on/off in the console. When enabled, detailed debug logs will be displayed for all subsequent commands.
Enables debug logging to a specified file. All debug information will be written to the file instead of the console.
create-account command
Command: create-account
Details: Create a Keeper Account. You will be prompted to enter a password for the account, and then a verification email code.
Parameters:
Email address to use for the account.
Examples:
create-account [email protected]sync-down command
Command: sync-down or d
Detail: Download, sync, and decrypt vault
Examples:
sync-downSync vault
Sync vault
version command
Command: version or v
Detail: Display Commander version and path information
Switches:
-v display information about the underlying SDK, OS, working directory, and configuration file
Examples:
version
v -vShow current Commander version
Show current Commander version, as well as the SDK version, OS, working directory, and configuration file
clear command
Command: clear or c
Detail: Clear all lines from the screen
Examples:
clearclear all lines from the screen
run-batch command
Command: run-batch or run
Detail: Execute commands sequentially from the provided file.
Switches:
-d [seconds] Specify a delay of this number of seconds in between commands. This will help in preventing throttling on the backend.
-q Quiet mode
-n or --dry-run Preview the commands that will be run without execution.
Examples:
run-batch -d 10 "C:\path\to\commands.txt"
run-batch -d 2 "/path/on/linux/to/commands.txt"
run-batch --dry-run -d 1 commands.txtgenerate command
Requires Commander v16.5.10+
Command: generate
Detail: Generate a secure password
Switches:
-cc or --clipboard-copy copy the created password to the clipboard
-nb or --no-breachwatch skip Breachwatch check
-f <{table, json}> or --format <{table, json}> select an output method for the generated password
requires Commander v16.5.11+
-i <NUMBER> or --json-indent <NUMBER> with json format:
0 for plain json output
a number greater than 0 to select the indentation for easy to read output
requires Commander v16.5.11+
-n [NUMBER] or --number [NUMBER] create the given number of passwords
-c [LENGTH] or --count [LENGTH] length of the password
-s [SYMBOLS] or --symbols [SYMBOLS] minimum number of special symbols to include in the password
-d [DIGITS] or --digits [DIGITS] minimum number of digits to include in the password
-u [UPPERCASE] or --uppercase [UPPSERCASE] minimum number of uppercase letters to include in the password
-l [LOWERCASE] or --lowercase [LOWERCASE] minimum number of lowercase letters to include in the password
-dr [DICE_ROLLS] or --dice-rolls [DICE_ROLLS] number of dice rolls
Examples:
generate
generate -cc -c 12 -u 2 -s 2
generate --format json -i 0
generate --dice-rolls=6 --number=10 --no-breachwatchGenerate a secure password
Generate a secure password that is 12 characters longs with at least 2 uppercase letters and 2 symbols and copy the password to the system clipboard
Generate a password and show password strength, and Breachwatch result in plain json format
Generate 10 diceware passwords of 6 words
generate dice-roll passwords
Requires Commander v16.7.6+
Command: generate --dice-rolls
Detail: Generate a dice roll secure password consisting of random words
Switches:
-dr or --dice-rolls <NUMBER OF WORDS TO GENERATE> generate a dice roll password, and identify how many words to generate
--word-list <WORD LIST FILENAME>optionally use a file of words to use as a wordlist
Examples:
generate --dice-rolls 6
generate --dice-roll 5 --word-list "words.txt"generate a password of 6 random words
generate a password of 5 random words from the given file of words
verify-records command
Command: verify-records
Detail: Check for record format integrity and perform necessary repairs to record structure. Edge cases are added to this command when issues in the field are reported to Keeper support.
Examples:
verify-records
There are 23 record(s) to be corrected
Do you want to proceed? [y/n]: yverify-shared-folders command
Command: verify-shared-folders
Parameters
Name or UID of shared folder to check. Leave blank to check all
Detail: Check for records in shared folders that do not have the correct shared data key, then add the correct key where needed
Examples:
verify-shared-folders
There are 2 record key(s) to be corrected
x4qAxrfilDryCbNCoTqZ8A MyRecord
D9QWFSNliXJU86-VI3zyMw Twitter Login
Do you want to proceed? [y/n]:reset-password command
Command: reset-password
Detail: reset the account's master password
Switches:
--delete-sso deletes SSO master password
--current the current master password
--new the new password to set as master password
Examples:
reset-password --current MyOldPassword --new lTo@KjCitMPs+R[16HXsecurity-audit-sync command
Command: security-audit-sync or sas
Detail: Sync security audit data for enterprise vault(s). Used to correct mis-matching summary security audit scores as seen by the user (in their vault) and by an enterprise administrator (either in the admin console app or via a call to security-audit-report in Commander)
Parameters:
Username(s) of vault(s) whose security data are to be synced. Multiple values allowed. Specify@all to perform sync for all enterprise vaults.
Switches:
--soft Do a "soft" sync of security data. Does not require corresponding vault login. This is the default sync-type.
--medium Do a "medium" sync of security data. Can sync some data without the corresponding vault login.
--hard Do a "hard" sync of security data. No data are synced until the corresponding vault login occurs.
-f or --force Perform sync without being prompted for confirmation (non-interactive mode)
-v or --verbose Output a Security Audit report after performing sync
Examples:
security-audit-sync [email protected]
security-audit-sync --hard [email protected] [email protected]
sas --hard @all
sas --verbose --hard [email protected]Perform a "soft" sync of security data for vault owned by [email protected]
Initiate a "hard" security-data sync for the vaults belonging to [email protected] and [email protected]
Initiate a "hard" security-data sync for all vaults in the enterprise
Perform a "hard" sync of security-audit data for [email protected] and run a Security Audit report immediately after. Note that, in this scenario, you should expect the resulting report to show all 0s in the affected vault's summary scores (to be updated eventually once the affected owner logs in to their vault).
sleep command
This command is deprecated. If your goal is to add delay between commands, please refer to the run-batch command.
Command: sleep
Detail: Add delay (in seconds) between batch commands
Switches:
The number of seconds, the delay, to be added between batch commands
Example:
sleep 5Sleep for 5 seconds
keeper-fill command
Command: keeper-fill
Detail: Display or manage KeeperFill settings. For example, this allows you to view/change the "Autofill" and "Auto Submit" preferences on a specific Keeper record.
keeper-fill command [--options]
Command Description
--------- -------------------------------------
list Displays KeeperFill settings.
set Sets KeeperFill settings.To get help on the command run:
My Vault> keeper-fill <command> -hPossible values for "set" command: none, off, on.
If set to "none", the behavior of the browser extension is to follow the user preference (in the browser extension general Settings screen). If the value is set to "on" or "off", the browser extension will follow the setting for the record.
Example commands:
My Vault> keeper-fill list / --recursive
My Vault> keeper-fill set / --recursive --auto-fill=none
My Vault> keeper-fill set <RECORD_UID> --auto-submit=off
My Vault> keeper-fill set <RECORD_UID> --auto-fill=onkeep-alive command
Command: keep-alive
Detail: Send a signal to the Keeper server to prevent session timeout during long-running operations or interactive sessions.
Example:
keep-alivePrevent session timeout while performing long operations or during periods of inactivity
2fa command
Command: 2fa
Detail: Display, add, or delete manage 2FA settings.
2fa command [--options]
Command Description
--------- ------------------------------
list Displays a list of 2FA methods
add Add 2FA method
delete Delete 2FA methodTo get help on the command run:
My Vault> 2fa <command> -hExample commands:
My Vault> 2fa list
2FA authentication expires: Never
# Method Channel UID Name Created Phone Number
--- ------------ ---------------------- ----------- ------------------- --------------
1 TOTP scbqsym0rRAWhDFZqfClY 2021-09-20 16:07:01
2 Backup Codes I2KObaAfoQpfDJVjDKNFB Backup Code 2022-02-11 14:18:12
My Vault> 2fa delete scbqsym0rRAWhDFZqfClY
My Vault> 2fa add --method=totp --name="Google Authenticator"
My Vault> 2fa add --method=key --key-pin --name="Yubikey"login-status command
Command: login-status
Detail: Displays the current login session status of the user based on Persistent Login. It can be executed outside of the shell, allowing interactive use directly from the system terminal.
login-status --help
usage: login-status [-h]
Check user login status.Example commands: When Persistent Login is Disabled
user@machine:~/keeper-demo$ keeper login-status
Not logged inWhen Persistent Login is Enabled
user@machine:~/keeper-demo$ keeper login-status
Logged inLast updated
Was this helpful?