# Miscellaneous Commands ## Commands #### Keeper Command Reference Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options. To get help on a particular command, run: `help ` | [`this-device`](#this-device-command) | Configure device logout and persistent login preferences (stay logged in). | | --------------------------------------------------------- | ---------------------------------------------------------------------------------------- | | [`login`](#login-command) | login to Keeper | | [`biometric`](#biometric-command) | set up biometric login with passkeys | | [`whoami`](#whoami-command) | information on logged in user | | [`logout`](#logout-command) | logout from Keeper | | [`help`](#help-command) | documentation on a given Commander command | | [`debug`](#debug-command) | display debug logs of commands in console | | [`sync-down`](#sync-down-command) or `d` | download, sync, and decrypt vault | | [`version`](#version-command) or `v` | display Commander version and path information | | [`clear`](#clear-command) or `c` | clear the screen | | [`run-batch`](#run-batch-command) or `run` | Execute commands sequentially from the provided file. | | [`generate`](#generate-command) | Generate a secure password | | [`verify-records`](#verify-records-command) | Verify the integrity of imported records | | [`verify-shared-folders`](#verify-shared-folders-command) | Verify the integrity of records in shared folders | | [`reset-password`](#reset-password-command) | Reset the master password | | [`security-audit-sync`](#security-audit-sync-command) | Calculate and update security data for all user-owned password records (enterprise only) | | [`sleep`](#sleep) | Add delay (in seconds) between batch commands | | [`keeper-fill`](#keeper-fill-command) | Display or manage KeeperFill settings | | [`keep-alive`](#keep-alive-command) | Send a signal to prevent session timeout | | [`2fa`](#2fa-command) | 2FA settings management | | [`login-status`](#login-status-command) | Check the current login status of the user outside of the Keeper shell. | ### this-device command **Command:** `this-device` **Detail:** Set device logout and persistent login preferences **Parameters:** None **Switches:** rename \: Change the name of the device register: Encrypts the user's data key with the device public key in order to utilize persistent login sessions persistent-login \: Turn on or off the "Stay Logged In" setting for your account ip-auto-approve \: Control the IP Address device auto-approval security setting for your account no-yubikey-pin \: Turn on or off the PIN usage on Security Key (Webauthn) devices. timeout: Set inactivity duration before automatic logout. Default unit is minutes (can be set to hours or days by appending "h" or "d", respectively). **Examples:** {% code lineNumbers="true" %} ``` this-device this-device rename "My MacOS CLI" this-device persistent-login ON this-device register this-device ip-auto-approve ON this-device timeout 10 this-device timeout 24h ``` {% endcode %} 1. Display the available options 2. Rename the device that shows up in access logs 3. Enable "Stay Logged In" on the account 4. Register the user's "encrypted data key" with the server, for use in persistent login sessions 5. Enables IP Address auto-approval (applies to master password logins only) 6. Set the inactivity timeout to 10 minutes 7. Set the inactivity timeout to 24 hours *** ### login command **Command:** `login` **Detail:** Login to Keeper **Parameters:** Email address of account to login to **Switches:** -p, --password password of Keeper account You will be prompted to enter the password if it is not provided with the switch **Examples:** ``` login john.doe@keepersecurity.com login jane.doe@keepersecurity.com -p BhR!jeL4*2_zQ ``` 1. Login to John Doe's Keeper account. Will be prompted for password 2. Login to Jane Doe's Keeper account with the given password *** ### biometric command **Command:** `biometric` **Detail:** Manage biometric login with FIDO2 Passkeys on the local device. {% hint style="warning" %} When passkey authentication is activated, it replaces the need for a master password, SSO, and MFA by serving as both the first and second factor of authentication. {% endhint %} ``` My Vault> biometric -h biometric command [--options] Command Description ----------- --------------------------------------------------------- register Add biometric authentication method list List biometric authentication methods unregister Disable biometric authentication for this user verify Verify biometric authentication with existing credentials update-name Update friendly name of a biometric passkey ``` **Sub-commands**
CommandDescription
biometric registerActivate and register biometric authentication with FIDO2 passkey
biometric listList all registered passkeys on your account
biometric update-nameUpdate the friendly name of a passkey credential
biometric unregisterRemove the passkey from the Commander CLI on the local device
biometric verifyTest biometric authentication without logging in. Vault login and vault re-auth test methods available.
**Switches:** `--name` Friendly name for the biometric method (used with `register` command) `--confirm` Skip confirmation prompt (used with `unregister` command) `--purpose` Quick verification of auth and re-auth challenges (used with `verify` command) **Examples:** ``` biometric register biometric register --name "Work Laptop" biometric list biometric verify biometric unregister biometric unregister --confirm biometric update-name ``` *** ### whoami command **Command:** `whoami` **Detail:** Display information about the currently logged in user **Switches:** `-v`, `--verbose` include current datacenter and Commander environment `--json` display the result in JSON format **Examples:** ``` whoami whoami --verbose --json ``` 1. See detailed user information 2. See detailed user information with the current datacenter and environment in JSON format #### **Example Output:** ``` My Vault> whoami --verbose --json { "logged_in": true, "user": "user@company.com", "server": "keepersecurity.com", "data_center": "US", "admin": true, "account_type": "Enterprise", "renewal_date": "Jul 29, 2026", "storage_capacity": "10240GB", "storage_usage": "3%", "storage_renewal_date": "Jul 29, 2026", "breachwatch": true, "reporting_and_alerts": true, "records_count": 811, "shared_folders_count": 40, "teams_count": 6, "enterprise_licenses": [ { "base_plan": "Enterprise", "license_expires": "Jul 29, 2026 (in 223 days)", "user_licenses": { "plan": 2000, "active": 1255, "invited": 638 }, "secure_file_storage": "10TB", "add_ons": [ "KeeperChat", "Advanced Reporting & Alerts Module", "Enterprise BreachWatch", "Compliance Reporting", "Keeper Secrets Manager (KSM)", "Keeper Connection Manager (KCM) (2000 licenses)", "Remote Browser Isolation", "Privileged Access Manager (PAM)" ] } ] } ``` ### logout command **Command:** `logout` **Detail:** Logout of Keeper **Examples:** ``` logout ``` 1. Logout of Keeper *** ### help command **Command:** `help` **Detail:** Display information about a given Commander command or a list of all available commands. **Parameters:** A Commander command to see information for. To see a list of all available commands, leave unspecified. **Examples:** ``` help add help sync-down help ``` 1. See detailed information on add command 2. See detailed information on sync-down command 3. See list of all available commands *** ### debug command **Command:** `debug` **Detail:** Display debug logs of the commands. **Parameters:** * `--file ` - Optional. Specify a file path to save debug logs to a file instead of displaying them in the console. **Examples:** ``` debug debug --file=/path/to/logfile.log ``` 1. Toggles debug logging on/off in the console. When enabled, detailed debug logs will be displayed for all subsequent commands. 2. Enables debug logging to a specified file. All debug information will be written to the file instead of the console. *** ### create-account command **Command:** `create-account` **Details:** Create a Keeper Account. You will be prompted to enter a password for the account, and then a verification email code. **Parameters:** Email address to use for the account. **Examples:** ``` create-account example@keepersecurity.com ``` *** ### sync-down command **Command:** `sync-down` or `d` **Detail:** Download, sync, and decrypt vault **Examples:** ``` sync-down ``` 1. Sync vault 2. Sync vault ### version command **Command:** `version` or `v` **Detail:** Display Commander version and path information **Switches:** -v display information about the underlying SDK, OS, working directory, and configuration file **Examples:** ``` version v -v ``` 1. Show current Commander version 2. Show current Commander version, as well as the SDK version, OS, working directory, and configuration file *** ### clear command **Command:** `clear` or `c` **Detail:** Clear all lines from the screen **Examples:** ``` clear ``` 1. clear all lines from the screen *** ### run-batch command **Command:** `run-batch` or `run` **Detail:** Execute commands sequentially from the provided file. **Switches:** `-d [seconds]` Specify a delay of this number of seconds in between commands. This will help in preventing throttling on the backend. `-q` Quiet mode `-n` or `--dry-run` Preview the commands that will be run without execution. **Examples:** ``` run-batch -d 10 "C:\path\to\commands.txt" run-batch -d 2 "/path/on/linux/to/commands.txt" run-batch --dry-run -d 1 commands.txt ``` *** ### generate command Requires Commander v16.5.10+ **Command:** `generate` **Detail:** Generate a secure password **Switches:** `-cc` or `--clipboard-copy` copy the created password to the clipboard `-nb` or `--no-breachwatch` skip Breachwatch check `-f <{table, json}>` or `--format <{table, json}>` select an output method for the generated password * requires Commander v16.5.11+ `-i ` or `--json-indent ` with json format: * 0 for plain json output * a number greater than 0 to select the indentation for easy to read output * requires Commander v16.5.11+ `-n [NUMBER]` or `--number [NUMBER]` create the given number of passwords `-c [LENGTH]` or `--count [LENGTH]` length of the password `-s [SYMBOLS]` or `--symbols [SYMBOLS]` minimum number of special symbols to include in the password `-d [DIGITS]` or `--digits [DIGITS]` minimum number of digits to include in the password `-u [UPPERCASE]` or `--uppercase [UPPSERCASE]` minimum number of uppercase letters to include in the password `-l [LOWERCASE]` or `--lowercase [LOWERCASE]` minimum number of lowercase letters to include in the password `-dr [DICE_ROLLS]` or `--dice-rolls [DICE_ROLLS]` number of dice rolls **Examples:** ``` generate generate -cc -c 12 -u 2 -s 2 generate --format json -i 0 generate --dice-rolls=6 --number=10 --no-breachwatch ``` 1. Generate a secure password 2. Generate a secure password that is 12 characters longs with at least 2 uppercase letters and 2 symbols and copy the password to the system clipboard 3. Generate a password and show password strength, and Breachwatch result in plain json format 4. Generate 10 diceware passwords of 6 words *** ### generate dice-roll passwords Requires Commander v16.7.6+ **Command:** `generate --dice-rolls` **Detail:** Generate a dice roll secure password consisting of random words **Switches:** `-dr` or `--dice-rolls ` generate a dice roll password, and identify how many words to generate `--word-list `optionally use a file of words to use as a wordlist **Examples:** ``` generate --dice-rolls 6 generate --dice-roll 5 --word-list "words.txt" ``` 1. generate a password of 6 random words 2. generate a password of 5 random words from the given file of words *** ### verify-records command **Command:** `verify-records` **Detail:** Check for record format integrity and perform necessary repairs to record structure. Edge cases are added to this command when issues in the field are reported to Keeper support. **Examples:** ``` verify-records There are 23 record(s) to be corrected Do you want to proceed? [y/n]: y ``` *** ### verify-shared-folders command **Command:** `verify-shared-folders` Parameters Name or UID of shared folder to check. Leave blank to check all **Detail:** Check for records in shared folders that do not have the correct shared data key, then add the correct key where needed **Examples:** ``` verify-shared-folders There are 2 record key(s) to be corrected x4qAxrfilDryCbNCoTqZ8A MyRecord D9QWFSNliXJU86-VI3zyMw Twitter Login Do you want to proceed? [y/n]: ``` *** ### reset-password command **Command:** `reset-password` **Detail:** reset the account's master password Switches: `--delete-sso` deletes SSO master password `--current` the current master password `--new` the new password to set as master password **Examples:** ``` reset-password --current MyOldPassword --new lTo@KjCitMPs+R[16HX ``` {% hint style="info" %} Hint: you can use the generate command to generate a secure password within Commander {% endhint %} *** ### security-audit-sync command **Command:** `security-audit-sync` or `sas` {% hint style="info" %} This command is available only to enterprise administrators {% endhint %} **Detail:** Sync security audit data for enterprise vault(s). Used to correct mis-matching summary security audit scores as seen by the user (in their vault) and by an enterprise administrator (either in the admin console app or via a call to `security-audit-report` in Commander) **Parameters:** Username(s) of vault(s) whose security data are to be synced. Multiple values allowed. Specify`@all` to perform sync for all enterprise vaults. **Switches:** `--soft` Do a "soft" sync of security data. Does not require corresponding vault login. This is the default sync-type. `--medium` Do a "medium" sync of security data. Can sync some data without the corresponding vault login. `--hard` Do a "hard" sync of security data. No data are synced until the corresponding vault login occurs. `-f` or `--force` Perform sync without being prompted for confirmation (non-interactive mode) `-v` or `--verbose` Output a Security Audit report after performing sync **Examples:** ``` security-audit-sync user1@domain.com security-audit-sync --hard user2@domain.com user3@domain.com sas --hard @all sas --verbose --hard user1@domain.com ``` 1. Perform a "soft" sync of security data for vault owned by ** 2. Initiate a "hard" security-data sync for the vaults belonging to ** and ** 3. Initiate a "hard" security-data sync for all vaults in the enterprise 4. Perform a "hard" sync of security-audit data for ** and run a Security Audit report immediately after. Note that, in this scenario, you should expect the resulting report to show all 0s in the affected vault's summary scores (to be updated eventually once the affected owner logs in to their vault). {% hint style="info" %} Hint: If the total password record count shown in a user's vault (in "Security Audit" view) differs from the corresponding value shown in the admin console (also in "Security Audit" view) or the output of Commander's `security-audit-report --show-updated` command, use the `--hard` flag to force a summary security audit score reset/re-calculation to re-align those values. For more on the use of this command to correct mis-aligned security scores, please refer to the ["Security Audit Report Score Re-alignment Process"](https://docs.keeper.io/en/keeperpam/troubleshooting-commander-cli#security-audit-report-score-re-alignment-process) section of our Troubleshooting page. {% endhint %} *** ### sleep command {% hint style="warning" %} This command is deprecated. If your goal is to add delay between commands, please refer to the [`run-batch`](#run-batch-command) command. {% endhint %} **Command**: `sleep` **Detail**: Add delay (in seconds) between batch commands **Switches:** The number of seconds, the delay, to be added between batch commands **Example:** ``` sleep 5 ``` 1. Sleep for 5 seconds *** ### keeper-fill command **Command:** `keeper-fill` **Detail:** Display or manage KeeperFill settings. For example, this allows you to view/change the "Autofill" and "Auto Submit" preferences on a specific Keeper record. ``` keeper-fill command [--options] Command Description --------- ------------------------------------- list Displays KeeperFill settings. set Sets KeeperFill settings. ``` To get help on the command run: ``` My Vault> keeper-fill -h ``` Possible values for "set" command: none, off, on. If set to "none", the behavior of the browser extension is to follow the user preference (in the browser extension general Settings screen). If the value is set to "on" or "off", the browser extension will follow the setting for the record. Example commands: ```shell My Vault> keeper-fill list / --recursive My Vault> keeper-fill set / --recursive --auto-fill=none My Vault> keeper-fill set --auto-submit=off My Vault> keeper-fill set --auto-fill=on ``` *** ### keep-alive command **Command:** `keep-alive` **Detail:** Send a signal to the Keeper server to prevent session timeout during long-running operations or interactive sessions. **Example:** ``` keep-alive ``` 1. Prevent session timeout while performing long operations or during periods of inactivity *** ### 2fa command **Command:** `2fa` **Detail:** Display, add, or delete manage 2FA settings. ``` 2fa command [--options] Command Description --------- ------------------------------ list Displays a list of 2FA methods add Add 2FA method delete Delete 2FA method ``` To get help on the command run: ```bash My Vault> 2fa -h ``` Example commands: ```shell My Vault> 2fa list 2FA authentication expires: Never # Method Channel UID Name Created Phone Number --- ------------ ---------------------- ----------- ------------------- -------------- 1 TOTP scbqsym0rRAWhDFZqfClY 2021-09-20 16:07:01 2 Backup Codes I2KObaAfoQpfDJVjDKNFB Backup Code 2022-02-11 14:18:12 My Vault> 2fa delete scbqsym0rRAWhDFZqfClY My Vault> 2fa add --method=totp --name="Google Authenticator" My Vault> 2fa add --method=key --key-pin --name="Yubikey" ``` ### login-status command **Command:** `login-status` **Detail:** Displays the current login session status of the user based on **Persistent Login.**\ It can be executed outside of the shell, allowing interactive use directly from the system terminal. ```bash login-status --help usage: login-status [-h] Check user login status. ``` Example commands:\ When Persistent Login is **Disabled** ``` user@machine:~/keeper-demo$ keeper login-status Not logged in ``` When Persistent Login is **Enabled** ``` user@machine:~/keeper-demo$ keeper login-status Logged in ```