Skip to main content

Try free on Pangolin Cloud

Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
The Pangolin container includes a CLI tool called pangctl that provides commands to help you manage your Pangolin instance.

Accessing the CLI

Run the following command on the host where the Pangolin container is running: 
docker exec -it pangolin pangctl <command>

Available Commands

To see all available commands: 
docker exec -it pangolin pangctl --help

Set Admin Credentials

Set or reset admin credentials for your Pangolin instance: 
docker exec -it pangolin pangctl set-admin-credentials --email "admin@example.com" --password "Password123!"
Use a strong password and keep your admin credentials secure.

Clear Exit Nodes

Clear all exit nodes from the database: 
docker exec -it pangolin pangctl clear-exit-nodes
This command permanently deletes all exit nodes from the database. This action cannot be undone.

Reset User Security Keys

Reset a user’s security keys (passkeys) by deleting all their webauthn credentials: 
docker exec -it pangolin pangctl reset-user-security-keys --email "user@example.com"
This command permanently deletes all security keys for the specified user. The user will need to re-register their security keys to use passkey authentication again.

Rotate Server Secret

Rotate the server secret by decrypting all encrypted values with the old secret and re-encrypting with a new secret. This command updates OIDC IdP configurations and license keys in the database, as well as the config file. 
docker exec -it pangolin pangctl rotate-server-secret --old-secret "current-secret" --new-secret "new-secret"

Options

  • --old-secret (required): The current server secret (for verification)
  • --new-secret (required): The new server secret to use (must be at least 8 characters long)
  • --force (optional): Force rotation even if the old secret doesn’t match the config file. Use this if you know the old secret is correct but the config file is out of sync.
This command performs a critical operation that affects all encrypted data in your database. Ensure you have a backup before running this command.Important considerations:
  • The new secret must be at least 8 characters long
  • The new secret must be different from the old secret
  • The command verifies the old secret matches the config file (unless --force is used)
  • After rotation, you must restart the server for the new secret to take effect
  • Using --force with an incorrect old secret will cause the rotation to fail or corrupt encrypted data

Clear License Keys

Clear all license keys from the database: 
docker exec -it pangolin pangctl clear-license-keys
This command permanently deletes all license keys from the database. This action cannot be undone.

Delete Client

Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved. 
docker exec -it pangolin pangctl delete-client --orgId "org-123" --niceId "client-identifier"

Options

  • --orgId (required): The organization ID
  • --niceId (required): The client niceId (identifier)
This command permanently deletes the client and its associated data:
  • All OLMs (One-time Login Mechanisms) associated with the client
  • Current fingerprint entries
  • Approval records
  • UserClient associations
Note: Snapshots are preserved and will not be deleted.This action cannot be undone. Ensure you have backups if needed.

Generate Org CA Keys

Generate an SSH CA public/private key pair for an organization and store them in the database. The private key is encrypted with the server secret. 
docker exec -it pangolin pangctl generate-org-ca-keys --orgId "org-123"

Options

  • --orgId (required): The organization ID
  • --secret (optional): Server secret used to encrypt the CA private key. If omitted, the secret is read from the config file (config.yml or config.yaml in the config directory).
  • --force (optional, default: false): Overwrite existing CA keys for the organization if they already exist
If the organization already has CA keys, the command fails unless you pass --force. Using --force overwrites the existing keys; ensure you have a backup or understand the impact before overwriting.