# inrok CLI configuration

The CLI is deliberately low-config: one JSON file written by `inrok login`,
one optional environment variable, and a self-contained state directory.

## Config file

`inrok login` saves credentials to:

```
~/.inrok/config.json        (directory 0700, file 0600)
```

```json
{
  "apiBaseUrl": "https://app.inrok.in",
  "apiKey": "inrok_…"
}
```

Don't edit this by hand — re-run `inrok login` to change it, or `inrok logout`
to remove it. `inrok logout` also wipes the device identity (see below), so the
next login starts clean.

## Environment variables

| Variable           | Effect                                                                                                                                                         |
| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `INROK_CONFIG_DIR` | Overrides the `~/.inrok` directory entirely (config file **and** device state live under it). Useful for CI, containers, or running two accounts side by side. |

There is no `INROK_API_KEY` environment variable — pass a key explicitly with
`inrok login --key`.

## Login flags

```sh
inrok login --key inrok_…                 # skip the interactive prompt
inrok login --api-url https://app.inrok.in # point at a different API host
```

`--api-url` defaults to `https://app.inrok.in` (the dashboard host that serves
`/api/v1`). You only need it for self-hosted or staging setups.

## Device state

The first `inrok http` (or any host command) transparently enrolls this machine
with inrok's tunneling fabric. That state lives under `~/.inrok/` and is owned
and managed entirely by inrok — don't edit it by hand. It is account-bound:
`inrok logout` removes it, and the CLI automatically repairs it if it goes
stale (you'll see "re-enrolling and retrying" once, then your tunnel comes up).

## Foreground model and signals

The host command (`http`) runs in the foreground and streams request logs
until interrupted:

- **Ctrl-C / SIGTERM** — stops serving gracefully (the public name stays
  reserved for your account; re-running re-binds the same URL).
- `inrok stop <name>` — releases the reservation entirely.

To run a tunnel unattended, use your platform's service manager (systemd,
launchd, NSSM) or a terminal multiplexer; the process is safe to supervise and
restart — the same `--name` always re-binds the same URL.

## Updates

```sh
inrok update          # download + verify + replace the binary in place
inrok update --check  # only report whether a newer version exists
```

After any command, the CLI may print a one-line nudge if a newer release
exists; the check runs at most once every 24 hours and never blocks or fails a
command.

## Exit codes

`0` on success; non-zero on any error, with a single human-readable message on
stderr (see [Troubleshooting](https://inrok.in/docs/cli/troubleshooting.md)
for the catalogue).