protonag-inofficial/Proton-Pass

Fork 0

Table of Contents

Proton Pass CLI Cheat Sheet

Top-Level Commands
vault — Vault Operations
item — Item Operations

List & View
Create — login
Create — note
Create — credit-card
Create — wifi
Create — custom
Create — identity
Create — ssh-key
Update
Delete
Move
Share
Trash & Untrash
TOTP
Attachment Download
Alias Create
Member Management

invite — Invite Operations
password — Password Utilities
personal-access-token — PAT Operations
totp — TOTP Utilities
share — Share Operations
user — User Operations
ssh-agent — SSH Agent Operations
settings — Persistent Settings

Proton Pass CLI Cheat Sheet

Quick reference for all pass-cli commands. For installation and initial setup, see Install.

After installing, authenticate once with pass-cli login (opens a browser). Subsequent commands reuse the stored session. For non-interactive / CI use, create a personal access token instead.

Top-Level Commands

Command	Description
`pass-cli login`	Log in to Proton Pass (defaults to web login)
`pass-cli logout`	Log out of the current session
`pass-cli test`	Test if an authenticated connection can be established
`pass-cli info`	Show information about the current session
`pass-cli inject`	Read a template file containing `{{ secret.ref }}` placeholders and write it out with real secret values substituted
`pass-cli run`	Execute a command with Proton Pass secrets exposed as environment variables (secrets never touch disk)
`pass-cli update`	Check for and install updates
`pass-cli support`	Contact support

`vault` — Vault Operations

Command	Description
`pass-cli vault list`	List all vaults
`pass-cli vault create`	Create a new vault
`pass-cli vault update`	Update a vault
`pass-cli vault delete`	Delete a vault
`pass-cli vault share <EMAIL>`	Share a vault with someone by email
`pass-cli vault transfer <MEMBER_SHARE_ID>`	Transfer vault ownership to another member (irreversible unless the new owner transfers back)
`pass-cli vault member list`	List vault members
`pass-cli vault member update`	Update a vault member's role
`pass-cli vault member remove`	Remove a vault member

`item` — Item Operations

List & View

pass-cli item list [VAULT_NAME] \
  [--share-id <SHARE_ID>] \
  [--filter-type note|login|alias|credit-card|identity|ssh-key|wifi|custom] \
  [--filter-state active|trashed] \
  [--sort-by alphabetic-asc|alphabetic-desc|created-asc|created-desc] \
  [--output human|json]

pass-cli item view [URI] \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>] \
  [--field <FIELD>] \
  [--output human|json]

Create — `login`

pass-cli item create login \
  --vault-name "My Vault" \
  --title "Example Login" \
  --email "user@example.com" \
  --username "myuser" \
  --password "s3cr3t" \
  --url "https://example.com"   # repeatable for multiple URLs

# Password alternatives (mutually exclusive with --password):
  --generate-password[="length,uppercase,symbols"]   # e.g. "20,true,true"
  --generate-passphrase[=<WORD_COUNT>]

# Template workflow:
  --get-template                 # print a JSON template to stdout
  --from-template <FILE>|-       # create from a JSON template file (or stdin)

Create — `note`

pass-cli item create note \
  --vault-name "My Vault" \
  --title "My Note" \
  --note "Note content here"

# Template:  --get-template / --from-template <FILE>|-

Create — `credit-card`

pass-cli item create credit-card \
  --vault-name "My Vault" \
  --title "Visa Gold" \
  --cardholder-name "John Doe" \
  --number "4111111111111111" \
  --cvv "123" \
  --expiration-date "2027-12" \
  --pin "0000" \
  --note "Optional note"

# Template:  --get-template / --from-template <FILE>|-

Create — `wifi`

pass-cli item create wifi \
  --vault-name "My Vault" \
  --title "Home WiFi" \
  --ssid "MyNetwork" \
  --password "wifipassword" \
  --security wpa2 \           # wpa | wpa2 | wpa3 | wep | open | none
  --note "Optional note"

# Template:  --get-template / --from-template <FILE>|-

Create — `custom`

Custom items are template-driven only. Available field types: text, hidden, totp, timestamp.

# 1. Get the template
pass-cli item create custom --get-template > custom.json

# 2. Edit custom.json, then create
pass-cli item create custom \
  --vault-name "My Vault" \
  --from-template custom.json

Create — `identity`

Identity items are template-driven only.

# 1. Get the template
pass-cli item create identity --get-template > identity.json

# 2. Edit identity.json fields (full_name, email, phone_number, first_name,
#    middle_name, last_name, birthdate, gender, organization, street_address,
#    zip_or_postal_code, city, state_or_province, country_or_region, floor,
#    county, social_security_number, passport_number, license_number,
#    website, x_handle, second_phone_number, linkedin, reddit, facebook,
#    yahoo, instagram, company, job_title, personal_website,
#    work_phone_number, work_email), then create
pass-cli item create identity \
  --vault-name "My Vault" \
  --from-template identity.json

Create — `ssh-key`

# Import an existing private key
pass-cli item create ssh-key import \
  --vault-name "My Vault" \
  --title "My SSH Key" \
  --from-private-key ~/.ssh/id_ed25519 \
  [--password]                  # prompt for a passphrase to protect the key

# Generate a new key pair
pass-cli item create ssh-key generate \
  --vault-name "My Vault" \
  --title "Generated Key" \
  --key-type ed25519 \          # ed25519 (default) | rsa2048 | rsa4096
  --comment "work laptop" \
  [--password]

Update

pass-cli item update \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>] \
  --field field_name=field_value   # repeatable for multiple fields

Delete

pass-cli item delete \
  --share-id <SHARE_ID> \
  --item-id <ITEM_ID>

Move

pass-cli item move \
  [--from-share-id <FROM_SHARE_ID>] \
  [--from-vault-name <FROM_VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>] \
  [--to-share-id <TO_SHARE_ID>] \
  [--to-vault-name <TO_VAULT_NAME>]

pass-cli item share <EMAIL> \
  --share-id <SHARE_ID> \
  --item-id <ITEM_ID> \
  [--role viewer|editor|manager]   # default: viewer

Trash & Untrash

pass-cli item trash \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>]

pass-cli item untrash \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>]

TOTP

pass-cli item totp [URI] \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--item-id <ITEM_ID>] \
  [--item-title <ITEM_TITLE>] \
  [--field <FIELD>] \
  [--output human|json]

Attachment Download

pass-cli item attachment download \
  --share-id <SHARE_ID> \
  --item-id <ITEM_ID> \
  --attachment-id <ATTACHMENT_ID> \
  --output <OUTPUT_PATH>

Alias Create

pass-cli item alias create \
  --prefix <PREFIX> \
  [--share-id <SHARE_ID>] \
  [--vault-name <VAULT_NAME>] \
  [--output human|json]

The resulting alias email is <prefix>.<suffix> (suffix assigned by SimpleLogin).

Member Management

pass-cli item member list \
  --share-id <SHARE_ID> \
  --item-id <ITEM_ID> \
  [--output human|json]

pass-cli item member update \
  --share-id <SHARE_ID> \
  --member-share-id <MEMBER_SHARE_ID> \
  --role viewer|editor|manager

pass-cli item member remove \
  --share-id <SHARE_ID> \
  --member-share-id <MEMBER_SHARE_ID>

`invite` — Invite Operations

Command	Description
`pass-cli invite list`	List pending invites
`pass-cli invite accept`	Accept an invite
`pass-cli invite reject`	Reject an invite

`password` — Password Utilities

Command	Description
`pass-cli password generate`	Generate a password
`pass-cli password score`	Evaluate the strength of a given password and display a score

`personal-access-token` — PAT Operations

Command	Description
`pass-cli personal-access-token create`	Create a new personal access token
`pass-cli personal-access-token list`	List all personal access tokens
`pass-cli personal-access-token delete`	Delete a personal access token
`pass-cli personal-access-token renew`	Renew a personal access token
`pass-cli personal-access-token access grant`	Grant a PAT access to a specific vault or item
`pass-cli personal-access-token access revoke`	Revoke a PAT's access to a vault or item
`pass-cli personal-access-token access list-access`	List all vaults and items a PAT can access

`totp` — TOTP Utilities

Command	Description
`pass-cli totp generate`	Generate a TOTP token from a raw secret or `otpauth://` URI (without needing a stored item)

`share` — Share Operations

Command	Description
`pass-cli share list`	List available shares

`user` — User Operations

Command	Description
`pass-cli user info`	Show info about the current user

`ssh-agent` — SSH Agent Operations

Command	Description
`pass-cli ssh-agent start`	Start a Proton Pass SSH agent
`pass-cli ssh-agent load`	Load SSH keys stored in Proton Pass into the system SSH agent for immediate use
`pass-cli ssh-agent debug`	Inspect SSH key items and report why each one can or cannot be used
`pass-cli ssh-agent daemon start`	Start the SSH agent as a background daemon
`pass-cli ssh-agent daemon status`	Show the status of the SSH agent daemon
`pass-cli ssh-agent daemon stop`	Stop the SSH agent daemon

`settings` — Persistent Settings

Command	Description
`pass-cli settings view`	View all current settings
`pass-cli settings set`	Set a setting value
`pass-cli settings unset`	Unset (clear) a setting

Proton Pass CLI Cheat Sheet

Top-Level Commands

vault — Vault Operations

item — Item Operations

List & View

Create — login

Create — note

Create — credit-card

Create — wifi

Create — custom

Create — identity

Create — ssh-key