Reference

CLI reference

Every weave command follows one consistent shape. Learn it once, it works for every module.

Grammar

weave <module> <verb> <noun> [arg] [--flags]

Six universal verbs. Every module implements as many as it makes sense for.

Verb	Meaning	R/W
find	Search by an identifier you have (MAC, email, name)	read
show	Describe one specific entity by canonical ID	read
list	List entities, optionally filtered	read
set	Mutate a property of one entity	write
do	Trigger an action (reset MFA, reboot, archive)	write
watch	Tail real-time state (where supported)	read

weave <module> --help always shows the verbs it supports. weave <module> <verb> --help shows the nouns under each verb.

Top-level

weave [OPTIONS] COMMAND [ARGS]...

Options
  --install-completion   Install completion for the current shell.
  --show-completion      Show completion for the current shell.
  --help                 Show help and exit.

Commands
  setup        Interactive first-run setup (module, secrets, snapshot path).
  init         Alias for weave setup.
  modules      List installed modules and their capabilities.
  doctor       Diagnose weave's environment and module readiness.
  secrets      Inspect required env vars (list, check, backends).
  config       User settings paths (config path).
  enable       Add modules to your enabled set.
  disable      Remove modules from your enabled set.
  enabled      Show modules in your enabled set.
  login        Verify credentials for a module (or all modules).
  whoami       Cross-module identity lookup.
  okta              Okta — users, groups, MFA, lifecycle ops
  github            GitHub — org users, repos, teams, permissions
  pagerduty         PagerDuty — users, schedules, on-call, incidents
  slack             Slack — workspace users, channels, live lookups
  cloudflare        Cloudflare — zones, DNS records, Zero Trust (DNS first)
  meraki            Cisco Meraki — networks, switches, clients
  entra             Microsoft Entra ID — users, groups, sign-ins, lifecycle
  googleworkspace   Google Workspace — users, groups, OUs, lifecycle
  intune            Microsoft Intune — devices, compliance, wipe/retire
  teams             Microsoft Teams — teams, channels, members
  mosyle            Mosyle — Apple MDM devices + commands
  jamf              Jamf Pro — Mac fleet, smart groups, policies
  tailscale         Tailscale — tailnet devices, keys, tags
  onepassword       1Password — Events API audit (sign-ins, item usage)
  vault             HashiCorp Vault — mounts, auth, policies, leases
  datadog           Datadog — monitors, downtimes, users
  fortinet          Fortinet FortiGate — policies, addresses, sessions
  paloalto          Palo Alto NGFW (PAN-OS) — security/NAT rules, services
  unifi             Ubiquiti UniFi — sites, devices, networks, WLANs
  mikrotik          MikroTik RouterOS — interfaces, firewall, NAT, DHCP
  sentry            Sentry — projects, issues, teams, alerts
  aws_iam           AWS IAM — users, roles, groups, policies, access keys
  activedirectory   Active Directory — users, groups, administrative units
  crowdstrike       CrowdStrike Falcon — EDR hosts, detections, prevention
  (plus 61 more — see catalog)

weave setup

write

Interactive onboarding: pick your first module, secrets injection style, and snapshot path. Writes ~/.config/weave/enabled.toml. weave init is an alias.

weave setup [--force] [--yes -m MODULE -b BACKEND]

weave secrets

read

Backend-agnostic credential inspection — no secrets broker bundled. Subcommands: list, check, backends.

weave secrets check
weave secrets backends

weave modules

read

List every installed module, whether its env vars are set, and a one-line capability summary. The Terraform-parallel would be terraform providers list.

weave modules [--json | --format auto|table|json]

weave doctor

read

Diagnose: Python version, weave version, modules loaded, and per-module env-var presence. Returns a non-zero exit code if anything fails. Roughly Terraform's validate.

weave doctor [--json | --format auto|table|json]

weave login

read

Verify credentials are present for one or all modules. Today: env-var presence check. Future (per OAuth module): browser device-code flow. Roughly Terraform's init.

weave login [MODULE]

Arguments
  MODULE   Module to verify; omit to check all installed modules.

weave whoami

read

Take any identifier you have — email, GitHub login, Slack user_id, MAC address, device serial — and ask every installed module that knows how to resolve it. Modules are peers: whoami works the same whether you have one configured or ten. No identity provider is required.

weave whoami IDENTIFIER [OPTIONS]

Arguments
  IDENTIFIER       email / login / user_id / mac / serial / …
                   (kind auto-detected from the value)

Options
  --as TEXT        Force the identifier kind
  --format TEXT    Output: auto (default), table, or json
  --json           Shortcut for --format json

Example flows weave can do today depending on what's installed:

# email → fans out to every module that can resolve an email
$ weave whoami alice@example.com
# works with any subset of: okta, entra, googleworkspace,
#                          github, slack, pagerduty, datadog

# MAC → Meraki finds the human behind the cable. No IdP needed.
$ weave whoami 00:11:22:33:44:55

# GitHub login → just GitHub. Still useful.
$ weave whoami andy-broyles --as login

Live modules

Twenty-four modules with real API wiring. Each is mounted under weave <name>. Run weave <name> --help for the full verb list. The cards below cover each live integration; verb-noun grammar is consistent everywhere, so --help is always the authoritative reference. State-management verbs (snapshot / diff / apply) are called out on the modules that support them.

weave okta

live

Env: OKTA_DOMAIN, OKTA_TOKEN

weave okta find user alice@example.com
weave okta list users --search alice
weave okta show user-groups alice@example.com
weave okta do suspend alice@example.com
weave okta do reset-mfa alice@example.com
weave okta do reset-password alice@example.com

State kinds

weave okta snapshot groups
weave okta diff     groups     # surfaces members added/removed per group
weave okta apply    groups --yes

weave github

live

Env: GITHUB_TOKEN

weave github find user andy-broyles
weave github find repo andy-broyles/weavewhatever
weave github list members my-org --role admin
weave github list repos my-org

weave pagerduty

live

Env: PAGERDUTY_TOKEN

weave pagerduty show oncall
weave pagerduty find user alice@example.com
weave pagerduty list users
weave pagerduty list services
weave pagerduty list incidents --statuses triggered,acknowledged

weave slack

live

Env: SLACK_TOKEN (xoxb-… bot or xoxp-… user)

weave slack find user alice@example.com
weave slack find user U01ABC123
weave slack list users
weave slack list channels
weave slack find channel incidents

weave cloudflare

live

Env: CLOUDFLARE_API_TOKEN

weave cloudflare list zones
weave cloudflare find zone weavewhatever.com
weave cloudflare list dns weavewhatever.com --type A
weave cloudflare find dns-record www.weavewhatever.com

State kinds

weave cloudflare snapshot dns --zone weavewhatever.com
weave cloudflare diff     dns --zone weavewhatever.com
weave cloudflare apply    dns --zone weavewhatever.com --yes

weave entra

live

Env: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET. App-only OAuth2 via Microsoft Graph.

weave entra find user alice@example.com
weave entra list users --search alice
weave entra list signins --user alice@example.com
weave entra do disable alice@example.com
weave entra do revoke-sessions alice@example.com

State kinds

weave entra snapshot groups
weave entra diff     groups
weave entra apply    groups --yes

weave googleworkspace

live

Env: GOOGLE_WORKSPACE_TOKEN (e.g. gcloud auth print-access-token).

weave googleworkspace find user alice@example.com
weave googleworkspace list users --query "isAdmin=true"
weave googleworkspace list ous
weave googleworkspace do suspend alice@example.com
weave googleworkspace do sign-out alice@example.com

State kinds

weave googleworkspace snapshot groups
weave googleworkspace diff     groups
weave googleworkspace apply    groups --yes

weave intune

live

Env: same Azure app credentials as Entra. Graph /deviceManagement.

weave intune find device C02ABC123
weave intune list devices --os macOS
weave intune do sync <deviceId>
weave intune do retire <deviceId>
weave intune do wipe <deviceId> --yes

State kinds

weave intune snapshot configuration-profiles
weave intune diff     configuration-profiles
weave intune apply    configuration-profiles --yes

weave teams

live

Env: Azure app credentials. Graph /teams.

weave teams list teams
weave teams find team "IT Ops"
weave teams list channels <teamId>
weave teams list members <teamId>

State kinds

weave teams snapshot teams
weave teams diff     teams
weave teams apply    teams --yes

weave mosyle

live

Env: MOSYLE_ACCESS_TOKEN. Mosyle Business API.

weave mosyle find device C02ABC123
weave mosyle list devices --os mac
weave mosyle do lock C02ABC123
weave mosyle do wipe C02ABC123 --yes

State kinds

weave mosyle snapshot profiles  # snapshot + diff only; apply
weave mosyle diff     profiles  # surfaces drift, hints to use the
                                # Mosyle dashboard to author changes

weave jamf

live

Env: JAMF_URL, JAMF_CLIENT_ID, JAMF_CLIENT_SECRET. OAuth2 client-credentials.

weave jamf find computer C02ABC123
weave jamf list computers --limit 100
weave jamf list groups
weave jamf do lock <managementId>

State kinds

weave jamf snapshot configuration-profiles
weave jamf diff     configuration-profiles
weave jamf apply    configuration-profiles --yes

weave tailscale

live

Env: TAILSCALE_API_KEY, TAILSCALE_TAILNET.

weave tailscale list devices
weave tailscale find device andy-laptop
weave tailscale do expire-key <deviceId>
weave tailscale do tag <deviceId> tag:server,tag:prod

State kinds

weave tailscale snapshot acl       # full tailnet ACL document
weave tailscale diff     acl       # diff per top-level section
weave tailscale apply    acl --yes

weave onepassword

live

Env: OP_EVENTS_TOKEN (Events API token).

weave onepassword list signin-attempts --hours 24
weave onepassword list item-usages
weave onepassword list audit-events

weave vault

live

Env: VAULT_ADDR, VAULT_TOKEN.

weave vault list mounts
weave vault list auth
weave vault list policies
weave vault show policy admin
weave vault do revoke <leaseId>

State kinds

weave vault snapshot policies      # HCL bodies inlined
weave vault diff     policies
weave vault apply    policies --yes

weave datadog

live

Env: DATADOG_API_KEY, DATADOG_APP_KEY; optional DATADOG_SITE (default: datadoghq.com).

weave datadog list monitors --tag env:prod
weave datadog find monitor "api errors"
weave datadog list downtimes
weave datadog do schedule-downtime env:prod --minutes 60
weave datadog do cancel-downtime <downtimeId>

State kinds

weave datadog snapshot monitors    # git-versioned alerts
weave datadog diff     monitors
weave datadog apply    monitors --yes

weave fortinet

live

Env: FORTIGATE_HOST, FORTIGATE_TOKEN. FortiOS REST API.

weave fortinet list policies
weave fortinet find policy "Allow-Web"
weave fortinet list addresses
weave fortinet list interfaces
weave fortinet list sessions --limit 50

State kinds

weave fortinet snapshot policies     # all IPv4 firewall policies
weave fortinet diff     policies
weave fortinet apply    policies --yes

weave paloalto

live

Env: PANOS_HOST, PANOS_API_KEY. PAN-OS XML API (vsys1).

weave paloalto list security-rules
weave paloalto find security-rule "Allow-DNS"
weave paloalto list addresses
weave paloalto list services
weave paloalto do commit --description "weave change"

State kinds

weave paloalto snapshot security-rules
weave paloalto diff     security-rules
weave paloalto apply    security-rules --yes

weave unifi

live

Env: UNIFI_HOST, UNIFI_USERNAME, UNIFI_PASSWORD; optional UNIFI_SITE (default default).

weave unifi list sites
weave unifi list devices
weave unifi list clients
weave unifi list networks
weave unifi list wlans

State kinds

weave unifi snapshot wlans --site default
weave unifi diff     wlans --site default
weave unifi apply    wlans --site default --yes

weave mikrotik

live

Env: MIKROTIK_HOST, MIKROTIK_USERNAME, MIKROTIK_PASSWORD. RouterOS REST API.

weave mikrotik list interfaces
weave mikrotik list firewall
weave mikrotik list nat
weave mikrotik list leases
weave mikrotik list routes
weave mikrotik find lease 00:11:22:33:44:55

State kinds

weave mikrotik snapshot firewall-filter
weave mikrotik diff     firewall-filter
weave mikrotik apply    firewall-filter --yes

weave sentry

live

Env: SENTRY_TOKEN; optional SENTRY_HOST (default sentry.io).

weave sentry list projects --org my-org
weave sentry find project my-app
weave sentry list issues --org my-org --project my-app
weave sentry find issue PROJECT-1 --org my-org
weave sentry list teams --org my-org
weave sentry do resolve-issue 12345
weave sentry do ignore-issue 12345

State kinds

weave sentry snapshot projects --org my-org
weave sentry diff     projects --org my-org
weave sentry apply    projects --org my-org --yes

weave aws_iam

live

Env: standard AWS credentials — AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional AWS_SESSION_TOKEN, AWS_REGION. boto3 under the hood.

weave aws_iam list users
weave aws_iam find user alice
weave aws_iam list roles
weave aws_iam list policies
weave aws_iam do create-access-key alice
weave aws_iam do delete-access-key alice AKIAIOSFODNN7EXAMPLE --yes

State kinds

weave aws_iam snapshot policies      # all customer-managed policies
weave aws_iam diff     policies
weave aws_iam apply    policies --yes

weave activedirectory

live

Env: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET. AD/Entra-synced directory via Microsoft Graph.

weave activedirectory find user alice@example.com
weave activedirectory list users --search alice
weave activedirectory list groups
weave activedirectory show group "IT-Admins"
weave activedirectory do disable-user alice@example.com

State kinds

weave activedirectory snapshot group-memberships --group "IT-Admins"
weave activedirectory diff     group-memberships --group "IT-Admins"
weave activedirectory apply    group-memberships --group "IT-Admins" --yes

weave crowdstrike

live

Env: FALCON_CLIENT_ID, FALCON_CLIENT_SECRET; optional FALCON_CLOUD (default api.crowdstrike.com). OAuth2.

weave crowdstrike list hosts
weave crowdstrike find host SERIAL123
weave crowdstrike list detections --severity high
weave crowdstrike do contain <deviceId>
weave crowdstrike do lift-containment <deviceId>

State kinds

weave crowdstrike snapshot prevention-policies
weave crowdstrike diff     prevention-policies
weave crowdstrike apply    prevention-policies --yes

meraki

Live operations against the Cisco Meraki dashboard. Reads MERAKI_API_KEY from the environment.

weave meraki find client

read

Locate a client across every org you have access to. Today the identifier is a MAC address. Returns the network, device, switch port, VLAN, IP, and current status.

weave meraki find client IDENTIFIER [OPTIONS]

Arguments
  IDENTIFIER         MAC address (00:11:22:33:44:55)

Options
  --org TEXT         Limit search to one organization ID
  --format TEXT      Output: auto (default), table, or json
  --json             Shortcut for --format json

Scans the first 8 organizations and 32 networks per org by default to keep response time tight.

weave meraki set port

write

Update an individual switch port's VLAN, description, and admin state in one call.

weave meraki set port SERIAL PORT [OPTIONS]

Arguments
  SERIAL                    Switch serial (e.g. SW-ABC123)
  PORT                      Port number (e.g. 12)

Options
  --vlan INTEGER            VLAN ID  [required]
  --desc TEXT               Port description (sets the port name)
  --enabled / --disabled    Admin state  [default: --enabled]
  --format TEXT             Output: auto (default), table, or json
  --json                    Shortcut for --format json

weave meraki snapshot / diff / apply

state

Round-trip Meraki config through a YAML file in your repo. Today we support two kinds — bulk-edit ports or VLANs and apply the diff back to the dashboard. See the state docs for the full model and the YAML schema.

weave meraki snapshot ports --network "Main Office"
weave meraki diff     ports --network "Main Office"
weave meraki apply    ports --network "Main Office" --yes

weave meraki snapshot vlans --network "Main Office"
weave meraki diff     vlans --network "Main Office"
weave meraki apply    vlans --network "Main Office" --yes

Full catalog

All 87 modules ship with manifests, Typer apps, and --help. Depth varies — reference integrations (Okta, Meraki, Slack, …) have full API wiring; thinner modules expose list/find and inventory state first. See each module page for commands and state kinds. Sample namespaces:

weave auth0

Auth0 (CIAM)

weave jumpcloud

JumpCloud

weave onelogin

OneLogin

weave keycloak

Keycloak (self-hosted OIDC)

weave duo

Duo Security (MFA)

weave freeipa

FreeIPA

weave pingone

PingOne

weave ldap

Generic LDAP

weave kandji

Kandji (Apple MDM)

weave workspaceone

VMware Workspace ONE

weave hexnode

Hexnode MDM

weave sentinelone

SentinelOne

weave defender

Defender for Endpoint

weave sophos

Sophos Central

weave trendmicro

Trend Micro Vision One

weave tenable

Tenable.io

weave checkpoint

Check Point

weave wazuh

Wazuh (open-source SIEM)

weave junos

Juniper Junos

weave cisco_iosxe

Cisco IOS XE

weave cisco_nxos

Cisco NX-OS

weave aruba

Aruba AOS-CX

weave f5

F5 BIG-IP

weave extreme

Extreme Networks

weave netbox

NetBox (DCIM / IPAM)

weave twingate

Twingate (zero-trust)

weave route53

AWS Route 53

weave proxmox

Proxmox VE

weave vsphere

VMware vSphere

weave opsgenie

Opsgenie (on-call)

weave discord

Discord

weave zoom

Zoom

weave statuspage

Statuspage

weave gitlab

GitLab

weave bitbucket

Bitbucket

weave jira

Atlassian Jira

weave linear

Linear

weave newrelic

New Relic

weave grafana

Grafana

weave splunk

Splunk

weave honeycomb

Honeycomb

weave doppler

Doppler

weave infisical

Infisical

weave snowflake

Snowflake

weave launchdarkly

LaunchDarkly

weave stripe

Stripe

weave hubspot

HubSpot

weave zendesk

Zendesk

Output format

Every command is smart about output. If stdout is a TTY you get a Rich table. If stdout is piped (to jq, tee, a file) you get JSON.

# interactive: pretty table
$ weave modules

# piped: JSON for scripting
$ weave modules | jq '.[] | .module'

# force either way
$ weave modules --format table | less -R
$ WEAVE_OUTPUT=json weave modules

WEAVE_OUTPUT env var overrides auto-detection globally (handy for CI). --format / --json override per-command.

Exit codes

Code	Meaning
0	Success
1	Runtime error (missing env var, bad API response)
2	Bad usage / missing argument