Skip to main content
The Declaw CLI lets you create and manage sandboxes, run commands, transfer files, build templates, and sandbox MCP servers — all from your terminal.

Install

Verify the installation: 
declaw version

Authentication

Sign up at console.declaw.ai, copy your API key from the dashboard, and run: 
declaw auth login
You’ll be prompted to enter your API key (input is hidden). The CLI validates it against the API and saves it to ~/.declaw/config.json. You can also pass it directly: 
declaw auth login --api-key <your-key>

declaw auth status    # check who you're logged in as
declaw auth logout    # remove stored credentials

Configuration

The CLI resolves credentials in this order (highest priority first):
PrioritySource
1--api-key and --domain flags
2DECLAW_API_KEY, DECLAW_DOMAIN, and DECLAW_API_URL environment variables
3~/.declaw/config.json (written by declaw auth login)
The config file location can be overridden with the DECLAW_CONFIG_DIR environment variable.

Config file format

{
  "api_key": "your-api-key",
  "domain": "api.declaw.ai",
  "api_url": "",
  "default_template": "",
  "default_timeout": 0
}
Only api_key is required. The other fields are optional overrides — api_url sets a full base URL (useful for on-prem deployments), default_template and default_timeout override the defaults for sandbox create.

Global flags

These flags are available on every command:
FlagDescription
--api-keyAPI key (overrides env var and config file)
--domainAPI domain (overrides env var and config file)
--jsonOutput as JSON (for scripting)

Commands

declaw mcp

Wrap any stdio-based MCP server in a sandboxed microVM. Key flags include --network-allow for outbound host allowlisting and --env for credential forwarding. See the MCP Sandboxing page for full documentation. 
declaw mcp [flags] -- <command> [args...]

declaw sandbox

Create, inspect, and manage sandboxes. 
declaw sandbox create    # create a new sandbox
declaw sandbox list      # list active sandboxes
declaw sandbox info      # show sandbox details
declaw sandbox kill      # destroy a sandbox
declaw sandbox pause     # pause a sandbox
declaw sandbox resume    # resume a paused sandbox
declaw sandbox exec      # run a command in a sandbox
declaw sandbox connect   # open an interactive shell (PTY)
declaw sandbox files ls     # list files in a directory
declaw sandbox files read   # download a file from sandbox
declaw sandbox files write  # upload a file to sandbox
Alias: declaw sb

declaw template

Build and manage sandbox templates. 
declaw template list     # list available templates
declaw template build    # build a template from a Dockerfile
declaw template info     # show template details
declaw template delete   # delete a template
Alias: declaw tpl

declaw template build

Build a custom template when the built-in mcp-server, python, node, or base templates don’t have the dependencies you need: 
declaw template build --dockerfile Dockerfile

declaw volume

Create and manage persistent volumes that can be attached to sandboxes. 
declaw volume create     # create a named volume (optionally from a .tar.gz)
declaw volume list       # list volumes
declaw volume get        # show volume details
declaw volume delete     # delete a volume
Alias: declaw vol

declaw account

View account information and manage API keys. 
declaw account info      # show account details and tier
declaw account usage     # show usage statistics
declaw account api-keys list      # list API keys
declaw account api-keys create    # create a new API key
declaw account api-keys revoke    # revoke an API key

declaw auth

Manage authentication credentials. 
declaw auth login        # save an API key
declaw auth logout       # remove stored credentials
declaw auth status       # show current auth status

declaw version

Print CLI version, git commit, and build date. 
declaw version
declaw version --json    # machine-readable output

Next steps