Skip to content

Install & auth

The PandaStack CLI is a Node.js command-line tool published as @pandastack/cli. It authenticates with a psk_ API token, targets the control plane over /v1/* paths, and unwraps the standard { success, data } envelope so you work with plain payloads.

npm package@pandastack/cli
Binary namepanda
Version0.1.17
LicenseMIT
RuntimeNode.js >= 18
Terminal window
npm install -g @pandastack/cli

This installs the panda binary globally.

Standalone binaries are produced with pkg (Node 20 targets):

Build scriptOutputTargets
npm run build:macdist/panda-macosmacos-x64, macos-arm64
npm run build:linuxdist/panda-linuxlinux-x64
npm run build:windist/panda-win.exewin-x64

The CLI authenticates with a psk_ API token. These tokens are org-scoped — the organization is baked into the token — so the CLI never sends an organization_id parameter. Org resolution happens by calling whoami with the token.

Terminal window
panda login

panda login:

  1. Prompts you to paste a token. It must start with psk_.
  2. Saves the token, then calls GET /v1/whoami to resolve your orgId, orgName, and role.
  3. On success, writes the token plus org_id and org_name to the config file.

On a 401, the API client prints Unauthorized and exits — the token is not saved as valid.

Create a token from your dashboard settings page (https://dashboard.pandastack.io/settings).

Terminal window
panda logout

Clears the stored token, org_id, and org_name. It keeps api_url so a custom base URL survives a logout.

Because psk_ tokens are already org-scoped, there is no multi-org switching in the CLI:

  • panda org list shows the single org the current token belongs to.
  • panda org use explains that tokens are per-org — to “switch,” log in with a different org’s token.

Config lives at ~/.panda/config.json.

KeyPurposeDefault
api_urlControl-plane base URLhttps://api2.pandastack.io (override with PANDA_API_URL)
tokenpsk_ API token (org-scoped)none — set by panda login
org_idOrg id resolved from /v1/whoaminone
org_nameOrg name from /v1/whoaminone

requireAuth() needs both token and org_id set before a command that talks to the API will run.

  • The default base URL is https://api2.pandastack.io. Override it per-invocation with the PANDA_API_URL environment variable, or persist it as api_url in the config.

    Terminal window
    PANDA_API_URL=https://api2.pandastack.io panda status
  • Every request uses /v1/... paths (no /api prefix) and sends Authorization: Bearer <psk_ token>.

  • The response interceptor unwraps the { success: true, data: ... } envelope, so commands read the payload directly. List endpoints return { items, total }.

  • Errors follow the standard envelope: { success: false, error: { code, message } }.

Once logged in, confirm everything resolves:

Terminal window
panda status

panda status aggregates whoami, projects, functions, cronjobs, and databases, then prints your org name/id/role/plan, resource counts, and any failed projects. Add --json for raw output.