Official command-line interface for Retyc - send transfers and manage datarooms directly from your terminal.
Retyc is a European sovereign file-sharing platform with end-to-end post-quantum encryption. Data stays in Europe, GDPR-compliant by design.
retyc-cli lets you integrate Retyc transfers and datarooms into your scripts, pipelines and workflows - no browser required.
Download the binary for your platform from the latest release.
go install -tags prod github.com/retyc/retyc-cli@latestgit clone https://github.com/retyc/retyc-cli.git
cd retyc-cli
go build -tags prod -ldflags "-X github.com/retyc/retyc-cli/cmd.Version=$(git describe --tags --always)" -o retyc .# Docker Hub
docker pull retyc/retyc-cli:latest
# GitHub Container Registry
docker pull ghcr.io/retyc/retyc-cli:latest# 1. Authenticate (opens a browser tab, no password stored)
retyc auth login
# 2. Send a file
retyc transfer create report.pdf
# 3. List your transfers
retyc transfer ls
# 4. Download a transfer
retyc transfer download <transfer-id>| Command | Description |
|---|---|
retyc auth login |
Authenticate via OIDC device flow |
retyc auth login --offline |
Authenticate and print an offline token for CI/CD use |
retyc auth status |
Check authentication status (silently refreshes token) |
retyc auth logout |
Sign out |
| Command | Description |
|---|---|
retyc transfer create <file> |
Create and send a new transfer (--generate-passphrase to auto-generate a secure passphrase) |
retyc transfer info <id> |
Get transfer details |
retyc transfer ls |
List sent and received transfers |
retyc transfer download <id> |
Download a transfer |
retyc transfer enable <id> |
Enable a transfer |
retyc transfer disable <id> |
Disable a transfer |
Datarooms are persistent, end-to-end encrypted shared spaces for files and folders.
All paths use the retyc://dataroom-id/path URI scheme.
Glob patterns (*, ?, [...]) are supported in remote paths.
| Command | Description |
|---|---|
retyc dataroom ls |
List all your datarooms |
retyc dataroom ls retyc://<id>[/path] |
List nodes at a path (supports globs) |
retyc dataroom create --title <title> |
Create a new dataroom |
retyc dataroom info <id> |
Show dataroom details, stats and members |
retyc dataroom cp <local…> retyc://<id>/<dest> |
Upload files or directories |
retyc dataroom cp retyc://<id>/<path> <local-dir> |
Download a file |
retyc dataroom mv retyc://<id>/<src> retyc://<id>/<dst> |
Rename or move a node |
retyc dataroom rm retyc://<id> |
Delete the entire dataroom |
retyc dataroom rm retyc://<id>/<path> |
Delete a node (supports globs) |
retyc dataroom mkdir retyc://<id>/<path> |
Create a folder |
retyc dataroom user add <id> <email> [--role viewer|editor|admin] |
Add a member |
retyc dataroom user rm <id> <user-id> |
Remove a member |
# Create a dataroom (title is required)
retyc dataroom create --title "Project Alpha"
# Upload a release directory
retyc dataroom cp ./dist/ retyc://019d3de3-.../releases/
# List contents
retyc dataroom ls retyc://019d3de3-.../releases/
# Download a specific file
retyc dataroom cp retyc://019d3de3-.../releases/binary ./
# Download all PDFs from a folder
retyc dataroom cp retyc://019d3de3-.../docs/*.pdf ./local/
# Delete all log files
retyc dataroom rm retyc://019d3de3-.../*.log
# Delete the entire dataroom
retyc dataroom rm retyc://019d3de3-...
# Add a collaborator
retyc dataroom user add 019d3de3-... alice@example.com --role editorConfig and tokens are persisted in a named volume. The -it flags are required for interactive prompts (device flow, passphrase).
# Authenticate
docker run -it --rm -v retyc-config:/home/retyc/.config/retyc retyc/retyc-cli:latest auth login
# Send / list / download (mount current directory for file access)
docker run -it --rm \
-v retyc-config:/home/retyc/.config/retyc \
-v "$(pwd)":/data \
retyc/retyc-cli:latest transfer create /data/report.pdfTip:
alias retyc='docker run -it --rm -v retyc-config:/home/retyc/.config/retyc -v "$(pwd)":/data retyc/retyc-cli:latest'
Note: kernel keyring caching is not available in Docker (blocked by the default seccomp profile). The passphrase will be prompted on each invocation.
retyc-cli can run fully non-interactively for authentication and key-unlock flows in pipelines. Set the following environment variables to avoid credential and key passphrase prompts:
| Variable | Description |
|---|---|
RETYC_TOKEN |
Offline refresh token used instead of reading credentials from disk |
RETYC_KEY_PASSPHRASE |
Passphrase for your AGE private key, used instead of an interactive passphrase prompt |
Note: Other interactive prompts (for example, transfer confirmation unless you pass
-y) may still appear and must be disabled using the appropriate CLI flags when running in CI.
# Authenticate and print an offline token
retyc auth login --offlineCopy the printed token and store it as a secret in your CI provider alongside your key passphrase.
export RETYC_TOKEN=<offline_token>
export RETYC_KEY_PASSPHRASE=<key_passphrase>
# Send build artifacts
retyc transfer create -y --title "Release v1.2.3" ./dist/app.tar.gz
# Download a transfer
retyc transfer download -y <transfer-id>The offline token is a long-lived refresh token. At each invocation the CLI exchanges it for a short-lived access token — nothing is written to disk.
Credentials and config are stored in a platform-specific directory:
| Build | Config directory |
|---|---|
Production (-tags prod) |
~/.config/retyc/ (XDG Base Dir) |
| Development (default) | .retyc/ in the current directory |
Override at any time:
export RETYC_CONFIG_DIR=/path/to/config| Variable | Description |
|---|---|
RETYC_CONFIG_DIR |
Override the config directory |
RETYC_TOKEN |
Offline refresh token (bypasses disk credentials — see CI / CD) |
RETYC_KEY_PASSPHRASE |
AGE key passphrase (bypasses interactive prompt — see CI / CD) |
Create config.yaml to override defaults:
api:
base_url: https://api.retyc.com| Flag | Short | Description |
|---|---|---|
--config <file> |
Use a specific config file | |
--insecure |
-k |
Skip TLS certificate verification |
--debug |
Enable debug mode |
- Authentication: OIDC device flow - no password ever stored locally
- File data + metadata: end to end encrypted with AGE post-quantum hybrid keys
- Private key caching (Linux only): the decrypted AGE identity is stored in the kernel session keyring and is never written to disk. It is scoped to the current terminal session, isolated from other users and sessions, and uses a sliding TTL (default: 60 seconds). Each access refreshes the expiration timer.
- Transport: TLS enforced by default
| Feature | Status |
|---|---|
| Create | ✅ |
| Info | ✅ |
| List (inbox / sent) | ✅ |
| Download | ✅ |
| Enable/Disable | ✅ |
| Feature | Status |
|---|---|
| Create / Info / List | ✅ |
| User management (add / remove + rekey) | ✅ |
| Upload (files + recursive directories) | ✅ |
| Download (single file + glob) | ✅ |
| Move / Rename | ✅ |
| Delete (single + glob) | ✅ |
| Create folder | ✅ |
| Versioning (promote / manage) | 🔜 |
| Feature | Status |
|---|---|
| Get data | ✅ |
| Get quota | ✅ |
| Feature | Status |
|---|---|
| User management (invitations, roles) | 🔜 |
# Run in dev mode
go run . --help
# Run tests
go test -race ./...
# Production build
go build -tags prod -ldflags "-X github.com/retyc/retyc-cli/cmd.Version=v0.1.0" -o retyc .MIT - © Retyc / TripleStack SAS