Thoryn

Developer tools

Manage Thoryn from your terminal.

thoryn is a single-binary CLI for the Thoryn customer plane. Log in once, then create OAuth clients, manage users, and configure federation from a terminal or a CI pipeline. Same OAuth model as the API — no separate keys to rotate.

InstallRead the reference

Install

One command, every platform.

Native binaries built with GraalVM. No JVM, no Node, no Python — just a single executable. Choose your platform.

macOS

brew install thoryn-io/tap/thoryn

Homebrew tap; works on Apple Silicon and Intel.

Linux (apt)

curl -fsSL https://download.thoryn.org/apt/key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/thoryn.gpg
echo "deb [signed-by=/etc/apt/keyrings/thoryn.gpg] https://download.thoryn.org/apt stable main" | sudo tee /etc/apt/sources.list.d/thoryn.list
sudo apt update && sudo apt install thoryn

Debian, Ubuntu, and derivatives.

Linux (rpm)

sudo rpm --import https://download.thoryn.org/rpm/key.gpg
sudo dnf config-manager --add-repo https://download.thoryn.org/rpm/thoryn.repo
sudo dnf install thoryn

Fedora, RHEL, openSUSE, and derivatives.

Windows (Scoop)

scoop bucket add thoryn https://github.com/thoryn-io/scoop-bucket
scoop install thoryn

Scoop bucket. Alternative: winget install Thoryn.Cli.

Direct download

# Download, verify checksum + cosign signature, install
curl -LO https://download.thoryn.org/cli/latest/thoryn-linux-x64
curl -LO https://download.thoryn.org/cli/latest/SHA256SUMS
sha256sum -c --ignore-missing SHA256SUMS
cosign verify-blob --certificate thoryn-linux-x64.pem --signature thoryn-linux-x64.sig thoryn-linux-x64
chmod +x thoryn-linux-x64 && sudo mv thoryn-linux-x64 /usr/local/bin/thoryn

All releases are signed with cosign keyless signatures. Verify before running.

What you can do

The commands you'll reach for.

  • thoryn login

    Authenticate against your tenant. Uses PKCE + loopback redirect by default; falls back to RFC 8628 device-code in headless environments.

  • thoryn clients [list|create|delete]

    Manage OAuth clients in your tenant. Same surface as the customer-plane console, scriptable.

  • thoryn config

    Inspect or set the active hub URL, gateway URL, and refresh-token storage path.

  • thoryn logout

    Clear locally stored credentials. Does not revoke tokens server-side — use the console for that.

How it authenticates

OAuth, all the way down.

thoryn uses the same OAuth 2.0 model as the rest of the customer plane. Default flow is authorization code with PKCE (RFC 7636) and a loopback redirect (RFC 8252) — your default browser handles the login, the CLI captures the code on a localhost port, and the resulting refresh token is stored under XDG-conformant config (~/.config/thoryn/credentials on Linux/macOS, %APPDATA%\thoryn on Windows). For CI pipelines, headless servers, or any environment without a browser, the CLI falls back to RFC 8628 device-code: it prints a verification URL and a short code, polls the hub, and obtains the same scopes once the code is approved.

Full reference in Antora docs

CI / scripting

Headless-friendly by default.

Drive thoryn from CI without an interactive shell. The device-code flow takes a verification code via stdin or env var; once a CI-issued service account approves it once, the resulting refresh token can be cached as a CI secret. Subsequent invocations exchange the refresh token for short-lived access tokens automatically.

# In a GitHub Actions step
- name: Manage Thoryn clients
  env:
    THORYN_REFRESH_TOKEN: ${{ secrets.THORYN_REFRESH_TOKEN }}
  run: |
    thoryn clients create --name "prod-frontend" --redirect-uri https://app.example.com/callback
    thoryn clients list --output json

Source + reference

Pick your level of detail.

Ready to ship?

Install the CLI, run thoryn login, and create your first OAuth client in under five minutes.

Start freeTalk to us