| name | flareauth-restish |
| description | Operate FlareAuth Management APIs with Restish OAuth PKCE login |
| user-invocable | false |
| allowed-tools | ["Bash"] |
FlareAuth Restish - Operational Procedures
Use this skill when an agent needs safe terminal access to a deployed FlareAuth Management API. The default path uses Restish OAuth authorization code with PKCE through the built-in public flareauth-cli client. Do not ask for client secrets, API keys, or copied bearer tokens.
Prerequisites
restish is installed and available on PATH.
FLAREAUTH is the deployed FlareAuth base URL, for example https://auth.example.com.
- The first login can open a browser on the same machine, or the operator can complete the browser login flow.
- The user who authorizes Restish has admin or management permission in that FlareAuth deployment.
- The deployment includes the built-in public native client:
- client id:
flareauth-cli
- no client secret
- PKCE required
- redirect URIs include
http://127.0.0.1:8484/callback and http://localhost:8484/callback
- scopes include
openid offline_access management:read management:write
Session Setup
Set these variables at the start of every session:
export FLAREAUTH="https://auth.example.com"
export FA_API="flareauth"
export FA_MGMT="$FLAREAUTH/api/management"
Confirm the target before any mutation:
printf 'Target FlareAuth: %s\nManagement API: %s\n' "$FLAREAUTH" "$FA_MGMT"
First Run
- Confirm the OpenAPI document is reachable. The Management OpenAPI operation is
getManagementOpenApi.
restish get "$FA_MGMT/openapi.json" -o json >/dev/null
- Configure a named Restish API. Use the FlareAuth base URL or the Management OpenAPI URL when prompted. Select OAuth2 authorization code when Restish asks for auth, use client id
flareauth-cli, leave client secret empty, use redirect URL http://127.0.0.1:8484/callback, and request scopes openid offline_access management:read management:write.
restish api configure "$FA_API"
restish api sync "$FA_API"
- Trigger the OAuth PKCE login with a harmless read. Restish starts a local callback listener on port
8484, opens a browser, exchanges the authorization code, and caches tokens for later commands.
restish get "$FA_MGMT/readiness" -o json
Authorize as an admin or management-capable user. Later commands reuse the cached Restish token and refresh it when possible.
Guardrails
- Print and inspect
$FLAREAUTH and $FA_MGMT before any post, put, patch, or delete.
- Never print raw secrets, bearer tokens,
restish auth-header output, or Restish token cache contents.
- After every write, run the matching
get or list command and verify the returned state.
- Respect
401 and 403. Do not bypass authorization, use another user's session, or inject copied tokens.
- Prefer narrow
patch bodies over broad rewrites.
- Treat
flareauth-cli and any other systemManaged application as protected. Do not update or delete system-managed clients.
- Avoid broad destructive commands. Delete only explicitly named test or operator-approved resources.
Readiness
Operations: getReadiness, getManagementOpenApi.
restish get "$FA_MGMT/readiness" -o json
restish get "$FA_MGMT/openapi.json" -o json >/dev/null
Applications
Operations: listApplications, getApplication, createApplication, updateApplication, deleteApplication, listRedirectUris, replaceRedirectUris.
restish get "$FA_MGMT/applications" -o json
APP_ID="app_123"
restish get "$FA_MGMT/applications/$APP_ID" -o json
restish post "$FA_MGMT/applications" \
'{
"name": "Example Web App",
"clientType": "confidential_web",
"redirectUris": ["https://app.example.com/callback"],
"allowedGrantTypes": ["authorization_code", "refresh_token"],
"allowedScopes": ["openid", "profile", "email", "offline_access"]
}' \
-o json
restish patch "$FA_MGMT/applications/$APP_ID" name:"Example Web App - Production" -o json
restish get "$FA_MGMT/applications/$APP_ID" -o json
restish put "$FA_MGMT/applications/$APP_ID/redirect-uris" \
'{
"redirectUris": [
"https://app.example.com/callback",
"https://app.example.com/oauth/callback"
]
}' \
-o json
restish get "$FA_MGMT/applications/$APP_ID/redirect-uris" -o json
restish delete "$FA_MGMT/applications/$APP_ID"
restish get "$FA_MGMT/applications/$APP_ID" --rsh-ignore-status-code -o json
Before deleting, inspect the application and stop if id, clientId, or slug is flareauth-cli, or if systemManaged is true.
Connectors
Operations: listConnectors, getConnector, listConnectorReadiness, listConnectorTemplates, createConnector, updateConnector, deleteConnector.
restish get "$FA_MGMT/connectors" -o json
restish get "$FA_MGMT/connectors/templates" -o json
CONNECTOR_ID="conn_123"
restish get "$FA_MGMT/connectors/$CONNECTOR_ID/readiness" -o json
restish patch "$FA_MGMT/connectors/$CONNECTOR_ID" '{"enabled": true}' -o json
restish get "$FA_MGMT/connectors/$CONNECTOR_ID" -o json
restish get "$FA_MGMT/connectors/$CONNECTOR_ID/readiness" -o json
Connector secret material may be write-only or masked by the API. Do not print configured secrets or use verbose output around secret-bearing connector updates.
Sign-In Settings
Operations: getSignInSettings, updateSignInSettings.
restish get "$FA_MGMT/sign-in-settings" -o json
restish patch "$FA_MGMT/sign-in-settings" '{"signIn": {"passwordEnabled": true}}' -o json
restish get "$FA_MGMT/sign-in-settings" -o json
Branding Settings
Operations: getBrandingSettings, updateBrandingSettings, uploadBrandingLogo, uploadBrandingFavicon.
restish get "$FA_MGMT/branding-settings" -o json
restish patch "$FA_MGMT/branding-settings" \
'{"copy": {"productName": "Example Auth"}, "branding": {"primaryColor": "#2563eb"}}' \
-o json
restish get "$FA_MGMT/branding-settings" -o json
For logo or favicon uploads, inspect the OpenAPI for the deployed version first and avoid echoing binary data or asset contents into logs.
Account Center Settings
Operations: getAccountCenterSettings, updateAccountCenterSettings.
restish get "$FA_MGMT/account-center-settings" -o json
restish patch "$FA_MGMT/account-center-settings" \
'{"accountCenter": {"profileEditingEnabled": true, "sessionsViewEnabled": true}}' \
-o json
restish get "$FA_MGMT/account-center-settings" -o json
Users
Operations: listUsers, getUser, updateUser, deleteUser, banUser, unbanUser, createUserPasswordResetRequest, listUserSessions, deleteUserSessions.
Prefer read-only user operations unless the task explicitly requires user mutation.
restish get "$FA_MGMT/users" -o json
USER_ID="user_123"
restish get "$FA_MGMT/users/$USER_ID" -o json
restish get "$FA_MGMT/users/$USER_ID/sessions" -o json
restish get "$FA_MGMT/users/$USER_ID/linked-accounts" -o json
restish post "$FA_MGMT/users/$USER_ID/password-reset-requests" redirectTo:"https://app.example.com/reset" -o json
restish get "$FA_MGMT/users/$USER_ID" -o json
Troubleshooting
Restish is missing
command -v restish
Install Restish with the operator-approved package manager for the environment, then restart the shell and rerun restish --help.
OpenAPI discovery is missing
Check the public Management OpenAPI endpoint directly:
restish get "$FA_MGMT/openapi.json" --rsh-ignore-status-code -o json
If it is not available, the deployment may not include the Restish-ready Management OpenAPI changes. Stop and report the missing /api/management/openapi.json; do not fall back to undocumented endpoints for mutations.
Non-admin login
A successful browser login can still return 403 on Management API requests if the user lacks admin or management permission. Stop and ask the operator to authorize with a management-capable user. Do not try alternate clients or copied tokens.
Expired or bad cached token
Clear the Restish auth cache for the named API and rerun a harmless read to trigger PKCE login again:
restish api clear-auth-cache "$FA_API"
restish get "$FA_MGMT/readiness" -o json
Do not inspect or print the token cache.
Missing built-in CLI client
If Restish configuration or token exchange reports an unknown client for flareauth-cli, the deployment has not bootstrapped the built-in public native client. Stop and report that flareauth-cli is missing or misconfigured. Do not create a replacement client with management scopes unless the task explicitly asks for bootstrap repair and the operator confirms the target deployment.
Generated operation commands are unavailable
Restish can expose generated API commands when discovery succeeds. Generic verb commands in this skill remain valid as long as the named API auth profile matches the same base URL. Run restish api sync "$FA_API" and inspect restish --help for generated commands before assuming an operation command is missing.