| name | toolhive-cli-user |
| description | Guide for using ToolHive CLI (thv) to run and manage MCP servers and skills. Use when running, listing, stopping, building, or configuring MCP servers locally. Covers server lifecycle, registry browsing, secrets management, client registration, groups, container builds, exports, permissions, network isolation, authentication, and skill management (install, uninstall, list, info, build, push, validate). NOT for Kubernetes operator usage or ToolHive development/contributing. |
| version | 0.3.0 |
| license | Apache-2.0 |
ToolHive CLI User Guide
Prerequisites
- Container Runtime: Docker, Podman, Colima, or Rancher Desktop (with dockerd/moby)
- ToolHive CLI: Install with
brew install stacklok/tap/thv (macOS/Linux) or winget install stacklok.thv (Windows)
Verify: thv version
Quick Start
thv run filesystem
thv list
thv status filesystem
thv logs filesystem
thv stop filesystem
thv rm filesystem
Running MCP Servers
Five input methods: registry name, container image, protocol scheme (uvx://, npx://, go://), exported config (--from-config), or remote URL.
thv run filesystem
thv run ghcr.io/github/github-mcp-server:latest -- <args>
thv run uvx://mcp-server-git
thv run npx://@modelcontextprotocol/server-filesystem
thv run go://github.com/example/mcp-server
thv run --from-config ./config.json
thv run https://api.example.com/mcp --name my-remote
For all flags, authentication options, and telemetry configuration, see COMMANDS.md.
For detailed usage patterns, see EXAMPLES.md.
Managing Servers
thv list
thv list --all
thv list --format json
thv list --format mcpservers
thv list --group production
thv status filesystem
thv status filesystem --format json
thv stop filesystem github
thv stop --all
thv start filesystem
thv start --all
thv start --group development
thv restart filesystem
thv rm filesystem github
thv rm --all
thv logs filesystem
thv logs filesystem --follow
thv logs filesystem --proxy
thv logs prune
Note: Remote servers trigger fresh OAuth authentication on start.
Registry Operations
thv registry list
thv registry list --format json
thv search github
thv registry info github
Custom registry:
thv config set-registry https://my-registry.example.com
thv config set-registry /path/to/local/registry
thv config get-registry
thv config unset-registry
Group Management
All servers are assigned to default group unless specified.
thv group create development
thv group list
thv run fetch --group development
thv group run kubernetes
thv group rm development
thv group rm development --with-workloads
Each server belongs to one group. To run same server in multiple groups, create uniquely named instances.
Secrets Management
Setup is required before use: thv secret setup (interactive provider selection).
Providers: Encrypted (AES-256-GCM, password in OS keyring) or 1Password (read-only, requires OP_SERVICE_ACCOUNT_TOKEN).
thv secret set MY_API_KEY
echo "value" | thv secret set MY_KEY
thv secret list
thv secret get MY_API_KEY
thv secret delete MY_API_KEY
Using secrets with servers:
thv run github --secret GITHUB_TOKEN,target=GITHUB_PERSONAL_ACCESS_TOKEN
thv run server --secret KEY1,target=ENV1 --secret KEY2,target=ENV2
Client Configuration
thv client status
thv client setup
thv client register claude-code --group development
thv client list-registered
thv client remove
Permissions and Network Isolation
Permission profiles control what a container can access (filesystem, network):
thv run myserver --permission-profile network
thv run myserver --permission-profile none
thv run myserver --permission-profile ./custom.json
Registry servers include a default profile. Without registry info, default is network.
Network isolation restricts outbound traffic to an allowlist via an egress proxy:
thv run myserver --isolate-network
Volume mounts for filesystem access:
thv run filesystem -v /home/user/projects:/workspace:ro
.thvignore hides sensitive files from volume mounts using gitignore-style patterns. Place .thvignore in mounted directories or globally at ~/.config/toolhive/thvignore. Disable global patterns with --ignore-globally=false.
For detailed examples, see EXAMPLES.md.
Building, Export, and Tool Overrides
thv build uvx://mcp-server-git
thv build --tag my-registry/server:v1.0 npx://package
thv build --dry-run --output Dockerfile.mcp uvx://mcp-server-git
thv export my-server ./config.json
thv export my-server ./server.yaml --format k8s
thv run --from-config ./config.json
For tool overrides, see EXAMPLES.md.
Skills Management
Requires thv serve to be running. Skills have two scopes: user (global, default) and project (local to a project root).
thv skill install my-skill
thv skill install ghcr.io/org/skill:v1.0
thv skill install my-skill --clients claude-code
thv skill install my-skill --scope project --project-root .
thv skill install my-skill --group development
thv skill install my-skill --force
thv skill list
thv skill ls --scope user --format json
thv skill ls --client claude-code --group dev
thv skill info my-skill
thv skill info my-skill --format json
thv skill uninstall my-skill
thv skill uninstall my-skill --scope project --project-root .
thv skill validate ./my-skill-dir
thv skill build ./my-skill-dir
thv skill build ./my-skill-dir --tag ghcr.io/org/skill:v1.0
thv skill push ghcr.io/org/skill:v1.0
For all flags and detailed examples, see COMMANDS.md and EXAMPLES.md.
Debugging
thv inspector filesystem
thv mcp list tools --server filesystem
thv mcp list resources --server filesystem
thv mcp list prompts --server filesystem
thv mcp call read_file --server filesystem --args '{"path":"/etc/hosts"}'
thv runtime check
For tool invocation patterns (file args, stdin, JSON output, error handling), see EXAMPLES.md.
Guardrails
- NEVER use
docker rm or podman rm on ToolHive-managed containers -- always use thv rm for proper cleanup.
- NEVER pass secrets as
-e SECRET=value -- use --secret with managed secrets instead.
- Confirm destructive operations (
thv rm --all, thv stop --all, thv group rm --with-workloads) with the user before running.
- Skill commands require
thv serve to be running. If a skill command fails with a connection error, suggest starting thv serve first.
- If the user asks about Kubernetes deployment, this skill does not cover the operator -- direct them accordingly.
Error Handling
| Symptom | Cause | Recovery |
|---|
| Container can't reach localhost | Bridge network isolation | Use host.docker.internal (Docker Desktop), host.containers.internal (Podman), 172.17.0.1 (Linux) |
| Port already in use | Another server on same port | Use --proxy-port <different-port> |
| Permission denied on volume | Mount path or profile issue | Check volume mount paths and permission profiles (--permission-profile) |
| Container runtime not found | No runtime or socket issue | Run thv runtime check; override socket with TOOLHIVE_PODMAN_SOCKET, TOOLHIVE_COLIMA_SOCKET, or TOOLHIVE_DOCKER_SOCKET |
| Secret operation fails | Provider not configured | Run thv secret setup first |
| Image pull fails | Network or auth issue | Check network connectivity; for private registries, ensure credentials are configured |
| Remote auth token expired | OAuth token lifetime exceeded | Restart the server (thv restart) to trigger fresh authentication |
| Sensitive files exposed in mount | No .thvignore configured | Add .thvignore in mounted directory or globally at ~/.config/toolhive/thvignore |
| Skill command fails with connection error | thv serve not running | Start thv serve before using skill commands |
| Skill validation fails | Invalid SKILL.md or directory structure | Run thv skill validate ./path and fix reported errors |
Global Options
--debug: Verbose output-h, --help: Command help
Container runtime auto-detected: Podman -> Colima -> Docker.
See Also
