superglue CLI () — Agent Reference
CRITICAL RULES — READ FIRST
Pre-requisites for using the CLI
- Check CLI exists: Run . If it fails with , install it:
npm install -g @superglue/cli
- Check superglue CLI config exists: Run . If it fails with or auth errors, the CLI needs configuration via (see below).
Calling systems and running tools
- ALWAYS make sure you pull the relevant system context using before calling system endpoints and running inline JSON tools or building new tools.
- Use to do a targeted keyword search of system docs if you're unsure about how a system works.
Authentication & Credentials:
- Auth headers MUST be set explicitly — credentials are NEVER auto-injected into requests or tool steps
- Every request step (in tools AND ) must include the appropriate auth header using
<<systemId_credentialKey>>
- OAuth systems also require explicit headers — only token refresh is automatic
Saving Tools:
- Don't save a tool without explicit user confirmation — always ask "Should I save this tool?" first
- After + , present results to the user and wait for approval
- Only run
sg tool save --draft <id>
Credentials in Non-Interactive Environments (AI Agents, CI):
- Pass ALL credentials (including secrets) directly via JSON — do NOT use (it requires an interactive TTY which agents don't have)
- Ask the user to provide secret values, then pass them in
--credentials '{"api_key":"sk-xxx"}'
Installation & Setup
Installing the CLI
bash
npm install -g @superglue/cli
After installation, the
command is available globally.
Initialization (REQUIRED before first use)
The CLI
will not work until configured with an API key. The endpoint defaults to
https://api.superglue.cloud
if not specified.
Option A: Interactive setup (recommended for humans)
This prompts for:
- API Key (required) — get one at https://app.superglue.cloud/admin?view=api-keys
- API Endpoint — defaults to
https://api.superglue.cloud
- Web Endpoint — for OAuth callbacks, auto-derived from API endpoint
- Output mode — (default) or
- Config location — project-local () or global ()
It verifies the connection before saving. On success it creates the config file, a
directory, and updates
if using local config.
Option B: Environment variables (recommended for CI and AI agents)
If
is not practical (non-interactive environments, CI, AI agents), set these env vars instead:
bash
export SUPERGLUE_API_KEY="your-api-key"
export SUPERGLUE_API_ENDPOINT="https://api.superglue.cloud" # optional, this is the default
With these set, all
commands work without a config file.
Option C: CLI flags (per-command override)
bash
sg system list --api-key "your-key" --endpoint "https://api.superglue.cloud"
Config Resolution Order
CLI flags > environment variables > config file (local
> global
).
Verifying Setup
After configuring, verify the connection works:
bash
sg system list # should return a list (possibly empty) without errors
Quick Start
bash
sg system list
sg tool build --config '{"id":"...","instruction":"...","steps":[...]}'
sg tool run --draft <draftId>
sg tool save --draft <draftId>
Global Flags
| Flag | Description |
|---|
| Force JSON output (auto-enabled in non-TTY) |
| Override API key |
| Override API endpoint |
Command Reference
Interactive setup — API key, endpoint, output mode. Creates
.
Tool Commands
— Register a tool config. Returns a
. Not AI-powered — you provide the full config.
bash
sg tool build --config '{"id":"...","steps":[...]}' # inline JSON
sg tool build --id my-tool --instruction "..." --steps steps.json --payload '{"key":"val"}'
sg tool build --config tool.json # from file
|
| Full JSON config (file path or inline JSON string) |
|
| Tool ID (kebab-case) |
|
| Human-readable description |
|
| JSON file with steps array |
|
| Sample payload |
|
| Attach file reference |
— Execute a draft or saved tool. Streams live execution logs to the terminal.
bash
sg tool run --draft <draftId> --payload '{"userId":"123"}'
sg tool run --tool my-tool --payload-file payload.json
|
/
| Draft ID or saved tool ID |
|
/
| Payload |
|
| Include raw step results |
|
| Include full tool config |
— Apply JSON Patch (RFC 6902) operations.
bash
sg tool edit --draft <draftId> --patches '[{"op":"replace","path":"/steps/0/config/url","value":"..."}]'
sg tool edit --tool my-tool --patches patches.json
|
| JSON Patch array (inline or file) |
— Persist draft to database. Deletes draft file on success.
bash
sg tool save --draft <draftId>
bash
sg tool list # all non-archived tools
sg tool find "shopify orders" # search (compact results)
sg tool find --id my-tool # exact ID lookup (full config)
System Commands
Required flags:
- — Human-readable display name
- — API base URL (auto-filled when using )
Optional:
- — System ID (lowercase, underscores only, no hyphens). Derived from if omitted.
- — Pre-configured template (auto-fills name and url if not provided)
Example with credentials (non-interactive — use this in AI agent / CI contexts):
bash
sg system create --name "My API" --url https://api.example.com \
--credentials '{"api_key":"sk-xxx"}'
With template:
bash
sg system create --name "Slack" --template slack
Full flag reference:
| Flag | Description |
|---|
| Human-readable name — REQUIRED |
| System ID (lowercase, underscores only) — derived from name if omitted |
| API base URL — REQUIRED (auto-filled by ) |
| Template ID (stripe, shopify, slack, etc.) |
| Credentials JSON (use for ALL creds in non-interactive mode) |
--sensitive-credentials <fields>
| Comma-separated fields for masked input (TTY only — do NOT use in AI agents) |
| Documentation URL to scrape |
| OpenAPI spec URL |
| Environment: or (default: prod) |
— Update system config or credentials. Supports
.
/ — List or search systems.
supports
.
—
CRITICAL for tool building. Make authenticated calls to APIs, databases, and file servers. Use this to:
- Explore API endpoints and response structures
- Verify field names and data shapes BEFORE building tools
bash
# POST request with auth and body
sg system call --url https://api.example.com/users \
--system-id my_api \
--method POST \
--headers '{"Authorization":"Bearer <<my_api_access_token>>"}' \
--body '{"name":"test"}'
# Database query (Postgres)
sg system call --url "postgres://<<my_db_host>>:5432/mydb" \
--system-id my_db \
--body '{"query":"SELECT * FROM users LIMIT 5"}'
# File server (SFTP)
sg system call --url "sftp://<<my_sftp_host>>:22/data" \
--system-id my_sftp \
--body '{"operation":"list","path":"/"}'
| Flag | Description |
|---|
| Full URL with protocol (http/https/postgres/sftp/ftp/smb) |
| System ID for credential injection |
| HTTP method (GET, POST, PUT, DELETE, PATCH) |
| HTTP headers JSON with credential placeholders |
| Request body (JSON string) |
| Environment: or |
| File references (repeatable) |
— Search system documentation.
bash
sg system search-docs --system-id slack -k "send message channels"
— Authenticate via OAuth.
bash
sg system oauth --system-id gmail --scopes "https://www.googleapis.com/auth/gmail.readonly"
sg system oauth --system-id my_api --grant-type client_credentials --scopes "read write"
|
| Required |
|
| Space-separated OAuth scopes (required) |
|
|
(default) or
|
Run Commands
— List execution runs. Filter by
,
,
,
.
— Get run details.
to include data.
Tool Configuration — Full Schema
json
{
"id": "kebab-case-tool-name",
"instruction": "Brief human-readable description of what this tool does",
"steps": [
{
"id": "unique-step-id",
"config": {
"systemId": "example_system",
"url": "https://api.example.com/endpoint?param=<<payload_field>>",
"method": "GET",
"headers": {
"Authorization": "Bearer <<example_system_access_token>>"
},
"queryParams": { "limit": "10" },
"body": "{ \"key\": \"<<payload_field>>\" }"
},
"dataSelector": "(sourceData) => sourceData.previousStep.data.items",
"failureBehavior": "fail"
}
],
"outputTransform": "(sourceData) => sourceData.stepId.data",
"outputSchema": { "type": "object", "properties": {} },
"inputSchema": { "type": "object", "properties": {} }
}
Step Config Fields (Request Steps)
| Field | Type | Description |
|---|
| string | (default, can be omitted) |
| string | System whose credentials to use |
| string | Full URL with placeholders |
| string | HTTP method |
| object | HTTP headers with credential placeholders |
| object | URL query parameters |
| string | Request body (JSON string with placeholders) |
| object | Auto-pagination config (see below) |
Step Config Fields (Transform Steps)
| Field | Type | Description |
|---|
| string | — REQUIRED for transform steps |
| string | JS function: (sourceData) => transformedData
|
Step Behavior Fields
| Field | Type | Description |
|---|
| string | JS function controlling step input and loop mode |
| string | (default) or |
Credential Placeholders
System credentials are namespaced as
<<systemId_credentialKey>>
and resolved server-side at execution time.
You MUST explicitly reference them in headers.Auth Header Patterns
json
{"Authorization": "Bearer <<stripe_api_key>>"}
{"Authorization": "Bearer <<gmail_access_token>>"}
{"X-API-Key": "<<my_api_api_key>>"}
{"Authorization": "Basic <<my_api_username>>:<<my_api_password>>"}
Basic auth is auto-encoded: if the value after
isn't already base64, the engine encodes it automatically.
Credential Lifecycle
- Non-sensitive creds (, , etc.) are stored via
- Sensitive creds (, ) — in non-interactive mode (AI agents, CI), pass via JSON. In interactive TTY, use for masked input, or set env vars.
- OAuth tokens (, ) are auto-refreshed before each step execution
Variables and Data Flow
Variable Syntax
All step config fields support
placeholders:
| Syntax | Resolves to |
|---|
| Payload field or credential |
| System credential |
| JavaScript expression |
CRITICAL: Simple
only works for
top-level keys. No dots, no nesting.
- VALID: , ,
- INVALID: , — these FAIL at runtime
For nested access, use arrow functions:
<<(sourceData) => sourceData.currentItem.id>>
sourceData Object
is the cumulative state available to all JS expressions (data selectors, transforms, variable expressions):
javascript
sourceData = {
// Payload fields at ROOT level (NEVER use sourceData.payload.*)
userId: "123",
date: "2024-01-15",
// Previous step results, keyed by step ID
// Object-selector step:
getUsers: { currentItem: {}, data: { users: [...] }, success: true },
// Array-selector (loop) step:
fetchDetails: [
{ currentItem: "id1", data: { name: "Alice" }, success: true },
{ currentItem: "id2", data: { name: "Bob" }, success: true },
],
// Current loop item (only set inside a looping step's config)
currentItem: { id: 1 },
// Credentials (flattened, namespaced)
systemId_access_token: "...",
systemId_api_key: "..."
}
Step Result Envelope
Every step result is wrapped in an envelope — you MUST account for this.
Object selector (or no selector) — step runs once:
javascript
sourceData.stepId = { currentItem: <selectorOutput>, data: <apiResponse>, success: true }
// Access the API response:
sourceData.stepId.data
sourceData.stepId.data.users
Array selector — step loops, result is an array of envelopes:
javascript
sourceData.stepId = [
{ currentItem: <item1>, data: <response1>, success: true },
{ currentItem: <item2>, data: <response2>, success: true },
...
]
Data Selectors
Control what a step receives as input and whether it loops:
| Return type | Behavior |
|---|
| Single object | Step runs once with that object |
| Array | Step runs once per item (loop mode) |
| / | Step receives full sourceData |
In loop mode,
is set to the current array element.
Empty arrays are valid — the step simply skips execution.
Two Step Types
Request step (HTTP, Postgres, FTP/SFTP/SMB) — makes an API call:
json
{
"id": "get-users",
"config": {
"type": "request",
"systemId": "my_api",
"url": "https://api.example.com/users",
"method": "GET",
"headers": { "Authorization": "Bearer <<my_api_access_token>>" }
}
}
Transform step — pure JavaScript, no API call. Use when a subsequent request step needs reshaped data:
json
{
"id": "format-data",
"config": {
"type": "transform",
"transformCode": "(sourceData) => sourceData.getUsers.data.map(u => ({ id: u.id, name: u.fullName }))"
}
}
Transform steps do NOT have:
,
,
,
,
,
, or
. The
function receives
(same object available everywhere) and its return value becomes
in the step envelope.
When to use each:
| Need | Use |
|---|
| Filter/reshape data for a SUBSEQUENT request step | Transform step () |
| Shape the final tool output | (runs after all steps, has a slightly different schema than transform only steps) |
| Select input / control looping for a step | on the step |
| Inline data computation in URL/body/headers | expressions |
Execution Pipeline
For each step in order:
- Build :
{ ...originalPayload, ...previousStepResults, ...credentials }
- Run → determines single vs loop execution
- For each item: merge into , resolve variables, execute step
- Request step: makes the HTTP/DB/FTP call, raw response becomes
- Transform step: runs
transformCode(sourceData)
- Wrap result:
{ currentItem, data, success }
- After all steps: run
outputTransform(sourceData)
HTTP API Patterns
Pagination
json
{
"pagination": {
"type": "offset|cursor|page",
"pageSize": 100,
"cursorPath": "$.nextPageToken",
"stopCondition": "(response) => !response.hasMore"
}
}
| Type | How it works |
|---|
| Increments param by each page |
| Extracts next cursor from , sends as query param |
| Increments query param |
All types stop when
returns true, response is empty, or max pages reached.
Systems
Credential Model
- — all credentials passed as JSON via
- — interactive masked prompt for secrets (TTY only, NOT for AI agents or CI)
- For AI agents / non-interactive use: pass ALL credentials (including secrets like api_key, client_secret) directly via
--credentials '{"api_key":"..."}'
- For human interactive use: use for masked input of secrets
Templates
Templates auto-populate endpoints and OAuth config. Use
to discover available templates.
Preconfigured OAuth (no user client_id/secret needed): slack, salesforce, asana, notion, airtable, jira, confluence
OAuth Flow
sg system create --name "Gmail" --url https://gmail.googleapis.com --credentials '{"auth_url":"...","token_url":"..."}' --sensitive-credentials client_id,client_secret
sg system oauth --system-id gmail --scopes "..."
- User authenticates in browser → tokens saved automatically
System IDs
- Lowercase letters, numbers, underscores only — no hyphens
- Used for credential namespacing:
Debugging Failed Tools
Debug Workflow
- Run with to see raw step responses
- Check each step's field — is the API returning what you expect?
- Verify credential placeholders match
sg system find --id <systemId>
- Test API calls directly with — isolate whether the issue is auth, endpoint, or transform
Deploying Tools to Production
After building and saving a tool, integrate it into your application:
REST API (Any Language)
bash
# Run a tool
curl -X POST "https://api.superglue.cloud/v1/tools/{toolId}/run" \
-H "Authorization: Bearer $SUPERGLUE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"inputs": {"userId": "123"}}'
# Webhook trigger (async, fire-and-forget)
curl -X POST "https://api.superglue.cloud/v1/hooks/{toolId}?token=$SUPERGLUE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"userId": "123"}'
TypeScript SDK
typescript
import { configure, runTool } from "@superglue/client";
configure({ apiKey: process.env.SUPERGLUE_API_KEY!, baseUrl: "https://api.superglue.cloud/v1" });
const response = await runTool("my-tool-id", { inputs: { userId: "123" } });
// response.data is a Run object: { runId, toolId, status, data, error, metadata }
Python SDK
python
import os
from superglue_client import AuthenticatedClient
from superglue_client.api.tools import run_tool
from superglue_client.models.run_request import RunRequest
from superglue_client.models.run_request_inputs import RunRequestInputs
client = AuthenticatedClient(base_url="https://api.superglue.cloud/v1", token=os.environ["SUPERGLUE_API_KEY"])
with client as c:
result = run_tool.sync("my-tool-id", client=c, body=RunRequest(inputs=RunRequestInputs.from_dict({"userId": "123"})))
Reference Files
For detailed documentation on specific topics, read these files in the
directory:
| File | When to read |
|---|
references/integration.md
| READ THIS when deploying tools to production - SDK usage, REST API, webhooks, error handling |
| Building tools that query PostgreSQL/MySQL databases |
references/file-servers.md
| Building tools that interact with FTP/SFTP/SMB file servers |
references/transforms-and-output.md
| Complex data transformations, output shaping, JS sandbox constraints |
Important: When the user asks about integrating superglue into their codebase, deploying tools, using the SDK, or calling tools from code, you MUST read
references/integration.md
for complete examples.
Draft Management
Drafts live in
.superglue/drafts/<draftId>.json
. Created by
, updated by
, deleted by
. Ephemeral — not persisted across sessions.
File References
Attach files with
. Reference in payloads with
. Auto-parsed to JSON.
bash
sg tool run --draft <id> --payload '{"data": "file::mysheet"}' --file mysheet=data.xlsx