onecli run wraps a coding agent process with OneCLI gateway access. Your agent’s HTTPS traffic routes through the gateway, which injects stored credentials automatically. The agent never sees raw API keys or OAuth tokens.

Supported agents

| Agent | Command |
| --- | --- |
| Claude Code | onecli run -- claude |
| Cursor | onecli run -- cursor |
| Codex | onecli run -- codex |
| Hermes | onecli run -- hermes |
| OpenCode | onecli run -- opencode |

Any command works after --. The agents listed above also get an auto-installed skill file that teaches them how to use the gateway.

Setup

  1. Start OneCLI

docker run --pull always -p 10254:10254 -p 10255:10255 -v onecli-data:/app/data ghcr.io/onecli/onecli

  2. Install the CLI

curl -fsSL onecli.sh/cli/install | sh
onecli auth login --api-key oc_...
Get your API key from the dashboard at localhost:10254.

  3. Launch your agent

onecli run -- claude
You’ll see "onecli: gateway connected. Starting claude..." and your agent starts with the gateway configured.

What onecli run does

When you run onecli run -- claude, the CLI:
  1. Fetches gateway configuration from the OneCLI server
  2. Writes the gateway CA certificate to ~/.onecli/gateway-ca.pem
  3. Fetches your configured secrets and generates a dynamic skill file at ~/.claude/skills/onecli-gateway/SKILL.md listing your actual services
  4. Injects HTTPS_PROXY, CA trust variables, ONECLI_AGENT_NAME, and ONECLI_URL into the child process
  5. Hands over terminal control to the agent
The skill file is regenerated on every launch, so it always reflects your current secret configuration. Standard HTTP clients (curl, fetch, requests, axios, Go net/http, git) pick up the proxy settings automatically.
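
The steps above can be checked from inside the child process. The script below is an added example, not OneCLI code: it reads an env listing and reports missing injected variables, a gateway CA that no trust variable points at, a CA file that other users can write, and credential-looking variables the agent should not hold. The file name audit.sh, the CA trust variable names and the credential name patterns are assumptions; the page does not list them.

```shell
#!/bin/sh
# Added example, not OneCLI code. Reads an `env` listing on stdin.
# Usage: onecli run -- sh -c 'env | sh audit.sh "$HOME/.onecli/gateway-ca.pem"'

# Variables the page says are injected into the child process.
REQUIRED_VARS="HTTPS_PROXY ONECLI_AGENT_NAME ONECLI_URL"
# Assumption: the page only says "CA trust variables"; these are common ones.
CA_VARS="SSL_CERT_FILE NODE_EXTRA_CA_CERTS REQUESTS_CA_BUNDLE CURL_CA_BUNDLE"

# audit_env CA_PATH: prints one line per finding, returns 0 only if clean.
audit_env() {
    ca_path=$1; findings=0; seen=""; ca_ok=0
    while IFS='=' read -r name value; do
        if [ -z "$value" ]; then continue; fi
        case " $REQUIRED_VARS " in *" $name "*) seen="$seen $name" ;; esac
        case " $CA_VARS " in
            *" $name "*) if [ "$value" = "$ca_path" ]; then ca_ok=1; fi ;;
        esac
        # Assumption: names like these usually carry raw credentials.
        case $name in
            *API_KEY*|*SECRET*|*TOKEN*|*PASSWORD*)
                echo "LEAK $name is set; the agent should not hold raw credentials"
                findings=$((findings + 1)) ;;
        esac
    done
    for v in $REQUIRED_VARS; do
        case " $seen " in
            *" $v "*) ;;
            *) echo "MISSING $v is not set"; findings=$((findings + 1)) ;;
        esac
    done
    if [ "$ca_ok" -eq 0 ]; then
        echo "NO-CA no CA trust variable points at $ca_path"
        findings=$((findings + 1))
    fi
    # A CA file that others can write lets them swap in their own trust anchor.
    if [ ! -f "$ca_path" ]; then
        echo "NO-FILE $ca_path does not exist"; findings=$((findings + 1))
    elif [ -n "$(find -L "$ca_path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "PERMS $ca_path is group- or world-writable"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run the audit when a CA path is given on the command line.
if [ $# -gt 0 ]; then audit_env "$1"; fi
```

With --no-ca, the NO-CA finding is expected, because that flag skips the CA write and the trust variable injection.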

How agents connect to services

The skill file teaches supported agents a simple workflow:
  1. Make the request directly. The agent calls the real API URL (e.g. https://gmail.googleapis.com/...). No auth headers needed. If credentials are configured, the gateway injects them and the request succeeds.
  2. If it fails, help the user connect. The gateway returns a structured error with a connect_url. The agent appends &source=agent&agent_name= (from $ONECLI_AGENT_NAME) and presents the link to the user.
  3. Poll and retry. The agent polls the connection status and retries automatically once the user connects the service. No manual “try now” needed.
For OAuth apps (Gmail, GitHub, Google Drive, and 13 others), the user connects with one click in the dashboard. For API key services (Stripe, custom APIs), the user adds a secret via the dashboard or onecli secrets create.

Flags

| Flag | Description |
| --- | --- |
| --agent <identifier> | Use a specific OneCLI agent identity instead of the default |
| --gateway <host:port> | Override the gateway address (default: derived from API host) |
| --no-ca | Skip CA certificate write and trust env injection |
| --dry-run | Print the resolved config as JSON without launching the agent |

Dry run

Use --dry-run to inspect what onecli run would do without side effects:
onecli run --dry-run -- claude
This prints the resolved binary path, injected environment variable keys, and CA cert path as JSON.

Compared to the SDK path

onecli run is for coding agents running directly on your machine. If your agents run in Docker containers (e.g. via NanoClaw), use the Node.js SDK instead. Both paths use the same gateway, the same secrets, and the same policy rules.

| | onecli run | SDK / Docker |
| --- | --- | --- |
| Agent runs on | Your machine (local process) | Docker container |
| Setup | onecli run -- claude | applyContainerConfig(args) |
| Skill files | Auto-installed | Not applicable |
| Use case | Development with coding agents | Production orchestration |