ChainLaunch

ChainLaunch Pro CLI Reference

Complete reference for the chainlaunch (Pro edition) command-line interface.

Complete reference for the chainlaunch (Pro edition) command-line interface.

This page documents every top-level command in the chainlaunch binary, the flags they accept, and concrete usage examples.

Global flags

The following persistent flags are available on every subcommand:

Flag Description Default
-v, --verbose Verbose output false
--log-level Log level: debug, info, warn, error info
--auth-username Username for basic authentication (or SWAGGER_CLI_AUTH_USERNAME)
--auth-password Password for basic authentication (or SWAGGER_CLI_AUTH_PASSWORD)
--auth-bearer Bearer token for authentication (or SWAGGER_CLI_AUTH_BEARER)
--output Output format: json or table json
--insecure-skip-tls-verify Skip TLS cert verification (or CHAINLAUNCH_INSECURE_SKIP_TLS_VERIFY=true) false

Environment variables

Most CLI subcommands talk to a running ChainLaunch server over its REST API. Configure them once and reuse:

export CHAINLAUNCH_API_URL="http://localhost:8100/api/v1"   # default
export CHAINLAUNCH_USER="admin"
export CHAINLAUNCH_PASSWORD="changeme"

Other environment variables read by individual commands:

Variable Used by Purpose
CHAINLAUNCH_USER serve, install Initial admin username
CHAINLAUNCH_PASSWORD serve, install Initial admin password
OPENAI_API_KEY serve, install OpenAI integration for SCAI
ANTHROPIC_API_KEY serve, install Anthropic integration for SCAI
KEY_ENCRYPTION_KEY encrypt, decrypt, crypto Encryption key for data-at-rest
GITHUB_TOKEN update Required to download Pro release artifacts
CHAINLAUNCH_INSECURE_SKIP_TLS_VERIFY all Disable TLS verification

Top-level command tree

chainlaunch
├── serve              Start the HTTP / HTTPS API server
├── install            Generate a system service unit (systemd or launchd)
├── version            Print version, git commit, build time
├── update             Self-update from GitHub releases (Pro)
├── fabric             Hyperledger Fabric peer / orderer / org / chaincode operations
├── fabricx            FabricX (Arma consensus) network — quickstart bundle
├── besu               Besu node management (create / list / update / delete)
├── networks           Cross-platform network management (Fabric + Besu)
│   ├── fabric         Fabric channels: create, join, import, reconcile, …
│   └── besu           Besu networks: create, list, update
├── nodes              Per-node operations
│   └── channels       join-by-block, bulk-join-orderers
├── keys               Cryptographic key management (create, get)
├── backup             Restore + start-services after restore
├── testnet            One-shot test network provisioning
│   ├── fabric
│   └── besu
├── metrics            Enable / disable Prometheus integration
├── compliance         Network compliance and health checks (Pro)
├── nodesharing        Peer-to-peer instance federation (auto-generated)
├── pro                Pro tagged endpoints (auto-generated)
├── encrypt            Encrypt arbitrary data with KEY_ENCRYPTION_KEY
├── decrypt            Decrypt previously encrypted data
└── crypto             Database-level decryption utilities (debug)

serve — Run the API server

chainlaunch serve [flags]

Starts the HTTP (and optionally HTTPS) ChainLaunch API server, runs migrations, and brings up the embedded web UI.

Flags

Flag Description Default
--http-addr HTTP listen address (e.g. :8080, 0.0.0.0:8080) :8100 (via --port)
--https-addr HTTPS listen address. Requires --tls-cert and --tls-key
-p, --port HTTP port (deprecated, use --http-addr) 8100
--tls-cert Path to TLS certificate file
--tls-key Path to TLS key file
--data Path to data directory ~/Library/Application Support/chainlaunch (macOS) / ~/.chainlaunch
--db Path to SQLite database file <data>/chainlaunch.db
--dev Enable development mode false
--local-node-id ID of the local node (federation) hostname-based
--external-url External URL for node sharing (e.g. https://mydomain.com:8100)
--projects Path to projects directory <data>/projects
--openai-key OpenAI API key (or OPENAI_API_KEY)
--anthropic-key Anthropic API key (or ANTHROPIC_API_KEY)
--ai-provider AI provider: openai or anthropic
--ai-model AI model (e.g. gpt-4o, claude-3-opus-20240229)

Examples

# Minimal HTTP server on port 8100
chainlaunch serve --port 8100 --data ~/.chainlaunch --db ~/.chainlaunch/test-1.db
 
# HTTPS with custom data dir, dev mode
chainlaunch serve \
  --https-addr 0.0.0.0:8443 \
  --tls-cert /etc/ssl/chainlaunch.crt \
  --tls-key  /etc/ssl/chainlaunch.key \
  --data /var/lib/chainlaunch \
  --dev
 
# Multi-instance setup for peer-to-peer testing
chainlaunch serve --port 8100 --data test-instance-1 --db test-1.db
chainlaunch serve --port 8104 --data test-instance-2 --db test-2.db
 
# AI-enabled (Smart Contract AI)
chainlaunch serve --ai-provider anthropic --ai-model claude-3-opus-20240229

First start: if the database has no users, CHAINLAUNCH_USER and CHAINLAUNCH_PASSWORD must be set or the server aborts. Setting them later resets the first user's password and re-grants admin role.

install — Register as a system service

chainlaunch install --name <name> --executable <path> [flags]

Generates a systemd unit (Linux) or launchd plist (macOS) wrapping chainlaunch serve. Provides install instructions on stdout.

Flags

Flag Description Default
--name Service name chainlaunch-pro
--executable Path to the chainlaunch-pro binary (required)
--user Service user current user
--group Service group current user's group
--working-dir Working directory dir of --executable
--data, --db, --port Forwarded to the serve command line (see above)
--tls-cert, --tls-key TLS material
--external-url, --local-node-id Federation flags
--projects Projects directory projects-data
--openai-key, --anthropic-key, --ai-provider, --ai-model AI config
--dev Pass --dev through to serve false
--chainlaunch-user Initial admin (or CHAINLAUNCH_USER)
--chainlaunch-password Initial password (or CHAINLAUNCH_PASSWORD)
--output Output path for the service file system default
--dry-run Print the unit file without writing false

Examples

# Linux: write /etc/systemd/system/chainlaunch-pro.service
sudo chainlaunch install \
  --name chainlaunch-pro \
  --executable /usr/local/bin/chainlaunch-pro \
  --port 8100 \
  --data /var/lib/chainlaunch \
  --chainlaunch-user admin \
  --chainlaunch-password "$(openssl rand -hex 16)"
 
sudo systemctl daemon-reload
sudo systemctl enable --now chainlaunch-pro
 
# Preview the file only
chainlaunch install --executable /usr/local/bin/chainlaunch-pro --dry-run
 
# macOS: ~/Library/LaunchAgents/<name>.plist
chainlaunch install --executable "$(which chainlaunch-pro)" --name chainlaunch-pro
launchctl load ~/Library/LaunchAgents/chainlaunch-pro.plist

version — Print version metadata

chainlaunch version

Prints Version, Git Commit, and Build Time for the binary in your $PATH.

update — Self-update from GitHub releases (Pro)

chainlaunch update [flags]

Downloads and installs the latest (or pinned) chainlaunch-pro release. Requires GITHUB_TOKEN because the Pro release repo is private.

Flags

Flag Description Default
--tag Release tag (e.g. v0.4.2) latest
--install-dir Install directory $HOME/.chainlaunch-pro
--owner GitHub owner chainlaunch
--repo GitHub repo chainlaunch-pro-releases
--exe-name Executable name chainlaunch-pro
--token GitHub token (or GITHUB_TOKEN)
--force Overwrite if the target file exists false

Examples

# Install the latest release
export GITHUB_TOKEN=ghp_xxx
chainlaunch update
 
# Pin to a specific release
chainlaunch update --tag v0.4.2 --force
 
# Install into a custom directory
chainlaunch update --install-dir /opt/chainlaunch

Windows is not supported by update; download the binary manually instead.

fabric — Fabric chaincode and resource operations

chainlaunch fabric <subcommand>
Subcommand Purpose
chaincode API-backed chaincode lifecycle (create / definition / install / approve / commit / deploy / invoke / query / logs / timeline / docker-info). See Chaincode CI/CD with the CLI.
install Install a chaincode package via a network.yaml (legacy path; talks to peers directly)
query Query a chaincode via a network.yaml
invoke Invoke a chaincode via a network.yaml
network-config Pull the network config from the API server
org Organization create / update / delete / list
peer Peer create / update / delete / list
orderer Orderer create / update / delete / list

Which install / invoke / query should I use? The new fabric chaincode subtree drives every action through the ChainLaunch REST API — peers and orderers are resolved by slug, signing identities by --key-id, and no local network.yaml is required. Prefer it for CI and any environment where the chaincode runs as CCaaS. The legacy fabric install / invoke / query commands documented below are the original direct-to-peer path and still work, but require a network-config file and TLS material on disk.

fabric install

Install a chaincode on one or more organizations.

Flag Description
--chaincode Chaincode name (label)
--channel Channel name
--config Repeated network-config files (one per org, or one shared)
--policy Signature policy
-o, --organizations Repeated org list
-u, --users Users to use per org
--chaincodeAddress Local chaincode-server address (e.g. localhost:9999)
--envFile Path where env-vars for the chaincode are written
--pdc PDC JSON file (see examples/pdc.json)
--metaInf Metadata directory
--rootCert, --clientCert, --clientKey TLS material
--local Use the local chaincode address without an ngrok tunnel 
chainlaunch fabric install \
  --chaincode mycc \
  --channel mychannel \
  --config org1-network.yaml --config org2-network.yaml \
  --organizations Org1MSP --organizations Org2MSP \
  --users admin \
  --chaincodeAddress localhost:9999 \
  --policy "OR('Org1MSP.member','Org2MSP.member')"

fabric query / fabric invoke

Query or invoke a chaincode against a running channel. Both share the same flag set:

Flag Description
--mspID MSP ID of the org used to send the request (required)
--user User to use (required)
--config Network config file (required)
--channel Channel name
--chaincode Chaincode label (required)
--fcn Function name (required)
-a, --args Repeated function arguments 
chainlaunch fabric invoke \
  --mspID Org1MSP --user admin \
  --config network.yaml \
  --channel mychannel --chaincode mycc \
  --fcn createAsset -a asset1 -a 100
 
chainlaunch fabric query \
  --mspID Org1MSP --user admin \
  --config network.yaml \
  --channel mychannel --chaincode mycc \
  --fcn readAsset -a asset1

fabric network-config pull

chainlaunch fabric network-config pull \
  --network mynet --msp-id Org1MSP \
  --output org1-network.yaml \
  --username admin --password $CHAINLAUNCH_PASSWORD
Flag Description
-n, --network Network name
-m, --msp-id Organization MSP ID
-f, --output Output file (stdout if omitted)
--url API base URL (default http://localhost:8100/api/v1)
-u, --username, -p, --password Basic-auth credentials

fabric org / fabric peer / fabric orderer

CRUD-style subcommands. Common pattern: each has create, list, update, delete.

# Create an organization
chainlaunch fabric org create \
  --name Org1 --msp-id Org1MSP --provider-id 1
 
# Create a peer
chainlaunch fabric peer create \
  --name peer0-org1 --msp-id Org1MSP --org-id 1 \
  --listen-addr 0.0.0.0:7051 \
  --chaincode-addr 0.0.0.0:7052 \
  --events-addr 0.0.0.0:7053 \
  --operations-addr 0.0.0.0:9443 \
  --external-addr peer0.org1.example.com:7051 \
  --domain peer0.org1.example.com --version 2.5.0 \
  --mode service
 
# Create an orderer
chainlaunch fabric orderer create \
  --name orderer0 --msp-id OrdererMSP --org-id 2 \
  --listen-addr 0.0.0.0:7050 --admin-addr 0.0.0.0:7053 \
  --operations-addr 0.0.0.0:9443 \
  --external-addr orderer0.example.com:7050 \
  --domain orderer0.example.com --version 2.5.0
 
# List with paging
chainlaunch fabric peer list --page 1 --limit 50 --output json
chainlaunch fabric orderer list --output tsv
 
# Update / delete
chainlaunch fabric peer update --id 12 --version 2.5.7
chainlaunch fabric orderer delete --id 14 --yes
chainlaunch fabric org delete --msp-id Org1MSP --yes

fabricx — FabricX (Arma consensus) networks

chainlaunch fabricx <subcommand>

fabricx quickstart

Provision a complete N-party FabricX network — the same bundle the web UI's "FabricX Quick Start" button creates.

chainlaunch fabricx quickstart [flags]
Flag Description Default
--network-name Name of the FabricX network fabricx-quickstart
--external-ip External IP/host for node endpoints platform setting
--base-port First port in the reserved range 17000
--slot-size Ports reserved per party 100
--postgres-port Host port for the shared Postgres container 15432
--parties Number of parties 4
--channel Channel ID (FabricX locks to arma) arma
--mode single (one MSP shared) or multi (N MSPs) single
--single-msp MSPID used by --mode=single AcmeMSP
--namespace Health-check namespace (empty to skip) quickstart
--namespace-timeout Committer finality timeout 60s
--keep-going Continue join through transient Docker errors true
--clean Wipe a prior bundle of this name first false
--data-path Server --data dir; with --clean, purges fabricx bind-mounts
--http-timeout Per-HTTP-request deadline 15m
--join-retries Retry count for transient Docker errors 5
--join-retry-backoff Delay between join retries (doubles) 2s
--backup-target-id Attach Postgres to a backup target (S3 type) 0 (off)
--backup-s3-prefix S3 prefix for WAL-G archives fabricx/<network-name>/
--retention-base-backups WAL-G base-backup retention count 7
--retention-wal-days WAL retention window in days 30

Examples

# Default 4-party single-MSP bundle
chainlaunch fabricx quickstart --network-name demo
 
# Production-shape multi-MSP
chainlaunch fabricx quickstart --network-name prod --parties 4 --mode multi
 
# Re-create a bundle (idempotent)
chainlaunch fabricx quickstart \
  --network-name demo --clean \
  --data-path ~/Library/Application\ Support/chainlaunch
 
# With WAL-G continuous archiving to S3
chainlaunch fabricx quickstart \
  --network-name prod --parties 4 --mode multi \
  --backup-target-id 3 --backup-s3-prefix fabricx/prod/

besu — Besu node management

chainlaunch besu <subcommand>
Subcommand Purpose
create Create a Besu node
list List Besu nodes
update Update a Besu node (network ID, env vars)
delete Delete a Besu node

besu create

Flag Description Default
--name Node name
--key-id Key ID (required)
--p2p-port, --rpc-port Ports 30303 / 8545
--p2p-host, --rpc-host Listen hosts 0.0.0.0
--external-ip, --internal-ip IPs 127.0.0.1
--env Env vars (KEY=VALUE)
--boot-nodes Comma-separated bootnodes
--network-id Network ID 0
--version Besu version 25.5.0 
chainlaunch besu create \
  --name validator-1 --key-id 7 \
  --p2p-port 30303 --rpc-port 8545 \
  --external-ip 1.2.3.4 --internal-ip 10.0.0.5 \
  --network-id 1 --version 25.5.0

besu list / update / delete

chainlaunch besu list --page 1 --limit 50 --output json
chainlaunch besu update --id 4 --network-id 1 --env LOG_LEVEL=DEBUG
chainlaunch besu delete --id 4

networks — Cross-platform network management

chainlaunch networks <fabric|besu> <subcommand>

networks fabric

Subcommand Purpose
create Create a Fabric network from a JSON config
update Update a Fabric network
import Import a network by fetching the config block from a remote orderer
join Join one peer to a network/channel (managed or external mode)
join-all Join all known peers to a Fabric network
join-orderer Join one orderer to a network/channel
join-all-orderers Join all known orderers
add-and-join Attach nodes + join to a channel in a single call
reconcile-status Reconcile network_nodes.status against live channel listings
list List Fabric networks 
# Create from JSON
chainlaunch networks fabric create --name mychannel --config network.json
 
# Update
chainlaunch networks fabric update --id 12 --config new-network.json
 
# Join a peer (managed: peer is already known to ChainLaunch)
chainlaunch networks fabric join --network-id 12 --peer-id 5
 
# Join a peer (external: fetch genesis from a remote orderer)
chainlaunch networks fabric join \
  --peer-id 5 \
  --channel-id mychannel \
  --orderer-url orderer.example.com:7050 \
  --orderer-tls-cert ./tls/orderer-ca.pem
 
# Bulk-join
chainlaunch networks fabric join-all --network-id 12
chainlaunch networks fabric join-all-orderers --network-id 12
 
# Import an existing network
chainlaunch networks fabric import \
  --channel-id mychannel \
  --orderer-url orderer.example.com:7050 \
  --orderer-tls-cert ./tls/orderer-ca.pem \
  --org-id 1 \
  --description "imported from prod"
 
# Attach 3 nodes + join in one call
chainlaunch networks fabric add-and-join \
  --network-id 12 \
  --node-ids 3,4,5 \
  --orderer-url orderer.example.com:7050 \
  --orderer-tls-cert ./tls/orderer-ca.pem \
  --signer-org-msp-id Org1MSP
 
# Reconcile DB state against live channels
chainlaunch networks fabric reconcile-status --network-id 12
 
chainlaunch networks fabric list --output table

networks besu

Subcommand Purpose
create Create a Besu network
list List Besu networks
update Update a Besu network 
chainlaunch networks besu create \
  --name mybesu --description "Dev IBFT2 network" \
  --config besu-network.json
 
chainlaunch networks besu list --output table
chainlaunch networks besu update --id 7 --config besu-network-v2.json

nodes — Per-node operations

chainlaunch nodes <subcommand>

nodes channels

Channel-membership operations for individual or groups of nodes.

Subcommand Purpose
join-by-block Join one peer or orderer to a channel by fetching the block from a remote orderer
bulk-join-orderers Join many orderers to one channel using a single fetched config block 
chainlaunch nodes channels join-by-block \
  --node-id 5 \
  --channel-id mychannel \
  --orderer-url orderer.example.com:7050 \
  --orderer-tls-cert ./tls/orderer-ca.pem \
  --signer-org-msp-id Org1MSP
 
chainlaunch nodes channels bulk-join-orderers \
  --orderer-ids 1,2,3 \
  --channel-id mychannel \
  --orderer-url orderer.example.com:7050 \
  --orderer-tls-cert ./tls/orderer-ca.pem \
  --signer-org-msp-id OrdererMSP

keys — Cryptographic key management

chainlaunch keys <subcommand>
Subcommand Purpose
create Create a new cryptographic key
get [key-id] Print key metadata

keys create

Flag Description
--name Key name (required)
--algorithm RSA, EC, or ED25519 (required)
--description Optional description
--key-size Key size in bits (RSA only)
--curve EC curve name (e.g. P-256, secp256k1) 
# EC key for a Fabric peer
chainlaunch keys create --name peer0-org1-key --algorithm EC --curve P-256
 
# RSA-4096 key for TLS
chainlaunch keys create --name tls-ca-key --algorithm RSA --key-size 4096
 
# Ed25519
chainlaunch keys create --name signer --algorithm ED25519
 
# Get a key by ID
chainlaunch keys get 42

backup — Restore + service start

chainlaunch backup <subcommand>
Subcommand Purpose
restore Restore a backup of ChainLaunch from a restic repository
start-services Start nodes / chaincodes / plugins / Prometheus after a restore

backup restore

Flag Description Default
--snapshot-id Restic snapshot ID latest
--repo-url Full restic repo URL (e.g. s3:https://s3.amazonaws.com/bkt/path)
--aws-access-key, --aws-secret-key S3 credentials
--restic-password Restic repository password
--s3-endpoint, --bucket-name, --bucket-path S3 components (alternative to --repo-url)
--s3-path-style Use S3 path-style addressing false
--output Local restore directory ~/.chainlaunch
--include-global Include global config in restore false
--exclude-config Exclude config files false
--dry-run Show what would be restored false
--list-snapshots List snapshots and exit false
--limit, --page Snapshot listing pagination 10 / 1 
# List available snapshots
chainlaunch backup restore \
  --s3-endpoint s3.amazonaws.com --bucket-name my-backups --bucket-path /chainlaunch \
  --aws-access-key AKIA... --aws-secret-key ... --restic-password secret \
  --list-snapshots
 
# Restore the latest snapshot
chainlaunch backup restore \
  --repo-url s3:https://s3.amazonaws.com/my-backups/chainlaunch \
  --aws-access-key AKIA... --aws-secret-key ... --restic-password secret \
  --output /var/lib/chainlaunch

backup start-services

After restoring, start (re-launch) services in the running ChainLaunch instance.

Flag Description
--nodes Start all nodes
--chaincodes Start all chaincodes
--plugins Start all plugins
--vaults Start all vaults
--prometheus Start Prometheus analytics
--all Start all of the above
--timeout Maximum total wait 
# Start everything after a restore
chainlaunch backup start-services --all --timeout 10m
 
# Just nodes + chaincodes
chainlaunch backup start-services --nodes --chaincodes

Vaults and plugins are always started automatically (they're prerequisites for key operations and analytics).

testnet — One-shot test networks

chainlaunch testnet <fabric|besu> [flags]

testnet fabric

Flag Description Default
--name Network name (required)
--nodes Number of nodes (cosmetic; per-org counts come from --peerCounts/--ordererCounts) 1
--org Organization MSP ID (required)
--peerOrgs Peer orgs (comma-separated)
--ordererOrgs Orderer orgs (must total ≥ 3 orderers across --ordererCounts)
--peerCounts Peers per org (Org1MSP=2,Org2MSP=1)
--ordererCounts Orderers per org (OrdererOrg=3); total must be ≥ 3
--mode Node mode: service or docker service
--provider-id Key provider ID 1
--channels Accepted but currently unused by the CLI. The testnet provisions the network only; create channels separately or use the REST POST /testnets/fabric payload.

The CLI runner enforces ≥ 3 orderers in total (consenters requirement) and currently does not wire --channels through to network creation — the flag exists on the cobra command but is not consumed by the runner. To get channels created at provisioning time, call POST /testnets/fabric with a channels field in the JSON body.

chainlaunch testnet fabric \
  --name demo \
  --org Org1MSP \
  --peerOrgs "Org1MSP,Org2MSP" \
  --ordererOrgs "OrdererOrg" \
  --peerCounts "Org1MSP=2,Org2MSP=1" \
  --ordererCounts "OrdererOrg=3" \
  --mode service --provider-id 1

On success the CLI prints plain-text status lines to stdout (Fabric testnet created successfully! Network ID: …, then a line per peer/orderer join). To get a structured JSON response with network_id + node_ids, call the REST endpoint directly.

testnet besu

Flag Description Default
--name Network name (required)
--nodes Number of nodes — minimum 4 (QBFT 3f+1, f=1); the runner rejects fewer 1
--prefix Prefix for node names besu
--mode service or docker (any other value is rejected) service
--version Besu version 25.5.0
--provider-id Key provider ID 1
--initial-balance Repeatable addr=wei pair for genesis prefunding

The runner provisions QBFT with chainID=1337, blockPeriod=5s, epochLength=30000, and gasLimit=0x29b92700. These are not flag-configurable from the CLI today; use POST /testnets/besu for fine-grained genesis tuning.

chainlaunch testnet besu \
  --name dev-besu --nodes 4 --mode docker --version 25.5.0 \
  --initial-balance 0xAbC...=0x1000000000000000000

metrics — Prometheus integration

chainlaunch metrics <enable|disable>

metrics enable

Flag Description Default
--version Prometheus version v3.5.0
--port Prometheus port 9090
--scrape-interval Scrape interval (seconds) 15
--deployment-mode docker or service docker
--network-mode Docker network mode (bridge or host) bridge 
chainlaunch metrics enable --port 9090 --scrape-interval 30
chainlaunch metrics disable

compliance — Network compliance & health checks (Pro)

chainlaunch compliance <subcommand>

Built-in checks include consensus quorum, TLS certificates, certificate expiry, node health, organization diversity, endpoint conflicts, and backup configuration.

Subcommand Purpose
scan [network-id] Scan a single network
summary Org-wide scan across every network
Persistent flag Description Default
-o, --output table or json table

Examples

# Scan a specific network
chainlaunch compliance scan 12
 
# Org-wide summary
chainlaunch compliance summary
 
# Pipe JSON output to jq
chainlaunch compliance summary --output json | jq '.networks[].status'

nodesharing — Peer-to-peer instance federation

chainlaunch nodesharing <subcommand>

nodesharing and pro are auto-generated from the OpenAPI spec — every endpoint tagged NodeSharing (or Pro) becomes a subcommand. The exact subcommand list depends on your build's swagger.yaml; run chainlaunch nodesharing --help for what's currently exposed.

Common operations include sending invitations between ChainLaunch instances, accepting them, and synchronizing remote nodes back into the local catalog.

chainlaunch nodesharing --help
chainlaunch nodesharing <subcommand> --help

pro — Pro-tagged endpoints

chainlaunch pro <subcommand>

Same auto-generation pattern as nodesharing: every endpoint tagged Pro in the OpenAPI spec becomes a subcommand. Use --help to enumerate the current set.

chainlaunch pro --help

encrypt — Encrypt arbitrary data

chainlaunch encrypt [data] [flags]

Encrypts data with the ChainLaunch encryption service (the same service that protects secrets at rest).

Flag Description
-k, --key Encryption key (or KEY_ENCRYPTION_KEY env var)
-f, --file Read data from a file
-o, --output Write encrypted data to a file
-j, --json Validate input as JSON before encrypting 
# Direct
chainlaunch encrypt "sensitive-data" --key "$KEY_ENCRYPTION_KEY"
 
# From file
chainlaunch encrypt --file secrets.txt -o secrets.enc
 
# JSON
chainlaunch encrypt '{"api_key":"secret"}' --json
 
# Pipe
echo "sensitive-data" | chainlaunch encrypt

decrypt — Decrypt previously encrypted data

chainlaunch decrypt [encrypted-string] [flags]
Flag Description
-k, --key Encryption key (or KEY_ENCRYPTION_KEY env var)
-f, --file Read encrypted data from a file
-j, --json Pretty-print output as JSON 
chainlaunch decrypt "<base64-ciphertext>" --key "$KEY_ENCRYPTION_KEY"
chainlaunch decrypt --file secrets.enc --json

crypto — Database-level decryption (debug)

chainlaunch crypto <subcommand>

Direct decryption of encrypted columns in the SQLite database — useful for debugging, key rotation, or data recovery. Read-only.

crypto decrypt-db

Flag Description Default
-k, --key Encryption key (or KEY_ENCRYPTION_KEY env var)
-d, --db Path to the database file chainlaunch.db
-t, --table Table name
-c, --column Column with encrypted data
-i, --id Specific record ID to decrypt (all rows)
-j, --json Output as JSON false
-l, --list-tables List candidate tables and exit false 
# List candidate tables / columns
chainlaunch crypto decrypt-db --db chainlaunch.db --list-tables
 
# Decrypt the Vault token for provider id=1
chainlaunch crypto decrypt-db \
  --db chainlaunch.db --table vault_configs --column token --id 1
 
# Decrypt every OIDC client secret
chainlaunch crypto decrypt-db \
  --db chainlaunch.db --table oidc_configs --column client_secret
 
# JSON output
chainlaunch crypto decrypt-db \
  --db chainlaunch.db --table vault_configs --column token --json

Tables documented as candidates: vault_configs (token, root_ca, client_cert, client_key), oidc_configs (client_secret), api_keys (key_hash — hashed, not encrypted).

End-to-end recipes

Spin up a fresh ChainLaunch Pro instance + Fabric testnet

# 1. Set credentials and start the server
export CHAINLAUNCH_USER=admin
export CHAINLAUNCH_PASSWORD="$(openssl rand -hex 16)"
chainlaunch serve --port 8100 --data ~/.chainlaunch &
 
# 2. Configure CLI auth
export CHAINLAUNCH_API_URL=http://localhost:8100/api/v1
 
# 3. Provision a 2-org Fabric testnet
chainlaunch testnet fabric \
  --name demo \
  --org Org1MSP \
  --peerOrgs "Org1MSP,Org2MSP" \
  --ordererOrgs "OrdererOrg" \
  --channels mychannel \
  --peerCounts "Org1MSP=1,Org2MSP=1" \
  --ordererCounts "OrdererOrg=3"
 
# 4. Enable Prometheus metrics
chainlaunch metrics enable
 
# 5. Run a compliance check
chainlaunch compliance summary

FabricX dev loop (idempotent)

export CHAINLAUNCH_FABRICX_LOCAL_DEV=true   # macOS/Windows Docker Desktop
chainlaunch fabricx quickstart \
  --network-name dev --clean \
  --data-path ~/Library/Application\ Support/chainlaunch

Restore + restart everything

chainlaunch backup restore \
  --repo-url s3:https://s3.amazonaws.com/my-backups/chainlaunch \
  --restic-password secret \
  --aws-access-key AKIA... --aws-secret-key ... \
  --output /var/lib/chainlaunch
 
chainlaunch backup start-services --all --timeout 15m

Self-update the Pro binary

export GITHUB_TOKEN=ghp_xxx
chainlaunch update --tag v0.4.5 --force
chainlaunch version

Next steps