Skip to main content

CLI Reference

raba is the client you run on your own machine to expose a local server. Install it with install.sh/install.ps1, then raba --help for the built-in summary — this page covers each command with real examples.

Configuration

Two config files, two different scopes — worth understanding before you have more than one project:

  • ~/.raba/config.toml (global, machine-wide) — your default server (set by raba login --server <url>) and cached project secrets.
  • .raba.toml (local, one per project directory) — that project's name, protocol, local port, team, subdomain, and domain. Written automatically the first time you run raba http/tcp/udp in a directory, so a later raba connect there doesn't need any flags repeated.

The server is only ever global — there's no per-project server. raba login --server https://X makes every subsequent command, from any directory, target server X, until you login again with a different one. http/tcp/udp accept their own --server flag to override the global default for that one invocation, but connect/team/stats don't — they always use whatever the current global default is, with no per-command override at all. If you're working across two different raba instances at once, that means switching your global default (raba login --server ...) is the only way to point connect/team/stats at a different one; there's no persisted "this directory always uses server Y" setting the way there is for team/subdomain.

You can only be meaningfully logged in to one server at a time. ~/.raba/credentials holds one PAT — not one per server — so raba login --server A followed later by raba login --server B doesn't add a second login, it overwrites both the saved PAT and the default server with B's. Server A's PAT is no longer saved locally at that point (it's still valid server-side until revoked, you just don't have it on disk anymore). Passing --server A to raba http after that won't help — it changes which server the command talks to, not which credential it authenticates with, so it'll try (and fail) to use B's PAT against A's API. To go back to A, raba login --server A again.

Auth

raba login

raba login --server https://your-domain.example

Prompts for your dashboard email/password, then stores a Personal Access Token (PAT) locally at ~/.raba/credentials. Every other command that talks to the server (creating projects, team, stats) uses this PAT — it's separate from the opaque per-project secret used for the actual tunnel connection, and neither can substitute for the other.

raba logout

Clears the locally stored PAT. Doesn't revoke it server-side — do that from the dashboard if the token may have leaked.

Tunneling

raba http <port>

raba http 3000
raba http 3000 --name my-app
raba http 3000 --subdomain myapp
raba http 3000 --team acme-inc
raba http 3000 --domain tunnel.acme.com

Exposes a local HTTP server. If the project doesn't exist yet, it's created automatically — --subdomain, if omitted, gets a fun auto-generated name (brave-otter-42-style) rather than anything derived from your current directory. --team/--domain pick which team the project belongs to; omit both and it defaults to your oldest team membership.

raba tcp <port> / raba udp <port>

raba tcp 5432
raba udp 51820

Same idea, no subdomain (TCP/UDP projects get a dedicated port instead of Host-based routing).

raba connect

raba connect
raba connect --team acme-inc

Reconnects using whatever was recorded in this directory's .raba.toml from the last http/tcp/udp call — the usual way to resume tunneling without repeating flags.

raba update

raba update

Checks the latest GitHub release against the version you have installed, and updates in place if newer.

Teams

raba team list

Lists the teams your account belongs to.

raba team domain-set <domain>

raba team domain-set tunnel.acme.com
raba team domain-set tunnel.acme.com --team acme-inc

Sets (or changes) a team's custom domain. Prints the DNS records to add — a CNAME pointing at this instance, and a second CNAME for the ACME DNS-01 challenge (delegated, so raba never needs your DNS provider's credentials).

raba team domain-verify

raba team domain-verify

Re-checks DNS after you've added the records above, and marks the domain verified once it resolves correctly. TLS issuance/renewal for that domain runs automatically after this.

Observability

raba stats

raba stats
raba stats --project my-app
raba stats --team acme-inc
raba stats --window-secs 86400

Traffic stats (request count, requests/sec, average connection duration, bytes in/out) for a project or, with --team, the whole team with a per-project breakdown. Defaults to the last hour; --window-secs overrides that.

raba status

Prints locally known state (server, login status, cached secret, last tunnel) — no network call, purely local.