The Tolmo CLI reads configuration from environment variables, making it easy to use in CI/CD pipelines and scripts without interactive login. Environment variable values take precedence over profile settings for the variables they cover — the rest of the configuration (such as the active organization) still comes from the profile unless you also set the corresponding variable.

Variable reference

TOLMO_API_TOKEN (string)
API token used to authenticate requests. When set, Tolmo skips the profile lookup entirely and authenticates directly with this token. Generate a token from your organization settings in the Tolmo dashboard.

TOLMO_ORG_SLUG (string)
Organization slug that identifies which organization to operate against. Required whenever you set TOLMO_API_TOKEN, since the token alone does not encode an org identity.

TOLMO_API_URL (string)
Backend API base URL. Defaults to the production endpoint when not set. Override this to point the CLI at a staging or self-hosted environment.

TOLMO_INSTALL_DIR (string)
Directory where the install script places the CLI binary. Set this before running curl -fsSL https://tolmo.com/install.sh | sh to control the installation target. The install script defaults to a writable user directory so that sudo is not required.

TOLMO_PROFILE (string)
Default profile name used when --profile is not specified on the command line. Useful for switching the active profile for an entire shell session without passing --profile to every command.

CI/CD example

The following GitHub Actions workflow installs Tolmo and runs a security query using environment variables for authentication. No interactive login is needed and no credentials are stored on disk.
.github/workflows/tolmo.yml

# Trigger added so the file is a complete workflow; push is an assumption,
# use whichever events fit your pipeline.
on: [push]

jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Tolmo
        run: curl -fsSL https://tolmo.com/install.sh | sh
      - name: Run security query
        # The secrets are scoped to this step only, not to the whole job.
        env:
          TOLMO_API_TOKEN: ${{ secrets.TOLMO_API_TOKEN }}
          TOLMO_ORG_SLUG: ${{ secrets.TOLMO_ORG_SLUG }}
        run: |
          tolmo findings list --status open --severity critical --json

Store TOLMO_API_TOKEN and TOLMO_ORG_SLUG as encrypted secrets in your GitHub repository or organization settings. The env: block injects them into the step at runtime without exposing them in logs.

Never commit API tokens to source control. Use your CI provider’s secrets management to store TOLMO_API_TOKEN. Anyone with access to a committed token can authenticate as your organization.

Precedence

Environment variables override the active profile for the specific settings they cover. For example, setting TOLMO_API_TOKEN and TOLMO_ORG_SLUG bypasses profile-based authentication entirely, but any setting not covered by an environment variable — such as a custom API URL — still comes from the profile unless you also set TOLMO_API_URL. The resolution order for each setting is:
  1. Environment variable — highest priority, always wins when set
  2. Command-line flag — for flags like --org and --profile
  3. Active profile — values stored in ~/.tolmo/ by tolmo auth login
  4. Built-in default — the production API URL and the default profile name
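
Because environment values override the profile, an inherited TOLMO_API_URL decides which host receives TOLMO_API_TOKEN. The pre-flight check below is an added example, not part of the Tolmo CLI or its documentation. It enforces the token/org-slug pairing from the variable reference and pins any URL override to an allowlist; ALLOWED_API_HOSTS and the function name are hypothetical names of our own.

```shell
# Added example, not Tolmo code. ALLOWED_API_HOSTS is a hypothetical,
# space-separated allowlist defined by the pipeline owner.
# Usage in a CI step, before any tolmo command:  tolmo_env_preflight || exit 1
# Returns 0 when the environment is acceptable, 1 otherwise. Messages go to
# stderr and never include the token value.
tolmo_env_preflight() {
    _rc=0

    # The token does not encode an org, so token auth needs TOLMO_ORG_SLUG.
    if [ -n "${TOLMO_API_TOKEN:-}" ] && [ -z "${TOLMO_ORG_SLUG:-}" ]; then
        echo "preflight: TOLMO_API_TOKEN is set but TOLMO_ORG_SLUG is empty" >&2
        _rc=1
    fi

    # Unset TOLMO_API_URL means the built-in default; only overrides are checked.
    if [ -n "${TOLMO_API_URL:-}" ]; then
        case "$TOLMO_API_URL" in
            https://*) ;;
            *) echo "preflight: TOLMO_API_URL must use https://" >&2; _rc=1 ;;
        esac
        _host=${TOLMO_API_URL#*://}    # strip scheme
        _host=${_host%%[/?#]*}         # strip path, query, fragment
        case "$_host" in
            *@*)
                # user@host forms can disguise the real destination.
                echo "preflight: TOLMO_API_URL must not contain userinfo" >&2
                _rc=1 ;;
            *)
                _host=${_host%%:*}     # strip port
                _ok=0
                for _h in ${ALLOWED_API_HOSTS:-}; do
                    if [ "$_h" = "$_host" ]; then _ok=1; fi
                done
                # Fails closed: an empty allowlist rejects every override.
                if [ "$_ok" -ne 1 ]; then
                    echo "preflight: API host '$_host' is not in ALLOWED_API_HOSTS" >&2
                    _rc=1
                fi ;;
        esac
    fi
    return "$_rc"
}
```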