Skip to main content

ferrogw CLI reference

ferrogw is the single binary that both runs the Ferro Labs AI Gateway server and provides a CLI for scaffolding config, validating it, diagnosing your environment, and managing a running instance over its Admin API.

Running ferrogw with no subcommand starts the server (backward compatible with ferrogw serve). Every other subcommand is a CLI operation.

Installation and runningโ€‹

Build the binary from source (the Makefile produces ./bin/ferrogw), or run it through the published container image:

# Build from source
make build
./bin/ferrogw serve

# Or run with Docker
docker run -p 8080:8080 -e OPENAI_API_KEY=sk-... ghcr.io/ferro-labs/ai-gateway serve

The examples below assume ferrogw is on your PATH.

note

CLI subcommands that talk to a running gateway (status, plugins, admin, and the connectivity check in doctor) need a reachable gateway URL and, for protected routes, an API key. Both resolve from global flags or environment variables โ€” see Global flags and Environment variables.

Subcommand referenceโ€‹

CommandPurpose
initScaffold a config file and generate a master key
serveStart the gateway server
validateValidate a config file (offline)
doctorCheck environment, config, and connectivity
statusCheck health of a running gateway
pluginsList plugins registered in a running gateway
versionPrint version information
adminManage a running gateway over the Admin API

ferrogw initโ€‹

Creates a minimal configuration file and generates a master key used to authenticate with the dashboard and Admin API. The key is a random value with an fgw_ prefix.

Usage

ferrogw init [flags]

Flags

FlagDefaultDescription
--config-formatyamlConfig file format: yaml or json
-o, --outputconfig.yaml / config.jsonConfig file path
--non-interactivefalseSkip prompts, use defaults

Example

ferrogw init
  Ferro Labs AI Gateway -- Setup

โœ” Created config.yaml
โœ” Master key: fgw_4f9c2a1b7e3d8650a1c4f0b29d6e7a83

โš  Save this key -- you need it for the dashboard and API.
export MASTER_KEY=fgw_4f9c2a1b7e3d8650a1c4f0b29d6e7a83

Next steps:
1. Set provider API keys (e.g. export OPENAI_API_KEY=sk-...)
2. Start the gateway: ferrogw serve
3. Open dashboard: http://localhost:8080/dashboard
warning

The master key is shown once. Store it securely (export it as MASTER_KEY or place it in your secret manager). If an existing config file is present, init skips writing it but still prints a freshly generated key.

The generated config.yaml starts with a fallback strategy across openai and anthropic targets, with other providers commented out for you to enable.

ferrogw serveโ€‹

Starts the gateway HTTP server. This is also the default action when you run ferrogw with no subcommand.

Usage

ferrogw serve

Example

GATEWAY_CONFIG=config.yaml \
MASTER_KEY=fgw_... \
OPENAI_API_KEY=sk-... \
ferrogw serve

The listen port comes from PORT (default 8080), and the config path from GATEWAY_CONFIG. See Environment variables.

ferrogw validateโ€‹

Loads and validates a configuration file offline โ€” no running gateway is required. Accepts YAML or JSON (auto-detected). Exits non-zero if the file fails to load or fails validation.

Usage

ferrogw validate <config-file>

Example

ferrogw validate config.yaml
โœ” Config is valid
Strategy: fallback
Targets: 2
Providers: openai, anthropic

With --format json or --format yaml, the parsed config is printed in that format instead of the summary table.

ferrogw doctorโ€‹

Runs a set of environment, configuration, and connectivity checks to help diagnose setup problems. It reports:

  • Provider API keys โ€” presence of OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, GROQ_API_KEY, MISTRAL_API_KEY.
  • Configuration โ€” loads and validates the file at GATEWAY_CONFIG (if set).
  • Auth โ€” whether MASTER_KEY is set.
  • Gateway connectivity โ€” a GET /health round-trip to the configured gateway URL, with latency.

Usage

ferrogw doctor

Example

ferrogw doctor
  Provider API Keys
โœ” openai
โœ” anthropic
- gemini
- groq
- mistral

2 found

Configuration
โœ” config.yaml (strategy=fallback, targets=2)

Auth
โœ” MASTER_KEY is set

Gateway Connectivity
โœ” http://localhost:8080 -- healthy (3ms)

ferrogw statusโ€‹

Checks the health of a running gateway by calling GET /health, then reports the version and provider/model counts (when available from /admin/providers).

Usage

ferrogw status

Example

ferrogw status --gateway-url http://localhost:8080
  โœ” http://localhost:8080 -- healthy (4ms)
Version: 1.1.0
Providers: 30 (412 models)

ferrogw pluginsโ€‹

Lists the plugins registered in a running gateway instance, read from GET /admin/plugins.

Usage

ferrogw plugins

Example

ferrogw plugins
NAME                     TYPE             ENABLED
---- ---- -------
word-filter guardrail yes
rate-limit middleware yes
request-logger middleware no

Use --format json or --format yaml for machine-readable output.

ferrogw versionโ€‹

Prints build and runtime version information (version, commit, build date, Go version, OS/arch).

Usage

ferrogw version

Example

ferrogw version
  Version      1.1.0
Commit a1b2c3d
Built 2026-06-01T12:00:00Z
Go go1.25.0
OS/Arch linux/amd64

ferrogw adminโ€‹

Manages a running gateway over its Admin API. Requires a reachable gateway URL and an API key (the master key works). Configure them via --gateway-url / --api-key or the matching environment variables.

The admin command groups operations into four areas: keys, config, logs, and providers.

admin keys โ€” API key managementโ€‹

CommandDescription
admin keys listList all API keys
admin keys get <id>Show details of one key
admin keys createCreate a new key
admin keys revoke <id>Revoke a key
admin keys rotate <id>Rotate a key (issue a new key value)

admin keys create flags:

FlagDefaultDescription
--name""Human-readable label for the key
--scoperead_onlyKey scope: admin or read_only
--expires-in""Expiry duration, e.g. 720h (30 days)
ferrogw admin keys create --name ci-bot --scope read_only --expires-in 720h

admin config โ€” runtime configurationโ€‹

CommandDescription
admin config getPrint the current runtime configuration
admin config historyShow configuration change history
admin config set --file <path>Apply a new configuration (JSON file)
admin config rollback <version>Roll back to a previous config version

admin config set requires --file pointing at a JSON config file (convert YAML first).

ferrogw admin config set --file new-config.json
ferrogw admin config rollback 3

admin logs โ€” request logsโ€‹

CommandDescription
admin logs listList persisted request logs
admin logs statsShow aggregated log statistics

admin logs list flags:

FlagDefaultDescription
--limit50Maximum number of log entries to return
ferrogw admin logs list --limit 100 --format json

admin providers โ€” provider inspectionโ€‹

CommandDescription
admin providers listList registered providers and their model counts
admin providers healthShow per-provider health status
ferrogw admin providers list
ferrogw admin providers health --format json

Global flagsโ€‹

These persistent flags apply to all subcommands.

FlagEnv varDefaultDescription
--gateway-urlFERROGW_URLhttp://localhost:8080Gateway base URL for Admin API calls
--api-keyFERROGW_API_KEY(falls back to MASTER_KEY)Admin API key (sent as Authorization: Bearer)
--formatโ€”tableOutput format: table, json, or yaml
note

The API key resolves in order: --api-key flag โ†’ FERROGW_API_KEY โ†’ MASTER_KEY. This means once you export MASTER_KEY, the admin commands authenticate without any extra flag.

Environment variablesโ€‹

ferrogw reads the following environment variables. Server-side variables are read by serve; CLI variables are read by the Admin API client.

VariableRead byDescription
GATEWAY_CONFIGserve, doctorPath to the config file (YAML or JSON)
PORTserveHTTP listen port (default 8080)
MASTER_KEYserve, admin CLIAdmin + proxy credential; generated by ferrogw init
FERROGW_URLCLIGateway base URL when --gateway-url is not set
FERROGW_API_KEYCLIAdmin API key when --api-key is not set
ALLOW_UNAUTHENTICATED_PROXYserveSet to true to leave proxy routes unauthenticated (development only โ€” not recommended for production)
ENABLE_PPROFserveSet to true to mount /debug/pprof/* profiling routes

Provider credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, and the rest) are documented in the Providers guide. For the full server configuration schema, see Configuration.