Skip to main content

CLI Reference

The legend-cli binary is a Rust-based tool for managing Legend Prime accounts, signing transactions, and running a local MCP server. It handles P256 key management, OAuth login, and direct API access.
Installation paths below are planned but may not yet be available. Check legend.xyz for the latest installation instructions.

Installation

# From source (requires Rust toolchain)
cargo install legend-cli

# macOS (Homebrew) — coming soon
brew install legend-hq/tap/legend-cli

Authentication

legend-cli login
Opens your browser for Google SSO. On success, saves a JWT (valid for 30 days) to your profile at ~/.legend/prod/profiles/default.json. No manual key management needed.

Query Key

legend-cli config set query-key qk_YOUR_KEY_HERE
Or pass it per-command: 
legend-cli --key qk_YOUR_KEY_HERE accounts list
Or set the environment variable: 
export LEGEND_QUERY_KEY=qk_YOUR_KEY_HERE
Auth resolution order: --key flag > LEGEND_QUERY_KEY env > profile file.

Global Flags

FlagDescription
--profile <name>Use a named profile (default: default)
--key <qk_...>Override auth with a query key
--base-url <url>Override API base URL
--jsonForce JSON output (default when piped)
--quietMinimal output (IDs only)

Commands

login

Authenticate via Google SSO and save the token to your profile. 
legend-cli login

whoami

Show current authentication info. 
legend-cli whoami

accounts

accounts list

List all sub-accounts. 
legend-cli accounts list

accounts get <account_id>

Get details of a specific sub-account. 
legend-cli accounts get acc_xxx

accounts create

Create a new sub-account. 
# Generate a P256 key and create a Turnkey-backed account (recommended)
legend-cli accounts create --keygen

# Use file-based key instead of Secure Enclave
legend-cli accounts create --keygen --use-file-key

# Create an EOA account with an existing Ethereum address
legend-cli accounts create --signer-type eoa --ethereum-signer 0x742d...
With --keygen, the CLI:
  1. Generates a P256 key in your Mac’s Secure Enclave (or on disk with --use-file-key)
  2. Sends the public key to Legend to create a Turnkey-backed sub-account
  3. Saves account details and key reference to your profile

plan

Create execution plans. Add --execute to automatically sign and execute in one step. 
# Create a plan (returns plan_id + digest for manual signing)
legend-cli plan earn acc_xxx --amount 1000000 --asset USDC --network base --protocol compound

# Create, sign, and execute in one step
legend-cli plan earn acc_xxx --amount 1000000 --asset USDC --network base --protocol compound --execute

# Swap
legend-cli plan swap acc_xxx --sell-asset USDC --buy-asset WETH --sell-amount 1000000 --network base --execute

# Transfer
legend-cli plan transfer acc_xxx --amount 1000000 --asset USDC --network base --recipient 0x742d... --execute
Available plan types: earn, swap, withdraw, transfer, borrow, repay.

plan execute

Execute a previously created plan with a signature. 
legend-cli plan execute acc_xxx --plan-id pln_xxx --signature 0xdef456...

# Or auto-sign with the profile's P256 key
legend-cli plan execute acc_xxx --plan-id pln_xxx --auto-sign --digest 0xabc123...

sign

Sign an EIP-712 digest using the profile’s P256 key via Turnkey. 
legend-cli sign 0xabc123...
# Output: 0xdef456... (the signature)

folio

View an account’s portfolio. 
legend-cli folio acc_xxx

activities

View transaction history. 
legend-cli activities acc_xxx
legend-cli activities acc_xxx --id 42

networks

List supported networks. 
legend-cli networks

assets

List supported assets. 
legend-cli assets

keygen

Generate a P256 keypair without creating an account. 
legend-cli keygen
legend-cli keygen --use-file-key

config set

Set a configuration value. 
legend-cli config set query-key qk_YOUR_KEY_HERE

mcp serve

Run a local MCP server via stdio. See MCP Setup for details. 
legend-cli mcp serve

Profile Storage

Profiles are stored at ~/.legend/prod/profiles/<name>.json and contain:
  • Authentication token (query key or JWT)
  • P256 key reference (Secure Enclave label or file path)
  • Associated account and Turnkey sub-org IDs
P256 key files (when using --use-file-key) are stored at ~/.legend/prod/keys/<name>.key with chmod 600.

Output Modes

  • TTY (human): Formatted tables
  • Piped / --json: Raw JSON (default when stdout is not a terminal)
  • --quiet: Just the primary identifier (account_id, plan_id, signature)
JSON-by-default-when-piped means agents can pipe output to jq without extra flags: 
PLAN=$(legend-cli plan earn acc_xxx --amount 1000000 --asset USDC --network base --protocol compound)
echo "$PLAN" | jq -r .plan_id