CT Watch

The ctw CLI

ctw runs the same search as the website and manages your watch rules from the terminal. It talks to your CT Watch account over the HTTP API: run ctw login once, and every command runs against the server as you. There is no offline mode — the CLI holds no local database.

Install it from the download page.

Signing in

$ ctw login
  To sign in, open https://… and enter the code: CODE-1234
  waiting for approval…
  ✓ Logged in to https://ctw.example.com

ctw login uses the OAuth 2.1 device-code flow — it prints a short code and a URL, you approve it in any browser, and the CLI stores the resulting tokens locally (file mode 0600) and refreshes them for you. There are no API keys to mint or rotate. See how auth works.

$ ctw status      # are we logged in, and to where?
$ ctw logout      # discard the stored tokens

Point at a server explicitly with --server https://ctw.example.com or the CTW_SERVER environment variable. Every command needs a login; if you aren’t signed in, ctw tells you to run ctw login rather than doing anything local.

Plan & usage

ctw usage prints your plan, its caps, and what you’ve used today — the same numbers as the dashboard’s Usage tab. Remote-only (usage is a hosted, per-account concept).

$ ctw usage
plan: pro   (via https://ctw.example.com)
  searches/hour : 12 used / 100
  watch rules   : 1000
  deliveries/day: 84 used / 10000
  searches today: 37

A means that cap is unlimited on this deployment. See plans & limits for what each number means and the 403/429 you get when you hit one.

Searching

$ ctw query example.com
  3 certs (local)

Flags:

| Flag | Effect | |---|---| | --exact | Match only the exact host — exclude subdomains. | | --limit <n> | Cap the number of rows returned. |

The output notes whether rows came from the server’s archive or a fresh backfill. See the search model.

Watch rules

$ ctw watch add example.com --kind domain     # apex + subdomains
$ ctw watch add acme-corp   --kind keyword     # substring anywhere
$ ctw watch list
  1  [domain]   example.com
  2  [keyword]  acme-corp
$ ctw watch rm 1

Rules are scoped to your account. Matches are delivered to the webhook targets you’ve configured.