vendo ssh
Open an interactive shell on a running Vendo deployment.
Synopsis
vendo ssh <deployment-slug-or-id>Opens an interactive shell on one of your tenant's deployments. The session is brokered through ssh.vendo.run — Vendo holds the SSH key, audits the session, and proxies stdio over a WebSocket. You never see the underlying provider's SSH key.
Exit with Ctrl-D or by typing exit.
Requires vendo login.
Arguments
| Argument | Description |
|---|---|
deployment-slug-or-id | Required. Either the deployment slug (e.g. support-bot) or the deployment id (e.g. dpl_abc). Must be a deployment you own. |
How it works
- The CLI POSTs to
/api/cli/ssh/${encodeURIComponent(deployment)}with your CLI bearer (the path component is URL-encoded, so unusual slug characters round-trip safely). - The server validates ownership and mints a short-lived session token bound to a
wss://ssh.vendo.run/...URL. - The CLI opens that WebSocket.
- Local stdin is switched to raw mode and forwarded over the socket as
{ type: "data", b64 }frames; remote stdout is written back to the local terminal. - Terminal resize is forwarded as
{ type: "resize", cols, rows }; an initial resize frame is sent right afteropen. Ctrl-Cis forwarded to the remote process — it does not kill the CLI.- The CLI exits with the broker-reported exit code (
{ type: "exit", code }) when the remote shell closes. Defaults to0if the broker never sends anexitframe; brokererrorframes and WS errors both surface as exit1.
Calling vendo ssh with no arguments prints the help text and exits with code 2.
Output
On connect (written to stderr, so it does not pollute piped output):
✓ Connected to support-botFollowed by the remote shell prompt on stdout.
On broker error or timeout (also stderr):
[ssh-broker] session expiredOn WebSocket error:
WS error: <message>Examples
By slug:
vendo ssh support-botBy id:
vendo ssh dpl_abcAudit and security
Every session is logged (start time, end time, duration, user, deployment) and recorded in Vendo's audit trail. The deployment container never has provider-managed SSH keys in its environment — only a scoped vendo_sk_* proxy token, which is rate-limited and spend-capped server-side.
vendo ssh opens a real shell on production infrastructure. Treat it like any other production access channel — prefer reading logs or using the dashboard's restart/rollback UIs when a shell isn't strictly necessary.
Related
- vendo login
- HTTP API > Deploy — managing the deployment from the API