WebCull
En
Fr
Es
De
Documentation cli
cli

E2EE And Safety

Use CLI commands safely with encrypted accounts and hidden passphrase prompts.

E2EE

Encrypted Account Commands Keep Secrets Local

For E2EE accounts, the CLI prompts for the E2EE passphrase only through hidden interactive terminal input. Do not put passphrases in command arguments, environment variables, config files, stdin pipes, logs, examples, or API requests.

Reads and Writes

Decrypt And Encrypt Only In The CLI Process

Search
Encrypted accounts use limited local decrypted search when bookmark text needs to be searched.
Get
Requested encrypted fields are decrypted locally when you provide the passphrase.
Writes
Edited encrypted fields are encrypted locally before being sent to WebCull.
Graph
Graph commands exclude notes unless you request extra fields.
Passphrase Input

Passphrases Stay Out Of Shell Arguments

# Unsafe
webcull bookmarks get --ids 2302 --e2ee-password secret

# Safe
webcull bookmarks get --ids 2302 --fields id,title,notes

The second command prompts safely when encrypted fields require a passphrase. If the terminal is non-interactive and no session key is available, the command fails closed.

Next step agent Overview Choose the right WebCull CLI agent workflow and follow conservative limits, pacing, write, and E2EE rules.