CLI Reference

Reference for the Pult Agent command-line flags used by deployment scripts and admin tooling.

This page documents every command-line flag accepted by the Pult Agent binary. Use it when writing deployment scripts, MDM post-install hooks, or troubleshooting an existing install.

Binary location

Platform   Path
macOS      /Applications/Pult Agent.app/Contents/MacOS/pult-agent
Windows    C:\Program Files\Pult Agent\pult-agent.exe

The shorthand pult-agent in this page refers to the platform binary above. Substitute the full path in deployment scripts.

General behavior

  • The agent runs as a long-lived process started by login auto-start on Windows or managed login items on macOS. The flags below are short-lived invocations of the same binary that perform a one-shot action.
  • Most flags exit immediately after doing their work without starting the long-lived agent process. Per-flag notes call out any exceptions.
  • Flags that read or write OS secure storage (Keychain on macOS, Credential Manager on Windows) require an active, interactive user session -- the binary cannot run pre-login. Per-flag notes call this out where it applies.

--bootstrap-token <token>

Sets or updates the bootstrap token in secure storage and clears any existing device-auth session key (so the agent will initiate a fresh enrollment attempt).

  • Validates the token format: 1-128 characters, alphanumeric with - and _ allowed.
  • Stores the token in OS secure storage.
  • Clears any stored device-auth session key.
  • Does not start the agent.

Usage:

pult-agent --bootstrap-token "your-token-here"

Notes:

  • The agent does not notice this command if it is already running. To pick up the new token in a running process, follow it with --reload-bootstrap-token, or restart the agent.
  • If the same token is already stored, the command exits successfully with a message and makes no change.
  • An invalid token format prints Invalid bootstrap token provided and exits non-zero.

--reload-bootstrap-token

Signals a running agent to reload its bootstrap token from secure storage.

  • Has no effect if the agent is not running.
  • Typically combined with --bootstrap-token in deployment scripts to update a token in place without restarting.

Usage:

pult-agent --reload-bootstrap-token

--reset-bootstrap-token

Removes the stored bootstrap token and clears the device-auth session key. The agent will need to be configured with a new bootstrap token before enrollment can succeed again.

Usage:

pult-agent --reset-bootstrap-token

--cleanup-credentials

Removes the user access token issued after a successful Device Auth Request approval.

Use this to "fully de-enroll" the agent before re-running enrollment, e.g. when validating a deployment recipe end-to-end. Combine with --reset-bootstrap-token to also clear the stored bootstrap token.

Usage:

pult-agent --cleanup-credentials

Common compositions

Set + reload (rotating a token on a running agent)

pult-agent --bootstrap-token "new-token"
pult-agent --reload-bootstrap-token
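
The set + reload sequence as a deployment-script function, with the documented token format checked locally before the agent is called. This is an added example, not code from the Pult documentation. The PULT_AGENT override variable, the function names and the return codes 2/3/4 are assumptions made for this sketch, and the default path is the macOS one from the table above.

```shell
#!/bin/sh
# Added example: pre-validate and rotate a Pult Agent bootstrap token.
# PULT_AGENT is a hypothetical override for this script, not an agent setting.
PULT_AGENT="${PULT_AGENT:-/Applications/Pult Agent.app/Contents/MacOS/pult-agent}"

# Exit status 0 only if the token matches the documented format:
# 1-128 characters, alphanumeric plus '-' and '_'.
# Runs in a subshell with LC_ALL=C so A-Z/a-z/0-9 are plain ASCII ranges.
valid_bootstrap_token() (
    LC_ALL=C
    token=$1
    [ -n "$token" ] && [ "${#token}" -le 128 ] || exit 1
    case $token in
        *[!A-Za-z0-9_-]*) exit 1 ;;
    esac
    exit 0
)

# Store the token, then signal a running agent to reload it.
# Return codes (chosen for this example):
#   2 = rejected locally, 3 = store step failed, 4 = reload step failed.
rotate_bootstrap_token() {
    token=$1
    if ! valid_bootstrap_token "$token"; then
        # Never echo the token itself into deployment logs.
        echo "refusing to call agent: token fails format check" >&2
        return 2
    fi
    # --bootstrap-token exits non-zero on an invalid token format.
    "$PULT_AGENT" --bootstrap-token "$token" || return 3
    # --reload-bootstrap-token has no effect if the agent is not running.
    "$PULT_AGENT" --reload-bootstrap-token || return 4
    return 0
}
```

Checking the format locally lets the script tell a malformed token (2) apart from a failure of the store step itself (3), for example when no interactive user session is available for secure storage.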

Full de-enrollment (testing a deployment recipe)

pult-agent --reset-bootstrap-token
pult-agent --cleanup-credentials

After running these, the agent has no stored token and no access token, equivalent to a fresh install for enrollment purposes.

Last updated on May 13, 2026, 12:21 PM
