Every list and get command in the CLI supports the same flags: filtering, paging, and a choice between human-readable tables and machine-readable JSON. The pattern is consistent across certificates, profiles, identifiers, devices, and apple-accounts.
Two output formats
- -o table
- Default. Renders a column-aligned table sized to your terminal, with colour for status badges. Best for interactive use.
- -o json
- Emits the raw JSON the API returned, on stdout. Pipe into
jq, write to a file, or feed it into a Slack bot or status page.
Filter and paginate
List commands accept --type, --status, --page, and --limit. The set of valid values for --type and --status is enumerated in the per-command help (hexsign certificates list --help).
# Valid Apple distribution certificates hexsign certificates list --type DISTRIBUTION --status valid # Page through all active profiles 50 at a time hexsign profiles list --status active --page 1 --limit 50 hexsign profiles list --status active --page 2 --limit 50 # Profiles expiring soon, as JSON hexsign profiles expiring -o json
Filter by bundle ID
identifiers list and profiles list both accept --bundle-id for an exact-match filter. For profiles the join goes through the underlying identifier, so a single bundle ID can return several profiles (typically one per profile type: development, ad-hoc, app store).
# The identifier row for one bundle ID hexsign identifiers list --bundle-id com.example.app # Every profile attached to that bundle ID hexsign profiles list --bundle-id com.example.app
profiles download accepts the same flag to fetch every matching .mobileprovision in one call. Files are written into --output-dir using the server-provided sanitized filename, so you don't need to track IDs.
hexsign profiles download --bundle-id com.example.app --output-dir build/sign
Scope across linked Apple accounts with --team-id
When you've linked more than one Apple Developer team, every list command (certificates, profiles, identifiers, devices) accepts --team-id to scope the results to a single team. The team identifier is the 10-character prefix Apple assigns to your team; hexsign apple-accounts list shows it in the TEAM ID column. The same flag is available on apple-accounts sync and delete, so you can run those by team id instead of the HexSign UUID.
# Find your team ids hexsign apple-accounts list # Distribution certs for one team only hexsign certificates list --type DISTRIBUTION --team-id ABCDE12345 # Bulk-download every distribution cert for one team hexsign certificates download --type DISTRIBUTION --team-id ABCDE12345 \ --output-dir build/sign # Profiles for a bundle id, scoped to one team hexsign profiles list --bundle-id com.example.app --team-id ABCDE12345 # Sync or delete an account by team id hexsign apple-accounts sync ABCDE12345 hexsign apple-accounts delete ABCDE12345
Pipe into jq
JSON output is the standard envelope the API returns: a top-level object with data and (for lists) pagination. jq makes scripting trivial; for example, list every certificate within 14 days of expiry along with its dependent profile count.
hexsign certificates expiring -o json \
| jq '.data[]
| select(.daysUntilExpiry <= 14)
| { id, name, type, daysUntilExpiry }'One-shot status with hexsign summary
hexsign summary prints counts of certificates, profiles, devices, and identifiers across every connected Apple account, plus an expiring block. It's the single command to drop into a cron, a Slack bot, or a daily status page.
hexsign summary # or, for a status page payload: hexsign summary -o json | curl -X POST -d @- https://status.example.com/hooks/hexsign