Build repository graphs once, query them with precision.
Complete reference for the gph CLI, the REST API, authentication flows, and deployment guidance.
Quickstart
From zero to querying your first graph in under three minutes.
Create an account
Sign up at /auth/sign-up or use GitHub OAuth. You can also use the CLI immediately if you already have a server URL and API key.
Index a repository
Generate an API key in the dashboard, run gph login, then gph index ./your-repo --repo <id>. Only changed files are processed on subsequent runs.
Query & export
Run gph search "your question" or gph query "natural language question" to retrieve token-bounded context. Use gph export to generate an agent-ready JSON bundle.
Installation
The gph CLI is a Node.js package. Install it globally or use it via npx.
# Global install (beta) npm install -g @graphchat/gph@beta # Or run without installing npx -p @graphchat/gph@beta gph login --key sk-graphchat-...
Requires Node.js 18 or later. The CLI stores credentials in ~/.graphchat/credentials.json and configuration in ~/.graphchat/config.json.
Authentication
graphchat uses two separate auth flows:
Web / browser
Email + password or GitHub OAuth. Sessions are maintained via HTTP-only cookies. The dashboard and graph UI use this flow.
CLI / API key
Generate an API key (sk-graphchat-…) in the dashboard under Settings → API Keys. Run gph login --key sk-graphchat-…. The CLI exchanges the key for a short-lived JWT access token and a refresh token that auto-renews it.
API key exchange flow
# 1. Mint a key in the dashboard, then:
gph login --key sk-graphchat-abc123
# Internally this calls:
# POST /api/auth/exchange { "api_key": "sk-graphchat-abc123" }
# → { access_token, refresh_token, expires_in }
# All subsequent gph commands attach:
# Authorization: Bearer <access_token>Access tokens expire after a short window; the CLI automatically calls POST /api/auth/refresh before any request when expiry is imminent. To log out and revoke the refresh token:
gph logout
CLI Reference
Every gph command authenticates via the stored JWT and hits the configured server URL. Global help: gph --help. Per-command help: gph <cmd> --help.
gph login--key <api_key>--server <url>Authenticate the CLI with your graphchat server using an API key (prefix sk-graphchat-). Exchanges the key for a JWT access + refresh token pair stored locally. The token is auto-refreshed before expiry.
gph login --key sk-graphchat-abc123 gph login --key sk-graphchat-abc123 --server https://your.graphchat.host
gph logoutRevokes the stored refresh token on the server and removes local credentials. After logout, any cached access token is also invalidated.
gph logout
gph status--jsonShows the currently authenticated user, server URL, and token expiry. Use --json for machine-readable output.
gph status gph status --json
gph repos--jsonLists all repositories accessible to the current user. Returns repo ID, name, branch, last sync time, and node count.
gph repos gph repos --json
gph index <path>--repo <id>--branch <name>Indexes a local repository path and pushes it to the graph service. The path is resolved to an absolute path; only files within it are included. Reuses prior state so only changed files are re-processed.
gph index ./src --repo my-api-id gph index . --repo backend --branch main
gph search <query>--repo <id>--budget <tokens>--confidence <level>--json--agentVector + graph search across indexed repos. The --budget flag caps the token count of returned results, dropping lower-confidence nodes first. --agent emits a compact format ready to paste into an AI chat prompt. --confidence accepts EXTRACTED | INFERRED | SPECULATIVE.
gph search "authentication middleware" --budget 1500 gph search "JWT guard" --repo backend --confidence EXTRACTED --agent
gph query <question>--repo <id>--mode <knn|bfs|dfs>--hops <n>--budget <tokens>--jsonGraph-expanded retrieval. Embeds your natural-language question, runs vector KNN to pick seed nodes, then traverses the graph from those seeds. --mode knn (default) returns neighbours by similarity; bfs / dfs walk structural edges. --hops controls expansion depth, --budget caps the response in tokens.
gph query "how does login work?" --repo my-api-id gph query "request lifecycle" --repo backend --mode bfs --hops 3 --budget 3000
gph explain <label>--repo <id>AI-generated explanation of a single node, grounded in the graph. The CLI looks up the node by label (case-insensitive exact match), pulls its strongest neighbours, and asks the configured LLM to describe what it is, how it relates to those neighbours, and any caveats. Uses your active LLM provider from Settings → Model.
gph explain AuthService --repo my-api-id gph explain ResponseInterceptor --repo backend
gph path <source> <target>--repo <id>Finds the shortest path between two named symbols in the graph and prints every hop. Useful for understanding how middleware or dependency chains connect.
gph path AuthService JwtGuard --repo my-api-id gph path ResponseInterceptor DatabaseService --repo backend
gph watch <path>--repo <id>--debounce <ms>--on-commit--stopKeeps the graph in sync with a working directory. Default mode runs a local file watcher (chokidar) and re-indexes after a debounce window — only the diff is uploaded; source code stays on your machine. With --on-commit, installs idempotent post-commit / post-checkout / post-merge git hooks that re-index in the background. Use --stop with --on-commit to remove the hooks.
gph watch ./src --repo my-api-id gph watch ./src --repo my-api-id --debounce 3000 gph watch ./src --repo my-api-id --on-commit gph watch ./src --repo my-api-id --stop
gph report--repo <id>--out <file>Generates a GRAPH_REPORT.md audit report summarising god nodes, top communities, surprise edges, and file coverage stats. Ready to paste into a PR description or agent prompt.
gph report --repo my-api-id --out GRAPH_REPORT.md gph report --repo backend --out ./reports/backend.md
gph export--repo <id>--out <file>Exports a full agent context payload for a named repo as a structured JSON bundle. The bundle includes graph metadata, communities, nodes, and edges — ready to feed into any LLM session.
gph export --repo my-api-id --out context.json gph export --repo backend --out ./context/backend.json
API Reference
All API routes are prefixed with /api. Authenticated routes require an Authorization: Bearer <access_token> header. Responses are JSON. Rate limiting is enforced per user via a Redis sliding-window counter.
Authentication
/api/auth/registerpublicCreate a new user account. Returns access + refresh tokens.
{ "email": "you@example.com", "password": "..." }/api/auth/loginpublicAuthenticate with email + password. Returns access + refresh tokens.
{ "email": "you@example.com", "password": "..." }/api/auth/githubpublicSign in via GitHub OAuth. Supply the GitHub OAuth code.
{ "code": "<oauth_code>" }/api/auth/sessionauth requiredReturns the current authenticated user (name, email, role).
/api/auth/logoutpublicRevokes a refresh token. Supply the refresh token in the body.
{ "refresh_token": "..." }API Keys (CLI auth)
/api/auth/keysauth requiredMint a new API key for the current user. The plaintext (sk-graphchat-…) is returned once and never stored.
{ "label": "my-ci-key", "scopes": ["search", "export"] }/api/auth/keysauth requiredList all API keys belonging to the current user (IDs, labels, scopes, created date).
/api/auth/keys/:idauth requiredPermanently revoke an API key by its ID. Returns 204 on success.
/api/auth/exchangepublicTrade an API key for a fresh JWT access + refresh token pair. This is what gph login calls internally.
{ "api_key": "sk-graphchat-..." }/api/auth/refreshpublicTrade a refresh token for a new access token. The CLI calls this automatically before expiry.
{ "refresh_token": "..." }Repositories
/api/reposauth requiredList all repos for the current user with metadata (branch, node count, last sync).
/api/repos/:idauth requiredGet a single repo by ID including full graph metadata.
/api/reposauth requiredCreate / register a new repo. Supply name, remote URL, and branch.
{ "name": "my-api", "url": "https://github.com/org/repo", "branch": "main" }/api/repos/import/github/branchesauth requiredList available branches for a GitHub repo before importing.
{ "repoUrl": "https://github.com/org/repo" }/api/repos/import/githubauth requiredImport a GitHub repository and trigger initial graph ingestion.
{ "repoUrl": "https://github.com/org/repo", "branch": "main" }/api/repos/:id/sync/githubauth requiredTrigger an incremental re-sync for a repo — only changed files are re-processed.
/api/repos/:idauth requiredDelete a repo and all associated graph data.
Graph & Search
/api/nodes/searchauth requiredVector + graph search. Supply query, optional repoId, budget (token cap), and confidence filter.
{ "query": "auth middleware", "repoId": "...", "budget": 1500, "confidence": "EXTRACTED" }/api/graph/pathauth requiredShortest path between two node labels. Returns ordered hop array.
?repoId=...&source=AuthService&target=JwtGuard
/api/graph/communities/:repoIdauth requiredReturns all Leiden communities for a repo with member counts and top nodes.
/api/graph/community/:communityId/promptauth requiredReturns a token-bounded, agent-ready context bundle for a single community (cached in Redis).
/api/graph/report/:repoIdauth requiredReturns the GRAPH_REPORT.md content as a string — god nodes, surprise edges, coverage stats.
/api/graph/analyzeauth requiredRun graph analysis (community detection, god-node scoring) on an already-ingested repo.
{ "repoId": "..." }/api/graph/ingestauth requiredReceives a client-extracted graph payload (the CLI runs Tree-sitter locally and ships only nodes + edges). Source code never reaches the API. This is the endpoint behind gph index and gph watch.
{ "repoId": "...", "nodes": [...], "edges": [...] }/api/graph/queryauth requiredGraph-expanded retrieval. Embeds the question, runs vector KNN to pick seed nodes, then asks the sidecar to expand from those seeds. Backs gph query.
{ "repoId": "...", "query": "how does login work?", "mode": "knn", "hops": 2, "budget": 2000 }/api/ai/explainauth requiredGenerates a natural-language explanation of a node, grounded in its graph neighbours. Backs gph explain.
{ "repoId": "...", "label": "AuthService" }/api/ai/suggestauth requiredReturns a structured ContextNode draft (type / label / content / tags) for free-text input. Used by the dashboard UI when adding manual notes.
{ "repoId": "...", "input": "JWT auth middleware" }System
/api/healthpublicReturns service health, Redis cache hit rate, and DB status.
/api/health/configpublicReturns non-sensitive runtime configuration (model, chunk size, rate-limit defaults).
Deployment
graphchat is an Nx monorepo with three deployable apps: the Next.js web frontend, the NestJS API, and the Python graph service. Run them together via Docker Compose or deploy each independently.
Heads up: the repository will be open-sourced soon, so you'll be able to clone, audit, and self-host the entire stack.
Run through Nx (development)
Use pnpm nx serve web, pnpm nx serve api to start apps locally. Nx caches build artifacts so cold starts after the first run are fast.
pnpm nx serve web pnpm nx serve api
Docker Compose (production)
The repository root contains a docker-compose.yml that wires up the web app, API, graph service, Postgres, and Redis together.
docker compose up --build
Environment variables
Copy .env.example to .env and set DATABASE_URL, REDIS_URL, JWT_SECRET (use a long random string in production), GITHUB_CLIENT_ID, and GITHUB_CLIENT_SECRET.
cp .env.example .env # Edit .env with your secrets
Point the CLI at your server
By default the CLI targets the hosted graphchat server. To use a self-hosted instance, pass --server on login or set serverUrl in ~/.graphchat/config.json.
gph login --key sk-graphchat-... --server https://your.host.com