ScaleFT Client

The ScaleFT Client is a lightweight desktop application and command-line tool for Windows, macOS, and Linux.



After installing the client, you will enroll your client in your team with the command sft enroll.

This adds your new client to your client inventory on the ScaleFT Platform, and authorizes it to take actions on your behalf. After your client is enrolled, you will see it on your client list on the ScaleFT Dashboard.


sft [global options] command [command options] [arguments...]


sft config

Get and set sft configuration options

Many configuration options are available. See the Configuration section for details.

sft dash

Open your team’s dashboard in your browser

sft device-info

Shows your client’s device info as JSON

sft enroll

Adds your new client to your client inventory on the ScaleFT Platform

sft list-accounts

  • --columns: comma-delimited list of lowercase column names to print, only used for default output format
  • -l, --selector: Selector (label query) to filter on, see also Selectors
  • --output [format], -o [format] The output format must be one of: default, json, or describe

List the accounts this client is configured to be able to use

sft list-accounts -o json
sft list-accounts --columns account,id
sft list-accounts -l account=teamname --columns id,username

sft list-servers

  • --columns: comma-delimited list of lowercase column names to print, only used for default output format
  • -l, --selector: Selector (label query) to filter on, see also Selectors
  • --output [format], -o [format] The output format must be one of: default, json, or describe

List servers in the current team which your client has access to

sft list-servers -l os_type=windows
sft list-servers -l os_type=windows,project_name=Demo
sft list-servers -l os_type=windows --columns id,hostname
sft list-servers -l os_type=linux -o json

sft login

If logged out of your client’s current team, create a new session, authenticating with your team’s Identity Provider.

An active, authorized client session allows the ScaleFT Client to request credentials in the background as needed.

sft logout

Logout from current session

sft proxycommand

  • --config: Deprecated in favor of sft ssh-config
  • --via, --bastion: SSH bastion host to use to connect to the target

Used with OpenSSH ProxyCommand to enable transparent use of sft with ssh, scp, rsync, ftp, etc.

sft rdp

  • --via, --bastion: SSH bastion host to use to connect to the target

Connect to RDP to a target passed as an argument

sft resolve

Resolves a single server matching the hostname or instance-details specified

sft ssh

  • --via, --bastion: SSH bastion host to use to connect to the target
  • --command: Command to execute over SSH
  • -L: Support local port-forwarding as OpenSSH does
  • -R: Support remote port-forwarding as OpenSSH does

Connect via SSH to a target passed as an argument

Generally, ScaleFT works with ssh using OpenSSH ProxyCommand integration. The sft ssh command is provided for ssh support in environments or contexts where OpenSSH is not available, or for times when you may want to explicitly pass ScaleFT-specific options such as --via.

sft ssh-config

  • --via, --bastion: SSH bastion host to use to connect to the target

Print an OpenSSH configuration block suitable for use in your ~/.ssh/config file which will enable your local ssh binary to use ScaleFT authentication. This SSH configuration will be used only when your client has a currently active and authorized session.

sft unenroll

  • --all: Unenroll all local clients

Remove the currently active client from your client inventory in the ScaleFT Platform

sft use

Set an enrolled team as the current default for use in your current session

sft help

Shows a list of commands or help for one command

Global Command Line Options

  • -h, --help: Display help.
  • -v, --version: Display version.
  • --config-file: Provide alternative configuration file path.
  • --account: Use specified account
  • --team: Use specified team
  • --instance: Use specified instance of the ScaleFT Platform

All options are optional.


  • -l, --selector: Selector (label query) to filter on

Commands which take a selector as an optional argument can filter their results based on an arbitrary selector query.

Selector syntax is based on Kubernetes Label Queries.


sft list-servers -l os_type=windows,project_name=Demo

This command uses a selector to filter the list of servers you have access to, only returning the servers whose Operating System is Windows and which are in a Project named Demo.


You can view or set configuration options with the sft config command.

No configuration file will be present upon initial installation of the ScaleFT Client. The configuration file will be created once you set your first configuration option.

Until you have set an explicit configuration value, all defaults will be used. The defaults provided for the ScaleFT Client are intended to provide the most security and ease of use for the most common situations. Aside from personal preferences, such as rdp.screensize, you may not need to set any client configurations at all.

ScaleFT Client configurations are grouped into sections. Currently sections include rdp, ssh, ssh_agent, service_auth, and update.

Viewing your configuration

  • sft config: Display your current configurations
  • sft config [section.key]: View the current value of a specific configuration indicated by section.key

Setting a configuration value

You can set a configuration value with the command syntax: sft config [section.key] [value].

Configuration Options



A string, such as 1024x768, describing your preferred RDP window size.

sft config rdp.screensize 800x600
sft config rdp.screensize 1024x768

If set to true, RDP sessions will be opened in fullscreen mode. This causes the rdp.screensize configuration to be ignored.

sft config rdp.fullscreen true
sft config rdp.fullscreen false



If set to true, the ScaleFT Client will store any passphrases entered by the user in the workstation’s local cryptographic store.

sft config ssh.save_privatekey_passwords true
sft config ssh.save_privatekey_passwords false

A value of “netcat” causes ScaleFT to remotely execute netcat (nc) as a means of port forwarding, instead of using the default native SSH port forwarding.

sft config ssh.port_forward_method netcat
sft config ssh.port_forward_method native

A value of “host” causes ScaleFT to set the ForwardAgent option when executing SSH commands. Note that ScaleFT-issued credentials are not added to the ssh-agent, so this is for use with hosts which are configured to accept an externally managed credential, such as a SSH public key which is not managed by ScaleFT.

Leaving this unset, or supplying a value of “none”, will cause ScaleFT not to forward SSH agent.

sft config ssh.insecure_forward_agent host
sft config ssh.insecure_forward_agent none

SSH Agent


If set, the ScaleFT Client will use an SSH agent when authenticating.

sft config ssh_agent.enable true
sft config ssh_agent.enable false

The value is a JSON array of paths to SSH private keys to be loaded into the SHH agent. You can append values to it using the --append flag.

sft config ssh_agent.keys '["/Users/alice/.ssh/id_rsa"]'
sft config ssh_agent.keys --append /Users/alice/.ssh/id_rsa
sft config ssh_agent.keys '[]'

Tip: When writing a JSON literal in Windows PowerShell, escape inner quotes, as in: sft config ssh_agent.keys '[\"C:\\Users\\alice\\.ssh\\id_rsa\"]'

Service Auth


If set, the ScaleFT Client will support authentication for service users.

Learn more about Service Users

sft config service_auth.enable true
sft config service_auth.enable false



The ScaleFT Client defaults to the stable update channel, but you can opt into receiving our more-frequent releases by setting this configuration to the test update channel.

sft config update.release_channel test
sft config update.release_channel stable

Environment Variables


When set, any command run will print internal logs and timing messages to stderr

SFT_DEBUG=1 sft list-servers