superfly · jbellerb · May 19, 2026
diff --git a/internal/command/tokens/create.go b/internal/command/tokens/create.go
@@ -39,6 +39,7 @@ func newCreate() *cobra.Command {
 		newOrgRead(),
 		newLiteFSCloud(),
 		newSSH(),
+		newWireGuard(),
 	)
 
 	return cmd
@@ -255,6 +256,37 @@ func newMachineExec() *cobra.Command {
 	return cmd
 }
 
+func newWireGuard() *cobra.Command {
+	const (
+		short = "Create a WireGuard token"
+		long  = "Create an API token limited to WireGuard peer management for an organization. Tokens are valid for 20 years by default. We recommend using a shorter expiry if practical."
+		usage = "wireguard"
+	)
+
+	cmd := command.New(usage, short, long, runWireGuard,
+		command.RequireSession,
+	)
+
+	flag.Add(cmd,
+		flag.JSONOutput(),
+		flag.Duration{
+			Name:        "expiry",
+			Shorthand:   "x",
+			Description: "The duration that the token will be valid",
+			Default:     time.Hour * 24 * 365 * 20,
+		},
+		flag.String{
+			Name:        "name",
+			Shorthand:   "n",
+			Description: "Token name",
+			Default:     "WireGuard token",
+		},
+		flag.Org(),
+	)
+
+	return cmd
+}
+
 func makeToken(ctx context.Context, apiClient flyutil.Client, orgID string, expiry string, profile string, options *gql.LimitedAccessTokenOptions) (*gql.CreateLimitedAccessTokenResponse, error) {
 	resp, err := gql.CreateLimitedAccessToken(
 		ctx,
@@ -551,6 +583,52 @@ func runMachineExec(ctx context.Context) error {
 	return nil
 }
 
+func runWireGuard(ctx context.Context) error {
+	var token string
+	apiClient := flyutil.ClientFromContext(ctx)
+
+	expiry := ""
+	if expiryDuration := flag.GetDuration(ctx, "expiry"); expiryDuration != 0 {
+		expiry = expiryDuration.String()
+	}
+
+	org, err := orgs.OrgFromEnvVarOrFirstArgOrSelect(ctx)
+	if err != nil {
+		return fmt.Errorf("failed retrieving org %w", err)
+	}
+
+	resp, err := makeToken(ctx, apiClient, org.ID, expiry, "deploy_organization", &gql.LimitedAccessTokenOptions{})
+	if err != nil {
+		return err
+	}
+
+	token = resp.CreateLimitedAccessToken.LimitedAccessToken.TokenHeader
+
+	token, err = attenuate(token, &resset.IfPresent{
+		Ifs: macaroon.NewCaveatSet(
+			&flyio.Apps{Apps: resset.ResourceSet[uint64, resset.Action]{}},
+			&flyio.FeatureSet{
+				Features: resset.ResourceSet[string, resset.Action]{
+					flyio.FeatureWireGuard: resset.ActionAll,
+				},
+			},
+		),
+		Else: resset.ActionRead,
+	})
+	if err != nil {
+		return err
+	}
+
+	io := iostreams.FromContext(ctx)
+	if config.FromContext(ctx).JSONOutput {
+		render.JSON(io.Out, map[string]string{"token": token})
+	} else {
+		fmt.Fprintln(io.Out, token)
+	}
+
+	return nil
+}
+
 func attenuate(token string, cavs ...macaroon.Caveat) (string, error) {
 	var atoken string
 	macTok, disToks, err := flyio.ParsePermissionAndDischargeTokens(token)

diff --git a/internal/command/wireguard/root.go b/internal/command/wireguard/root.go
@@ -20,7 +20,6 @@ func New() *cobra.Command {
 		newWireguardRemove(),
 		newWireguardReset(),
 		newWireguardWebsockets(),
-		newWireguardToken(),
 	)
 
 	return cmd
@@ -99,90 +98,3 @@ func newWireguardWebsockets() *cobra.Command {
 
 	return cmd
 }
-
-func newWireguardToken() *cobra.Command {
-	const (
-		short = "Commands that managed WireGuard delegated access tokens"
-		long  = `Commands that managed WireGuard delegated access tokens`
-	)
-	cmd := command.New("token", short, long, nil,
-		command.RequireSession,
-	)
-	cmd.AddCommand(
-		newWireguardTokenCreate(),
-		newWireguardTokenDelete(),
-		newWireguardTokenList(),
-		newWireguardTokenStart(),
-		newWireguardTokenUpdate(),
-	)
-
-	return cmd
-}
-
-func newWireguardTokenList() *cobra.Command {
-	const (
-		short = "List all WireGuard tokens"
-		long  = `List all WireGuard tokens`
-	)
-	cmd := command.New("list [org]", short, long, runWireguardTokenList,
-		command.RequireSession,
-	)
-	flag.Add(cmd,
-		flag.JSONOutput(),
-	)
-	cmd.Args = cobra.MaximumNArgs(1)
-
-	return cmd
-}
-
-func newWireguardTokenCreate() *cobra.Command {
-	const (
-		short = "Create a new WireGuard token"
-		long  = `Create a new WireGuard token`
-	)
-	cmd := command.New("create [org] [name]", short, long, runWireguardTokenCreate,
-		command.RequireSession,
-	)
-	cmd.Args = cobra.MaximumNArgs(2)
-
-	return cmd
-}
-
-func newWireguardTokenDelete() *cobra.Command {
-	const (
-		short = "Delete a WireGuard token; token is name:<name> or token:<token>"
-		long  = `Delete a WireGuard token; token is name:<name> or token:<token>`
-	)
-	cmd := command.New("delete [org] [token]", short, long, runWireguardTokenDelete,
-		command.RequireSession,
-	)
-	cmd.Args = cobra.MaximumNArgs(2)
-
-	return cmd
-}
-
-func newWireguardTokenStart() *cobra.Command {
-	const (
-		short = "Start a new WireGuard peer connection associated with a token (set FLY_WIREGUARD_TOKEN)"
-		long  = `Start a new WireGuard peer connection associated with a token (set FLY_WIREGUARD_TOKEN)`
-	)
-	cmd := command.New("start [name] [group] [region] [file]", short, long, runWireguardTokenStart,
-		command.RequireSession,
-	)
-	cmd.Args = cobra.MaximumNArgs(4)
-
-	return cmd
-}
-
-func newWireguardTokenUpdate() *cobra.Command {
-	const (
-		short = "Rekey a WireGuard peer connection associated with a token (set FLY_WIREGUARD_TOKEN)"
-		long  = `Rekey a WireGuard peer connection associated with a token (set FLY_WIREGUARD_TOKEN)`
-	)
-	cmd := command.New("update [name] [file]", short, long, runWireguardTokenUpdate,
-		command.RequireSession,
-	)
-	cmd.Args = cobra.MaximumNArgs(2)
-
-	return cmd
-}