aspera-cli 4.6.0 → 4.7.0

data/README.md

@@ -2,7 +2,7 @@
 
 [comment1]: # (Do not edit this README.md, edit docs/README.erb.md, for details, read docs/README.md)
 
-Version : 4.6.0
+Version : 4.7.0
 
 Laurent/2016-2022
 
@@ -14,9 +14,10 @@ Ruby Gem: [https://rubygems.org/gems/aspera-cli](https://rubygems.org/gems/asper
 
 Ruby Doc: [https://www.rubydoc.info/gems/aspera-cli](https://www.rubydoc.info/gems/aspera-cli)
 
-Required Ruby version: > 2.4
+Minimum required Ruby version: >= 2.4. Deprecation notice: the minimum will be 2.5 in a future version.
 
-[Aspera APIs](https://developer.ibm.com/?size=30&q=aspera&DWContentType[0]=APIs)
+[Aspera APIs on IBM developer](https://developer.ibm.com/?size=30&q=aspera&DWContentType[0]=APIs)
+[Link 2](https://developer.ibm.com/apis/catalog/?search=aspera)
 
 ## <a id="when_to_use"></a>When to use and when not to use
 
@@ -88,7 +89,7 @@ ascli --version
 ```
 
 ```bash
-4.6.0
+4.7.0
 ```
 
 ### First use
@@ -126,7 +127,7 @@ If you want to use `ascli` with another server, and in order to make further cal
 * download a file
 
 ```bash
-ascli config preset update myserver --url=ssh://demo.asperasoft.com:33001 --username=asperaweb --password=_demo_pass_
+ascli config preset update myserver --url=ssh://demo.asperasoft.com:33001 --username=asperaweb --password=_pass_here_
 ```
 
 ```output
@@ -185,7 +186,7 @@ It is possible to install *either* directly on the host operating system (Linux,
 
 The direct installation is recommended and consists in installing:
 
-* [Ruby](#ruby) version > 2.4
+* [Ruby](#ruby) (version: >= 2.4. Deprecation notice: the minimum will be 2.5 in a future version)
 * [aspera-cli](#the_gem)
 * [Aspera SDK (ascp)](#fasp_prot)
 
@@ -238,7 +239,7 @@ Use this method to install on the native host.
 
 A ruby interpreter is required to run the tool or to use the gem and tool.
 
-Required Ruby version: > 2.4. Ruby version 3 is also supported.
+Required Ruby version: >= 2.4. Deprecation notice: the minimum will be 2.5 in a future version.
 
 *Ruby can be installed using any method* : rpm, yum, dnf, rvm, brew, windows installer, ... .
 
@@ -246,7 +247,7 @@ Refer to the following sections for a proposed method for specific operating sys
 
 The recommended installation method is `rvm` for systems with "bash-like" shell (Linux, macOS, Windows with cygwin, etc...).
 If the generic install is not suitable (e.g. Windows, no cygwin), you can use one of OS-specific install method.
-If you have a simpler better way to install Ruby version > 2.4 : use it !
+If you have a simpler better way to install Ruby : use it ! (version: >= 2.4. Deprecation notice: the minimum will be 2.5 in a future version)
 
 #### Generic: RVM: single user installation (not root)
 
@@ -516,7 +517,7 @@ The `aspera-cli` Gem provides a command line interface (CLI) which interacts wit
 * Any command line options (products URL, credentials or any option) can be provided on command line, in configuration file, in env var, in files
 * Supports Commands, Option values and Parameters shortcuts
 * FASP [Transfer Agents](#agents) can be: local ascp, or Connect Client, or any transfer node
-* Transfer parameters can be altered by modification of _transfer-spec_, this includes requiring multi-session
+* Transfer parameters can be altered by modification of [*transfer-spec*](#transferspec), this includes requiring multi-session
 * Allows transfers from products to products, essentially at node level (using the node transfer agent)
 * Supports FaspStream creation (using Node API)
 * Supports Watchfolder creation (using Node API)
@@ -544,10 +545,10 @@ There are two types of command line arguments: Commands and Options. Example :
 ascli command subcommand --option-name=VAL1 VAL2
 ```
 
-* executes _command_: `command subcommand`
-* with one _option_: `option_name`
-* this option is given a _value_ of: `VAL1`
-* the command has one additional _argument_: `VAL2`
+* executes *command*: `command subcommand`
+* with one *option*: `option_name`
+* this option is given a *value* of: `VAL1`
+* the command has one additional *argument*: `VAL2`
 
 When the value of a command, option or argument is constrained by a fixed list of values, it is possible to use the first letters of the value only, provided that it uniquely identifies a value. For example `ascli conf ov` is the same as `ascli config overview`.
 
@@ -580,7 +581,7 @@ Note that here, `--sample` is taken as an argument, and not as an option, due to
 
 Options can be optional or mandatory, with or without (hardcoded) default value. Options can be placed anywhere on command line and evaluated in order.
 
-The value for _any_ options can come from the following locations (in this order, last value evaluated overrides previous value):
+The value for *any* options can come from the following locations (in this order, last value evaluated overrides previous value):
 
 * [Configuration file](#configfile).
 * Environment variable
@@ -677,6 +678,9 @@ The option `display` controls the level of output:
 * `data` display `data` and `error` messages
 * `error` display only error messages.
 
+By default, secrets are shown on output.
+To hide secrets from results, set option `show_secrets` to `no`.
+
 #### Selection of output object properties
 
 By default, a table output will display one line per entry, and columns for each entries. Depending on the command, columns may include by default all properties, or only some selected properties. It is possible to define specific columns to be displayed, by setting the `fields` option to one of the following value:
@@ -702,11 +706,12 @@ The difference between reader and decoder is order and ordinality. Both act like
 
 The following "readers" are supported (returns value in []):
 
-* @val:VALUE : [String] prevent further special prefix processing, e.g. `--username=@val:laurent` sets the option `username` to value `laurent`.
-* @file:PATH : [String] read value from a file (prefix `~/` is replaced with the users home folder), e.g. `--key=@file:~/.ssh/mykey`
-* @path:PATH : [String] performs path expansion (prefix `~/` is replaced with the users home folder), e.g. `--config-file=@path:~/sample_config.yml`
-* @env:ENVVAR : [String] read from a named env var, e.g.--password=@env:MYPASSVAR
-* @stdin: : [String] read from stdin (no value on right)
+* @val:VALUE   : [String] prevent further special prefix processing, e.g. `--username=@val:laurent` sets the option `username` to value `laurent`.
+* @file:PATH   : [String] read value from a URL, e.g. `--fpac=@uri:http://serv/f.pac`
+* @uri:URL     : [String] read value from a file (prefix `~/` is replaced with the users home folder), e.g. `--key=@file:~/.ssh/mykey`
+* @path:PATH   : [String] performs path expansion (prefix `~/` is replaced with the users home folder), e.g. `--config-file=@path:~/sample_config.yml`
+* @env:ENVVAR  : [String] read from a named env var, e.g.--password=@env:MYPASSVAR
+* @stdin:      : [String] read from stdin (no value on right)
 * @preset:NAME : [Hash] get whole option preset value by name. Subvalues can also be used using `.` as separator. e.g. foo.bar is conf[foo][bar]
 
 In addition it is possible to decode a value, using one or multiple decoders :
@@ -775,7 +780,7 @@ Note that `@incps:@json:'{"incps":["config"]}'` or `@incps:@ruby:'{"incps"=>["co
 
 Some options and parameters expect a _Structured Value_, i.e. a value more complex than a simple string. This is usually a Hash table or an Array, which could also contain sub structures.
 
-For instance, a [_transfer-spec_](#transferspec) is expected to be a _Structured Value_.
+For instance, a [*transfer-spec*](#transferspec) is expected to be a _Structured Value_.
 
 Structured values shall be described using the [Extended Value Syntax](#extended).
 A convenient way to specify a _Structured Value_ is to use the `@json:` decoder, and describe the value in JSON format. The `@ruby:` decoder can also be used. For an array of hash tables, the `@csvt:` decoder can be used.
@@ -784,12 +789,12 @@ It is also possible to provide a _Structured Value_ in a file using `@json:@file
 
 ### <a id="conffolder"></a>Configuration and Persistency Folder
 
-`ascli` configuration and other runtime files (token cache, file lists, persistency files, SDK) are stored in folder `[User's home folder]/.aspera/ascli`.
+`ascli` configuration and other runtime files (token cache, file lists, persistency files, SDK) are stored `[config folder]`: `[User's home folder]/.aspera/ascli`.
 
 Note: `[User's home folder]` is found using ruby's `Dir.home` (`rb_w32_home_dir`).
 It uses the `HOME` env var primarily, and on MS Windows it also looks at `%HOMEDRIVE%%HOMEPATH%` and `%USERPROFILE%`. `ascli` sets the env var `%HOME%` to the value of `%USERPROFILE%` if set and exists. So, on Windows `%USERPROFILE%` is used as it is more reliable than `%HOMEDRIVE%%HOMEPATH%`.
 
-The main folder can be displayed using :
+The [config folder] can be displayed using :
 
 ```bash
 ascli config folder
@@ -811,6 +816,12 @@ ascli config folder
 C:\Users\Kenji\.aspera\ascli
 ```
 
+When OAuth is used (AoC, Faspex4 apiv4, Faspex5) `ascli` keeps a cache of generated bearer tokens in `[config folder]/persist_store` by default.
+Option `cache_tokens` (**yes**/no) allows to control if Oauth tokens are cached on file system, or generated for each request.
+The command `config flush_tokens` deletes all existing tokens.
+Tokens are kept on disk for a maximum of 30 minutes (`TOKEN_CACHE_EXPIRY_SEC`) and garbage collected after that.
+Tokens that can be refreshed are refreshed. Else tokens are re-generated if expired.
+
 ### <a id="configfile"></a>Configuration file
 
 On the first execution of `ascli`, an empty configuration file is created in the configuration folder.
@@ -839,7 +850,7 @@ ascli config preset set|delete|show|initialize|update <option preset>
 The command `update` allows the easy creation of [option preset](#lprt) by simply providing the options in their command line format, e.g. :
 
 ```bash
-ascli config preset update demo_server --url=ssh://demo.asperasoft.com:33001 --username=asperaweb --password=_demo_pass_ --ts=@json:'{"precalculate_job_size":true}'
+ascli config preset update demo_server --url=ssh://demo.asperasoft.com:33001 --username=asperaweb --password=_pass_here_ --ts=@json:'{"precalculate_job_size":true}'
 ```
 
 * This creates a [option preset](#lprt) `demo_server` with all provided options.
@@ -847,13 +858,13 @@ ascli config preset update demo_server --url=ssh://demo.asperasoft.com:33001 --u
 The command `set` allows setting individual options in a [option preset](#lprt).
 
 ```bash
-ascli config preset set demo_server password _demo_pass_
+ascli config preset set demo_server password _pass_here_
 ```
 
-The command `initialize`, like `update` allows to set several parameters at once, but it deletes an existing configuration instead of updating it, and expects a _[Structured Value](#native)_.
+The command `initialize`, like `update` allows to set several parameters at once, but it deletes an existing configuration instead of updating it, and expects a [*Structured Value*](#native).
 
 ```javascript
-ascli config preset initialize demo_server @json:'{"url":"ssh://demo.asperasoft.com:33001","username":"asperaweb","password":"_demo_pass_","ts":{"precalculate_job_size":true}}'
+ascli config preset initialize demo_server @json:'{"url":"ssh://demo.asperasoft.com:33001","username":"asperaweb","password":"_pass_here_","ts":{"precalculate_job_size":true}}'
 ```
 
 A full terminal based overview of the configuration can be displayed using:
@@ -933,7 +944,7 @@ cli_default:
 demo_server:
   url: ssh://demo.asperasoft.com:33001
   username: asperaweb
-  password: _demo_pass_
+  password: _pass_here_
 ```
 
 We can see here:
@@ -956,7 +967,7 @@ Values in the configuration also follow the [Extended Value Syntax](#extended).
 Note: if the user wants to use the [Extended Value Syntax](#extended) inside the configuration file, using the `config preset update` command, the user shall use the `@val:` prefix. Example:
 
 ```bash
-ascli config preset set my_aoc_org private_key @val:@file:"$HOME/.aspera/ascli/aocapikey"
+ascli config preset set my_aoc_org private_key @val:@file:"$HOME/.aspera/ascli/my_private_key"
 ```
 
 This creates the [option preset](#lprt):
@@ -964,7 +975,7 @@ This creates the [option preset](#lprt):
 ```yaml
 ...
 my_aoc_org:
-  private_key: @file:"/Users/laurent/.aspera/ascli/aocapikey"
+  private_key: @file:"/Users/laurent/.aspera/ascli/my_private_key"
 ...
 ```
 
@@ -1008,13 +1019,13 @@ ascli config preset unset cli_default interactive
 Example: Define options using command line:
 
 ```bash
-ascli -N --url=x --password=y --username=y node --show-config
+ascli -N --url=_url_here_ --password=_pass_here_ --username=_name_here_ node --show-config
 ```
 
 Example: Define options using a hash:
 
 ```javascript
-ascli -N --preset=@json:'{"url":"x","password":"y","username":"y"}' node --show-config
+ascli -N --preset=@json:'{"url":"_url_here_","password":"_pass_here_","username":"_name_here_"}' node --show-config
 ```
 
 #### Shares Examples
@@ -1024,7 +1035,7 @@ only username/password and url are required (either on command line, or from con
 Those can usually be provided on the command line:
 
 ```bash
-ascli shares repo browse / --url=https://10.25.0.6 --username=john --password=4sp3ra
+ascli shares repo browse / --url=https://10.25.0.6 --username=john --password=_pass_here_
 ```
 
 This can also be provisioned in a config file:
@@ -1034,19 +1045,19 @@ This can also be provisioned in a config file:
 ```bash
 ascli config preset set shares06 url https://10.25.0.6
 ascli config preset set shares06 username john
-ascli config preset set shares06 password 4sp3ra
+ascli config preset set shares06 password _pass_here_
 ```
 
 This can also be done with one single command:
 
 ```javascript
-ascli config preset init shares06 @json:'{"url":"https://10.25.0.6","username":"john","password":"4sp3ra"}'
+ascli config preset init shares06 @json:'{"url":"https://10.25.0.6","username":"john","password":"_pass_here_"}'
 ```
 
 or
 
 ```bash
-ascli config preset update shares06 --url=https://10.25.0.6 --username=john --password=4sp3ra
+ascli config preset update shares06 --url=https://10.25.0.6 --username=john --password=_pass_here_
 ```
 
 * Define this [option preset](#lprt) as the default [option preset](#lprt) for the specified plugin (`shares`)
@@ -1128,6 +1139,54 @@ To test if a secret can be found use:
 ascli conf vault get --username=access_key1
 ```
 
+### <a id="private_key"></a>Private Key
+
+Some applications allow the user to be authenticated using a private key (Server, AoC, Faspex5...).
+It consists in generating a private key, or using a previouly generated key.
+The same key can be used for multiple applications.
+Technically, a private key contains the public key, which can be extracted.
+Currently, only private key not protected by a passphrase are supported.
+(TODO: add passphrase protection as option for aspera apps).
+
+Several methods can be used to generate a key pair:
+
+* `ascli`
+
+The generated key is of type RSA 4096 bit. For convenience, the public key is also extracted.
+
+```bash
+ascli config genkey ~/.aspera/ascli/my_private_key
+```
+
+* `ssh-keygen`
+
+```bash
+ssh-keygen -t rsa -f ~/.aspera/ascli/my_private_key -N ''
+```
+
+* `openssl`
+
+openssl is sometimes compiled to support option `-nodes` (no DES, i.e. no passphrase, e.g. on macOS). To generate a privatekey pait without passphrase the following shall work on any system:
+
+```bash
+APIKEY=~/.aspera/ascli/my_private_key
+openssl genrsa -passout pass:dummypassword -out ${APIKEY}.protected 2048
+openssl rsa -passin pass:dummypassword -in ${APIKEY}.protected -out ${APIKEY}
+openssl rsa -pubout -in ${APIKEY} -out ${APIKEY}.pub
+rm -f ${APIKEY}.protected
+```
+
+### <a id="certificates"></a>SSL CA certificate bundle
+
+`ascli` uses ruby `openssl` gem, which uses the `openssl` library.
+Certificates are checked against the ruby default certificates [OpenSSL::X509::DEFAULT_CERT_FILE](https://ruby-doc.org/stdlib-3.0.3/libdoc/openssl/rdoc/OpenSSL/X509/Store.html), which are typically the ones of `openssl` on Unix systems (Linux, macOS, etc..).
+The environment variables `SSL_CERT_FILE` and `SSL_CERT_DIR` are used if defined.
+
+`ascp` also needs to validate certificates when using WSS.
+By default, `ascp` uses primarily certificates from hard-coded path (e.g. on macOS: `/Library/Aspera/ssl`).
+`ascli` overrides and sets the default ruby certificate path as well for `ascp` using `-i` switch.
+So to update certificates, update ruby's `openssl` gem, or use env vars `SSL_CERT_*`.
+
 ### Plugins
 
 The CLI tool uses a plugin mechanism.
@@ -1142,13 +1201,13 @@ ascli conf plugin list
 ```
 
 ```output
-+--------------+-----------------------------------------------------------------------------------+
-| plugin       | path                                                                              |
-+--------------+-----------------------------------------------------------------------------------+
-| shares       | /Users/laurent/workspace/aspera/aspera-cli/lib/aspera/cli/plugins/shares.rb       |
-| node         | /Users/laurent/workspace/aspera/aspera-cli/lib/aspera/cli/plugins/node.rb         |
++--------------+--------------------------------------------------------+
+| plugin       | path                                                   |
++--------------+--------------------------------------------------------+
+| shares       | ..../aspera-cli/lib/aspera/cli/plugins/shares.rb       |
+| node         | ..../aspera-cli/lib/aspera/cli/plugins/node.rb         |
 ...
-+--------------+-----------------------------------------------------------------------------------+
++--------------+--------------------------------------------------------+
 ```
 
 #### <a id="createownplugin"></a>Create your own plugin
@@ -1197,7 +1256,7 @@ To increase debug level, use parameter `log_level` (e.g. using command line `--l
 It is also possible to activate traces before initialization using env var `AS_LOG_LEVEL`.
 
 By default passwords and secrets are removed from logs.
-Use option `log_passwords` to change this behaviour.
+Use option `log_secrets` set to `yes` to reveal secrets in logs.
 
 ### Learning Aspera Product APIs (REST)
 
@@ -1219,7 +1278,7 @@ Ruby HTTP socket parameters can be adjusted.
 | `open_timeout`       | 60      |
 | `keep_alive_timeout` | 2       |
 
-Values are in set **seconds** and can be of type either integer or float.
+Values are in set *seconds* and can be of type either integer or float.
 Default values are the ones of Ruby.
 For details refer to the Ruby library: [`Net::HTTP`](https://ruby-doc.org/stdlib/libdoc/net/http/rdoc/Net/HTTP.html).
 
@@ -1244,28 +1303,58 @@ It is also possible to force the graphical mode with option --ui :
 * `--ui=graphical` forces a graphical environment, a browser will be opened for URLs or a text editor for file edition.
 * `--ui=text` forces a text environment, the URL or file path to open is displayed on terminal.
 
-### HTTP proxy for REST
+### Proxy
 
-To specify a HTTP proxy, set the HTTP_PROXY environment variable (or HTTPS_PROXY), those are honored by Ruby when calling REST APIs.
+There are several types of network connections, each of them use a different mechanism to define a *proxy*.
 
-### <a id="certificates"></a>SSL CA certificate bundle
+#### HTTP proxy for REST calls and transfers using HTTP gateway
+
+To specify a HTTP proxy when ruby HTTP is used, set the `http_proxy` environment variable (lower case, preferred, or upper case).
+See [Ruby findproxy](https://rubyapi.org/3.0/o/uri/generic#method-i-find_proxy).
+
+```bash
+export http_proxy=http://myproxy.org.net:3128
+```
 
-`ascli` uses ruby `openssl` gem, which uses the `openssl` library, so certificates are checked against the ruby default certificates [OpenSSL::X509::DEFAULT_CERT_FILE](https://ruby-doc.org/stdlib-3.0.3/libdoc/openssl/rdoc/OpenSSL/X509/Store.html), which are typically the ones of `openssl` on Unix systems (Linux, macOS, etc..). The environment variables `SSL_CERT_FILE` and `SSL_CERT_DIR` are used if defined.
+Note that ruby expects a URL and `myproxy.org.net:3128` alone is not accepted.
 
-`ascp` also needs to validate certificates when using WSS. By default, `ascp` uses primarily certificates from hard coded path (e.g. on macOS: `/Library/Aspera/ssl`). `ascli` overrides and sets the default ruby certificate path as well for `ascp` using `-i` switch. So to update certificates, update ruby's `openssl` gem, or use env vars `SSL_CERT_*`.
+#### FASP proxy (forward) for transfers
 
-### Proxy auto config
+To specify a FASP proxy (forward), set the [*transfer-spec*](#transferspec) parameter: `EX_fasp_proxy_url` (only supported with the `direct` agent).
 
-The `fpac` option allows specification of a Proxy Auto Configuration (PAC) file, by its URL for local FASP agent. Supported schemes are : http:, https: and file:.
+#### HTTP proxy legacy Aspera HTTP fallback transfers
 
-The PAC file can be tested with command: `config proxy_check` , example:
+To specify a proxy for legacy HTTP fallback, set the [*transfer-spec*](#transferspec) parameter: `EX_http_proxy_url` (only supported with the `direct` agent).
+(It is also possible to use `EX_ascp_args` and native options in `direct`)
+
+#### Proxy auto config
+
+The `fpac` option allows use of a [Proxy Auto Configuration (PAC)](https://en.wikipedia.org/wiki/Proxy_auto-config) script defined as javascript value.
+To read the script from a URL (`http:`, `https:` and `file:`), use: `@uri:`.
+A minimal script can be specified, for example like this, to define the use of a local proxy:
+
+```bash
+export ASCLI_FPAC='function FindProxyForURL(url, host){return "PROXY localhost:3128"}'
+```
+
+The PAC file will be used for any HTTP/HTTPS/REST connection, but not other (e.g. FASP, HTTP fallback, HTTPGW)
+
+The PAC file can be tested with command: `config proxy_check`. Example, using command line option:
+
+```
+ascli conf proxy_check --fpac='function FindProxyForURL(url, host) {return "PROXY proxy.example.com:1234;DIRECT";}' http://example.com
+PROXY proxy.example.com:1234;DIRECT
+```
 
 ```bash
-ascli config proxy_check --fpac=file:///./proxy.pac http://www.example.com
+ascli config proxy_check --fpac=@file:./proxy.pac http://www.example.com
 PROXY proxy.example.com:8080
 ```
 
-This is not yet implemented to specify http proxy, so use `http_proxy` env vars.
+```bash
+ascli config proxy_check --fpac=@uri:http://server/proxy.pac http://www.example.com
+PROXY proxy.example.com:8080
+```
 
 ### <a id="client"></a>FASP configuration
 
@@ -1411,14 +1500,14 @@ Downloaded: IBMAsperaConnectInstaller-3.11.2.63.dmg
 
 Some of the actions on Aspera Applications lead to file transfers (upload and download) using the FASP protocol (`ascp`).
 
-When a transfer needs to be started, a [_transfer-spec_](#transferspec) has been internally prepared.
-This [_transfer-spec_](#transferspec) will be executed by a transfer client, here called "Transfer Agent".
+When a transfer needs to be started, a [*transfer-spec*](#transferspec) has been internally prepared.
+This [*transfer-spec*](#transferspec) will be executed by a transfer client, here called "Transfer Agent".
 
 There are currently 3 agents:
 
 * [`direct`](#agt_direct) : a local execution of `ascp`
 * [`connect`](#agt_connect) : use of a local Connect Client
-* [`node`](#agt_node) : use of an Aspera Transfer Node (potentially _remote_).
+* [`node`](#agt_node) : use of an Aspera Transfer Node (potentially *remote*).
 * [`httpgw`](#agt_httpgw) : use of an Aspera HTTP Gateway
 * [`trsdk`](#agt_trsdk) : use of Aspera Transfer SDK
 
@@ -1426,7 +1515,7 @@ Note that all transfer operation are seen from the point of view of the agent.
 For instance, a node agent making an "upload", or "package send" operation,
 will effectively push files to the related server from the agent node.
 
-`ascli` standardizes on the use of a [_transfer-spec_](#transferspec) instead of _raw_ ascp options to provide parameters for a transfer session, as a common method for those three Transfer Agents.
+`ascli` standardizes on the use of a [*transfer-spec*](#transferspec) instead of *raw* ascp options to provide parameters for a transfer session, as a common method for those three Transfer Agents.
 
 #### <a id="agt_direct"></a>Direct
 
@@ -1467,12 +1556,6 @@ ascli ... --transfer-info=@json:'{"wss":true,"resume":{"iter_max":10}}'
 ascli ... --transfer-info=@json:'{"spawn_delay_sec":2.5,"multi_incr_udp":false}'
 ```
 
-To specify a FASP proxy (only supported with the `direct` agent), set the appropriate [_transfer-spec_](#transferspec) parameter:
-
-* `EX_fasp_proxy_url`
-* `EX_http_proxy_url` (proxy for legacy http fallback)
-* `EX_ascp_args`
-
 #### <a id="agt_connect"></a>IBM Aspera Connect Client GUI
 
 By specifying option: `--transfer=connect`, `ascli` will start transfers using the locally installed Aspera Connect Client. There are no option for `transfer_info`.
@@ -1483,7 +1566,6 @@ By specifying option: `--transfer=node`, the CLI will start transfers in an Aspe
 Transfer Server using the Node API, either on a local or remote node.
 Parameters provided in option `transfer_info` are:
 
-<table>
 <tr><th>Name</th><th>Type</th><th>Description</th></tr>
 <tr><td>url</td><td>string</td><td>URL of the node API</br>Mandatory</td></tr>
 <tr><td>username</td><td>string</td><td>node api user or access key</br>Mandatory</td></tr>
@@ -1493,7 +1575,7 @@ Parameters provided in option `transfer_info` are:
 
 Like any other option, `transfer_info` can get its value from a pre-configured [option preset](#lprt) :
 `--transfer-info=@preset:<psetname>` or be specified using the extended value syntax :
-`--transfer-info=@json:'{"url":"https://...","username":"theuser","password":"thepass"}'`
+`--transfer-info=@json:'{"url":"https://...","username":"theuser","password":"_pass_here_"}'`
 
 If `transfer_info` is not specified and a default node has been configured (name in `node` for section `default`) then this node is used by default.
 
@@ -1520,7 +1602,7 @@ By default it will listen on local port `55002` on `127.0.0.1`.
 ### <a id="transferspec"></a>Transfer Specification
 
 Some commands lead to file transfer (upload/download), all parameters necessary for this transfer
-is described in a _transfer-spec_ (Transfer Specification), such as:
+is described in a [*transfer-spec*](#transferspec) (Transfer Specification), such as:
 
 * server address
 * transfer user name
@@ -1528,23 +1610,23 @@ is described in a _transfer-spec_ (Transfer Specification), such as:
 * file list
 * etc...
 
-`ascli` builds a default _transfer-spec_ internally, so it is not necessary to provide additional parameters on the command line for this transfer.
+`ascli` builds a default [*transfer-spec*](#transferspec) internally, so it is not necessary to provide additional parameters on the command line for this transfer.
 
-If needed, it is possible to modify or add any of the supported _transfer-spec_ parameter using the `ts` option. The `ts` option accepts a [Structured Value](#native) containing one or several _transfer-spec_ parameters. Multiple `ts` options on command line are cumulative.
+If needed, it is possible to modify or add any of the supported [*transfer-spec*](#transferspec) parameter using the `ts` option. The `ts` option accepts a [Structured Value](#native) containing one or several [*transfer-spec*](#transferspec) parameters. Multiple `ts` options on command line are cumulative.
 
-It is possible to specify ascp options when the `transfer` option is set to [`direct`](#agt_direct) using the special [_transfer-spec_](#transferspec) parameter: `EX_ascp_args`. Example: `--ts=@json:'{"EX_ascp_args":["-l","100m"]}'`. This is especially useful for ascp command line parameters not supported yet in the transfer spec.
+It is possible to specify ascp options when the `transfer` option is set to [`direct`](#agt_direct) using the special [*transfer-spec*](#transferspec) parameter: `EX_ascp_args`. Example: `--ts=@json:'{"EX_ascp_args":["-l","100m"]}'`. This is especially useful for ascp command line parameters not supported yet in the transfer spec.
 
-The use of a _transfer-spec_ instead of `ascp` parameters has the advantage of:
+The use of a [*transfer-spec*](#transferspec) instead of `ascp` parameters has the advantage of:
 
 * common to all [Transfer Agent](#agents)
 * not dependent on command line limitations (special characters...)
 
-A [_transfer-spec_](#transferspec) is a Hash table, so it is described on the command line with the [Extended Value Syntax](#extended).
+A [*transfer-spec*](#transferspec) is a Hash table, so it is described on the command line with the [Extended Value Syntax](#extended).
 
 ### <a id="transferparams"></a>Transfer Parameters
 
-All standard _transfer-spec_ parameters can be specified.
-[_transfer-spec_](#transferspec) can also be saved/overridden in the config file.
+All standard [*transfer-spec*](#transferspec) parameters can be specified.
+[*transfer-spec*](#transferspec) can also be saved/overridden in the config file.
 
 References:
 
@@ -1569,7 +1651,7 @@ Columns:
 
 Fields with EX_ prefix are extensions to transfer agent [`direct`](#agt_direct). (only in `ascli`).
 
-<table><tr><th>Field</th><th>Type</th><th>D</th><th>N</th><th>C</th><th>Description</th></tr><tr><td>cipher</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>In transit encryption type.<br/>none, aes-128, aes-256<br/>Allowed values: aes128, aes192, aes256, aes128cfb, aes192cfb, aes256cfb, aes128gcm, aes192gcm, aes256gcm<br/>(-c)</td></tr><tr><td>content_protection</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Enable client-side content protection. (encryption at rest)<br/>Allowed values: encrypt, decrypt</td></tr><tr><td>content_protection_password</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies CSEAR password.</td></tr><tr><td>cookie</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Metadata for transfer (older,string)<br/>(env:ASPERA_SCP_COOKIE)</td></tr><tr><td>create_dir</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies whether to create new directories.<br/>(-d)</td></tr><tr><td>delete_before_transfer</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--delete-before-transfer)</td></tr><tr><td>delete_source</td><td>bool</td><td>&nbsp;</td><td>Y</td><td>&nbsp;</td><td>Remove SRC files after transfer success</td></tr><tr><td>direction</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Direction of transfer (on client side)<br/>Allowed values: send, receive<br/>(--mode)</td></tr><tr><td>exclude_newer_than</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>skip src files with mtime > arg<br/>(--exclude-newer-than)</td></tr><tr><td>exclude_older_than</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>skip src files with mtime < arg<br/>(--exclude-older-than)</td></tr><tr><td>fasp_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies fasp (UDP) port.<br/>(-O)</td></tr><tr><td>http_fallback</td><td>string<br/>bool</td><td>Y</td><td>Y</td><td>Y</td><td>When true(1), attempts to perform an HTTP transfer if a fasp transfer cannot be performed.<br/>(-y)</td></tr><tr><td>http_fallback_port</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specifies http port.<br/>(-t)</td></tr><tr><td>https_fallback_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies https port.</td></tr><tr><td>move_after_transfer</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>(--move-after-transfer)</td></tr><tr><td>multi_session</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Use multi-session transfer. max 128.<br/> Each participant on one host needs an independent UDP (-O) port.<br/> Large files are split between sessions only when transferring with resume_policy=none.</td></tr><tr><td>multi_session_threshold</td><td>int</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>in bytes<br/>(--multi-session-threshold)</td></tr><tr><td>overwrite</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Overwrite destination files with the source files of the same name.<br/>Allowed values: never, always, diff, older, diff+older<br/>(--overwrite)</td></tr><tr><td>paths</td><td>array</td><td>Y</td><td>Y</td><td>Y</td><td>Required. Contains a path to the source (required) and a path to the destination.</td></tr><tr><td>precalculate_job_size</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies whether to precalculate the job size.<br/>(--precalculate-job-size)</td></tr><tr><td>preserve_access_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-access-time)</td></tr><tr><td>preserve_creation_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-creation-time)</td></tr><tr><td>preserve_modification_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-modification-time)</td></tr><tr><td>preserve_times</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-times)</td></tr><tr><td>rate_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>The transfer rate policy to use when sharing bandwidth.<br/>Allowed values: low, fair, high, fixed<br/>(--policy)</td></tr><tr><td>remote_access_key</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Node only?</td></tr><tr><td>remote_host</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>IP or fully qualified domain name of the remote server<br/>(--host)</td></tr><tr><td>remote_user</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Remote user. Default value is "xfer" on node or connect.<br/>(--user)</td></tr><tr><td>remote_password</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>SSH session password<br/>(env:ASPERA_SCP_PASS)</td></tr><tr><td>remove_after_transfer</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Remove SRC files after transfer success<br/>(--remove-after-transfer)</td></tr><tr><td>remove_empty_directories</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Specifies whether to remove empty directories.<br/>(--remove-empty-directories)</td></tr><tr><td>proxy</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specify the address of the Aspera high-speed proxy server.<br/> dnat(s)://[user[:password]@]server:port<br/> Default ports for DNAT and DNATS protocols are 9091 and 9092.<br/> Password, if specified here, overrides the value of environment variable ASPERA_PROXY_PASS.<br/>(--proxy)</td></tr><tr><td>resume_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>If a transfer is interrupted or fails to finish, resume without re-transferring the whole files.<br/>Allowed values: none, attrs, sparse_csum, full_csum<br/>(-k)</td></tr><tr><td>retry_duration</td><td>string<br/>int</td><td>&nbsp;</td><td>Y</td><td>Y</td><td>Specifies how long to wait before retrying transfer. (e.g. "5min")</td></tr><tr><td>ssh_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies ssh (TCP) port. Default: local:22, other:33001<br/>(-P)</td></tr><tr><td>ssh_private_key</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Private key used for SSH authentication.<br/> Shall look like: -----BEGIN RSA PRIVATE KEY-----\nMII...<br/> Note the JSON encoding: \n for newlines.<br/>(env:ASPERA_SCP_KEY)</td></tr><tr><td>symlink_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Handle source side symbolic links by:<br/> following the link (follow),<br/> copying the link itself (copy),<br/> skipping (skip),<br/> or forcibly copying the link itself (copy+force).<br/> Default: follow<br/>Allowed values: follow, copy, copy+force, skip<br/>(--symbolic-links)</td></tr><tr><td>tags</td><td>hash</td><td>Y</td><td>Y</td><td>Y</td><td>Metadata for transfer<br/>(--tags64)</td></tr><tr><td>target_rate_cap_kbps</td><td>int</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>Returned by upload/download_setup node api.</td></tr><tr><td>target_rate_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies desired speed for the transfer.<br/>(-l)</td></tr><tr><td>title</td><td>string</td><td>&nbsp;</td><td>Y</td><td>Y</td><td>Title of the transfer</td></tr><tr><td>token</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Authorization token: Bearer, Basic or ATM (Also arg -W)<br/>(env:ASPERA_SCP_TOKEN)</td></tr><tr><td>use_ascp4</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>specify version of protocol</td></tr><tr><td>destination_root</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Destination root directory.</td></tr><tr><td>source_root</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Path to be prepended to each source path.<br/> This is either a conventional path or it can be a URI but only if there is no root defined.<br/>(--source-prefix64)</td></tr><tr><td>min_rate_cap_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_rate_policy</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_target_rate_kbps</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_min_rate_kbps</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>apply_local_docroot</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>(--apply-local-docroot)</td></tr><tr><td>preserve_acls</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve access control lists.<br/>Allowable values: none, native, metafile<br/>(--preserve-acls)</td></tr><tr><td>remove_empty_source_directory</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>TODO: check node, sdk<br/>(--remove-empty-source-directory)</td></tr><tr><td>EX_at_rest_password</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Passphrase used for at rest encryption or decryption<br/>(env:ASPERA_SCP_FILEPASS)</td></tr><tr><td>EX_proxy_password</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Password used for Aspera proxy server authentication.<br/> May be overridden by password in URL EX_fasp_proxy_url.<br/>(env:ASPERA_PROXY_PASS)</td></tr><tr><td>EX_license_text</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>License file text override.<br/>By default ascp looks for license file near executable.<br/>(env:ASPERA_SCP_LICENSE)</td></tr><tr><td>dgram_size</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>in bytes<br/>(-Z)</td></tr><tr><td>min_rate_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Set the minimum transfer rate in kilobits per second.<br/>(-m)</td></tr><tr><td>sshfp</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Check it against server SSH host key fingerprint<br/>(--check-sshfp)</td></tr><tr><td>EX_http_proxy_url</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specify the proxy server address used by HTTP Fallback<br/>(-x)</td></tr><tr><td>EX_ssh_key_paths</td><td>array</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Use public key authentication for SSH and specify the private key file paths<br/>(-i)</td></tr><tr><td>EX_http_transfer_jpeg</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>HTTP transfers as JPEG file<br/>(-j)</td></tr><tr><td>EX_no_read</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>no read source<br/>(--no-read)</td></tr><tr><td>EX_no_write</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>no write on destination<br/>(--no-write)</td></tr><tr><td>target_rate_percentage</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>rate_policy_allowed</td><td>string</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>Specifies most aggressive rate policy that is allowed.<br/> Returned by node API.<br/>Allowed values: low, fair, high, fixed</td></tr><tr><td>lock_min_rate</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_target_rate</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>authentication</td><td>string</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>value=token for SSH bypass keys, else password asked if not provided.</td></tr><tr><td>cipher_allowed</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>returned by node API. Valid literals include "aes-128" and "none".</td></tr><tr><td>EX_file_list</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>source file list</td></tr><tr><td>EX_file_pair_list</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>source file pair list</td></tr><tr><td>EX_ascp_args</td><td>array</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Add command line arguments to ascp</td></tr><tr><td>wss_enabled</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>wss_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr></table>
+<table><tr><th>Field</th><th>Type</th><th>D</th><th>N</th><th>C</th><th>Description</th></tr><tr><td>cipher</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>In transit encryption type.<br/>Allowed values: none, aes-128, aes-192, aes-256, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-gcm, aes-192-gcm, aes-256-gcm<br/>(-c)</td></tr><tr><td>content_protection</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Enable client-side encryption at rest. (CSEAR, content protection)<br/>Allowed values: encrypt, decrypt<br/>(--file-crypt)</td></tr><tr><td>content_protection_password</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies CSEAR password. (content protection)<br/>(env:ASPERA_SCP_FILEPASS)</td></tr><tr><td>cookie</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Metadata for transfer specified by application<br/>(env:ASPERA_SCP_COOKIE)</td></tr><tr><td>create_dir</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies whether to create new directories.<br/>(-d)</td></tr><tr><td>delete_before_transfer</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Before transfer, delete files that exist at the destination but not at the source. The source and destination arguments must be directories that have matching names. Objects on the destination that have the same name but different type or size as objects on the source are not deleted.<br/>(--delete-before-transfer)</td></tr><tr><td>delete_source</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Remove SRC files after transfer success<br/>(--remove-after-transfer)</td></tr><tr><td>destination_root</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Destination root directory.</td></tr><tr><td>direction</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Direction of transfer (on client side)<br/>Allowed values: send, receive<br/>(--mode)</td></tr><tr><td>exclude_newer_than</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>skip src files with mtime > arg<br/>(--exclude-newer-than)</td></tr><tr><td>exclude_older_than</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>skip src files with mtime < arg<br/>(--exclude-older-than)</td></tr><tr><td>fasp_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies fasp (UDP) port.<br/>(-O)</td></tr><tr><td>file_checksum</td><td>string</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Enable checksum reporting for transferred files by specifying the hash to use.<br/>Allowed values: sha-512, sha-384, sha-256, sha1, md5, none</td></tr><tr><td>http_fallback</td><td>bool<br/>string</td><td>Y</td><td>Y</td><td>Y</td><td>When true(1), attempts to perform an HTTP transfer if a FASP transfer cannot be performed.<br/>(-y)</td></tr><tr><td>http_fallback_port</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specifies http port when no cipher is used<br/>(-t)</td></tr><tr><td>https_fallback_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies https port when cipher is used<br/>(-t)</td></tr><tr><td>move_after_transfer</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>(--move-after-transfer)</td></tr><tr><td>multi_session</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Use multi-session transfer. max 128.<br/> Each participant on one host needs an independent UDP (-O) port.<br/> Large files are split between sessions only when transferring with resume_policy=none.</td></tr><tr><td>multi_session_threshold</td><td>int</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Split files across multiple ascp sessions if their size in bytes is greater than or equal to the specified value. (0=no file is split)<br/>(--multi-session-threshold)</td></tr><tr><td>overwrite</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Overwrite destination files with the source files of the same name.<br/>Allowed values: never, always, diff, older, diff+older<br/>(--overwrite)</td></tr><tr><td>paths</td><td>array</td><td>Y</td><td>Y</td><td>Y</td><td>Array of path to the source (required) and a path to the destination (optional).</td></tr><tr><td>precalculate_job_size</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies whether to precalculate the job size.<br/>(--precalculate-job-size)</td></tr><tr><td>preserve_access_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-access-time)</td></tr><tr><td>preserve_creation_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-creation-time)</td></tr><tr><td>preserve_modification_time</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-modification-time)</td></tr><tr><td>preserve_times</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>(--preserve-times)</td></tr><tr><td>rate_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>The transfer rate policy to use when sharing bandwidth.<br/>Allowed values: low, fair, high, fixed<br/>(--policy)</td></tr><tr><td>remote_host</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>IP or fully qualified domain name of the remote server<br/>(--host)</td></tr><tr><td>remote_user</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Remote user. Default value is "xfer" on node or connect.<br/>(--user)</td></tr><tr><td>remote_password</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>SSH session password<br/>(env:ASPERA_SCP_PASS)</td></tr><tr><td>remove_after_transfer</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Remove SRC files after transfer success<br/>(--remove-after-transfer)</td></tr><tr><td>remove_empty_directories</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>Specifies whether to remove empty directories.<br/>(--remove-empty-directories)</td></tr><tr><td>remove_skipped</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>Must also have remove_after_transfer set to true, Defaults to false, if true, skipped files will be removed as well.<br/>(--remove-skipped)</td></tr><tr><td>proxy</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specify the address of the Aspera high-speed proxy server.<br/> dnat(s)://[user[:password]@]server:port<br/> Default ports for DNAT and DNATS protocols are 9091 and 9092.<br/> Password, if specified here, overrides the value of environment variable ASPERA_PROXY_PASS.<br/>(--proxy)</td></tr><tr><td>resume_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>If a transfer is interrupted or fails to finish, resume without re-transferring the whole files.<br/>Allowed values: none, attrs, sparse_csum, full_csum<br/>(-k)</td></tr><tr><td>retry_duration</td><td>string<br/>int</td><td>&nbsp;</td><td>Y</td><td>Y</td><td>Specifies how long to wait before retrying transfer. (e.g. "5min")</td></tr><tr><td>source_root_id</td><td>string</td><td>&nbsp;</td><td>Y</td><td>&nbsp;</td><td>The file ID of the source root directory. Required when using Bearer token auth for the source node.</td></tr><tr><td>ssh_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies SSH (TCP) port. Default: local:22, other:33001<br/>(-P)</td></tr><tr><td>ssh_private_key</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Private key used for SSH authentication.<br/> Shall look like: -----BEGIN RSA PRIV4TE KEY-----\nMII...<br/> Note the JSON encoding: \n for newlines.<br/>(env:ASPERA_SCP_KEY)</td></tr><tr><td>ssh_private_key_passphrase</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>The passphrase associated with the transfer user's SSH private key. Available as of 3.7.2.<br/>(env:ASPERA_SCP_PASS)</td></tr><tr><td>symlink_policy</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Handle source side symbolic links<br/>Allowed values: follow, copy, copy+force, skip<br/>(--symbolic-links)</td></tr><tr><td>tags</td><td>hash</td><td>Y</td><td>Y</td><td>Y</td><td>Metadata for transfer as JSON<br/>(--tags64)</td></tr><tr><td>target_rate_cap_kbps</td><td>int</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>Returned by upload/download_setup node API.</td></tr><tr><td>target_rate_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Specifies desired speed for the transfer.<br/>(-l)</td></tr><tr><td>title</td><td>string</td><td>&nbsp;</td><td>Y</td><td>Y</td><td>Title of the transfer</td></tr><tr><td>token</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Authorization token: Bearer, Basic or ATM (Also arg -W)<br/>(env:ASPERA_SCP_TOKEN)</td></tr><tr><td>use_ascp4</td><td>bool</td><td>Y</td><td>Y</td><td>&nbsp;</td><td>specify version of protocol</td></tr><tr><td>source_root</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Path to be prepended to each source path.<br/> This is either a conventional path or it can be a URI but only if there is no root defined.<br/>(--source-prefix64)</td></tr><tr><td>min_rate_cap_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_rate_policy</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_target_rate_kbps</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_min_rate_kbps</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>apply_local_docroot</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>(--apply-local-docroot)</td></tr><tr><td>preserve_acls</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve access control lists.<br/>Allowed values: none, native, metafile<br/>(--preserve-acls)</td></tr><tr><td>preserve_remote_acls</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve remote access control lists.<br/>Allowed values: none, native, metafile<br/>(--remote-preserve-acls)</td></tr><tr><td>preserve_file_owner_uid</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve the user ID for a file owner<br/>(--preserve-file-owner-uid)</td></tr><tr><td>preserve_file_owner_gid</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve the group ID for a file owner<br/>(--preserve-file-owner-gid)</td></tr><tr><td>preserve_source_access_time</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Preserve the time logged for when the source file was accessed<br/>(--preserve-source-access-time)</td></tr><tr><td>remove_empty_source_directory</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Remove empty source subdirectories and remove the source directory itself, if empty<br/>(--remove-empty-source-directory)</td></tr><tr><td>EX_at_rest_password</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Passphrase used for at rest encryption or decryption. Prefer to use standard: content_protection_password<br/>(env:ASPERA_SCP_FILEPASS)</td></tr><tr><td>EX_proxy_password</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Password used for Aspera proxy server authentication.<br/> May be overridden by password in URL EX_fasp_proxy_url.<br/>(env:ASPERA_PROXY_PASS)</td></tr><tr><td>EX_license_text</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>License file text override.<br/>By default ascp looks for license file near executable.<br/>(env:ASPERA_SCP_LICENSE)</td></tr><tr><td>dgram_size</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>UDP datagram size in bytes<br/>(-Z)</td></tr><tr><td>min_rate_kbps</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>Set the minimum transfer rate in kilobits per second.<br/>(-m)</td></tr><tr><td>sshfp</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>Check it against server SSH host key fingerprint<br/>(--check-sshfp)</td></tr><tr><td>EX_http_proxy_url</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Specify the proxy server address used by HTTP Fallback<br/>(-x)</td></tr><tr><td>EX_ssh_key_paths</td><td>array</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Use public key authentication for SSH and specify the private key file paths<br/>(-i)</td></tr><tr><td>EX_http_transfer_jpeg</td><td>int</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>HTTP transfers as JPEG file<br/>(-j)</td></tr><tr><td>EX_no_read</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>no read source<br/>(--no-read)</td></tr><tr><td>EX_no_write</td><td>bool</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>no write on destination<br/>(--no-write)</td></tr><tr><td>target_rate_percentage</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>rate_policy_allowed</td><td>string</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>Specifies most aggressive rate policy that is allowed.<br/>Returned by node API.<br/>Allowed values: low, fair, high, fixed</td></tr><tr><td>lock_min_rate</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>lock_target_rate</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>authentication</td><td>string</td><td>&nbsp;</td><td>&nbsp;</td><td>Y</td><td>value=token for SSH bypass keys, else password asked if not provided.</td></tr><tr><td>cipher_allowed</td><td>string</td><td>Y</td><td>Y</td><td>Y</td><td>returned by node API. Valid literals include "aes-128" and "none".</td></tr><tr><td>EX_file_list</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>source file list</td></tr><tr><td>EX_file_pair_list</td><td>string</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>source file pair list</td></tr><tr><td>EX_ascp_args</td><td>array</td><td>Y</td><td>&nbsp;</td><td>&nbsp;</td><td>Add native command line arguments to ascp</td></tr><tr><td>wss_enabled</td><td>bool</td><td>Y</td><td>Y</td><td>Y</td><td>&nbsp;</td></tr><tr><td>wss_port</td><td>int</td><td>Y</td><td>Y</td><td>Y</td><td>TCP port used for websocket service feed.</td></tr></table>
 
 #### Destination folder for transfers
 
@@ -1578,7 +1660,7 @@ The destination folder is set by `ascli` by default to:
 * `.` for downloads
 * `/` for uploads
 
-It is specified by the [_transfer-spec_](#transferspec) parameter `destination_root`.
+It is specified by the [*transfer-spec*](#transferspec) parameter `destination_root`.
 As such, it can be modified with option: `--ts=@json:'{"destination_root":"<path>"}'`.
 The option `to_folder` provides an equivalent and convenient way to change this parameter:
 `--to-folder=<path>` .
@@ -1598,10 +1680,10 @@ This is equivalent to:
 ascli server upload --sources=@args ~/mysample.file secondfile
 ```
 
-More advanced options are provided to adapt to various cases. In fact, list of files to transfer are normally conveyed using the [_transfer-spec_](#transferspec) using the field: "paths" which is a list (array) of pairs of "source" (mandatory) and "destination" (optional).
+More advanced options are provided to adapt to various cases. In fact, list of files to transfer are normally conveyed using the [*transfer-spec*](#transferspec) using the field: "paths" which is a list (array) of pairs of "source" (mandatory) and "destination" (optional).
 
 Note that this is different from the "ascp" command line. The paradigm used by `ascli` is:
-all transfer parameters are kept in [_transfer-spec_](#transferspec) so that execution of a transfer is independent of the transfer agent. Note that other IBM Aspera interfaces use this: connect, node, transfer sdk.
+all transfer parameters are kept in [*transfer-spec*](#transferspec) so that execution of a transfer is independent of the transfer agent. Note that other IBM Aspera interfaces use this: connect, node, transfer sdk.
 
 For ease of use and flexibility, the list of files to transfer is specified by the option `sources`. Accepted values are:
 
@@ -1633,13 +1715,13 @@ providing a file list directly to ascp:
 ... --sources=@ts --ts=@json:'{"paths":[],"EX_file_list":"filelist.txt"}'
 ```
 
-* Not recommended: It is possible to specify bare ascp arguments using the pseudo [_transfer-spec_](#transferspec) parameter `EX_ascp_args`.
+* Not recommended: It is possible to specify bare ascp arguments using the pseudo [*transfer-spec*](#transferspec) parameter `EX_ascp_args`.
 
 ```javascript
 --sources=@ts --ts=@json:'{"paths":[{"source":"dummy"}],"EX_ascp_args":["--file-list","myfilelist"]}'
 ```
 
-This method avoids creating a copy of the file list, but has drawbacks: it applies *only* to the [`direct`](#agt_direct) transfer agent (i.e. bare ascp) and not for Aspera on Cloud. One must specify a dummy list in the [_transfer-spec_](#transferspec), which will be overridden by the bare ascp command line provided. (TODO) In next version, dummy source paths can be removed.
+This method avoids creating a copy of the file list, but has drawbacks: it applies *only* to the [`direct`](#agt_direct) transfer agent (i.e. bare ascp) and not for Aspera on Cloud. One must specify a dummy list in the [*transfer-spec*](#transferspec), which will be overridden by the bare ascp command line provided. (TODO) In next version, dummy source paths can be removed.
 
 In case the file list is provided on the command line i.e. using `--sources=@args` or `--sources=<Array>` (but not `--sources=@ts`), then the list of files will be used either as a simple file list or a file pair list depending on the value of the option: `src_type`:
 
@@ -1690,6 +1772,29 @@ Multi-session spawn is done by `ascli`.
 
 When multi-session is used, one separate UDP port is used per session (refer to `ascp` manual page).
 
+#### Content protection
+
+Also known as Client-side encryption at reast (CSEAR), content protection allows a client to send files to a server
+which will store them encrypted (upload), and decrypt files as they are being downloaded from a server, both
+using a passphrase, only known by users sharing files. Files stay encrypted on server side.
+
+activating CSEAR consists in using transfer spec parameters:
+
+* `content_protection` : activate encryption (`encrypt` for upload) or decryption (`decrypt` for download)
+* `content_protection_password` : the passphrase to be used.
+
+Example: parameter to download a faspex package and decrypt on the fly
+
+```json
+--ts=@json:'{"content_protection":"decrypt","content_protection_password":"_pass_here_"}'
+```
+
+Note that up to version 4.6.0, the following parameters should be used for agent `direct`:
+
+```json
+--ts=@json:'{"EX_ascp_args":["--file-crypt=decrypt"],"EX_at_rest_password":"_secret_here_"}'
+```
+
 #### Transfer Spec Examples
 
 * Change target rate
@@ -1824,15 +1929,14 @@ where:
 * `dirname` is the folder name and can contain `/` to specify a subfolder.
 * supported arguments are:
 
-<table>
-<tr><th>name</th><th>type</th><th>default</th><th>description</th></tr>
-<tr><td>count</td><td>int</td><td>mandatory</td><td>Number of files</td></tr>
-<tr><td>file</td><td>string</td><td>file</td><td>Basename for files</td></tr>
-<tr><td>size</td><td>int</td><td>0</td><td>Size of first file.</td></tr>
-<tr><td>inc</td><td>int</td><td>0</td><td>Increment applied to determine next file size</td></tr>
-<tr><td>seq</td><td>sequential<br/>random</td><td>sequential</td><td>Sequence in determining next file size</td></tr>
-<tr><td>buf_init</td><td>none<br/>zero<br/>random</td><td>zero</td><td>How source data is initialized<br/>Option 'none' is not allowed for downloads.</td></tr>
-</table>
+| Name   | Type | Description |
+|--------|------|-------------|
+|count   |int   |mandatory|Number of files<br/>Mandatory|
+|file    |string|Basename for files<br>Default: "file"|
+|size    |int   |Size of first file.<br>Default: 0|
+|inc     |int   |Increment applied to determine next file size<br>Default: 0|
+|seq     |enum  |Sequence in determining next file size<br/>Values: random, sequential<br/>Default: sequential|
+|buf_init|enum  |How source data is initialized<br/>Option 'none' is not allowed for downloads.<br/>Values:none, zero, random<br/>Default:zero|
 
 The sequence parameter is applied as follows:
 
@@ -1921,16 +2025,16 @@ ascli aoc admin resource node --name=my_aoc_node1_name --secret=my_aoc_node1_sec
 ascli aoc admin resource node v3 name my_aoc_node1_name --secret=my_aoc_node1_secret access_key delete testsub1
 ascli aoc admin resource workspace list
 ascli aoc admin resource workspace_membership list --fields=ALL --query=@json:'{"page":1,"per_page":50,"embed":"member","inherited":false,"workspace_id":11363,"sort":"name"}'
-ascli aoc automation workflow "my_wf_id" action create --value=@json:'{"name":"toto"}' | tee action.info
+ascli aoc automation workflow action my_wf_id create --value=@json:'{"name":"toto"}'
 ascli aoc automation workflow create --value=@json:'{"name":"test_workflow"}'
-ascli aoc automation workflow delete "my_wf_id"
+ascli aoc automation workflow delete my_wf_id
 ascli aoc automation workflow list
-ascli aoc automation workflow list --select=@json:'{"name":"test_workflow"}' --fields=id --format=csv --display=data > test
+ascli aoc automation workflow list --select=@json:'{"name":"test_workflow"}' --fields=id --format=csv --display=data
 ascli aoc automation workflow list --value=@json:'{"show_org_workflows":"true"}' --scope=admin:all
 ascli aoc bearer_token --display=data --scope=user:all
 ascli aoc faspex
 ascli aoc files bearer /
-ascli aoc files bearer_token_node /
+ascli aoc files bearer_token_node / --cache-tokens=no
 ascli aoc files browse /
 ascli aoc files browse / -N --link=my_aoc_publink_folder
 ascli aoc files delete /testsrc
@@ -1981,13 +2085,14 @@ ascli ats cluster list
 ascli ats cluster show --cloud=aws --region=eu-west-1
 ascli ats cluster show 1f412ae7-869a-445c-9c05-02ad16813be2
 ascli conf flush_tokens
-ascli conf wiz --url=https://my_aoc_org.ibmaspera.com --config-file=SAMPLE_CONFIG_FILE --pkeypath='' --username=my_aoc_user_email --test-mode=yes
-ascli conf wiz --url=https://my_aoc_org.ibmaspera.com --config-file=SAMPLE_CONFIG_FILE --pkeypath='' --username=my_aoc_user_email --test-mode=yes --use-generic-client=yes
+ascli conf wiz --url=https://my_aoc_org.ibmaspera.com --config-file=SAMPLE_CONFIG_FILE --pkeypath= --username=my_aoc_user_email --test-mode=yes
+ascli conf wiz --url=https://my_aoc_org.ibmaspera.com --config-file=SAMPLE_CONFIG_FILE --pkeypath= --username=my_aoc_user_email --test-mode=yes --use-generic-client=yes
 ascli config ascp connect info 'Aspera Connect for Windows'
 ascli config ascp connect list
 ascli config ascp connect version 'Aspera Connect for Windows' download 'Windows Installer' --to-folder=.
 ascli config ascp connect version 'Aspera Connect for Windows' list
 ascli config ascp connect version 'Aspera Connect for Windows' open documentation
+ascli config ascp errors
 ascli config ascp info
 ascli config ascp install
 ascli config ascp products list
@@ -2003,7 +2108,7 @@ ascli config export
 ascli config genkey mykey
 ascli config plugin create mycommand T
 ascli config plugin list
-ascli config proxy_check --fpac=file:///examples/proxy.pac https://eudemo.asperademo.com
+ascli config proxy_check --fpac=@file:examples/proxy.pac https://eudemo.asperademo.com
 ascli console transfer current list 
 ascli console transfer smart list 
 ascli console transfer smart sub my_job_id @json:'{"source":{"paths":["my_file_name"]},"source_type":"user_selected"}'
@@ -2013,23 +2118,44 @@ ascli cos node access_key show self
 ascli cos node download testfile.bin --to-folder=.
 ascli cos node info
 ascli cos node upload testfile.bin
+ascli faspex dropbox list --recipient="*my_faspex_dbx"
+ascli faspex dropbox list --recipient="*my_faspex_wkg"
 ascli faspex health
 ascli faspex package list
-ascli faspex package list --box=sent --fields=package_id --format=csv --display=data --query=@json:'{"max":1}')
-ascli faspex package list --fields=package_id --format=csv --display=data --query=@json:'{"max":1}')
+ascli faspex package list --box=sent --fields=package_id --format=csv --display=data --query=@json:'{"max":1}'
+ascli faspex package list --fields=package_id --format=csv --display=data --query=@json:'{"max":1}'
+ascli faspex package list --recipient="*my_faspex_dbx" --format=csv --fields=package_id --query=@json:'{"max":1}'
+ascli faspex package list --recipient="*my_faspex_wkg" --format=csv --fields=package_id --query=@json:'{"max":1}'
 ascli faspex package recv "my_package_id" --to-folder=.
 ascli faspex package recv "my_package_id" --to-folder=. --box=sent
-ascli faspex package recv --to-folder=. "my_package_id"
 ascli faspex package recv --to-folder=. --link="my_faspex_publink_recv_from_fxuser"
 ascli faspex package recv ALL --to-folder=. --once-only=yes
+ascli faspex package recv my_pkgid --recipient="*my_faspex_dbx" --to-folder=.
+ascli faspex package recv my_pkgid --recipient="*my_faspex_wkg" --to-folder=.
+ascli faspex package send --delivery-info=@json:'{"title":"Important files delivery","recipients":["*my_faspex_dbx"]}' testfile.bin
+ascli faspex package send --delivery-info=@json:'{"title":"Important files delivery","recipients":["*my_faspex_wkg"]}' testfile.bin
 ascli faspex package send --delivery-info=@json:'{"title":"Important files delivery","recipients":["my_email_internal_user","my_faspex_username"]}' testfile.bin
 ascli faspex package send --link="my_faspex_publink_send_to_dropbox" --delivery-info=@json:'{"title":"Important files delivery"}' testfile.bin
 ascli faspex package send --link="my_faspex_publink_send_to_fxuser" --delivery-info=@json:'{"title":"Important files delivery"}' testfile.bin
 ascli faspex source name "Server Files" node br /
-ascli faspex5 node list --value=@json:'{"type":"received","subtype":"mypackages"}'
+ascli faspex v4 dmembership list
+ascli faspex v4 dropbox list
+ascli faspex v4 metadata_profile list
+ascli faspex v4 user list
+ascli faspex v4 wmembership list
+ascli faspex v4 workgroup list
+ascli faspex5 admin res accounts list
+ascli faspex5 admin res contacts list
+ascli faspex5 admin res jobs list
+ascli faspex5 admin res node list --value=@json:'{"type":"received","subtype":"mypackages"}'
+ascli faspex5 admin res oauth_clients list
+ascli faspex5 admin res registrations list
+ascli faspex5 admin res saml_configs list
+ascli faspex5 admin res shared_inboxes list
+ascli faspex5 admin res workgroups list
 ascli faspex5 package list --value=@json:'{"mailbox":"inbox","state":["released"]}'
 ascli faspex5 package receive "my_package_id" --to-folder=.
-ascli faspex5 package send --value=@json:'{"title":"test title","recipients":[{"name":"${f5_user}"}]}' testfile.bin
+ascli faspex5 package send --value=@json:'{"title":"test title","recipients":[{"name":"my_f5_user"}]}' testfile.bin
 ascli mycommand --plugin-folder=T
 ascli node -N -Ptst_node_preview access_key create --value=@json:'{"id":"aoc_1","storage":{"type":"local","path":"/"}}'
 ascli node -N -Ptst_node_preview access_key delete aoc_1
@@ -2042,17 +2168,19 @@ ascli node async show ALL
 ascli node basic_token
 ascli node browse / -r
 ascli node delete folder_1/10MB.1
-ascli node delete folder_1/testfile.bin
-ascli node download --to-folder=. folder_1/testfile.bin
+ascli node delete testfile.bin
+ascli node download testfile.bin --to-folder=.
+ascli node download testfile.bin --to-folder=. --token-type=hybrid
 ascli node health
-ascli node info
+ascli node info --fpac='function FindProxyForURL(url,host){return "DIRECT"}'
 ascli node search / --value=@json:'{"sort":"mtime"}'
 ascli node service create @json:'{"id":"service1","type":"WATCHD","run_as":{"user":"user1"}}'
 ascli node service delete service1
 ascli node service list
 ascli node transfer list --value=@json:'{"active_only":true}'
 ascli node upload --to-folder="folder_1" --sources=@ts --ts=@json:'{"paths":[{"source":"/aspera-test-dir-small/10MB.1"}],"precalculate_job_size":true}' --transfer=node --transfer-info=@json:'{"url":"my_node_url","username":"my_node_user","password":"my_node_pass"}'
-ascli node upload --to-folder=folder_1 --ts=@json:'{"target_rate_cap_kbps":10000}' testfile.bin
+ascli node upload testfile.bin --to-folder=folder_1 --ts=@json:'{"target_rate_cap_kbps":10000}'
+ascli node upload testfile.bin --to-folder=folder_1 --ts=@json:'{"target_rate_cap_kbps":10000}' --token-type=hybrid
 ascli orchestrator info
 ascli orchestrator plugins
 ascli orchestrator processes
@@ -2098,22 +2226,22 @@ ascli server mv folder_1/200KB.2 folder_1/to.delete
 ascli server upload --sources=@ts --ts=@json:'{"paths":[{"source":"testfile.bin","destination":"NEW_SERVER_FOLDER/othername"}]}'
 ascli server upload --src-type=pair --sources=@json:'["testfile.bin","NEW_SERVER_FOLDER/othername"]'
 ascli server upload --src-type=pair testfile.bin NEW_SERVER_FOLDER/othername --notif-to=my_recipient_email
+ascli server upload --src-type=pair testfile.bin folder_1/with_options --ts=@json:'{"cipher":"aes-192-gcm","content_protection":"encrypt","content_protection_password":"_secret_here_","cookie":"biscuit","create_dir":true,"delete_before_transfer":false,"delete_source":false,"exclude_newer_than":1,"exclude_older_than":10000,"fasp_port":33001,"http_fallback":false,"multi_session":0,"overwrite":"diff+older","precalculate_job_size":true,"preserve_access_time":true,"preserve_creation_time":true,"rate_policy":"fair","resume_policy":"sparse_csum","symlink_policy":"follow"}'
 ascli server upload --to-folder=folder_1/target_hot --lock-port=12345 --ts=@json:'{"EX_ascp_args":["--remove-after-transfer","--remove-empty-directories","--exclude-newer-than=-8","--src-base","source_hot"]}' source_hot
 ascli server upload testfile.bin --to-folder=NEW_SERVER_FOLDER --ts=@json:'{"multi_session":3,"multi_session_threshold":1,"resume_policy":"none","target_rate_kbps":1500}' --transfer-info=@json:'{"spawn_delay_sec":2.5}' --progress=multi
 ascli shares admin share list
 ascli shares repository browse /
 ascli shares repository delete my_shares_upload/testfile.bin
 ascli shares repository download --to-folder=. my_shares_upload/testfile.bin
-ascli shares repository download --to-folder=. my_shares_upload/testfile.bin --transfer=httpgw --transfer-info=@json:'{"url":"https://"my_http_gw_fqdn"/aspera/http-gwy/v1"}'
+ascli shares repository download --to-folder=. my_shares_upload/testfile.bin --transfer=httpgw --transfer-info=@json:'{"url":"https://my_http_gw_fqdn/aspera/http-gwy/v1"}'
 ascli shares repository upload --to-folder=my_shares_upload testfile.bin
-ascli shares repository upload --to-folder=my_shares_upload testfile.bin --transfer=httpgw --transfer-info=@json:'{"url":"https://"my_http_gw_fqdn"/aspera/http-gwy/v1"}'
+ascli shares repository upload --to-folder=my_shares_upload testfile.bin --transfer=httpgw --transfer-info=@json:'{"url":"https://my_http_gw_fqdn/aspera/http-gwy/v1"}'
 ascli shares2 appinfo
 ascli shares2 organization list
 ascli shares2 project list --organization=Sport
 ascli shares2 repository browse /
 ascli shares2 userinfo
 ascli sync start --parameters=@json:'{"sessions":[{"name":"test","reset":true,"remote_dir":"/sync_test","local_dir":"contents","host":"my_remote_host","tcp_port":33001,"user":"my_remote_user","private_key_path":"my_local_user_key"}]}'
-
 ...and more
 ```
 
@@ -2122,7 +2250,7 @@ ascli sync start --parameters=@json:'{"sessions":[{"name":"test","reset":true,"r
 ```bash
 ascli -h
 NAME
-	ascli -- a command line tool for Aspera Applications (v4.6.0)
+	ascli -- a command line tool for Aspera Applications (v4.7.0)
 
 SYNOPSIS
 	ascli COMMANDS [OPTIONS] [ARGS]
@@ -2131,12 +2259,12 @@ DESCRIPTION
 	Use Aspera application to perform operations on command line.
 	Documentation and examples: https://rubygems.org/gems/aspera-cli
 	execute: ascli conf doc
-	or visit: http://www.rubydoc.info/gems/aspera-cli
+	or visit: https://www.rubydoc.info/gems/aspera-cli
 	source repo: https://github.com/IBM/aspera-cli
 
 ENVIRONMENT VARIABLES
-	ASCLI_HOME  config folder, default: $HOME/.aspera/ascli
-	any option can be set as an environment variable, refer to the manual
+	ASCLI_HOME config folder, default: $HOME/.aspera/ascli
+	Any option can be set as an environment variable, refer to the manual
 
 COMMANDS
 	To list first level commands, execute: ascli
@@ -2145,56 +2273,58 @@ COMMANDS
 OPTIONS
 	Options begin with a '-' (minus), and value is provided on command line.
 	Special values are supported beginning with special prefix @pfx:, where pfx is one of:
-	base64, json, zlib, ruby, csvt, lines, list, incps, val, file, path, env, stdin, preset
+	base64, json, zlib, ruby, csvt, lines, list, incps, val, file, path, env, uri, stdin, preset
 	Dates format is 'DD-MM-YY HH:MM:SS', or 'now' or '-<num>h'
 
 ARGS
 	Some commands require mandatory arguments, e.g. a path.
 
 OPTIONS: global
-        --interactive=ENUM           use interactive input of missing params: yes, no
-        --ask-options=ENUM           ask even optional options: yes, no
-        --format=ENUM                output format: table, ruby, json, jsonpp, yaml, csv, nagios
-        --display=ENUM               output only some information: info, data, error
+        --interactive=ENUM           use interactive input of missing params: yes, [no]
+        --ask-options=ENUM           ask even optional options: yes, [no]
+        --format=ENUM                output format: [table], ruby, json, jsonpp, yaml, csv, nagios
+        --display=ENUM               output only some information: [info], data, error
         --fields=VALUE               comma separated list of fields, or ALL, or DEF
         --select=VALUE               select only some items in lists, extended value: hash (column, value)
         --table-style=VALUE          table display style
-        --flat-hash=ENUM             display hash values as additional keys: yes, no
-        --transpose-single=ENUM      single object fields output vertically: yes, no
+        --flat-hash=ENUM             display hash values as additional keys: [yes], no
+        --transpose-single=ENUM      single object fields output vertically: [yes], no
+        --show-secrets=ENUM          show secrets on command output: [yes], no
     -h, --help                       Show this message.
         --bash-comp                  generate bash completion for command
         --show-config                Display parameters used for the provided action.
     -r, --rest-debug                 more debug for HTTP calls
     -v, --version                    display version
     -w, --warnings                   check for language warnings
-        --ui=ENUM                    method to start browser: text, graphical
-        --log-level=ENUM             Log level: debug, info, warn, error, fatal, unknown
-        --logger=ENUM                log method: stderr, stdout, syslog
+        --ui=ENUM                    method to start browser: text, [graphical]
+        --log-level=ENUM             Log level: debug, info, [warn], error, fatal, unknown
+        --logger=ENUM                log method: [stderr], stdout, syslog
         --lock-port=VALUE            prevent dual execution of a command, e.g. in cron
         --query=VALUE                additional filter for API calls (extended value) (some commands)
         --http-options=VALUE         options for http socket (extended value)
-        --insecure=ENUM              do not validate HTTPS certificate: yes, no
-        --once-only=ENUM             process only new items (some commands): yes, no
-        --log-passwords=ENUM         show passwords in logs: yes, no
+        --insecure=ENUM              do not validate HTTPS certificate: [yes], no
+        --once-only=ENUM             process only new items (some commands): yes, [no]
+        --log-secrets=ENUM           show passwords in logs: yes, [no]
+        --cache-tokens=ENUM          save and reuse Oauth tokens: [yes], no
 
 COMMAND: config
-SUBCOMMANDS: list overview id preset open documentation genkey gem_path plugin flush_tokens echo wizard export_to_cli detect coffee ascp email_test smtp_settings proxy_check folder file check_update initdemo vault
+SUBCOMMANDS: list overview id preset open documentation genkey gem plugin flush_tokens echo wizard export_to_cli detect coffee ascp email_test smtp_settings proxy_check folder file check_update initdemo vault
 OPTIONS:
         --value=VALUE                extended value for create, update, list filter
         --property=VALUE             name of property to set
         --id=VALUE                   resource identifier (modify,delete,show)
-        --config-file=VALUE          read parameters from file in YAML format, current=/Users/FooBar/.aspera/ascli/config.yaml
+        --config-file=VALUE          read parameters from file in YAML format, current=/usershome/.aspera/ascli/config.yaml
     -N, --no-default                 do not load default configuration for plugin
-        --override=ENUM              Wizard: override existing value: yes, no
-        --use-generic-client=ENUM    Wizard: AoC: use global or org specific jwt client id: yes, no
-        --default=ENUM               Wizard: set as default configuration for specified plugin (also: update): yes, no
-        --test-mode=ENUM             Wizard: skip private key check step: yes, no
+        --override=ENUM              Wizard: override existing value: yes, [no]
+        --use-generic-client=ENUM    Wizard: AoC: use global or org specific jwt client id: yes, [no]
+        --default=ENUM               Wizard: set as default configuration for specified plugin (also: update): yes, [no]
+        --test-mode=ENUM             Wizard: skip private key check step: yes, [no]
     -P, --presetVALUE                load the named option preset from current config file
         --pkeypath=VALUE             Wizard: path to private key for JWT
         --ascp-path=VALUE            path to ascp
         --use-product=VALUE          use ascp from specified product
         --smtp=VALUE                 smtp configuration (extended value: hash)
-        --fpac=VALUE                 proxy auto configuration URL
+        --fpac=VALUE                 proxy auto configuration script
         --secret=VALUE               default secret
         --secrets=VALUE              secret vault
         --sdk-url=VALUE              URL to get SDK
@@ -2241,7 +2371,7 @@ OPTIONS:
         --password=VALUE             user's password
         --params=VALUE               parameters hash table, use @json:{"param":"value"}
         --result=VALUE               specify result value as: 'work step:parameter'
-        --synchronous=ENUM           work step:parameter expected as result: yes, no
+        --synchronous=ENUM           work step:parameter expected as result: yes, [no]
         --ret-style=ENUM             how return type is requested in api: header, arg, ext
         --auth-style=ENUM            authentication type: arg_pass, head_basic, apikey
 
@@ -2275,7 +2405,7 @@ OPTIONS:
 
 
 COMMAND: faspex5
-SUBCOMMANDS: node package auth_client jobs
+SUBCOMMANDS: package admin
 OPTIONS:
         --url=VALUE                  URL of application, e.g. https://org.asperafiles.com
         --username=VALUE             username to log in
@@ -2283,14 +2413,14 @@ OPTIONS:
         --client-id=VALUE            OAuth client identifier
         --client-secret=VALUE        OAuth client secret
         --redirect-uri=VALUE         OAuth redirect URI
-        --auth=ENUM                  OAuth type of authentication: body_userpass, header_userpass, web, jwt, url_token, ibm_apikey, boot
+        --auth=ENUM                  OAuth type of authentication: web, jwt, boot
         --private-key=VALUE          Oauth RSA private key PEM value for JWT (prefix file path with @val:@file:)
 
 
 COMMAND: cos
 SUBCOMMANDS: node
 OPTIONS:
-        --bucket=VALUE               IBM Cloud Object storage bucket
+        --bucket=VALUE               IBM Cloud Object Storage bucket name
         --endpoint=VALUE             storage endpoint url
         --apikey=VALUE               storage API key
         --crn=VALUE                  ressource instance id
@@ -2312,17 +2442,6 @@ OPTIONS:
         --box=ENUM                   package box: inbox, archive, sent
 
 
-COMMAND: shares2
-SUBCOMMANDS: repository organization project team share appinfo userinfo admin
-OPTIONS:
-        --url=VALUE                  URL of application, e.g. https://org.asperafiles.com
-        --username=VALUE             username to log in
-        --password=VALUE             user's password
-        --organization=VALUE         organization
-        --project=VALUE              project
-        --share=VALUE                share
-
-
 COMMAND: preview
 SUBCOMMANDS: scan events trevents check test
 OPTIONS:
@@ -2330,7 +2449,7 @@ OPTIONS:
         --username=VALUE             username to log in
         --password=VALUE             user's password
         --skip-format=ENUM           skip this preview format (multiple possible): png, mp4
-        --folder-reset-cache=ENUM    force detection of generated preview by refresh cache: no, header, read
+        --folder-reset-cache=ENUM    force detection of generated preview by refresh cache: [no], header, read
         --skip-types=VALUE           skip types in comma separated list
         --previews-folder=VALUE      preview folder in storage root
         --temp-folder=VALUE          path to temp folder
@@ -2338,15 +2457,16 @@ OPTIONS:
         --case=VALUE                 basename of output for for test
         --scan-path=VALUE            subpath in folder id to start scan in (default=/)
         --scan-id=VALUE              forder id in storage to start scan in, default is access key main folder id
-        --mimemagic=ENUM             use Mime type detection of gem mimemagic: yes, no
-        --overwrite=ENUM             when to overwrite result file: always, never, mtime
-        --file-access=ENUM           how to read and write files in repository: local, remote
+        --mimemagic=ENUM             use Mime type detection of gem mimemagic: yes, [no]
+        --overwrite=ENUM             when to overwrite result file: always, never, [mtime]
+        --file-access=ENUM           how to read and write files in repository: [local], remote
         --max-size=VALUE             maximum size (in bytes) of preview file
         --thumb-vid-scale=VALUE      png: video: size (ffmpeg scale argument)
         --thumb-vid-fraction=VALUE   png: video: position of snapshot
         --thumb-img-size=VALUE       png: non-video: height (and width)
-        --video-conversion=ENUM      mp4: method for preview generation: reencode, blend, clips
-        --video-png-conv=ENUM        mp4: method for thumbnail generation: fixed, animated
+        --thumb-text-font=VALUE      png: plaintext: font to render text with image magick convert, list with: identify -list font
+        --video-conversion=ENUM      mp4: method for preview generation: [reencode], blend, clips
+        --video-png-conv=ENUM        mp4: method for thumbnail generation: [fixed], animated
         --video-start-sec=VALUE      mp4: start offset (seconds) of video preview
         --video-scale=VALUE          mp4: video scale (ffmpeg)
         --blend-keyframes=VALUE      mp4: blend: # key frames
@@ -2370,7 +2490,7 @@ OPTIONS:
         --url=VALUE                  URL of application, e.g. https://org.asperafiles.com
         --username=VALUE             username to log in
         --password=VALUE             user's password
-        --auth=ENUM                  OAuth type of authentication: body_userpass, header_userpass, web, jwt, url_token, ibm_apikey
+        --auth=ENUM                  OAuth type of authentication: web, jwt
         --operation=ENUM             client operation for transfers: push, pull
         --client-id=VALUE            OAuth API client identifier in application
         --client-secret=VALUE        OAuth API client passcode
@@ -2383,8 +2503,8 @@ OPTIONS:
         --new-user-option=VALUE      new user creation option
         --from-folder=VALUE          share to share source folder
         --scope=VALUE                OAuth scope for AoC API calls
-        --bulk=ENUM                  bulk operation: yes, no
-        --default-ports=ENUM         use standard FASP ports or get from node api: yes, no
+        --bulk=ENUM                  bulk operation: yes, [no]
+        --default-ports=ENUM         use standard FASP ports or get from node api: yes, [no]
 
 
 COMMAND: server
@@ -2442,11 +2562,17 @@ You can test with:
 ascli aoc user profile show
 ```
 
-Optionally, it is possible to create a new organization-specific "integration".
+Optionally, it is possible to create a new organization-specific "integration", i.e. client application identification.
 For this, specify the option: `--use-generic-client=no`.
 
 This will guide you through the steps to create.
 
+If the wizard does not detect the application but you know the application, you can force it using option `value`:
+
+```bash
+ascli config wizard --value=aoc
+```
+
 ### <a id="aocmanual"></a>Configuration: using manual setup
 
 If you used the wizard (recommended): skip this section.
@@ -2461,7 +2587,7 @@ Several types of OAuth authentication are supported:
 
 The authentication method is controlled by option `auth`.
 
-For a _quick start_, follow the mandatory and sufficient section: [API Client Registration](#clientreg) (auth=web) as well as [[option preset](#lprt) for Aspera on Cloud](#aocpreset).
+For a *quick start*, follow the mandatory and sufficient section: [API Client Registration](#clientreg) (auth=web) as well as [[option preset](#lprt) for Aspera on Cloud](#aocpreset).
 
 For a more convenient, browser-less, experience follow the [JWT](#jwt) section (auth=jwt) in addition to Client Registration.
 
@@ -2500,7 +2626,7 @@ Lets create an [option preset](#lprt) called: `my_aoc_org` using `ask` interacti
 ```bash
 ascli config preset ask my_aoc_org url client_id client_secret
 option: url> https://myorg.ibmaspera.com/
-option: client_id> BJLPObQiFw
+option: client_id> my_BJbQiFw
 option: client_secret> yFS1mu-crbKuQhGFtfhYuoRW...
 updated: my_aoc_org
 ```
@@ -2519,37 +2645,8 @@ Note: Default `auth` method is `web` and default `redirect_uri` is `http://local
 
 For a Browser-less, Private Key-based authentication, use the following steps.
 
-##### Key Pair Generation
-
 In order to use JWT for Aspera on Cloud API client authentication,
-a private/public key pair must be generated (without passphrase)
-This can be done using any of the following method:
-
-(TODO: add passphrase protection as option).
-
-* using the CLI:
-
-```bash
-ascli config genkey ~/.aspera/ascli/aocapikey
-```
-
-* `ssh-keygen`:
-
-```bash
-ssh-keygen -t rsa -f ~/.aspera/ascli/aocapikey -N ''
-```
-
-* `openssl`
-
-(on some openssl implementation (mac) there is option: -nodes (no DES))
-
-```bash
-APIKEY=~/.aspera/ascli/aocapikey
-openssl genrsa -passout pass:dummypassword -out ${APIKEY}.protected 2048
-openssl rsa -passin pass:dummypassword -in ${APIKEY}.protected -out ${APIKEY}
-openssl rsa -pubout -in ${APIKEY} -out ${APIKEY}.pub
-rm -f ${APIKEY}.protected
-```
+a [private/public key pair](#private_key) must be used (without passphrase)
 
 ##### API Client JWT activation
 
@@ -2574,12 +2671,12 @@ ascli aoc admin res client list
 :............:...............:
 :     id     :  name         :
 :............:...............:
-: BJLPObQiFw : my-client-app :
+: my_BJbQiFw : my-client-app :
 :............:...............:
 ```
 
 ```javascript
-ascli aoc admin res client modify BJLPObQiFw @json:'{"jwt_grant_enabled":true,"explicit_authorization_required":false}'
+ascli aoc admin res client modify my_BJbQiFw @json:'{"jwt_grant_enabled":true,"explicit_authorization_required":false}'
 ```
 
 ```output
@@ -2592,12 +2689,12 @@ The public key must be assigned to your user. This can be done in two manners:
 
 ##### Graphically
 
-open the previously generated public key located here: `$HOME/.aspera/ascli/aocapikey.pub`
+Open the previously generated public key located here: `$HOME/.aspera/ascli/my_private_key.pub`
 
 * Open a web browser, log to your instance: https://myorg.ibmaspera.com/
 * Click on the user's icon (top right)
 * Select "Account Settings"
-* Paste the _Public Key_ in the "Public Key" section
+* Paste the *Public Key* in the "Public Key" section
 * Click on "Submit"
 
 ##### Using command line
@@ -2616,7 +2713,7 @@ ascli aoc admin res user list
 ```
 
 ```ruby
-ascli aoc user profile modify @ruby:'{"public_key"=>File.read(File.expand_path("~/.aspera/ascli/aocapikey.pub"))}'
+ascli aoc user profile modify @ruby:'{"public_key"=>File.read(File.expand_path("~/.aspera/ascli/my_private_key.pub"))}'
 ```
 
 ```output
@@ -2636,7 +2733,7 @@ To activate default use of JWT authentication for `ascli` using the [option pres
 Execute:
 
 ```bash
-ascli config preset update my_aoc_org --auth=jwt --private-key=@val:@file:~/.aspera/ascli/aocapikey --username=laurent.martin.aspera@fr.ibm.com
+ascli config preset update my_aoc_org --auth=jwt --private-key=@val:@file:~/.aspera/ascli/my_private_key --username=laurent.martin.aspera@fr.ibm.com
 ```
 
 Note: the private key argument represents the actual PEM string. In order to read the content from a file, use the @file: prefix. But if the @file: argument is used as is, it will read the file and set in the config file. So to keep the "@file" tag in the configuration file, the @val: prefix is added.
@@ -2723,7 +2820,7 @@ Resources are identified by a unique `id`, as well as a unique `name` (case inse
 
 To execute an action on a specific resource, select it using one of those methods:
 
-* **recommended:** give id directly on command line *after the action*: `aoc admin res node show 123`
+* *recommended*: give id directly on command line *after the action*: `aoc admin res node show 123`
 * give name on command line *after the action*: `aoc admin res node show name abc`
 * provide option `id` : `aoc admin res node show --id=123`
 * provide option `name` : `aoc admin res node show --name=abc`
@@ -3261,19 +3358,19 @@ f["type"].eql?("file") and (DateTime.now-DateTime.parse(f["modified_time"]))<100
 * Find files older than 1 year on a given node and store in file list
 
 ```bash
-ascli aoc admin res node --name='my node name' --secret='my secret' v4 find / --fields=path --value='exec:f["type"].eql?("file") and (DateTime.now-DateTime.parse(f["modified_time"]))<100' --format=csv > my_file_list.txt
+ascli aoc admin res node --name='my node name' --secret='_secret_here_' v4 find / --fields=path --value='exec:f["type"].eql?("file") and (DateTime.now-DateTime.parse(f["modified_time"]))<100' --format=csv > my_file_list.txt
 ```
 
 * Delete the files, one by one
 
 ```bash
-cat my_file_list.txt|while read path;do echo ascli aoc admin res node --name='my node name' --secret='my secret' v4 delete "$path" ;done
+cat my_file_list.txt|while read path;do echo ascli aoc admin res node --name='my node name' --secret='_secret_here_' v4 delete "$path" ;done
 ```
 
 * Delete the files in bulk
 
 ```bash
-cat my_file_list.txt | ascli aoc admin res node --name='my node name' --secret='my secret' v3 delete @lines:@stdin:
+cat my_file_list.txt | ascli aoc admin res node --name='my node name' --secret='_secret_here_' v3 delete @lines:@stdin:
 ```
 
 ## <a id="ats"></a>Plugin: Aspera Transfer Service
@@ -3359,13 +3456,13 @@ ascli config preset update my_ibm_ats --ats-key=ats_XXXXXXXXXXXXXXXXXXXXXXXX --a
 Example: create access key on IBM Cloud (softlayer):
 
 ```javascript
-ascli ats access_key create --cloud=softlayer --region=ams --params=@json:'{"storage":{"type":"softlayer_swift","container":"_container_name_","credentials":{"api_key":"value","username":"_name_:_usr_name_"},"path":"/"},"id":"_optional_id_","name":"_optional_name_"}'
+ascli ats access_key create --cloud=softlayer --region=ams --params=@json:'{"storage":{"type":"softlayer_swift","container":"_container_name_","credentials":{"api_key":"_secret_here_","username":"_name_:_usr_name_"},"path":"/"},"id":"_optional_id_","name":"_optional_name_"}'
 ```
 
 Example: create access key on AWS:
 
 ```javascript
-ascli ats access_key create --cloud=aws --region=eu-west-1 --params=@json:'{"id":"testkey3","name":"laurent key AWS","storage":{"type":"aws_s3","bucket":"my-bucket","credentials":{"access_key_id":"AKIA_MY_API_KEY","secret_access_key":"my/secret/here"},"path":"/laurent"}}'
+ascli ats access_key create --cloud=aws --region=eu-west-1 --params=@json:'{"id":"testkey3","name":"laurent key AWS","storage":{"type":"aws_s3","bucket":"my-bucket","credentials":{"access_key_id":"AKIA_MY_API_KEY","secret_access_key":"_secret_here_"},"path":"/laurent"}}'
 ```
 
 Example: create access key on Azure SAS:
@@ -3474,7 +3571,8 @@ It is possible to:
 
 For transfers, it is possible to control how transfer is authorized using option: `token_type`:
 
-* `aspera` : api `<upload|download>_setup` is called to create the transfer spec including the Aspera token
+* `aspera` : api `<upload|download>_setup` is called to create the transfer spec including the Aspera token, used as is.
+* `hybrid` : same as `aspera`, but token is replaced with basic token like `basic`
 * `basic` : transfer spec is created like this:
 
 ```javascript
@@ -3483,11 +3581,11 @@ For transfers, it is possible to control how transfer is authorized using option
   "remote_user": "xfer",
   "ssh_port": 33001,
   "token": "Basic <base 64 encoded user/pass>",
-  "direction": send/recv
+  "direction": send/receive
 }
 ```
 
-* `hybrid` : same as `aspera`, but token is replaced with basic token like `basic`
+Note that the port is assumed to be the default SSH port `33001` and transfer user is assumed to be `xfer`.
 
 ### Central
 
@@ -3505,10 +3603,10 @@ by providing the `validator` option, offline transfer validation can be done.
 
 It is possible to start a FASPStream session using the node API:
 
-Use the "node stream create" command, then arguments are provided as a [_transfer-spec_](#transferspec).
+Use the "node stream create" command, then arguments are provided as a [*transfer-spec*](#transferspec).
 
 ```javascript
-ascli node stream create --ts=@json:'{"direction":"send","source":"udp://233.3.3.4:3000?loopback=1&ttl=2","destination":"udp://233.3.3.3:3001/","remote_host":"localhost","remote_user":"stream","remote_password":"XXXX"}' --preset=stream
+ascli node stream create --ts=@json:'{"direction":"send","source":"udp://233.3.3.4:3000?loopback=1&ttl=2","destination":"udp://233.3.3.3:3001/","remote_host":"localhost","remote_user":"stream","remote_password":"_pass_here_"}' --preset=stream
 ```
 
 ### Watchfolder
@@ -3573,15 +3671,63 @@ ascli node access_key create --value=@json:'{"id":"eudemo-sedemo","secret":"myst
 
 ## Plugin: IBM Aspera Faspex5
 
+This is currently in beta, limited operations are supported.
+
+This was tested with version Beta 5.
+
+The API is listed in [Faspex 5 API Reference](https://developer.ibm.com/apis/catalog/?search=faspex) under "IBM Aspera Faspex API".
+
+### Faspex 5 authentication
+
 3 authentication methods are supported:
 
 * jwt
 * web
 * boot
 
-For JWT, create an API client in Faspex with jwt support, and use: `--auth=jwt`.
+#### Faspex 5 using JWT
+
+This is the preferred method to use.
+
+For JWT, create an API client in Faspex with JWT support:
+
+* Identify a private key, if you don't have any refer to section [Private Key](#private_key)
+* Navigate to the web UI: Admin &rarr; Configurations &rarr; API Clients &rarr; Create
+* Activate JWT
+* Paste public key in the appropriate section
+* Click on Create Button
+* Take note of Client Id and Secret
+
+Then use options:
+
+```text
+--auth=jwt
+--client-id=xxx
+--client-secret=xxx
+--username=xxx
+--password=xxx
+--private-key=@file:../path/to/key.pem
+```
+
+#### Faspex 5 using web browser
+
+For web method, create an API client in Faspex without JWT:
+
+* Navigate to the web UI: Admin &rarr; Configurations &rarr; API Clients &rarr; Create
+* Do not Activate JWT
+* enter https://127.0.0.1:8888 in the redirect URI
+* Click on Create Button
+* Take note of Client Id
 
-For web method, create an API client in Faspex, and use: --auth=web
+Then use options:
+
+```text
+--auth=web
+--client-id=xxx
+--redirect-uri=https://127.0.0.1:8888
+```
+
+#### Faspex 5 using bootstrap
 
 For boot method: (will be removed in future)
 
@@ -3596,8 +3742,6 @@ Use it as password and use `--auth=boot`.
 ascli conf id f5boot update --url=https://localhost/aspera/faspex --auth=boot --password=ABC.DEF.GHI...
 ```
 
-Ready to use Faspex5 with CLI.
-
 ## Plugin: IBM Aspera Faspex (4.x)
 
 Notes:
@@ -3618,7 +3762,7 @@ By default it looks in box `inbox`, but the following boxes are also supported:
 A user can receive a package because the recipient is:
 
 * the user himself (default)
-* the user is part of a dropbox or a workgroup (select with option `recipient` with value `*<name of WG or DB>`
+* the user is member of a dropbox/workgroup: filter using option `recipient` set with value `*<name of dropbox/workgroup>`
 
 #### Option `query`
 
@@ -3657,10 +3801,11 @@ ascli faspex package recv --id=12345
 ascli faspex package recv --link=faspe://...
 ```
 
-If the package is in a specific dropbox, add option `recipient` for both the `list` and `recv` commands.
+If the package is in a specific **dropbox**/**workgroup**, add option `recipient` for both the `list` and `recv` commands.
 
 ```bash
 ascli faspex package list --recipient='*thedropboxname'
+ascli faspex package recv 125 --recipient='*thedropboxname'
 ```
 
 if `id` is set to `ALL`, then all packages are downloaded, and if option `once_only`is used, then a persistency file is created to keep track of already downloaded packages.
@@ -3675,7 +3820,8 @@ Example:
 ascli faspex package send --delivery-info=@json:'{"title":"my title","recipients":["laurent.martin.aspera@fr.ibm.com"]}' --url=https://faspex.corp.com/aspera/faspex --username=foo --password=bar /tmp/file1 /home/bar/file2
 ```
 
-If the recipient is a dropbox, just provide the name of the dropbox in `recipients`: `"recipients":["My Dropbox Name"]`
+If the recipient is a dropbox or workgroup: provide the name of the dropbox or workgroup preceded with `*` in the `recipients` field of the `delivery_info` option:
+`"recipients":["*MyDropboxName"]`
 
 Additional optional parameters in `delivery_info`:
 
@@ -3716,7 +3862,7 @@ Example:
 my_faspex_conf:
   url: https://10.25.0.3/aspera/faspex
   username: admin
-  password: MyPassword
+  password: MyUserPassword
   storage:
     testlaurent:
       node: "@preset:my_faspex_node"
@@ -3724,14 +3870,14 @@ my_faspex_conf:
 my_faspex_node:
   url: https://10.25.0.3:9092
   username: node_faspex
-  password: MyPassword
+  password: MyNodePassword
 ```
 
 In this example, a faspex storage named "testlaurent" exists in Faspex, and is located
 under the docroot in "/myfiles" (this must be the same as configured in Faspex).
 The node configuration name is "my_faspex_node" here.
 
-Note: the v4 API provide an API for nodes and shares.
+Note: the v4 API provides an API for nodes and shares.
 
 ### Automated package download (cargo)
 
@@ -3746,12 +3892,6 @@ ascli faspex packages recv --id=ALL --once-only=yes --lock-port=12345
 
 Aspera Shares supports the "node API" for the file transfer part. (Shares 1 and 2)
 
-In Shares2, users, groups listing are paged, to display sequential pages:
-
-```bash
-for p in 1 2 3;do ascli shares2 admin users list --value=@json:'{"page":'$p'}';done
-```
-
 ## Plugin: IBM Cloud Object Storage
 
 The IBM Cloud Object Storage provides the possibility to execute transfers using FASP.
@@ -3799,14 +3939,14 @@ It consists in the following structure:
 
 ```javascript
 {
-  "apikey": "xxxxxxx.....",
+  "apikey": "_api_key_here_",
   "cos_hmac_keys": {
-    "access_key_id": "xxxxxxx.....",
-    "secret_access_key": "xxxxxxx....."
+    "access_key_id": "_access_key_here_",
+    "secret_access_key": "_secret_here_"
   },
   "endpoints": "https://control.cloud-object-storage.cloud.ibm.com/v2/endpoints",
-  "iam_apikey_description": "my description ...",
-  "iam_apikey_name": "my key name",
+  "iam_apikey_description": "my description _here_ ...",
+  "iam_apikey_name": "my key name _here_",
   "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
   "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/xxxxxxx.....",
   "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/xxxxxxx....."
@@ -3904,7 +4044,6 @@ The tool requires the following external tools available in the `PATH`:
 * OptiPNG : `optipng`
 * FFmpeg : `ffmpeg` `ffprobe`
 * Libreoffice : `libreoffice`
-* ruby gem `mimemagic`
 
 Here shown on Redhat/CentOS.
 
@@ -3916,32 +4055,16 @@ To check if all tools are found properly, execute:
 ascli preview check
 ```
 
-#### mimemagic
-
-To benefit from extra mime type detection install gem mimemagic:
-
-```bash
-gem install mimemagic
-```
-
-or to install an earlier version if any problem:
-
-```bash
-gem install mimemagic -v '~> 0.3.0'
-```
-
-To use it, set option `mimemagic` to `yes`: `--mimemagic=yes`
-
-If not used, Mime type used for conversion is the one provided by the node API.
-
-If used, it the `preview` command will first analyze the file content using mimemagic, and if no match, will try by extension.
-
 #### Image: ImageMagick and optipng
 
 ```bash
 yum install -y ImageMagick optipng
 ```
 
+You may also install `ghostscript` which adds fonts to ImageMagick.
+Available fonts, used to generate png for text, can be listed with `magick identify -list font`.
+Prefer ImageMagick version >=7.
+
 #### Video: FFmpeg
 
 The easiest method is to download and install the latest released version of ffmpeg with static libraries from [https://johnvansickle.com/ffmpeg/](https://johnvansickle.com/ffmpeg/)
@@ -4114,7 +4237,13 @@ The mp4 video preview file is only for category `video`
 
 File type is primarily based on file extension detected by the node API and translated info a mime type returned by the node API.
 
-The tool can also locally detect the mime type using gem `mimemagic`.
+The tool can also locally detect the mime type using option `mimemagic`.
+
+To use it, set option `mimemagic` to `yes`: `--mimemagic=yes`
+
+If not used, Mime type used for conversion is the one provided by the node API.
+
+If used, the `preview` command will first analyze the file content using mimemagic, and if no match, will try by extension.
 
 ### Access to original files and preview creation
 
@@ -4149,19 +4278,19 @@ The `smtp` option is a hash table (extended value) with the following fields:
 ```bash
 ascli config preset set smtp_google server smtp.google.com
 ascli config preset set smtp_google username john@gmail.com
-ascli config preset set smtp_google password P@ssw0rd
+ascli config preset set smtp_google password _pass_here_
 ```
 
 or
 
 ```javascript
-ascli config preset init smtp_google @json:'{"server":"smtp.google.com","username":"john@gmail.com","password":"P@ssw0rd"}'
+ascli config preset init smtp_google @json:'{"server":"smtp.google.com","username":"john@gmail.com","password":"_pass_here_"}'
 ```
 
 or
 
 ```bash
-ascli config preset update smtp_google --server=smtp.google.com --username=john@gmail.com --password=P@ssw0rd
+ascli config preset update smtp_google --server=smtp.google.com --username=john@gmail.com --password=_pass_here_
 ```
 
 Set this configuration as global default, for instance:
@@ -4224,7 +4353,7 @@ Transfer is: <%=global_transfer_status%>
 This gem comes with a second executable tool providing a simplified standardized interface
 to start a FASP session: `asession`.
 
-It aims at simplifying the startup of a FASP session from a programmatic stand point as formatting a [_transfer-spec_](#transferspec) is:
+It aims at simplifying the startup of a FASP session from a programmatic stand point as formatting a [*transfer-spec*](#transferspec) is:
 
 * common to Aspera Node API (HTTP POST /ops/transfer)
 * common to Aspera Connect API (browser javascript startTransfer)
@@ -4234,20 +4363,20 @@ Hopefully, IBM integrates this diectly in `ascp`, and this tool is made redundan
 
 This makes it easy to integrate with any language provided that one can spawn a sub process, write to its STDIN, read from STDOUT, generate and parse JSON.
 
-The tool expect one single argument: a [_transfer-spec_](#transferspec).
+The tool expect one single argument: a [*transfer-spec*](#transferspec).
 
-If not argument is provided, it assumes a value of: `@json:@stdin:`, i.e. a JSON formatted [_transfer-spec_](#transferspec) on stdin.
+If not argument is provided, it assumes a value of: `@json:@stdin:`, i.e. a JSON formatted [*transfer-spec*](#transferspec) on stdin.
 
 Note that if JSON is the format, one has to specify `@json:` to tell the tool to decode the hash using JSON.
 
 During execution, it generates all low level events, one per line, in JSON format on stdout.
 
-Note that there are special "extended" [_transfer-spec_](#transferspec) parameters supported by `asession`:
+Note that there are special "extended" [*transfer-spec*](#transferspec) parameters supported by `asession`:
 
 * `EX_loglevel` to change log level of the tool
 * `EX_file_list_folder` to set the folder used to store (exclusively, because of garbage collection) generated file lists. By default it is `[system tmp folder]/[username]_asession_filelists`
 
-Note that in addition, many "EX_" [_transfer-spec_](#transferspec) parameters are supported for the [`direct`](#agt_direct) transfer agent (used by `asession`), refer to section [_transfer-spec_](#transferspec).
+Note that in addition, many "EX_" [*transfer-spec*](#transferspec) parameters are supported for the [`direct`](#agt_direct) transfer agent (used by `asession`), refer to section [*transfer-spec*](#transferspec).
 
 ### Comparison of interfaces
 
@@ -4262,7 +4391,7 @@ Note that in addition, many "EX_" [_transfer-spec_](#transferspec) parameters ar
 ### Simple session
 
 ```javascript
-MY_TSPEC='{"remote_host":"demo.asperasoft.com","remote_user":"asperaweb","ssh_port":33001,"remote_password":"_demo_pass_","direction":"receive","destination_root":"./test.dir","paths":[{"source":"/aspera-test-dir-tiny/200KB.1"}],"resume_level":"none"}'
+MY_TSPEC='{"remote_host":"demo.asperasoft.com","remote_user":"asperaweb","ssh_port":33001,"remote_password":"_pass_here_","direction":"receive","destination_root":"./test.dir","paths":[{"source":"/aspera-test-dir-tiny/200KB.1"}],"resume_level":"none"}'
 
 echo "${MY_TSPEC}"|asession
 ```
@@ -4271,11 +4400,11 @@ echo "${MY_TSPEC}"|asession
 
 `asession` also supports asynchronous commands (on the management port). Instead of the traditional text protocol as described in ascp manual, the format for commands is: one single line per command, formatted in JSON, where parameters shall be "snake" style, for example: `LongParameter` -&gt; `long_parameter`
 
-This is particularly useful for a persistent session ( with the [_transfer-spec_](#transferspec) parameter: `"keepalive":true` )
+This is particularly useful for a persistent session ( with the [*transfer-spec*](#transferspec) parameter: `"keepalive":true` )
 
 ```javascript
 asession
-{"remote_host":"demo.asperasoft.com","ssh_port":33001,"remote_user":"asperaweb","remote_password":"_demo_pass_","direction":"receive","destination_root":".","keepalive":true,"resume_level":"none"}
+{"remote_host":"demo.asperasoft.com","ssh_port":33001,"remote_user":"asperaweb","remote_password":"_pass_here_","direction":"receive","destination_root":".","keepalive":true,"resume_level":"none"}
 {"type":"START","source":"/aspera-test-dir-tiny/200KB.2"}
 {"type":"DONE"}
 ```
@@ -4348,7 +4477,7 @@ Note that:
 
 * `ascli` takes transfer parameters exclusively as a transfer_spec, with `--ts` parameter.
 * most, but not all native ascp arguments are available as standard transfer_spec parameters
-* native ascp arguments can be provided with the [_transfer-spec_](#transferspec) parameter: EX_ascp_args (array), only for the [`direct`](#agt_direct) transfer agent (not connect or node)
+* native ascp arguments can be provided with the [*transfer-spec*](#transferspec) parameter: EX_ascp_args (array), only for the [`direct`](#agt_direct) transfer agent (not connect or node)
 
 #### server side and configuration
 
@@ -4419,11 +4548,11 @@ Main components:
 A working example can be found in the gem, example:
 
 ```bash
-ascli config gem_path
+ascli config gem path
 ```
 
 ```bash
-cat $(ascli config gem_path)/../examples/transfer.rb
+cat $(ascli config gem path)/../examples/transfer.rb
 ```
 
 This sample code shows some example of use of the API as well as REST API.
@@ -4454,11 +4583,27 @@ So, it evolved into `ascli`:
 
 * portable: works on platforms supporting `ruby` (and `ascp`)
 * easy to install with the `gem` utility
-* supports transfers with multiple [Transfer Agents](#agents), that&apos;s why transfer parameters moved from ascp command line to [_transfer-spec_](#transferspec) (more reliable , more standard)
+* supports transfers with multiple [Transfer Agents](#agents), that&apos;s why transfer parameters moved from ascp command line to [*transfer-spec*](#transferspec) (more reliable , more standard)
 * `ruby` is consistent with other Aspera products
 
 ## Changes (Release notes)
 
+* 4.7.0
+
+  * new: option to specify font used to generate image of text file in `preview`
+  * new: #66 improvement for content protection (support standard transfer spec options for direct agent)
+  * new: option `fpac` is now applicable to all ruby based HTTP connections, i.e. API calls
+  * new: option `show_secrets` to reveal secrets in command output
+  * new: added and updated commands for Faspex 5
+  * new: option `cache_tokens`
+  * new: Faspex4 dropbox packages can now be received by id
+  * change: (break) command `conf gem path` replaces `conf gem_path`
+  * change: (break) option `fpac` expects a value instead of URL
+  * change: (break) option `cipher` in transfer spec must have hyphen
+  * change: (break) renamed option `log_passwords` to `log_secrets`
+  * change: (break) removed plugin `shares2` as products is now EOL
+  * fix: After AoC version update, wizard did not detect AoC properly
+
 * 4.6.0
 
   * new: command `conf plugin create`
@@ -4823,7 +4968,7 @@ So, it evolved into `ascli`:
 
 * 0.9.7
 
-  * homogeneous [_transfer-spec_](#transferspec) for `node` and [`direct`](#agt_direct) transfer agents
+  * homogeneous [*transfer-spec*](#transferspec) for `node` and [`direct`](#agt_direct) transfer agents
   * preview persistency goes to unique file by default
   * catch mxf extension in preview as video
   * Faspex: possibility to download all packages by specifying id=ALL
@@ -4898,24 +5043,21 @@ So, it evolved into `ascli`:
 
   * Breaking change: "files" application renamed to "aspera" (for "Aspera on Cloud"). "repository" renamed to "files". Default is automatically reset, e.g. in config files and change key "files" to "aspera" in [option preset](#lprt) "default".
 
-## BUGS, FEATURES, CONTRIBUTION
-
-For issues or feature requests use the Github repository and issues.
+## Common problems
 
-You can also contribute to this open source project.
+### Error "Remote host is not who we expected"
 
-One can also [create one's own plugin](#createownplugin).
+Cause: `ascp` >= 4.x checks fingerprint of highest server host key, including ECDSA. `ascp` < 4.0 (3.9.6 and earlier) support only to RSA level (and ignore ECDSA presented by server). `aspera.conf` supports a single fingerprint.
 
-### Only one value for any option
+Workaround on client side: To ignore the certificate (SSH fingerprint) add option on client side (this option can also be added permanently to the config file):
 
-Some commands and sub commands may ask for the same option name.
-Currently, since option definition is position independent (last one wins), it is not possible
-to give an option to a command and the same option with different value to a sub command.
+```json
+--ts=@json:'{"sshfp":null}'
+```
 
-For instance, if an entity is identified by the option `id` but later on the command line another `id` option is required, then the later will override the earlier one, and both entity will use the same id.
-As a solution, use the position specific notation for selection, i.e. provide the identified just after command and do not use option `id`.
+Workaround on server side: Either remove the fingerprint from `aspera.conf`, or keep only RSA host keys in `sshd_config`.
 
-This happens typically for the `node` sub command, e.g. identify the node by name instead of id.
+References: ES-1944 in release notes of 4.1 and to [HSTS admin manual section "Configuring Transfer Server Authentication With a Host-Key Fingerprint"](https://www.ibm.com/docs/en/ahts/4.2?topic=upgrades-configuring-ssh-server).
 
 ### ED255519 key not supported
 
@@ -4930,33 +5072,18 @@ OpenSSH keys only supported if ED25519 is available
 Which meant that you do not have ruby support for ED25519 SSH keys.
 You may either install the suggested Gems, or remove your ed25519 key from your `.ssh` folder to solve the issue.
 
-### Error "Remote host is not who we expected"
-
-Cause: `ascp` >= 4.x checks fingerprint of highest server host key, including ECDSA. `ascp` < 4.0 (3.9.6 and earlier) support only to RSA level (and ignore ECDSA presented by server). `aspera.conf` supports a single fingerprint.
-
-Workaround on client side: To ignore the certificate (SSH fingerprint) add option on client side (this option can also be added permanently to the config file):
-
-```bash
---ts=@json:'{"sshfp":null}'
-```
+## BUGS, FEATURES, CONTRIBUTION
 
-Workaround on server side: Either remove the fingerprint from `aspera.conf`, or keep only RSA host keys in `sshd_config`.
+For issues reports or feature requests use the Github repository and issues.
 
-References: ES-1944 in release notes of 4.1 and to [HSTS admin manual section "Configuring Transfer Server Authentication With a Host-Key Fingerprint"](https://www.ibm.com/docs/en/ahts/4.2?topic=upgrades-configuring-ssh-server).
+You can also contribute to this open source project.
 
-### Miscellaneous
+One can also [create one's own plugin](#createownplugin).
 
-* remove rest and oauth classes and use ruby standard gems:
+## Miscellaneous
 
-  * oauth
+* replace rest and oauth classes with ruby standard gems:
   * <https://github.com/rest-client/rest-client>
-
-* use Thor or any standard Ruby CLI manager
-
-* provide metadata in packages
-
-* deliveries to dropboxes
-
-* Going through proxy: use env var http_proxy and https_proxy, no_proxy
-
-* easier use with <https://github.com/pmq20/ruby-packer>
+  * <https://github.com/oauth-xx/oauth2>
+* use gem Thor <http://whatisthor.com/> (or other standard Ruby CLI manager)
+* Package with <https://github.com/pmq20/ruby-packer> (rubyc)