feat(auth): add token command and remove /users/me/ dependency

BYK · BYK · commit 3255cfcdca27 · 2026-02-06T00:39:44.000Z
- Add `sentry auth token` command that prints the unmasked auth token
- Use `/users/me/regions/` for token validation (works with all token types)
- Optionally fetch user info via `/users/me/` after validation (works with API tokens)
- Suppress upgrade notification for `auth token` (scripting use case)

Note: User identity for OAuth login comes from the token response.
For manual API tokens, we try /users/me/ which works with API tokens
but may not work with OAuth App tokens - failures are handled gracefully.
diff --git a/plugins/sentry-cli/skills/sentry-cli/SKILL.md b/plugins/sentry-cli/skills/sentry-cli/SKILL.md
@@ -90,6 +90,10 @@ View authentication status
 sentry auth status
 ```
 
+#### `sentry auth token`
+
+Print the stored authentication token
+
 ### Org
 
 Work with Sentry organizations
diff --git a/src/commands/auth/index.ts b/src/commands/auth/index.ts
@@ -3,19 +3,22 @@ import { loginCommand } from "./login.js";
 import { logoutCommand } from "./logout.js";
 import { refreshCommand } from "./refresh.js";
 import { statusCommand } from "./status.js";
+import { tokenCommand } from "./token.js";
 
 export const authRoute = buildRouteMap({
   routes: {
     login: loginCommand,
     logout: logoutCommand,
     refresh: refreshCommand,
     status: statusCommand,
+    token: tokenCommand,
   },
   docs: {
     brief: "Authenticate with Sentry",
     fullDescription:
       "Manage authentication with Sentry. Use 'sentry auth login' to authenticate, " +
       "'sentry auth logout' to remove credentials, 'sentry auth refresh' to manually refresh your token, " +
-      "and 'sentry auth status' to check your authentication status.",
+      "'sentry auth status' to check your authentication status, " +
+      "and 'sentry auth token' to print your token for use in scripts.",
   },
 });
diff --git a/src/commands/auth/login.ts b/src/commands/auth/login.ts
@@ -1,16 +1,13 @@
-// biome-ignore lint/performance/noNamespaceImport: Sentry SDK recommends namespace import
-import * as Sentry from "@sentry/bun";
 import { buildCommand, numberParser } from "@stricli/core";
 import type { SentryContext } from "../../context.js";
-import { getCurrentUser } from "../../lib/api-client.js";
+import { getCurrentUser, getUserRegions } from "../../lib/api-client.js";
 import { clearAuth, isAuthenticated, setAuthToken } from "../../lib/db/auth.js";
 import { getDbPath } from "../../lib/db/index.js";
 import { setUserInfo } from "../../lib/db/user.js";
 import { AuthError } from "../../lib/errors.js";
 import { muted, success } from "../../lib/formatters/colors.js";
 import { formatUserIdentity } from "../../lib/formatters/human.js";
 import { runInteractiveLogin } from "../../lib/interactive-login.js";
-import type { SentryUser } from "../../types/index.js";
 
 type LoginFlags = {
   readonly token?: string;
@@ -55,13 +52,12 @@ export const loginCommand = buildCommand({
 
     // Token-based authentication
     if (flags.token) {
-      // Save token first, then validate by fetching user info
+      // Save token first, then validate by fetching user regions
       await setAuthToken(flags.token);
 
-      // Validate token by fetching user info
-      let user: SentryUser;
+      // Validate token by fetching user regions
       try {
-        user = await getCurrentUser();
+        await getUserRegions();
       } catch {
         // Token is invalid - clear it and throw
         await clearAuth();
@@ -71,21 +67,24 @@ export const loginCommand = buildCommand({
         );
       }
 
-      // Store user info for telemetry (non-critical, don't block auth)
+      // Try to get user info (works with API tokens, may not work with OAuth App tokens)
+      let user: Awaited<ReturnType<typeof getCurrentUser>> | undefined;
       try {
+        user = await getCurrentUser();
         setUserInfo({
           userId: user.id,
           email: user.email,
           username: user.username,
           name: user.name,
         });
-      } catch (error) {
-        // Report to Sentry but don't block auth - user info is not critical
-        Sentry.captureException(error);
+      } catch {
+        // Ignore - user info is optional, token may not have permission
       }
 
       stdout.write(`${success("✓")} Authenticated with API token\n`);
-      stdout.write(`  Logged in as: ${muted(formatUserIdentity(user))}\n`);
+      if (user) {
+        stdout.write(`  Logged in as: ${muted(formatUserIdentity(user))}\n`);
+      }
       stdout.write(`  Config saved to: ${getDbPath()}\n`);
       return;
     }
diff --git a/src/commands/auth/token.ts b/src/commands/auth/token.ts
@@ -0,0 +1,36 @@
+/**
+ * sentry auth token
+ *
+ * Print the stored authentication token (unmasked).
+ * Useful for piping to other commands or scripts.
+ */
+
+import { buildCommand } from "@stricli/core";
+import type { SentryContext } from "../../context.js";
+import { getAuthToken } from "../../lib/db/auth.js";
+import { AuthError } from "../../lib/errors.js";
+
+export const tokenCommand = buildCommand({
+  docs: {
+    brief: "Print the stored authentication token",
+    fullDescription:
+      "Print the stored authentication token to stdout.\n\n" +
+      "This outputs the raw token without any formatting, making it suitable for " +
+      "piping to other commands or scripts. The token is printed without a trailing newline " +
+      "when stdout is not a TTY (e.g., when piped).",
+  },
+  parameters: {},
+  func(this: SentryContext): void {
+    const { stdout } = this;
+
+    const token = getAuthToken();
+    if (!token) {
+      throw new AuthError("not_authenticated");
+    }
+
+    // Add newline only if stdout is a TTY (interactive terminal)
+    // When piped, omit newline for cleaner output
+    const suffix = process.stdout.isTTY ? "\n" : "";
+    stdout.write(`${token}${suffix}`);
+  },
+});
diff --git a/src/lib/api-client.ts b/src/lib/api-client.ts
@@ -991,6 +991,9 @@ export function triggerSolutionPlanning(
 /**
  * Get the currently authenticated user's information.
  * Used for setting user context in telemetry.
+ *
+ * Note: This endpoint may not work with OAuth App tokens, but works with
+ * manually created API tokens. Callers should handle failures gracefully.
  */
 export function getCurrentUser(): Promise<SentryUser> {
   return apiRequest<SentryUser>("/users/me/", {
diff --git a/src/lib/version-check.ts b/src/lib/version-check.ts
@@ -22,7 +22,13 @@ const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
 const JITTER_FACTOR = 0.2;
 
 /** Commands/flags that should not show update notifications */
-const SUPPRESSED_ARGS = new Set(["upgrade", "--version", "-V", "--json"]);
+const SUPPRESSED_ARGS = new Set([
+  "upgrade",
+  "--version",
+  "-V",
+  "--json",
+  "token",
+]);
 
 /** AbortController for pending version check fetch */
 let pendingAbortController: AbortController | null = null;
