You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat!: move login/logout to auth subcommand, add auth status (#84)
* feat!: move login/logout to auth subcommand, add auth status
BREAKING CHANGE: `workos login` and `workos logout` are now
`workos auth login` and `workos auth logout`.
New `workos auth status` command shows current auth state:
- Logged in email/userId
- Token expiry (time remaining or how long ago it expired)
- Refresh token presence
- Active environment name and type
- Supports --json for machine-readable output
All error messages referencing `workos login` updated to
`workos auth login`.
* chore: formatting and linting fixes
* feat: add credential audit log for debugging auth loss
Writes timestamped entries to ~/.workos/audit.log for every credential
mutation: SAVE_CREDENTIALS, CLEAR_CREDENTIALS, UPDATE_TOKENS, and
GET_CREDENTIALS (when returning null). Logs only non-sensitive metadata:
email, userId, token expiry, refresh token presence, storage backend,
and caller stack frame. Never logs tokens or API keys.
Disabled automatically in test environments (VITEST).
* fix: guard keyring operations behind insecure storage flag
When forceInsecureStorage is true, all keyring read/write/delete
operations are now no-ops. Previously, deleteFromKeyring() would
still hit the real system keychain even in insecure-storage mode,
meaning tests using setInsecureStorage(true) could wipe real
credentials from the keychain.
This was the root cause of credentials mysteriously vanishing
after running tests.
* Revert "fix: guard keyring operations behind insecure storage flag"
This reverts commit e8b74d1.
* Revert "feat: add credential audit log for debugging auth loss"
This reverts commit 2d78cf5.
* docs: update README auth commands to use auth subcommand
* fix: use plain colored output for auth status instead of clack
* fix: add blank line after update notice to separate from command output
* fix: use plain colored output for login already-authenticated messages
* fix: suppress update notice in JSON mode to keep stdout clean
* fix: review fixes — isJsonMode guard, missed string ref, double newline
- bin.ts: use isJsonMode() instead of hasJsonFlag to suppress update
notice in all JSON contexts (including non-TTY auto-detection)
- ensure-auth.ts: fix missed workos login → workos auth login at line 94
- version-check.ts: fix double blank line (console.log already adds \n)
- Update CLAUDE.md, DEVELOPMENT.md, SKILL.md references
Copy file name to clipboardExpand all lines: README.md
+5-2Lines changed: 5 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -470,10 +470,13 @@ The CLI uses WorkOS Connect OAuth device flow for authentication:
470
470
471
471
```bash
472
472
# Login (opens browser for authentication)
473
-
workos login
473
+
workos auth login
474
+
475
+
# Check current auth status
476
+
workos auth status
474
477
475
478
# Logout (clears stored credentials)
476
-
workos logout
479
+
workos auth logout
477
480
```
478
481
479
482
OAuth credentials are stored in the system keychain (with `~/.workos/credentials.json` fallback). Access tokens are not persisted long-term for security - users re-authenticate when tokens expire.
Use these commands to manage WorkOS resources directly from the terminal. The CLI must be authenticated via `workos login` or `WORKOS_API_KEY` env var.
8
+
Use these commands to manage WorkOS resources directly from the terminal. The CLI must be authenticated via `workos auth login` or `WORKOS_API_KEY` env var.
9
9
10
10
All commands support `--json` for structured output. Use `--json` when you need to parse output (e.g., extract an ID).
0 commit comments