diff --git a/skills/outline-cli/SKILL.md b/skills/outline-cli/SKILL.md
index 78b7ab2..b228966 100644
--- a/skills/outline-cli/SKILL.md
+++ b/skills/outline-cli/SKILL.md
@@ -15,6 +15,7 @@ Use this skill when the user wants to interact with their Outline wiki/knowledge
 - `ol doc open <id>` - Open document in browser
 - `ol doc create --title "Title" --collection <id>` - Create document
 - `ol col list` - List collections
+- `ol account` - List stored accounts; `ol account use <id|name>` sets the default
 
 ## Output Formats
 
@@ -89,6 +90,19 @@ ol auth logout                         # Clear saved credentials
 ol auth logout --json | --ndjson       # Machine-readable logout envelope ({ok: true}; --ndjson is silent)
 ```
 
+### Accounts
+```bash
+ol account                             # List stored accounts (default subcommand)
+ol account list                        # List stored accounts, default marked
+ol account list --json | --ndjson      # Machine-readable list ({accounts, default}; --ndjson streams one per line)
+ol account current                     # Show the active account (honours --user and OUTLINE_API_TOKEN)
+ol account current --json | --ndjson   # Discriminated by source: {source:"stored", account:{id, label, teamName, baseUrl, isDefault}} | {source:"env"} | {source:"legacy"}
+ol account use <id|name>               # Set the default account used when --user is omitted
+ol account use <id|name> --json        # Machine-readable envelope ({ok: true, default: <id>}; --ndjson is silent)
+ol account remove <id|name>            # Remove a stored account (clears keyring + config entry)
+ol account remove <id|name> --json     # Machine-readable envelope ({ok: true, removed: <id>}; --ndjson is silent)
+```
+
 ### Update & Changelog
 ```bash
 ol update                        # Update CLI to latest version
diff --git a/src/_fixtures/auth.ts b/src/_fixtures/auth.ts
index 61ac351..c407f73 100644
--- a/src/_fixtures/auth.ts
+++ b/src/_fixtures/auth.ts
@@ -11,6 +11,15 @@ export const STORED_ACCOUNT: OutlineAccount = {
     teamName: 'Analytics',
 }
 
+/** Secondary persisted `OutlineAccount` on a different instance — for multi-account tests. */
+export const STORED_ACCOUNT_BOB: OutlineAccount = {
+    id: 'bob-uuid',
+    label: 'Bob',
+    baseUrl: 'https://bob.example.com',
+    oauthClientId: 'cid-bob',
+    teamName: 'Engineering',
+}
+
 /** v1 plaintext config snapshot that round-trips to `STORED_ACCOUNT`. */
 export const LEGACY_CONFIG = {
     api_token: 'tk_legacy_plaintext',
diff --git a/src/commands/account.test.ts b/src/commands/account.test.ts
new file mode 100644
index 0000000..98933b1
--- /dev/null
+++ b/src/commands/account.test.ts
@@ -0,0 +1,247 @@
+import { captureConsole, createTestProgram } from '@doist/cli-core/testing'
+import type { Command } from 'commander'
+import { type MockInstance, afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { STORED_ACCOUNT, STORED_ACCOUNT_BOB } from '../_fixtures/auth.js'
+import { CliError } from '../lib/errors.js'
+
+// `account` consumes two auth-provider exports: the token store (list/use/remove
+// drive its `list`/`setDefault`/`clear`) and `resolveActiveAccountSource` (which
+// `current` uses to classify the active credential). Both are stubbed per-test —
+// the source-precedence logic itself is covered in auth-provider.test.ts.
+const storeMocks = vi.hoisted(() => ({
+    list: vi.fn(),
+    setDefault: vi.fn(),
+    clear: vi.fn(),
+    getLastClearResult: vi.fn(() => undefined),
+}))
+const resolveMock = vi.hoisted(() => vi.fn())
+
+vi.mock('../lib/auth-provider.js', async (importOriginal) => {
+    const actual = await importOriginal<typeof import('../lib/auth-provider.js')>()
+    return {
+        ...actual,
+        createOutlineTokenStore: () => storeMocks,
+        resolveActiveAccountSource: resolveMock,
+    }
+})
+
+function lines(spy: MockInstance): string {
+    return spy.mock.calls.map((args) => args.join(' ')).join('\n')
+}
+
+async function buildProgram(): Promise<Command> {
+    const { registerAccountCommand } = await import('./account.js')
+    return createTestProgram(registerAccountCommand)
+}
+
+let logSpy: MockInstance
+let errSpy: MockInstance
+
+beforeEach(() => {
+    vi.resetModules()
+    delete process.env.OUTLINE_API_TOKEN
+    logSpy = captureConsole('log')
+    errSpy = captureConsole('error')
+})
+
+afterEach(() => {
+    vi.clearAllMocks()
+    delete process.env.OUTLINE_API_TOKEN
+    // Reset argv so a `--user` set by one test can't leak into the next via the
+    // (real) global-args parser.
+    process.argv = ['node', 'ol']
+})
+
+describe('account command', () => {
+    describe('list', () => {
+        it('renders all stored accounts with the default marker', async () => {
+            storeMocks.list.mockResolvedValue([
+                { account: STORED_ACCOUNT, isDefault: true },
+                { account: STORED_ACCOUNT_BOB, isDefault: false },
+            ])
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'list'])
+            const out = lines(logSpy)
+            expect(out).toContain('Ada')
+            expect(out).toContain('Bob')
+            expect(out).toContain(`id:${STORED_ACCOUNT.id}`)
+            expect(out).toMatch(/default/)
+        })
+
+        it('prints the empty-state message when nothing is stored', async () => {
+            storeMocks.list.mockResolvedValue([])
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'list'])
+            expect(lines(logSpy)).toMatch(/No stored accounts/)
+        })
+
+        it('runs by default when no subcommand is given (ol account)', async () => {
+            storeMocks.list.mockResolvedValue([{ account: STORED_ACCOUNT, isDefault: true }])
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account'])
+            expect(lines(logSpy)).toContain('Ada')
+        })
+
+        it('emits a {accounts, default} envelope under --json', async () => {
+            storeMocks.list.mockResolvedValue([
+                { account: STORED_ACCOUNT, isDefault: true },
+                { account: STORED_ACCOUNT_BOB, isDefault: false },
+            ])
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'list', '--json'])
+            const payload = JSON.parse(lines(logSpy))
+            expect(payload.default).toBe(STORED_ACCOUNT.id)
+            expect(payload.accounts).toHaveLength(2)
+            expect(payload.accounts[0]).toMatchObject({ id: STORED_ACCOUNT.id, isDefault: true })
+            // The OAuth client id is intentionally dropped from machine output.
+            expect(payload.accounts[0]).not.toHaveProperty('oauthClientId')
+        })
+    })
+
+    describe('use', () => {
+        it('sets the default account and echoes the ref', async () => {
+            storeMocks.setDefault.mockResolvedValue(undefined)
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'use', STORED_ACCOUNT_BOB.id])
+            expect(storeMocks.setDefault).toHaveBeenCalledWith(STORED_ACCOUNT_BOB.id)
+            expect(lines(logSpy)).toContain(`Default account set to ${STORED_ACCOUNT_BOB.id}`)
+        })
+
+        it('propagates ACCOUNT_NOT_FOUND from setDefault for an unknown ref', async () => {
+            storeMocks.setDefault.mockRejectedValue(
+                new CliError('ACCOUNT_NOT_FOUND', 'No stored account matches "nobody".'),
+            )
+            const program = await buildProgram()
+            await expect(
+                program.parseAsync(['node', 'ol', 'account', 'use', 'nobody']),
+            ).rejects.toHaveProperty('code', 'ACCOUNT_NOT_FOUND')
+            expect(storeMocks.setDefault).toHaveBeenCalledWith('nobody')
+        })
+    })
+
+    describe('remove', () => {
+        it('clears the account by the raw ref and prints the removed label', async () => {
+            storeMocks.clear.mockResolvedValue({ account: STORED_ACCOUNT_BOB, wasDefault: false })
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'remove', 'bob'])
+            expect(storeMocks.clear).toHaveBeenCalledWith('bob')
+            expect(lines(logSpy)).toContain('Removed Bob')
+        })
+
+        it('notes a cleared default when removing the default account', async () => {
+            storeMocks.clear.mockResolvedValue({ account: STORED_ACCOUNT, wasDefault: true })
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'remove', STORED_ACCOUNT.id])
+            const out = lines(logSpy)
+            expect(out).toContain('Removed Ada')
+            expect(out).toMatch(/Cleared default account/)
+        })
+
+        it('throws ACCOUNT_NOT_FOUND when clear matches nothing', async () => {
+            storeMocks.clear.mockResolvedValue(null)
+            const program = await buildProgram()
+            await expect(
+                program.parseAsync(['node', 'ol', 'account', 'remove', 'ghost']),
+            ).rejects.toHaveProperty('code', 'ACCOUNT_NOT_FOUND')
+        })
+
+        it('surfaces a keyring-fallback warning on stderr', async () => {
+            storeMocks.clear.mockResolvedValue({ account: STORED_ACCOUNT, wasDefault: true })
+            storeMocks.getLastClearResult.mockReturnValue({
+                storage: 'config-file',
+                warning: 'OS keyring unavailable; cleared the config-file token instead.',
+            })
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'remove', STORED_ACCOUNT.id])
+            expect(lines(errSpy)).toContain('OS keyring unavailable')
+        })
+    })
+
+    describe('current', () => {
+        it('renders the active stored account', async () => {
+            resolveMock.mockResolvedValue({
+                source: 'stored',
+                account: STORED_ACCOUNT,
+                isDefault: true,
+            })
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'current'])
+            const out = lines(logSpy)
+            expect(out).toContain('Ada')
+            expect(out).toContain(STORED_ACCOUNT.baseUrl)
+        })
+
+        it('emits a {source:"stored", account} envelope under --json', async () => {
+            resolveMock.mockResolvedValue({
+                source: 'stored',
+                account: STORED_ACCOUNT,
+                isDefault: true,
+            })
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'current', '--json'])
+            const payload = JSON.parse(lines(logSpy))
+            expect(payload.source).toBe('stored')
+            expect(payload.account).toMatchObject({ id: STORED_ACCOUNT.id, isDefault: true })
+            expect(payload.account).not.toHaveProperty('oauthClientId')
+        })
+
+        it('threads --user through to the source resolver, bypassing an env token', async () => {
+            process.env.OUTLINE_API_TOKEN = 'tok-env'
+            // The root `--user` is stripped from argv before commander in the real
+            // flow; the global-args parser still reads it off the original argv.
+            process.argv = ['node', 'ol', '--user', 'Bob', 'account', 'current']
+            resolveMock.mockImplementation(async (ref?: string) =>
+                ref === 'Bob'
+                    ? { source: 'stored', account: STORED_ACCOUNT_BOB, isDefault: false }
+                    : { source: 'env' },
+            )
+            const program = await buildProgram()
+            await program.parseAsync(['node', 'ol', 'account', 'current'])
+            expect(resolveMock).toHaveBeenCalledWith('Bob')
+            const out = lines(logSpy)
+            expect(out).toContain('Bob')
+            expect(out).not.toContain('OUTLINE_API_TOKEN')
+        })
+
+        it('reports the env-token source (human + --json)', async () => {
+            resolveMock.mockResolvedValue({ source: 'env' })
+            await (await buildProgram()).parseAsync(['node', 'ol', 'account', 'current'])
+            expect(lines(logSpy)).toContain('OUTLINE_API_TOKEN')
+
+            logSpy.mockClear()
+            resolveMock.mockResolvedValue({ source: 'env' })
+            await (await buildProgram()).parseAsync(['node', 'ol', 'account', 'current', '--json'])
+            expect(JSON.parse(lines(logSpy))).toEqual({ source: 'env' })
+        })
+
+        it('reports the legacy source (human + --json)', async () => {
+            resolveMock.mockResolvedValue({ source: 'legacy' })
+            await (await buildProgram()).parseAsync(['node', 'ol', 'account', 'current'])
+            expect(lines(logSpy)).toMatch(/legacy single-user credentials/)
+
+            logSpy.mockClear()
+            resolveMock.mockResolvedValue({ source: 'legacy' })
+            await (
+                await buildProgram()
+            ).parseAsync(['node', 'ol', 'account', 'current', '--ndjson'])
+            expect(JSON.parse(lines(logSpy))).toEqual({ source: 'legacy' })
+        })
+
+        it('throws NOT_AUTHENTICATED when nothing is active', async () => {
+            resolveMock.mockResolvedValue(null)
+            const program = await buildProgram()
+            await expect(
+                program.parseAsync(['node', 'ol', 'account', 'current']),
+            ).rejects.toHaveProperty('code', 'NOT_AUTHENTICATED')
+        })
+
+        it('throws ACCOUNT_NOT_FOUND when an explicit --user matches nothing', async () => {
+            process.argv = ['node', 'ol', '--user', 'Ghost', 'account', 'current']
+            resolveMock.mockResolvedValue(null)
+            const program = await buildProgram()
+            await expect(
+                program.parseAsync(['node', 'ol', 'account', 'current']),
+            ).rejects.toHaveProperty('code', 'ACCOUNT_NOT_FOUND')
+        })
+    })
+})
diff --git a/src/commands/account.ts b/src/commands/account.ts
new file mode 100644
index 0000000..7f3ddea
--- /dev/null
+++ b/src/commands/account.ts
@@ -0,0 +1,138 @@
+import { emitView } from '@doist/cli-core'
+import {
+    attachAccountListCommand,
+    attachAccountRemoveCommand,
+    attachAccountUseCommand,
+} from '@doist/cli-core/auth'
+import chalk from 'chalk'
+import type { Command } from 'commander'
+import { TOKEN_ENV_VAR } from '../lib/auth-constants.js'
+import { logClearResult } from '../lib/auth-output.js'
+import {
+    createOutlineTokenStore,
+    type OutlineAccount,
+    resolveActiveAccountSource,
+} from '../lib/auth-provider.js'
+import { CliError } from '../lib/errors.js'
+import { getRequestedUserRef, isAccessible } from '../lib/global-args.js'
+
+/** `<label> (id:<id>)` with an accessibility-aware default marker. */
+function accountLine(account: OutlineAccount, isDefault: boolean): string {
+    const marker = isDefault ? (isAccessible() ? ' [default]' : chalk.green(' (default)')) : ''
+    return `${account.label} ${chalk.dim(`(id:${account.id})`)}${marker}`
+}
+
+/** Tidy machine projection shared by `list` and `current` — drops the OAuth client id. */
+function projectAccount(account: OutlineAccount, isDefault: boolean) {
+    return {
+        id: account.id,
+        label: account.label,
+        teamName: account.teamName,
+        baseUrl: account.baseUrl,
+        isDefault,
+    }
+}
+
+export function registerAccountCommand(program: Command): void {
+    const account = program.command('account').description('Manage stored CLI accounts')
+    const store = createOutlineTokenStore()
+
+    const list = attachAccountListCommand<OutlineAccount>(account, {
+        store,
+        description: 'List stored Outline accounts',
+        renderText: ({ accounts }) => {
+            if (accounts.length === 0) {
+                return 'No stored accounts. Run `ol auth login` to add one.'
+            }
+            return accounts.map(({ account, isDefault }) => accountLine(account, isDefault))
+        },
+        renderJson: ({ account, isDefault }) => projectAccount(account, isDefault),
+    })
+
+    attachAccountUseCommand<OutlineAccount>(account, {
+        store,
+        description: 'Set the default account (matched by Outline user id or display name)',
+    })
+
+    // `current` resolves the active credential's source directly (env / stored /
+    // legacy) rather than going through the generic account attacher, which only
+    // models stored accounts. `--json` / `--ndjson` emit a discriminated envelope.
+    account
+        .command('current')
+        .description('Show the active account (honours --user and OUTLINE_API_TOKEN)')
+        .option('--json', 'Emit machine-readable JSON output')
+        .option('--ndjson', 'Emit machine-readable NDJSON output')
+        .action(async (options: { json?: boolean; ndjson?: boolean }) => {
+            const view = { json: Boolean(options.json), ndjson: Boolean(options.ndjson) }
+            const requested = getRequestedUserRef()
+            const resolution = await resolveActiveAccountSource(requested)
+            if (resolution?.source === 'stored') {
+                const { account: acc, isDefault } = resolution
+                emitView(
+                    view,
+                    { source: 'stored', account: projectAccount(acc, isDefault) },
+                    () => {
+                        const lines = [accountLine(acc, isDefault), `  Base URL: ${acc.baseUrl}`]
+                        if (acc.teamName) lines.push(`  Team: ${acc.teamName}`)
+                        return lines
+                    },
+                )
+                return
+            }
+            if (resolution?.source === 'env') {
+                emitView(view, { source: 'env' }, () => [
+                    `Using ${TOKEN_ENV_VAR} environment variable (no stored account).`,
+                ])
+                return
+            }
+            if (resolution?.source === 'legacy') {
+                emitView(view, { source: 'legacy' }, () => [
+                    'Using legacy single-user credentials. Run `ol auth login` to migrate to a stored account.',
+                ])
+                return
+            }
+            if (requested !== undefined) {
+                throw new CliError(
+                    'ACCOUNT_NOT_FOUND',
+                    `No stored account matches "${requested}".`,
+                    ['Check the account id or display name, or run `ol auth login` to add it.'],
+                )
+            }
+            throw new CliError('NOT_AUTHENTICATED', 'Not authenticated. Run: ol auth login')
+        })
+
+    attachAccountRemoveCommand<OutlineAccount>(account, {
+        store,
+        description: 'Remove a stored account (clears keyring + config entry)',
+        renderText: ({ account, wasDefault }) => {
+            const lines = [`${chalk.green('✓')} Removed ${account.label}`]
+            if (wasDefault) {
+                lines.push(
+                    chalk.dim(
+                        'Cleared default account. Set a new one with `ol account use <id|name>`.',
+                    ),
+                )
+            }
+            return lines
+        },
+        onRemoved: ({ view }) => logClearResult(store, view.json || view.ndjson),
+    })
+
+    // Make bare `ol account` list. A parent action runs only when no subcommand
+    // matches, so `ol account list` still routes to the subcommand directly —
+    // this just delegates the no-subcommand case via the public API (no reliance
+    // on commander internals).
+    account.action(async () => {
+        await list.parseAsync([], { from: 'user' })
+    })
+
+    account.addHelpText(
+        'after',
+        `
+Examples:
+  ol account                     # list stored accounts (default subcommand)
+  ol account current             # show the active account
+  ol account use "Ada Lovelace"  # set the default account (id or display name)
+  ol account remove id-bob       # forget an account (clears keyring + config entry)`,
+    )
+}
diff --git a/src/commands/auth-command.test.ts b/src/commands/auth-command.test.ts
index bc87916..1eb11e8 100644
--- a/src/commands/auth-command.test.ts
+++ b/src/commands/auth-command.test.ts
@@ -261,7 +261,7 @@ describe('logTokenStorageResult', () => {
     it('prints the secure-store confirmation to stdout in human mode', async () => {
         const log = captureConsole()
         const errorSpy = captureConsole('error')
-        const { logTokenStorageResult } = await import('./auth.js')
+        const { logTokenStorageResult } = await import('../lib/auth-output.js')
 
         logTokenStorageResult({ storage: 'secure-store' }, 'Token stored securely', false)
 
@@ -271,7 +271,7 @@ describe('logTokenStorageResult', () => {
 
     it('suppresses the stdout confirmation in machine-output mode', async () => {
         const log = captureConsole()
-        const { logTokenStorageResult } = await import('./auth.js')
+        const { logTokenStorageResult } = await import('../lib/auth-output.js')
 
         logTokenStorageResult({ storage: 'secure-store' }, 'Token stored securely', true)
 
@@ -281,7 +281,7 @@ describe('logTokenStorageResult', () => {
     it('routes the keyring-fallback warning to stderr (in both human and machine modes)', async () => {
         const log = captureConsole()
         const errorSpy = captureConsole('error')
-        const { logTokenStorageResult } = await import('./auth.js')
+        const { logTokenStorageResult } = await import('../lib/auth-output.js')
 
         logTokenStorageResult(
             { storage: 'config-file', warning: 'system credential manager unavailable' },
diff --git a/src/commands/auth.ts b/src/commands/auth.ts
index a56b9ad..93a67b7 100644
--- a/src/commands/auth.ts
+++ b/src/commands/auth.ts
@@ -1,12 +1,8 @@
-import {
-    attachLoginCommand,
-    attachLogoutCommand,
-    attachStatusCommand,
-    type TokenStorageResult,
-} from '@doist/cli-core/auth'
+import { attachLoginCommand, attachLogoutCommand, attachStatusCommand } from '@doist/cli-core/auth'
 import chalk from 'chalk'
 import type { Command } from 'commander'
 import { apiRequest } from '../lib/api.js'
+import { logClearResult, logTokenStorageResult } from '../lib/auth-output.js'
 import { renderError, renderSuccess } from '../lib/auth-pages.js'
 import {
     type AuthInfoResponse,
@@ -37,29 +33,6 @@ function resolvePreferredCallbackPort(): number {
     return parsed
 }
 
-/**
- * Surface a `TokenStorageResult` from a save/clear: the human-readable
- * confirmation goes to stdout, any keyring-fallback warning goes to stderr.
- * Pass `isMachineOutput: true` to suppress the stdout confirmation in
- * `--json` / `--ndjson` mode while still routing the warning to stderr.
- *
- * Exported for direct unit testing — the alternative (driving this via
- * mocked cli-core login/logout hooks) would require stubbing the entire
- * store contract just to assert two console calls.
- */
-export function logTokenStorageResult(
-    result: TokenStorageResult,
-    secureStoreMessage: string,
-    isMachineOutput = false,
-): void {
-    if (!isMachineOutput && result.storage === 'secure-store') {
-        console.log(chalk.dim(secureStoreMessage))
-    }
-    if (result.warning) {
-        console.error(chalk.yellow('Warning:'), result.warning)
-    }
-}
-
 export function registerAuthCommand(program: Command): void {
     const auth = program.command('auth').description('Manage authentication')
 
@@ -176,13 +149,7 @@ export function registerAuthCommand(program: Command): void {
         store: refAware,
         description: 'Clear saved authentication',
         onCleared({ view }) {
-            const result = store.getLastClearResult()
-            if (!result) return
-            logTokenStorageResult(
-                result,
-                'Stored token removed from the system credential manager',
-                view.json || view.ndjson,
-            )
+            logClearResult(store, view.json || view.ndjson)
         },
     })
 }
diff --git a/src/index.ts b/src/index.ts
index 6a9b365..b9c5634 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { Command } from 'commander'
 import packageJson from '../package.json' with { type: 'json' }
+import { registerAccountCommand } from './commands/account.js'
 import { registerAuthCommand } from './commands/auth.js'
 import { registerChangelogCommand } from './commands/changelog.js'
 import { registerCollectionCommand } from './commands/collection.js'
@@ -33,6 +34,7 @@ Note for AI/LLM agents:
     )
 
 registerAuthCommand(program)
+registerAccountCommand(program)
 registerSearchCommand(program)
 registerDocumentCommand(program)
 registerCollectionCommand(program)
diff --git a/src/lib/auth-output.ts b/src/lib/auth-output.ts
new file mode 100644
index 0000000..75cee7f
--- /dev/null
+++ b/src/lib/auth-output.ts
@@ -0,0 +1,37 @@
+import type { TokenStorageResult } from '@doist/cli-core/auth'
+import chalk from 'chalk'
+import type { OutlineTokenStore } from './auth-provider.js'
+
+/**
+ * Surface a `TokenStorageResult` from a save/clear: the human-readable
+ * confirmation goes to stdout, any keyring-fallback warning goes to stderr.
+ * Pass `isMachineOutput: true` to suppress the stdout confirmation in
+ * `--json` / `--ndjson` mode while still routing the warning to stderr.
+ */
+export function logTokenStorageResult(
+    result: TokenStorageResult,
+    secureStoreMessage: string,
+    isMachineOutput = false,
+): void {
+    if (!isMachineOutput && result.storage === 'secure-store') {
+        console.log(chalk.dim(secureStoreMessage))
+    }
+    if (result.warning) {
+        console.error(chalk.yellow('Warning:'), result.warning)
+    }
+}
+
+/**
+ * Surface the result of a token clear (`auth logout` / `account remove`): the
+ * confirmation goes to stdout, any keyring-fallback warning to stderr. Shared so
+ * both call sites stay in lockstep.
+ */
+export function logClearResult(store: OutlineTokenStore, isMachineOutput: boolean): void {
+    const result = store.getLastClearResult()
+    if (!result) return
+    logTokenStorageResult(
+        result,
+        'Stored token removed from the system credential manager',
+        isMachineOutput,
+    )
+}
diff --git a/src/lib/auth-provider.test.ts b/src/lib/auth-provider.test.ts
index b06b7e1..24d238e 100644
--- a/src/lib/auth-provider.test.ts
+++ b/src/lib/auth-provider.test.ts
@@ -22,6 +22,7 @@ const keyringMocks = vi.hoisted(() => ({
     createKeyringTokenStore: vi.fn(),
     inner: {
         active: vi.fn(),
+        activeAccount: vi.fn(),
         activeBundle: vi.fn(),
         set: vi.fn(),
         setBundle: vi.fn(),
@@ -495,6 +496,93 @@ describe('createOutlineTokenStore', () => {
     })
 })
 
+describe('resolveActiveAccountSource', () => {
+    async function loadResolve(): Promise<
+        typeof import('./auth-provider.js').resolveActiveAccountSource
+    > {
+        vi.resetModules()
+        return (await import('./auth-provider.js')).resolveActiveAccountSource
+    }
+
+    beforeEach(() => {
+        delete process.env[TOKEN_ENV_VAR]
+        keyringMocks.inner.activeAccount.mockReset().mockResolvedValue(null)
+        migrateMocks.runMigrateLegacyAuth
+            .mockReset()
+            .mockResolvedValue({ status: 'no-legacy-state' })
+        configMocks.getConfig.mockReset().mockResolvedValue({})
+    })
+
+    afterEach(() => {
+        vi.unstubAllEnvs()
+    })
+
+    it('reports env (and bypasses migration + the v2 store) when OUTLINE_API_TOKEN is set and no ref', async () => {
+        vi.stubEnv(TOKEN_ENV_VAR, 'env_token_value')
+        const resolveActiveAccountSource = await loadResolve()
+
+        await expect(resolveActiveAccountSource()).resolves.toEqual({ source: 'env' })
+        expect(keyringMocks.inner.activeAccount).not.toHaveBeenCalled()
+        expect(migrateMocks.runMigrateLegacyAuth).not.toHaveBeenCalled()
+    })
+
+    it('reports the stored v2 account with its default marker', async () => {
+        keyringMocks.inner.activeAccount.mockResolvedValue({
+            account: STORED_ACCOUNT,
+            isDefault: true,
+        })
+        const resolveActiveAccountSource = await loadResolve()
+
+        await expect(resolveActiveAccountSource()).resolves.toEqual({
+            source: 'stored',
+            account: STORED_ACCOUNT,
+            isDefault: true,
+        })
+    })
+
+    it('prefers a stored v2 account over a lingering legacy token (inconclusive migration)', async () => {
+        // A legacy api_token is still on disk and migration is inconclusive, but
+        // the v2 store resolves a default — the stored account must win.
+        migrateMocks.runMigrateLegacyAuth.mockResolvedValue(SKIPPED_RESULT)
+        configMocks.getConfig.mockResolvedValue(LEGACY_CONFIG)
+        keyringMocks.inner.activeAccount.mockResolvedValue({
+            account: STORED_ACCOUNT,
+            isDefault: true,
+        })
+        const resolveActiveAccountSource = await loadResolve()
+
+        await expect(resolveActiveAccountSource()).resolves.toMatchObject({ source: 'stored' })
+    })
+
+    it('reports legacy only when the v2 store has no matching record', async () => {
+        migrateMocks.runMigrateLegacyAuth.mockResolvedValue(SKIPPED_RESULT)
+        configMocks.getConfig.mockResolvedValue(LEGACY_CONFIG)
+        keyringMocks.inner.activeAccount.mockResolvedValue(null)
+        const resolveActiveAccountSource = await loadResolve()
+
+        await expect(resolveActiveAccountSource()).resolves.toEqual({ source: 'legacy' })
+    })
+
+    it('does not misreport a renamed legacy snapshot as stored when --user matches the old name only', async () => {
+        // Regression for UUID-equality misclassification: the v2 record was
+        // renamed (so it no longer matches the old display name), while the
+        // legacy snapshot still carries it. `--user <old-name>` must resolve to
+        // legacy, not stored.
+        migrateMocks.runMigrateLegacyAuth.mockResolvedValue(SKIPPED_RESULT)
+        configMocks.getConfig.mockResolvedValue(LEGACY_CONFIG) // legacy label "Ada"
+        keyringMocks.inner.activeAccount.mockResolvedValue(null) // v2 record no longer matches "Ada"
+        const resolveActiveAccountSource = await loadResolve()
+
+        await expect(resolveActiveAccountSource('Ada')).resolves.toEqual({ source: 'legacy' })
+        expect(keyringMocks.inner.activeAccount).toHaveBeenCalledWith('Ada')
+    })
+
+    it('returns null when nothing is active', async () => {
+        const resolveActiveAccountSource = await loadResolve()
+        await expect(resolveActiveAccountSource()).resolves.toBeNull()
+    })
+})
+
 describe('matchOutlineAccount', () => {
     it('matches the UUID exactly and the label case-insensitively', async () => {
         const { matchOutlineAccount } = await import('./auth-provider.js')
diff --git a/src/lib/auth-provider.ts b/src/lib/auth-provider.ts
index a53c9a9..9ef8d26 100644
--- a/src/lib/auth-provider.ts
+++ b/src/lib/auth-provider.ts
@@ -216,13 +216,48 @@ export async function isLegacyAuthActive(): Promise<boolean> {
  * propagates it so a failed logout fails loudly instead of leaving the
  * user authenticated via the legacy fallback.
  */
-export function createOutlineTokenStore(): OutlineTokenStore {
-    const inner = createKeyringTokenStore<OutlineAccount>({
+/** The bare cli-core keyring store (v2 records only — no env/legacy fallback). */
+function createInnerStore(): KeyringTokenStore<OutlineAccount> {
+    return createKeyringTokenStore<OutlineAccount>({
         serviceName: SECURE_STORE_SERVICE,
         userRecords: createOutlineUserRecordStore(),
         recordsLocation: getConfigPath(),
         matchAccount: matchOutlineAccount,
     })
+}
+
+/** Where `ol account current` resolves the active credential from. */
+export type ActiveAccountSource =
+    | { source: 'stored'; account: OutlineAccount; isDefault: boolean }
+    | { source: 'env' }
+    | { source: 'legacy' }
+    | null
+
+/**
+ * Authoritatively classify the active credential without re-deriving the
+ * cascade from membership heuristics. Mirrors `active()`'s precedence — env
+ * (only when no explicit ref) → stored v2 → legacy snapshot — but reports
+ * *which* branch matched, so `ol account current` can render the right shape.
+ *
+ * The v2 lookup uses the bare keyring store (no legacy fallback) and matches by
+ * `ref`, so a renamed legacy snapshot sharing a UUID with a v2 record can't be
+ * misreported as `stored`: a `--user <old-name>` that the v2 record no longer
+ * matches falls through to the legacy branch.
+ */
+export async function resolveActiveAccountSource(ref?: AccountRef): Promise<ActiveAccountSource> {
+    if (ref === undefined && process.env[TOKEN_ENV_VAR]?.trim()) return { source: 'env' }
+    await ensureMigrated()
+    const stored = await createInnerStore().activeAccount(ref)
+    if (stored) return { source: 'stored', account: stored.account, isDefault: stored.isDefault }
+    const legacy = await readLegacyTokenSnapshot()
+    if (legacy && (ref === undefined || matchOutlineAccount(legacy.account, ref))) {
+        return { source: 'legacy' }
+    }
+    return null
+}
+
+export function createOutlineTokenStore(): OutlineTokenStore {
+    const inner = createInnerStore()
     async function migrationIsInconclusive(): Promise<boolean> {
         const result = await ensureMigrated() // memoised
         return result === null || !migrationIsConclusive(result)
diff --git a/src/lib/skills/content.ts b/src/lib/skills/content.ts
index f4992a2..0db8cb8 100644
--- a/src/lib/skills/content.ts
+++ b/src/lib/skills/content.ts
@@ -14,6 +14,7 @@ Use this skill when the user wants to interact with their Outline wiki/knowledge
 - \`ol doc open <id>\` - Open document in browser
 - \`ol doc create --title "Title" --collection <id>\` - Create document
 - \`ol col list\` - List collections
+- \`ol account\` - List stored accounts; \`ol account use <id|name>\` sets the default
 
 ## Output Formats
 
@@ -88,6 +89,19 @@ ol auth logout                         # Clear saved credentials
 ol auth logout --json | --ndjson       # Machine-readable logout envelope ({ok: true}; --ndjson is silent)
 \`\`\`
 
+### Accounts
+\`\`\`bash
+ol account                             # List stored accounts (default subcommand)
+ol account list                        # List stored accounts, default marked
+ol account list --json | --ndjson      # Machine-readable list ({accounts, default}; --ndjson streams one per line)
+ol account current                     # Show the active account (honours --user and OUTLINE_API_TOKEN)
+ol account current --json | --ndjson   # Discriminated by source: {source:"stored", account:{id, label, teamName, baseUrl, isDefault}} | {source:"env"} | {source:"legacy"}
+ol account use <id|name>               # Set the default account used when --user is omitted
+ol account use <id|name> --json        # Machine-readable envelope ({ok: true, default: <id>}; --ndjson is silent)
+ol account remove <id|name>            # Remove a stored account (clears keyring + config entry)
+ol account remove <id|name> --json     # Machine-readable envelope ({ok: true, removed: <id>}; --ndjson is silent)
+\`\`\`
+
 ### Update & Changelog
 \`\`\`bash
 ol update                        # Update CLI to latest version