Bug
cio auth status reports the account_id from ~/.cio/config.json even when CIO_TOKEN env var is set with a token from a different account. The actual API calls correctly use the env-var token (so the bug is purely in the status display, not in auth dispatch), but it makes debugging cross-account setups very confusing — a user can be looking at account_id: A in auth status while every API call goes to account B.
Reproduction
cio auth login --with-token with a token for account A (cached to ~/.cio/config.json with account_id A).export CIO_TOKEN=<token-for-account-B> where B ≠ A.cio auth status reports:
account_id: A — wrong, that's from the cached configtoken: <last 4 chars match token B> — correct, matches env vartoken_source: environment — correct, confirms env var is being used
cio api /v1/accounts/B succeeds — confirms API dispatch uses the env-var token correctly.cio api /v1/accounts/A succeeds too if token B has access to A, but account.email returns B's email — confirming the active principal is B, not A.
After cio auth logout followed by echo \$CIO_TOKEN | cio auth login --with-token, the cached config is rewritten with the correct account_id and cio auth status then reports correctly.
Expected behavior
When token_source: environment, cio auth status should derive account_id from the env-var token (e.g., decode the JWT after exchange, or call a self-introspection endpoint) rather than reading it from the cached config — or at minimum surface a warning that the env-var token may belong to a different account than the displayed account_id.
Context
Discovered while working with two service-account tokens in parallel (a global one in ~/.cio/config.json and a project-scoped one piped in via CIO_TOKEN from .dev.vars). The display mismatch was very confusing — I spent a while convinced the wrong token was being used before realizing API calls were going to the right account all along.
Environment
@customerio/cli 0.0.4 (installed via npm i -g @customerio/cli)- macOS (Darwin 25.4.0)
Bug
cio auth statusreports theaccount_idfrom~/.cio/config.jsoneven whenCIO_TOKENenv var is set with a token from a different account. The actual API calls correctly use the env-var token (so the bug is purely in the status display, not in auth dispatch), but it makes debugging cross-account setups very confusing — a user can be looking ataccount_id: Ainauth statuswhile every API call goes to account B.Reproduction
cio auth login --with-tokenwith a token for account A (cached to~/.cio/config.jsonwithaccount_idA).export CIO_TOKEN=<token-for-account-B>where B ≠ A.cio auth statusreports:account_id: A— wrong, that's from the cached configtoken: <last 4 chars match token B>— correct, matches env vartoken_source: environment— correct, confirms env var is being usedcio api /v1/accounts/Bsucceeds — confirms API dispatch uses the env-var token correctly.cio api /v1/accounts/Asucceeds too if token B has access to A, butaccount.emailreturns B's email — confirming the active principal is B, not A.After
cio auth logoutfollowed byecho \$CIO_TOKEN | cio auth login --with-token, the cached config is rewritten with the correctaccount_idandcio auth statusthen reports correctly.Expected behavior
When
token_source: environment,cio auth statusshould deriveaccount_idfrom the env-var token (e.g., decode the JWT after exchange, or call a self-introspection endpoint) rather than reading it from the cached config — or at minimum surface a warning that the env-var token may belong to a different account than the displayedaccount_id.Context
Discovered while working with two service-account tokens in parallel (a global one in
~/.cio/config.jsonand a project-scoped one piped in viaCIO_TOKENfrom.dev.vars). The display mismatch was very confusing — I spent a while convinced the wrong token was being used before realizing API calls were going to the right account all along.Environment
@customerio/cli0.0.4 (installed vianpm i -g @customerio/cli)