Bug: 401 "No credentials provided" on all API calls after successful gws auth login (Windows, v0.4.4) #220
Description
Description
After running gws auth login successfully (with encrypted credentials saved and account registered as default), all API calls return a 401 error: "Access denied. No credentials provided." This happens consistently across all services (Drive, Gmail, etc.).
Environment
OS: Windows 11
PowerShell: Windows PowerShell 5.1
GWS CLI version: 0.4.4
Node.js: (installed globally via npm)
Authentication: OAuth2 with encrypted credentials (AES-256-GCM)
Steps to Reproduce
Configure OAuth app with client_secret.json
Run authentication with specific scopes:
bashgws auth login --scopes "https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/cloud-platform" --account user@gmail.com
Authentication completes successfully in browser
CLI confirms success:
json{
"account": "user@gmail.com",
"credentials_file": "C:\Users\user\.config\gws\credentials.xxxxx.enc",
"encryption": "AES-256-GCM (key secured by OS Keyring or local .encryption_key)",
"message": "Authentication successful. Encrypted credentials saved.",
"status": "success"
}
Verify account is registered and set as default:
bashgws auth list
json{
"accounts": [
{
"added": "2026-03-05T19:11:38.886028300+00:00",
"email": "user@gmail.com",
"is_default": true
}
],
"count": 1,
"default": "user@gmail.com"
}
Verify auth status shows everything valid:
bashgws auth status
Key fields from status:
encrypted_credentials_exists: true
encryption_valid: true
has_refresh_token: true
token_valid: true
token_cache_exists: false ← potential issue
Attempt any API call:
bashgws drive about get
Expected Behavior
The command should return Drive account information (storage quota, user info, etc.).
Actual Behavior
json{
"error": {
"code": 401,
"message": "Access denied. No credentials provided. Run gws auth login or set GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to an OAuth credentials JSON file.",
"reason": "authError"
}
}
Troubleshooting Already Attempted
All of the following were tried without success:
Re-authenticating multiple times with gws auth login — same result
Exporting credentials with gws auth export — outputs valid JSON with client_id, client_secret, refresh_token, and type: "authorized_user"
Setting environment variable GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE pointing to the exported credentials.json — same 401 error
Writing credentials.json manually using gws auth export output (both with Out-File and [System.IO.File]::WriteAllText to avoid BOM issues) — same 401 error
Setting default account with gws auth default user@gmail.com — confirmed as default but same 401 error
First login attempt without --account flag — resulted in accounts: [] and count: 0, suggesting the account wasn't registered
Analysis
The issue appears to be in the token refresh flow. The CLI:
✅ Successfully completes OAuth flow
✅ Saves encrypted credentials with valid refresh token
✅ Registers account and sets as default
✅ Reports token_valid: true in auth status
❌ Reports token_cache_exists: false — no cached access token
❌ Fails to obtain/use access token when making API requests
The token_cache_exists: false combined with token_valid: true suggests the refresh token exists and is valid, but the CLI is not using it to obtain an access token for API calls.
Workaround
Using the credentials from gws auth export directly with Python (google-auth + google-api-python-client) works correctly, confirming the OAuth credentials themselves are valid.
Files in .config/gws/
Mode LastWriteTime Length Name
d----- 05/03/2026 14:39 cache
-a---- 05/03/2026 15:09 44 .encryption_key
-a---- 05/03/2026 14:37 474 client_secret.json
-a---- 05/03/2026 15:55 334 credentials.enc