Bug
After running gws auth login to authenticate with a different Google account than the previously logged-in one, ~/.config/gws/credentials.enc is correctly overwritten with the new account's credentials, but ~/.config/gws/token_cache.json retains the old account's access token.
This causes all subsequent API calls to use the old account's token (until it expires ~1h later), even though gws auth status reports the new account as active.
Repro
# Account 1
gws auth login # browser → select account-A@example.com
gws auth status # user: account-A@example.com ✓
gws gmail users getProfile --params '{"userId":"me"}' # emailAddress: account-A@example.com ✓
# Account 2 (re-login)
gws auth login # browser → select account-B@example.com
gws auth status # user: account-B@example.com ✓ (correct)
gws gmail users getProfile --params '{"userId":"me"}' # emailAddress: account-A@example.com ✗ (still old account!)
gws drive files list --params '{"pageSize":3}' # owners: account-A@example.com ✗
# Workaround: manually clear the token cache
rm ~/.config/gws/token_cache.json
gws gmail users getProfile --params '{"userId":"me"}' # emailAddress: account-B@example.com ✓
Expected
gws auth login should invalidate (or remove) ~/.config/gws/token_cache.json whenever the encrypted credentials in credentials.enc change to a different account. Otherwise the cached access token from the previous account masks the new credentials until it expires.
Environment
- gws version: 0.22.5
- macOS 26.4.1 (arm64, Apple Silicon)
- Install: Homebrew (brew install googleworkspace-cli)
- Keyring backend: keyring (default macOS Keychain)
Suggested fix
In the auth login command path, after writing credentials.enc, either:
- Remove token_cache.json if it exists, OR
- Compare the new account email against the cached token's identity and invalidate the cache on mismatch.
Side note (related but separate)
While we're here — multi-account workflow appears unsupported in 0.22.5:
- gws auth login has no --account flag
- gws auth list does not exist
- gws --account <email> flag mentioned in some docs/runbooks isn't recognized
The current model is single-credential (one account at a time, with re-login required to switch). If multi-account is on the roadmap, this token-cache bug should be fixed regardless, since the single-credential workflow itself stumbles on it.
Contact
Filed by gabor.kosa@tewelon.at — happy to provide further repro details or test patches.
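
A user-side guard in the spirit of the second suggested fix, as an added example that is not part of the issue or of gws: it compares the account `gws auth status` reports with the account the API actually answers for, and clears `token_cache.json` on mismatch. It assumes both commands print the `user` and `emailAddress` fields as shown in the repro; `GWS` and `GWS_CONFIG_DIR` are hypothetical override variables introduced here.

```sh
#!/bin/sh
# Added example, not part of gws. Assumes the output shapes shown in the repro:
# `gws auth status` has a "user" field, getProfile has an "emailAddress" field.
GWS="${GWS:-gws}"                                   # hypothetical override, for testing
GWS_CONFIG_DIR="${GWS_CONFIG_DIR:-$HOME/.config/gws}"

# Print, lower-cased, the first e-mail address on a line mentioning field $1.
_field_email() {
    grep -i -- "$1" \
        | grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Account the CLI claims is active.
gws_status_identity() { "$GWS" auth status 2>/dev/null | _field_email user; }

# Account the access token in use really belongs to.
gws_token_identity() {
    "$GWS" gmail users getProfile --params '{"userId":"me"}' 2>/dev/null \
        | _field_email emailAddress
}

# 0 = identities agree, 1 = stale cache removed and now agree,
# 2 = identity could not be read, 3 = still mismatched after clearing.
gws_check_identity() {
    _want=$(gws_status_identity)
    _have=$(gws_token_identity)
    if [ -z "$_want" ] || [ -z "$_have" ]; then
        echo "gws: could not read account identity" >&2
        return 2
    fi
    if [ "$_want" = "$_have" ]; then
        return 0
    fi
    echo "gws: status says $_want but API calls run as $_have; clearing token cache" >&2
    rm -f -- "$GWS_CONFIG_DIR/token_cache.json"
    _have=$(gws_token_identity)
    if [ "$_want" = "$_have" ]; then
        return 1
    fi
    echo "gws: still running as $_have after clearing the cache" >&2
    return 3
}
```

Scripts that write to Gmail or Drive can call `gws_check_identity` first and treat return codes 2 and 3 as fatal, so that nothing runs against the previous account.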