401: Failed to parse authorized user credentials on all API calls after successful gws auth login (v0.4.3, macOS)

[raludi]

Description

After a successful gws auth login, all API calls fail with:

{
"error": {
"code": 401,
"message": "Gmail auth failed: Failed to parse authorized user credentials",
"reason": "authError"
}
}

Environment

• gws version: 0.4.3
• OS: macOS (Darwin 25.3.0)
• Encryption: AES-256-GCM with local .encryption_key

Steps to Reproduce

1. gws auth setup → success
2. gws auth login → completes OAuth flow, saves credentials.enc
3. gws auth status → shows token_valid: true, correct scopes, encryption_valid: true
4. gws gmail +triage → fails with 401
5. gws gmail users messages list --params '{"userId": "me"}' → also fails with 401

Investigation

• gws auth export works and shows (masked) credentials — confirming the encrypted file can be decrypted.
• Manually decrypting credentials.enc using the .encryption_key with Node.js crypto.createDecipheriv('aes-256-gcm', ...) produces valid JSON with all fields (client_id, client_secret, refresh_token, type).
• Exchanging the decrypted refresh_token for an access token via curl to https://oauth2.googleapis.com/token succeeds.
• Using GOOGLE_WORKSPACE_CLI_TOKEN=<access_token> gws gmail +triage works correctly.

This confirms the credentials are valid but gws fails to parse them during API call authentication, despite successfully decrypting them during auth export and auth status.

Attempted Workarounds

• Deleted .encryption_key + credentials.enc and re-ran gws auth login → same error
• Exported credentials to a plain JSON file and set GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE → fails with Failed to get token
• Setting GOOGLE_WORKSPACE_CLI_TOKEN with a manually obtained access token → works (but tokens expire after 1 hour)

[bino98]

The same thing is happening.

[mariusCatalin]

same on my side: Debian 13 (trixie) Raspberry Pi 4B, kernel 6.12.62+rpt-rpi-v8 (aarch64).

gws version: 0.4.3

[srgfrancisco]

Update: My previous comment was wrong. --account alone does not fix the issue. After deeper investigation, here's the full picture:

Environment

• gws version: 0.4.4 (latest as of today)
• OS: macOS Darwin 25.3.0, Apple Silicon
• Installed via: brew install googleworkspace/tap/gws

Problem

gws auth login --account my@email.com completes the OAuth flow successfully and reports:

{
  "credentials_file": "~/.config/gws/credentials.<base64-account>.enc",
  "encryption": "AES-256-GCM (key secured by OS Keyring or local .encryption_key)",
  "message": "Authentication successful. Encrypted credentials saved.",
  "status": "success"
}

But every subsequent command fails with:

{
  "code": 401,
  "message": "Access denied. No credentials provided.",
  "reason": "authError"
}

gws auth status shows "auth_method": "none" and "storage": "none", meaning the CLI does not detect the encrypted credentials it just wrote.

Investigation

• The .encryption_key file exists in ~/.config/gws/ and is valid (32 bytes, base64-encoded).
• The .enc file is valid AES-256-GCM ciphertext (12-byte nonce + ciphertext + 16-byte auth tag).
• Manually decrypting with Node.js crypto.createDecipheriv('aes-256-gcm', ...) produces valid JSON with client_id, client_secret, refresh_token, and type: "authorized_user".
• The refresh token is valid. Exchanging it via curl to https://oauth2.googleapis.com/token returns a working access token.

Conclusion: The credentials and encryption are fine. The bug is in the credential reading path. gws writes encrypted credentials successfully but fails to read them back.

Workaround

Decrypt the .enc file and save it as plain-text credentials.json, which gws auto-detects:

node -e "
const c=require('crypto'),f=require('fs'),p=require('path');
const d=p.join(require('os').homedir(),'.config','gws');
const k=Buffer.from(f.readFileSync(p.join(d,'.encryption_key'),'utf8').trim(),'base64');
const enc=f.readdirSync(d).find(x=>x.endsWith('.enc'));
const data=f.readFileSync(p.join(d,enc));
const dc=c.createDecipheriv('aes-256-gcm',k,data.slice(0,12));
dc.setAuthTag(data.slice(-16));
let o=dc.update(data.slice(12,-16),null,'utf8')+dc.final('utf8');
f.writeFileSync(p.join(d,'credentials.json'),o,{mode:0o600});
console.log('Done: credentials.json written');
"

After this, all gws commands work without any env vars or flags — the CLI picks up credentials.json automatically.

What should be fixed

The encrypted credential read path is broken. It writes .enc files correctly but cannot read them back, despite the .encryption_key being present and valid. This affects v0.3.4 (#137), v0.4.3 (this issue), and v0.4.4 (my case), across macOS, Linux (comment above by @mariusCatalin), and Windows (#156).