diff --git a/.changeset/fix-auth-error-logging.md b/.changeset/fix-auth-error-logging.md
new file mode 100644
index 0000000..d3b1fbf
--- /dev/null
+++ b/.changeset/fix-auth-error-logging.md
@@ -0,0 +1,12 @@
+---
+"@anthropic/gws": patch
+---
+
+Log auth errors to stderr instead of silently swallowing them
+
+Previously, when OAuth authentication failed in the main CLI flow, the error
+was silently discarded and the request proceeded unauthenticated. This caused
+confusing 401/403 responses from the API with no indication of the root cause.
+
+Now prints the original auth error and a hint to stderr, making it clear why
+authentication failed (expired token, missing credentials, wrong account, etc.).
diff --git a/src/main.rs b/src/main.rs
index 4497731..d0bdd65 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -238,7 +238,11 @@ async fn run() -> Result<(), GwsError> {
     // Authenticate: try OAuth, otherwise proceed unauthenticated
     let (token, auth_method) = match auth::get_token(&scopes, account.as_deref()).await {
         Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-        Err(_) => (None, executor::AuthMethod::None),
+        Err(e) => {
+            eprintln!("warning: authentication failed: {e:#}");
+            eprintln!("hint: run `gws auth login` to authenticate, or set GOOGLE_WORKSPACE_CLI_TOKEN or GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE");
+            (None, executor::AuthMethod::None)
+        }
     };
 
     // Execute