From 8408910f2b20fded4aaabf1b8ee173b595b6e751 Mon Sep 17 00:00:00 2001
From: Andrew Barnes <bortstheboat@gmail.com>
Date: Thu, 5 Mar 2026 12:29:37 -0500
Subject: [PATCH 1/2] fix: log auth errors to stderr instead of silently
 discarding

When OAuth authentication fails in the main CLI flow, the error was
silently discarded (`Err(_) => (None, AuthMethod::None)`) and the
request proceeded unauthenticated. Users then received confusing
401/403 API errors with no indication of the actual root cause.

Now prints the original error message and a hint to run
`gws auth login` to stderr, so users immediately understand
why their request failed.
---
 .changeset/fix-auth-error-logging.md | 12 ++++++++++++
 src/main.rs                          |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/fix-auth-error-logging.md

diff --git a/.changeset/fix-auth-error-logging.md b/.changeset/fix-auth-error-logging.md
new file mode 100644
index 0000000..d3b1fbf
--- /dev/null
+++ b/.changeset/fix-auth-error-logging.md
@@ -0,0 +1,12 @@
+---
+"@anthropic/gws": patch
+---
+
+Log auth errors to stderr instead of silently swallowing them
+
+Previously, when OAuth authentication failed in the main CLI flow, the error
+was silently discarded and the request proceeded unauthenticated. This caused
+confusing 401/403 responses from the API with no indication of the root cause.
+
+Now prints the original auth error and a hint to stderr, making it clear why
+authentication failed (expired token, missing credentials, wrong account, etc.).
diff --git a/src/main.rs b/src/main.rs
index 4497731..796f2b7 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -238,7 +238,11 @@ async fn run() -> Result<(), GwsError> {
     // Authenticate: try OAuth, otherwise proceed unauthenticated
     let (token, auth_method) = match auth::get_token(&scopes, account.as_deref()).await {
         Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-        Err(_) => (None, executor::AuthMethod::None),
+        Err(e) => {
+            eprintln!("warning: authentication failed: {e:#}");
+            eprintln!("hint: run `gws auth login` to authenticate, or set GOOGLE_WORKSPACE_CLI_TOKEN");
+            (None, executor::AuthMethod::None)
+        }
     };
 
     // Execute

From f1a09e95b772d3a15515b5e552ad5d79c6f9c1f8 Mon Sep 17 00:00:00 2001
From: Justin Poehnelt <justin.poehnelt@gmail.com>
Date: Thu, 5 Mar 2026 15:10:10 -0800
Subject: [PATCH 2/2] Update src/main.rs

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 src/main.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.rs b/src/main.rs
index 796f2b7..d0bdd65 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -240,7 +240,7 @@ async fn run() -> Result<(), GwsError> {
         Ok(t) => (Some(t), executor::AuthMethod::OAuth),
         Err(e) => {
             eprintln!("warning: authentication failed: {e:#}");
-            eprintln!("hint: run `gws auth login` to authenticate, or set GOOGLE_WORKSPACE_CLI_TOKEN");
+            eprintln!("hint: run `gws auth login` to authenticate, or set GOOGLE_WORKSPACE_CLI_TOKEN or GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE");
             (None, executor::AuthMethod::None)
         }
     };