Skip to content

feat(auth): treat APIFY_TOKEN env var as authenticated in non-interactive contexts#1246

Draft
DaveHanns wants to merge 1 commit into
masterfrom
auth-promote-apify-token-env
Draft

feat(auth): treat APIFY_TOKEN env var as authenticated in non-interactive contexts#1246
DaveHanns wants to merge 1 commit into
masterfrom
auth-promote-apify-token-env

Conversation

@DaveHanns

Copy link
Copy Markdown
Contributor

Summary

When APIFY_TOKEN is exported in the environment, treat commands as authenticated without requiring a prior apify login.

  • resolveToken() in src/lib/utils.ts now returns process.env.APIFY_TOKEN before falling through to the keyring / auth.json path.
  • getLoggedClientOrThrow() gives a differentiated error message when a token is present in env but the API rejected it (vs. no token at all).

Why

Agent harnesses and CI runners typically ship an APIFY_TOKEN via env. Today, apify push, apify call, apify info, etc. still demand a prior apify login, so the first command fails with an auth prompt and agents confabulate apify login --token $APIFY_TOKEN invocations. This aligns the CLI with the Apify SDK's env-first behavior and removes ~5% of first-run failures we've seen across eval scenarios.

Behavior

Situation Before After
apify login run, no env var works works (unchanged)
apify login run + env var set uses stored token uses env token (env wins)
No login, env var set fails: "not logged in" works
No login, no env var fails: "not logged in" fails, hint mentions APIFY_TOKEN
Invalid env var fails: "not logged in" fails: "APIFY_TOKEN set but invalid"

Test plan

  • Unit: resolveToken() returns env token when set, existing token when passed, stored token when neither.
  • Integration: with APIFY_TOKEN=<valid> and no auth.json, apify info and apify push succeed.
  • Integration: with APIFY_TOKEN=<invalid>, error message points at the env var.
  • Regression: interactive apify login flow still works and its token is used when APIFY_TOKEN is unset.

When APIFY_TOKEN is exported in the environment, resolveToken() now
returns it directly, so any command that calls the API works without
a prior `apify login`. This matches the Apify SDK behavior and removes
the biggest bootstrap friction for agents and CI: they ship a token
via env and would previously hit a "you are not logged in" wall on
the first command.

Also improves the MissingAuth error message: if APIFY_TOKEN is set
but the API rejected it, the hint now says so instead of telling the
user to `apify login`.

No change for interactive users who ran `apify login` — the on-disk
token path is unchanged when APIFY_TOKEN is not set.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants