feat: gws auth status command to display current auth state #416
Description
Hey all,
A gws auth status command that shows the current authentication state at a glance, which account is active, what scopes are granted, whether the token is valid/expired, and credential storage details.
Auth is the a big source of friction in this project (see #197, #205, #187, #188, #236, #232). Almost every auth-related issue follows the same debugging pattern: the user doesn't know which account is active, which scopes were actually granted, or whether their token has expired. Right now the only way to find out is to make an API call and see if it fails.
A dedicated status command would:
- Give users a single command to run before filing auth bugs ("please paste the output of
gws auth status") - Help multi-account users (
--accountflag from Bug: Gmail skills (+triage, +send) ignore --account flag and GOOGLE_WORKSPACE_CLI_ACCOUNT env var #248) confirm which account is active - Surface scope mismatches early (e.g. gws auth login -s chat does not request Chat API OAuth scope #236 where Chat scopes weren't requested)
- Make it obvious when tokens have expired vs. when the issue is something else
Proposed behavior
$ gws auth status
Account: user@example.com
Auth method: OAuth (user credentials)
Token status: Valid (expires in 47m)
Scopes: gmail.readonly, drive, calendar (12 total)
Credential store: OS keyring
Config path: ~/.config/gws/credentials/user@example.com.enc
Possible flags:
--jsonfor structured output (consistent with the rest of the CLI)--scopesto list all granted scopes individually--account <email>to check a specific account rather than the active one
When no credentials are found:
$ gws auth status
No credentials found. Run `gws auth login` to authenticate.
Additional context
This would also be useful for AI agents — an agent could call gws auth status --json before attempting any API call to verify it has the right scopes, rather than failing mid-workflow.
Thank you,
Michael.