Accept OATs in the mcp auth flow

myftija · myftija · commit f60d4b521bcb · 2025-08-27T10:51:16.000+02:00
diff --git a/packages/cli-v3/src/mcp/auth.ts b/packages/cli-v3/src/mcp/auth.ts
@@ -3,10 +3,7 @@ import { env } from "std-env";
 import { CliApiClient } from "../apiClient.js";
 import { CLOUD_API_URL } from "../consts.js";
 import { readAuthConfigProfile, writeAuthConfigProfile } from "../utilities/configFiles.js";
-import {
-  isPersonalAccessToken,
-  NotPersonalAccessTokenError,
-} from "../utilities/isPersonalAccessToken.js";
+import { NotAccessTokenError, validateAccessToken } from "../utilities/accessTokens.js";
 import { LoginResult, LoginResultOk } from "../utilities/session.js";
 import { getPersonalAccessToken } from "../commands/login.js";
 import open from "open";
@@ -30,8 +27,12 @@ export async function mcpAuth(options: McpAuthOptions): Promise<LoginResult> {
   const accessTokenFromEnv = env.TRIGGER_ACCESS_TOKEN;
 
   if (accessTokenFromEnv) {
-    if (!isPersonalAccessToken(accessTokenFromEnv)) {
-      throw new NotPersonalAccessTokenError(
+    const validationResult = validateAccessToken(accessTokenFromEnv);
+
+    if (!validationResult.success) {
+      // We deliberately don't surface the existence of organization access tokens to the user for now, as they're only used internally.
+      // Once we expose them in the application, we should also communicate that option here.
+      throw new NotAccessTokenError(
         "Your TRIGGER_ACCESS_TOKEN is not a Personal Access Token, they start with 'tr_pat_'. You can generate one here: https://cloud.trigger.dev/account/tokens"
       );
     }
@@ -57,6 +58,7 @@ export async function mcpAuth(options: McpAuthOptions): Promise<LoginResult> {
       auth: {
         accessToken: auth.accessToken,
         apiUrl: auth.apiUrl,
+        tokenType: validationResult.type,
       },
     };
   }
@@ -83,6 +85,7 @@ export async function mcpAuth(options: McpAuthOptions): Promise<LoginResult> {
       auth: {
         accessToken: authConfig.accessToken,
         apiUrl: authConfig.apiUrl ?? opts.defaultApiUrl,
+        tokenType: "personal" as const,
       },
     };
   }
@@ -148,6 +151,7 @@ export async function mcpAuth(options: McpAuthOptions): Promise<LoginResult> {
     auth: {
       accessToken: indexResult.token,
       apiUrl: opts.defaultApiUrl,
+      tokenType: "personal" as const,
     },
   };
 }
