More token storage options.

Author: stevensJourney

cli/README.md

@@ -7,13 +7,14 @@ CLI for PowerSync
 [![Downloads/week](https://img.shields.io/npm/dw/@powersync/cli.svg)](https://npmjs.org/package/@powersync/cli)
 
 <!-- toc -->
-* [@powersync/cli](#powersynccli)
-* [Overview](#overview)
-* [Cloud](#cloud)
-* [Self-hosted](#self-hosted)
-* [Known Limitations](#known-limitations)
-* [Usage](#usage)
-* [Commands](#commands)
+
+- [@powersync/cli](#powersynccli)
+- [Overview](#overview)
+- [Cloud](#cloud)
+- [Self-hosted](#self-hosted)
+- [Known Limitations](#known-limitations)
+- [Usage](#usage)
+- [Commands](#commands)
 <!-- tocstop -->
 
 # Overview
@@ -34,17 +35,21 @@ The CLI supports **PowerSync Cloud** for creating instances, deploying config, p
 Cloud commands require a PowerSync **personal access token (PAT)**. You can authenticate in two ways:
 
 **1. Interactive login (recommended for local use)**  
-Run **`powersync login`**. You can either open a browser to create a token in the [PowerSync Dashboard](https://dashboard.powersync.com/account/access-tokens/create) or paste an existing token. On **macOS**, the token is stored in Keychain so you don’t need to pass it again. On **Windows and Linux**, secure storage is not yet supported—use the **`TOKEN`** environment variable instead (see below).
+Run **`powersync login`**. You can either open a browser to create a token in the [PowerSync Dashboard](https://dashboard.powersync.com/account/access-tokens/create) or paste an existing token.
+
+- If secure storage is available, the token is saved there (for example, macOS Keychain).
+- If secure storage is unavailable, the CLI asks for confirmation before storing the token in plaintext at **`$XDG_CONFIG_HOME/powersync/config.yaml`** (or **`~/.config/powersync/config.yaml`** when `XDG_CONFIG_HOME` is unset).
+- If you decline, login exits without storing a token.
 
-**2. Environment variable (CI, scripts, or when not using macOS)**  
+**2. Environment variable (CI, scripts, or non-persistent use)**  
 Set **`TOKEN`** to your PAT. The CLI uses **`TOKEN`** when set; otherwise it uses the token from **`powersync login`**. Example:
 
 ```sh
 export TOKEN=your-personal-access-token
 powersync fetch instances --project-id=<project-id>
 ```
 
-To stop using stored credentials, run **`powersync logout`**.
+To stop using stored credentials, run **`powersync logout`**. This clears the stored token from the active backend (secure storage or config-file fallback).
 
 ## Creating a new instance
 
@@ -99,7 +104,7 @@ The CLI can run a subset of commands against **self-hosted** PowerSync instances
 For any self-hosted instance (local or remote), you must link the running API to the CLI and configure an API key. On the **server** (your PowerSync instance config), define the tokens that are valid in **`service.yaml`**:
 
 ```yaml
-  # powersync/service.yaml (self-hosted instance config)
+# powersync/service.yaml (self-hosted instance config)
 api:
   tokens:
     - dev-token-do-not-use-in-production # or use !env MY_API_TOKEN for secrets
@@ -108,7 +113,7 @@ api:
 Then tell the CLI which token to use when running commands. Run **`powersync link self-hosted --api-url <url>`** to write **`cli.yaml`** with the API URL, and either set the **`TOKEN`** environment variable or set **`api_key`** in **`cli.yaml`**:
 
 ```yaml
-  # powersync/cli.yaml (self-hosted)
+# powersync/cli.yaml (self-hosted)
 type: self-hosted
 api_url: https://powersync.example.com
 api_key: !env TOKEN # or a literal value matching one of the tokens in service.yaml
@@ -139,11 +144,12 @@ Only some CLI commands work with self-hosted instances. Supported commands inclu
 
 # Known Limitations
 
-- **Login secure storage**: Secure storage for auth tokens is only supported on macOS (via Keychain). On Windows and Linux, `powersync login` will not persist credentials; use the `TOKEN` environment variable instead for Cloud commands.
+- **Plaintext fallback storage**: When secure storage is unavailable, login can store the token in plaintext config (`$XDG_CONFIG_HOME/powersync/config.yaml` or `~/.config/powersync/config.yaml`) only after explicit confirmation.
 
 # Usage
 
 <!-- usage -->
+
 ```sh-session
 $ npm install -g @powersync/cli
 $ powersync COMMAND
@@ -155,51 +161,53 @@ USAGE
   $ powersync COMMAND
 ...
 ```
+
 <!-- usagestop -->
 
 # Commands
 
 <!-- commands -->
-* [`powersync deploy`](#powersync-deploy)
-* [`powersync destroy`](#powersync-destroy)
-* [`powersync docker`](#powersync-docker)
-* [`powersync docker configure`](#powersync-docker-configure)
-* [`powersync docker reset`](#powersync-docker-reset)
-* [`powersync docker start`](#powersync-docker-start)
-* [`powersync docker stop`](#powersync-docker-stop)
-* [`powersync fetch`](#powersync-fetch)
-* [`powersync fetch config`](#powersync-fetch-config)
-* [`powersync fetch instances`](#powersync-fetch-instances)
-* [`powersync fetch status`](#powersync-fetch-status)
-* [`powersync generate`](#powersync-generate)
-* [`powersync generate schema`](#powersync-generate-schema)
-* [`powersync generate token`](#powersync-generate-token)
-* [`powersync help [COMMAND]`](#powersync-help-command)
-* [`powersync init`](#powersync-init)
-* [`powersync init base`](#powersync-init-base)
-* [`powersync init cloud`](#powersync-init-cloud)
-* [`powersync init self-hosted`](#powersync-init-self-hosted)
-* [`powersync link`](#powersync-link)
-* [`powersync link cloud`](#powersync-link-cloud)
-* [`powersync link self-hosted`](#powersync-link-self-hosted)
-* [`powersync login`](#powersync-login)
-* [`powersync logout`](#powersync-logout)
-* [`powersync migrate`](#powersync-migrate)
-* [`powersync plugins`](#powersync-plugins)
-* [`powersync plugins add PLUGIN`](#powersync-plugins-add-plugin)
-* [`powersync plugins:inspect PLUGIN...`](#powersync-pluginsinspect-plugin)
-* [`powersync plugins install PLUGIN`](#powersync-plugins-install-plugin)
-* [`powersync plugins link PATH`](#powersync-plugins-link-path)
-* [`powersync plugins remove [PLUGIN]`](#powersync-plugins-remove-plugin)
-* [`powersync plugins reset`](#powersync-plugins-reset)
-* [`powersync plugins uninstall [PLUGIN]`](#powersync-plugins-uninstall-plugin)
-* [`powersync plugins unlink [PLUGIN]`](#powersync-plugins-unlink-plugin)
-* [`powersync plugins update`](#powersync-plugins-update)
-* [`powersync pull`](#powersync-pull)
-* [`powersync pull config`](#powersync-pull-config)
-* [`powersync pull instance`](#powersync-pull-instance)
-* [`powersync stop`](#powersync-stop)
-* [`powersync validate`](#powersync-validate)
+
+- [`powersync deploy`](#powersync-deploy)
+- [`powersync destroy`](#powersync-destroy)
+- [`powersync docker`](#powersync-docker)
+- [`powersync docker configure`](#powersync-docker-configure)
+- [`powersync docker reset`](#powersync-docker-reset)
+- [`powersync docker start`](#powersync-docker-start)
+- [`powersync docker stop`](#powersync-docker-stop)
+- [`powersync fetch`](#powersync-fetch)
+- [`powersync fetch config`](#powersync-fetch-config)
+- [`powersync fetch instances`](#powersync-fetch-instances)
+- [`powersync fetch status`](#powersync-fetch-status)
+- [`powersync generate`](#powersync-generate)
+- [`powersync generate schema`](#powersync-generate-schema)
+- [`powersync generate token`](#powersync-generate-token)
+- [`powersync help [COMMAND]`](#powersync-help-command)
+- [`powersync init`](#powersync-init)
+- [`powersync init base`](#powersync-init-base)
+- [`powersync init cloud`](#powersync-init-cloud)
+- [`powersync init self-hosted`](#powersync-init-self-hosted)
+- [`powersync link`](#powersync-link)
+- [`powersync link cloud`](#powersync-link-cloud)
+- [`powersync link self-hosted`](#powersync-link-self-hosted)
+- [`powersync login`](#powersync-login)
+- [`powersync logout`](#powersync-logout)
+- [`powersync migrate`](#powersync-migrate)
+- [`powersync plugins`](#powersync-plugins)
+- [`powersync plugins add PLUGIN`](#powersync-plugins-add-plugin)
+- [`powersync plugins:inspect PLUGIN...`](#powersync-pluginsinspect-plugin)
+- [`powersync plugins install PLUGIN`](#powersync-plugins-install-plugin)
+- [`powersync plugins link PATH`](#powersync-plugins-link-path)
+- [`powersync plugins remove [PLUGIN]`](#powersync-plugins-remove-plugin)
+- [`powersync plugins reset`](#powersync-plugins-reset)
+- [`powersync plugins uninstall [PLUGIN]`](#powersync-plugins-uninstall-plugin)
+- [`powersync plugins unlink [PLUGIN]`](#powersync-plugins-unlink-plugin)
+- [`powersync plugins update`](#powersync-plugins-update)
+- [`powersync pull`](#powersync-pull)
+- [`powersync pull config`](#powersync-pull-config)
+- [`powersync pull instance`](#powersync-pull-instance)
+- [`powersync stop`](#powersync-stop)
+- [`powersync validate`](#powersync-validate)
 
 ## `powersync deploy`
 
@@ -1233,4 +1241,5 @@ DESCRIPTION
 ```
 
 _See code: [src/commands/validate.ts](https://github.com/powersync-ja/powersync-js/blob/v0.0.0/src/commands/validate.ts)_
+
 <!-- commandsstop -->

cli/src/commands/login.ts

@@ -5,19 +5,25 @@ import { startPATLoginServer } from '../api/login-server.js';
 
 export default class Login extends PowerSyncCommand {
   static description =
-    'Store a PowerSync auth token (PAT) in secure storage so later Cloud commands run without passing a token. Use TOKEN env var for CI or scripts instead.';
-  static summary = 'Store auth token in secure storage for Cloud commands.';
+    'Store a PowerSync auth token (PAT) in secure storage so later Cloud commands run without passing a token. If secure storage is unavailable, login can optionally store it in a local config file. Use TOKEN env var for CI or scripts instead.';
+  static summary = 'Store auth token for Cloud commands.';
 
   async run(): Promise<void> {
     this.parse(Login);
 
     const { authentication, storage } = Services;
+    const shouldUseInsecureStorage =
+      !storage.capabilities.supportsSecureStorage &&
+      (await confirm({
+        message: `Keychain storage is unavailable on this platform. Store token in plaintext at ${storage.insecureStoragePath}? Set the ${ux.colorize('blue', 'TOKEN')} environment variable instead to avoid this.`,
+        default: false
+      }));
 
-    if (!storage.capabilities.supportsSecureStorage) {
-      this.styledError({
-        message: 'Secure storage is not yet supported on this platform.',
-        suggestions: [`Export and use the ${ux.colorize('blue', 'TOKEN')} environment variable for commands.`]
-      });
+    if (!storage.capabilities.supportsSecureStorage && !shouldUseInsecureStorage) {
+      this.log(
+        `Login cancelled. Use ${ux.colorize('blue', 'TOKEN')} environment variable for commands, or rerun login and allow local fallback storage.`
+      );
+      this.exit(0);
     }
 
     const listOrgs = async (): Promise<string> => {

cli/src/commands/logout.ts

@@ -4,8 +4,8 @@ import { PowerSyncCommand, Services } from '@powersync/cli-core';
 
 export default class Logout extends PowerSyncCommand {
   static description =
-    'Remove the stored PowerSync auth token from secure storage. Cloud commands will no longer use stored credentials until you run login again.';
-  static summary = 'Remove stored auth token from secure storage.';
+    'Remove the stored PowerSync auth token from secure storage or local fallback config storage. Cloud commands will no longer use stored credentials until you run login again.';
+  static summary = 'Remove stored auth token.';
 
   async run(): Promise<void> {
     const { authentication } = Services;

docs/usage.md

@@ -76,7 +76,7 @@ The sections below split usage by **Cloud** and **Self-hosted**, then provide re
 
 # Cloud usage
 
-Authentication is usually the first step. Use `powersync login` to store a token in secure storage (e.g. macOS Keychain), or set the `TOKEN` environment variable if you prefer not to persist the token. See [Authentication (Tokens)](#authentication-tokens) for details.
+Authentication is usually the first step. Use `powersync login` to store a token, or set the `TOKEN` environment variable. Storage behavior depends on platform capabilities and your login choice; see [Authentication (Tokens)](#authentication-tokens) for details.
 
 ## Creating a new Cloud instance
 
@@ -157,10 +157,13 @@ Use `--api-url` with link file or `API_URL` and `TOKEN` when you prefer not to l
 
 # Authentication (Tokens)
 
-Cloud commands need an auth token (e.g. a PowerSync PAT). You can supply it in two ways; the CLI uses the first that is available:
+Cloud commands need an auth token (e.g. a PowerSync PAT). The CLI uses the first available source:
 
 1. **Environment variable** — `TOKEN`
-2. **Stored via login** — token saved by `powersync login` (secure storage, e.g. macOS Keychain)
+2. **Stored via login**
+
+- **Secure storage** when available (for example, macOS Keychain)
+- **Config-file fallback** when secure storage is unavailable **and** you explicitly confirm at login
 
 **Environment variable** — useful for CI, scripts, or one-off runs:
 
@@ -175,7 +178,7 @@ Inline:
 TOKEN=your-token-here powersync fetch config --output=json
 ```
 
-**Stored via login** — convenient for local use; token is stored securely and reused:
+**Stored via login** — convenient for local use; token is reused by later commands:
 
 ```bash
 powersync login
@@ -184,7 +187,17 @@ powersync login
 powersync fetch config
 ```
 
-Login is supported on macOS (other platforms coming soon). If you use another platform or prefer not to store the token, set `TOKEN` in the environment instead.
+If secure storage is not available, `powersync login` asks whether to store the token in plaintext at:
+
+```bash
+$XDG_CONFIG_HOME/powersync/config.yaml
+# or, when XDG_CONFIG_HOME is not set:
+~/.config/powersync/config.yaml
+```
+
+If you decline this prompt, login exits without storing a token. Use `TOKEN` in that case.
+
+`powersync logout` removes the stored token from whichever backend is active (secure storage or config-file fallback).
 
 # Supplying Linking Information for Cloud and Self-Hosted Commands
 

packages/cli-core/src/clients/CloudClient.ts

@@ -24,7 +24,7 @@ export function createCloudClient(): PowerSyncManagementClient {
         const token = env.TOKEN || (await Services.authentication.getToken());
         if (!token) {
           throw new Error(
-            `Not logged in. Run ${ux.colorize('blue', 'powersync login')} to authenticate (you will be prompted for your token). Login is supported on macOS (other platforms coming soon), or provide the ${ux.colorize('blue', 'TOKEN')} environment variable.`
+            `Not logged in. Run ${ux.colorize('blue', 'powersync login')} to authenticate (you will be prompted for your token), or provide the ${ux.colorize('blue', 'TOKEN')} environment variable.`
           );
         }
         return {

packages/cli-core/src/clients/accounts-client.ts

@@ -65,7 +65,7 @@ export async function createAccountsHubClient(): Promise<AccountsHubClientSDKCli
   const token = env.TOKEN || (await authentication.getToken());
   if (!token) {
     throw new Error(
-      `Not logged in. Run ${ux.colorize('blue', 'powersync login')} to authenticate (you will be prompted for your token). Login is supported on macOS (other platforms coming soon), or provide the ${ux.colorize('blue', 'TOKEN')} environment variable.`
+      `Not logged in. Run ${ux.colorize('blue', 'powersync login')} to authenticate (you will be prompted for your token), or provide the ${ux.colorize('blue', 'TOKEN')} environment variable.`
     );
   }
   return new AccountsHubClientSDKClient({

packages/cli-core/src/services/authentication/AuthenticationServiceImpl.ts

@@ -1,4 +1,3 @@
-import { env } from '../../utils/env.js';
 import { StorageService } from '../storage/StorageService.js';
 import { AuthenticationService } from './AuthenticationService.js';
 
@@ -9,36 +8,50 @@ export type AuthenticationServiceImplOptions = {
 const TOKEN_KEY = 'auth-token';
 
 export class AuthenticationServiceImpl implements AuthenticationService {
-  protected storage: StorageService | null;
+  protected storage: StorageService;
 
   constructor(options: AuthenticationServiceImplOptions) {
-    const storageService = options.storage;
-    // Fallback to internal storage if secure storage is not supported
-    if (storageService.capabilities.supportsSecureStorage) {
-      this.storage = storageService;
-    } else {
-      this.storage = null;
-    }
+    this.storage = options.storage;
   }
 
   async getToken(): Promise<string | null> {
-    if (!this.storage) {
-      return env.TOKEN || null;
+    if (this.storage.capabilities.supportsSecureStorage) {
+      return this.storage.secureStorage.getItem(TOKEN_KEY);
     }
-    return this.storage.secureStorage.getItem(TOKEN_KEY);
+
+    const config = await this.storage.getInsecureConfig();
+    return config.auth?.token ?? null;
   }
 
   async setToken(token: string): Promise<void> {
-    if (!this.storage) {
-      throw new Error('Secure storage is not supported on this platform.');
+    if (this.storage.capabilities.supportsSecureStorage) {
+      await this.storage.secureStorage.setItem(TOKEN_KEY, token);
+      return;
     }
-    await this.storage.secureStorage.setItem(TOKEN_KEY, token);
+
+    const config = await this.storage.getInsecureConfig();
+    config.auth = {
+      ...(config.auth ?? {}),
+      token
+    };
+    await this.storage.updateInsecureConfig(config);
   }
 
   async deleteToken(): Promise<void> {
-    if (!this.storage) {
-      throw new Error('Secure storage is not supported on this platform.');
+    if (this.storage.capabilities.supportsSecureStorage) {
+      await this.storage.secureStorage.removeItem(TOKEN_KEY);
+      return;
+    }
+
+    const config = await this.storage.getInsecureConfig();
+    if (!config.auth || typeof config.auth.token === 'undefined') {
+      return;
+    }
+
+    delete config.auth.token;
+    if (Object.keys(config.auth).length === 0) {
+      delete config.auth;
     }
-    await this.storage.secureStorage.removeItem(TOKEN_KEY);
+    await this.storage.updateInsecureConfig(config);
   }
 }