From 32b9d57d9218aeac10d081edb00470f65d002add Mon Sep 17 00:00:00 2001
From: Nick Nisi <nick.nisi@workos.com>
Date: Tue, 31 Mar 2026 16:09:08 -0500
Subject: [PATCH] fix: stop reading WORKOS_CLIENT_ID for CLI auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CLI's device auth flow read WORKOS_CLIENT_ID from the environment to
resolve its OAuth client ID. This collides with the same env var that
every WorkOS-integrated app sets for its own client ID, causing 401
errors on `workos auth login` when the user's app client ID lacks the
device_code grant type.

The CLI's auth client ID is a fixed value — hardcode it directly instead
of reading from the environment.
---
 src/commands/debug.ts    | 1 -
 src/commands/login.ts    | 5 -----
 src/lib/run-with-core.ts | 4 ----
 src/lib/settings.ts      | 2 +-
 4 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/src/commands/debug.ts b/src/commands/debug.ts
index 7e9a8a74..c523d402 100644
--- a/src/commands/debug.ts
+++ b/src/commands/debug.ts
@@ -322,7 +322,6 @@ interface EnvVarInfo {
 
 const ENV_VAR_CATALOG: { name: string; effect: string }[] = [
   { name: 'WORKOS_API_KEY', effect: 'Bypasses credential resolution — used directly for API calls' },
-  { name: 'WORKOS_CLIENT_ID', effect: 'Overrides client ID from settings' },
   { name: 'WORKOS_FORCE_TTY', effect: 'Forces human (non-JSON) output mode, even when piped' },
   { name: 'WORKOS_NO_PROMPT', effect: 'Forces non-interactive/JSON mode' },
   { name: 'WORKOS_TELEMETRY', effect: 'Set to "false" to disable telemetry' },
diff --git a/src/commands/login.ts b/src/commands/login.ts
index e1d0efae..0fa7a60d 100644
--- a/src/commands/login.ts
+++ b/src/commands/login.ts
@@ -106,11 +106,6 @@ export async function provisionStagingEnvironment(accessToken: string): Promise<
 export async function runLogin(): Promise<void> {
   const clientId = getCliAuthClientId();
 
-  if (!clientId) {
-    clack.log.error('CLI auth not configured. Set WORKOS_CLI_CLIENT_ID environment variable.');
-    process.exit(1);
-  }
-
   // Check if already logged in with valid token
   if (getAccessToken()) {
     const creds = getCredentials();
diff --git a/src/lib/run-with-core.ts b/src/lib/run-with-core.ts
index e79b7d71..79c106eb 100644
--- a/src/lib/run-with-core.ts
+++ b/src/lib/run-with-core.ts
@@ -329,10 +329,6 @@ export async function runWithCore(options: InstallerOptions): Promise<void> {
         const clientId = getCliAuthClientId();
         const authkitDomain = getAuthkitDomain();
 
-        if (!clientId) {
-          throw new Error('CLI auth not configured. Set WORKOS_CLI_CLIENT_ID environment variable.');
-        }
-
         const deviceAuth = await requestDeviceCode({
           clientId,
           authkitDomain,
diff --git a/src/lib/settings.ts b/src/lib/settings.ts
index b8a320cd..285eec8d 100644
--- a/src/lib/settings.ts
+++ b/src/lib/settings.ts
@@ -60,7 +60,7 @@ export function getConfig(): InstallerConfig {
  * Env var overrides config default.
  */
 export function getCliAuthClientId(): string {
-  return process.env.WORKOS_CLIENT_ID || config.workos.clientId;
+  return config.workos.clientId;
 }
 
 /**