Encrypted credentials fail to authenticate; exported plaintext credentials work

[SantiPandal]

Bug

After running gws auth login, all API calls fail with:

{
  "error": {
    "code": 401,
    "message": "Access denied. No credentials provided.",
    "reason": "authError"
  }
}

However, gws auth status reports everything is valid:

• token_valid: true
• has_refresh_token: true
• encryption_valid: true
• storage: encrypted
• All scopes present

Reproduction

1. gws auth login (select scopes, complete OAuth flow — succeeds)
2. gws auth status (shows valid credentials)
3. gws calendar +agenda → 401 authError
4. gws auth export --unmasked > creds.json
5. GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=creds.json gws calendar +agenda → works

Environment

• macOS (Darwin 25.3.0, Mac mini)
• gws installed via npm
• Encryption key stored at ~/.config/gws/.encryption_key (keyring backend: file)
• Encrypted credentials exist at ~/.config/gws/credentials.enc

Workaround

Export credentials to plaintext and point the env var at them:

gws auth export --unmasked > ~/.config/gws/credentials_plain.json
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE="$HOME/.config/gws/credentials_plain.json"

Notes

The encrypted credentials file exists and gws auth status correctly reads it, but actual API calls seem unable to decrypt/use them. Possibly a keyring/decryption issue on macOS when using the file-based encryption key backend.

[icostan]

I confirm that the issue happens on Arch Linux system as well and workaround works just fine.