Token Caching
Tokens are stored in the operating system keyring, not in config.toml.
| Platform | Store |
|---|---|
| macOS | Keychain |
| Windows | Credential Manager |
| Linux | Secret Service-compatible keyring |
Access tokens are refreshed automatically when the stored token is expired or close to expiry and a refresh token is available.
Use auth refresh when you need to pick up newly consented scopes without a browser prompt:
teams auth refresh
teams auth refresh --scopes "User.Read People.Read Files.Read.All offline_access"
If refresh fails because the token is too old, revoked, or was created without offline_access, sign in again with teams auth login --device-code.
Use teams auth logout or teams auth logout --all to remove stored credentials.
TEAMS_CLI_ACCESS_TOKEN bypasses the keyring for one process. It must contain a Microsoft Graph access token. Captured Teams client tokens, including fossteams/teams-token JWT files, are not compatible with Graph commands.