Skip to main content

Token Caching

Tokens are stored in the operating system keyring, not in config.toml.

PlatformStore
macOSKeychain
WindowsCredential Manager
LinuxSecret Service-compatible keyring

Access tokens are refreshed automatically when the stored token is expired or close to expiry and a refresh token is available.

Use auth refresh when you need to pick up newly consented scopes without a browser prompt:

teams auth refresh
teams auth refresh --scopes "User.Read People.Read Files.Read.All offline_access"

If refresh fails because the token is too old, revoked, or was created without offline_access, sign in again with teams auth login --device-code.

Use teams auth logout or teams auth logout --all to remove stored credentials.

TEAMS_CLI_ACCESS_TOKEN bypasses the keyring for one process. It must contain a Microsoft Graph access token. Captured Teams client tokens, including fossteams/teams-token JWT files, are not compatible with Graph commands.