feat: add sentry token subcommands (create, list, delete) #1112
jared-outpost[bot] wants to merge 5 commits into
3 issues
Medium
"Save this token" warning is silently suppressed in JSON mode - `src/commands/token/create.ts:106-109`
When `--json` is used, the one-time token warning is never shown: the human formatter (`formatTokenCreated`) is skipped, and the `return { hint: ... }` is explicitly suppressed by the framework in JSON mode — exactly the mode CI/automation pipelines use. If the full `token` field in the JSON output is not captured immediately, the token value is permanently lost with no indication.
Created token value silently dropped if creation response omits `token` field - `src/types/sentry.ts:1322`
`OrgAuthTokenSchema` marks `token` as `z.string().optional()` because the same schema is reused for both `listOrgAuthTokens` (GET, never returns the full token) and `createOrgAuthToken` (POST, returns the full token once). Because `token` is optional, a POST response that omits the field still parses successfully with `token === undefined`. In `create.ts`, `formatTokenCreated` only prints the value when `if (result.token.token)` is truthy, so a missing field yields a success message containing the name, ID, and scopes but no token value. Since the full token is only available at creation time, a silent omission leaves the user with an unusable token they cannot recover. The fix is to enforce presence on the creation path (e.g., a dedicated create-response schema with `token: z.string()`, or an explicit error in `create.ts` when `token` is absent) rather than silently skipping the print.
Also found at: `src/lib/api-client.ts:180`
Low
Deleting an already-removed token surfaces a raw API error instead of a friendly message - `src/commands/token/delete.ts:143-167`
`resolveToken` lists the org tokens to resolve the ID/name, and `deleteOrgAuthToken(orgSlug, token.id)` then issues a separate DELETE request. If the token was already deleted (by another process, or because the resolved ID is stale by the time DELETE runs), the endpoint returns 404 and `apiRequestToRegionNoContent` calls `throwRawApiError`, propagating a raw `ApiError`. Because there is no try/catch around the `deleteOrgAuthToken` call in `func`, the user sees a raw API error message rather than a helpful "token not found / already deleted" message. This is purely a UX/error-handling nit — there is no security or state-corruption impact (the delete is effectively idempotent), so the practical effect is a less helpful error message.
2 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 2m 52s | $2.06 |
| find-bugs | 3 | 13m 2s | $3.65 |
⏱ 15m 54s · 3.7M in / 126.2k out · $5.71
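As an added illustration of the Medium finding on the optional `token` field (example code, not part of the PR or of the review above): a response type shared by the list and create paths has to leave `token` optional, so a create response that omits the value parses cleanly and the one-time secret is lost without any signal. The hand-rolled validators below stand in for the zod schemas named in the finding (`OrgAuthTokenSchema`, `createOrgAuthToken`) so the example runs with no dependencies; the field names `id`, `name`, `scopes` and `token` come from the finding, everything else (sample values, function names) is constructed for the example.

```typescript
// Added example, not code from the PR under review. The validators below are
// stand-ins for the zod schemas discussed in the finding; only the field names
// id/name/scopes/token are taken from it, the rest is constructed here.

interface OrgAuthTokenListItem {
  id: string;
  name: string;
  scopes: string[];
  token?: string; // optional: the list (GET) endpoint never returns the full value
}

interface OrgAuthTokenCreated extends OrgAuthTokenListItem {
  token: string; // required: the create (POST) endpoint returns the full value exactly once
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null;
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((s) => typeof s === "string");
}

// Lenient parser: the behaviour of a schema shared by both endpoints. A missing
// `token` is accepted, which is right for list responses and wrong for create responses.
function parseOrgAuthToken(raw: unknown): OrgAuthTokenListItem {
  if (!isRecord(raw)) throw new Error("response is not an object");
  const { id, name, scopes, token } = raw;
  if (typeof id !== "string" || typeof name !== "string" || !isStringArray(scopes)) {
    throw new Error("response is missing id/name/scopes");
  }
  const tokenValue = typeof token === "string" ? token : undefined;
  if (token !== undefined && tokenValue === undefined) {
    throw new Error("token must be a string when present");
  }
  return { id, name, scopes, token: tokenValue };
}

// Strict parser for the create path: the token must be present and non-empty.
// Failing loudly here is the fix the review suggests; printing a success line
// without the value would leave the user with a token they can never read.
function parseCreateOrgAuthTokenResponse(raw: unknown): OrgAuthTokenCreated {
  const parsed = parseOrgAuthToken(raw);
  if (!parsed.token) {
    throw new Error(
      `token "${parsed.name}" (id ${parsed.id}) was created but the API response did not ` +
        "include the token value; it cannot be retrieved later, so delete it and create a new one"
    );
  }
  return { ...parsed, token: parsed.token };
}

// Constructed sample responses (not real API output; the token value is a placeholder).
const SAMPLE_CREATE_OK: unknown = {
  id: "42",
  name: "ci-deploy",
  scopes: ["org:read", "project:releases"],
  token: "sntrys_PLACEHOLDER_TOKEN",
};
const SAMPLE_CREATE_MISSING_TOKEN: unknown = {
  id: "42",
  name: "ci-deploy",
  scopes: ["org:read", "project:releases"],
};

// True when the strict parser rejects the response, false when it accepts it.
function createResponseRejected(raw: unknown): boolean {
  try {
    parseCreateOrgAuthTokenResponse(raw);
    return false;
  } catch (e) {
    return true;
  }
}

console.log("lenient parser accepts a missing token:", parseOrgAuthToken(SAMPLE_CREATE_MISSING_TOKEN).token === undefined);
console.log("strict parser rejects a missing token:", createResponseRejected(SAMPLE_CREATE_MISSING_TOKEN));
console.log("strict parser accepts a full response:", !createResponseRejected(SAMPLE_CREATE_OK));
```

The same split applies to any API whose create call is the only place a secret is ever disclosed: the read path and the create path need different response contracts, and the create path should treat an absent secret as a failure to report, not a field to skip.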