Workers SDK Issue Reports


#10538 wrangler incorrectly believes a CLOUDFLARE_API_TOKEN is set and refuses to login

Recommendation: KEEP OPEN
Difficulty: n/a
Reasoning:

Confirmed bug: wrangler loads .env files into process.env, then blocks OAuth login when CLOUDFLARE_API_TOKEN is found. This creates a deadlock between stale OAuth tokens and API token detection.

Suggested Action:

Keep open - valid bug affecting user onboarding. Workarounds documented in comments.

Analysis Report

Issue Review: cloudflare/workers-sdk#10538

Summary

Wrangler incorrectly detects CLOUDFLARE_API_TOKEN as set and refuses to login via OAuth, even when the env var is not set in the shell.

Findings

  • Created: 2025-09-02
  • Updated: 2025-11-28
  • Version: 4.33.1 → 4.60.0 (current)
  • Component: wrangler (authentication)
  • Labels: bug
  • Comments: 4 (includes workarounds from users)

Key Evidence

  • Root cause identified by reporter: When a user previously logged in via OAuth and later the OAuth tokens become stale/expired, wrangler attempts to refresh them. However, if wrangler also detects what it thinks is an API token, it refuses to start the login flow, creating a deadlock.

  • Additional cause found in comments: User @jamiechapman noted that having CLOUDFLARE_API_TOKEN in a .env file (not set in the shell env) causes the same error, because wrangler loads .env files and merges them into process.env before checking for auth credentials.

  • No fix found:

    • No merged PRs explicitly fix this issue
    • Issue #10538 not mentioned in changelogs
    • Related issues (#10364, #2978) still open with similar auth problems
  • Code analysis: The getAuthFromEnv() function in user.ts checks process.env for CLOUDFLARE_API_TOKEN. If found, it blocks OAuth login with the error message "You are logged in with an API Token. Unset the CLOUDFLARE_API_TOKEN in the environment to log in via OAuth." The problem is wrangler loads .env files into process.env, then later code checks process.env and finds the token.

  • Multiple users affected: 4 comments from different users experiencing this issue, with workarounds:

    1. Delete stale OAuth credentials from local state
    2. Remove CLOUDFLARE_API_TOKEN from any .env files
    3. Run wrangler logout then wrangler login
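
To tell the two causes above apart on an affected machine, it helps to see where the token is actually defined. The following is an added example, not wrangler's code and not from the issue thread: the function names, the small .env parser and the sample input are assumptions made for illustration, and the caller decides which .env file contents to pass in.

```javascript
// Hypothetical diagnostic: report where CLOUDFLARE_API_TOKEN is defined
// (shell environment vs. .env file contents) without printing the secret.
const KEY = "CLOUDFLARE_API_TOKEN";

// Minimal .env parser: KEY=value lines, optional "export ", quotes, # comments.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    const quoted = m[2].match(/^(["'])(.*)\1\s*(?:#.*)?$/);
    vars[m[1]] = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim();
  }
  return vars;
}

// shellEnv: the environment as the shell exported it.
// files: { filename: contents } for the .env files to inspect.
// Returns one entry per definition, exposing only the value's length.
function findTokenSources(shellEnv, files) {
  const sources = [];
  if (shellEnv[KEY]) sources.push({ source: "shell", length: shellEnv[KEY].length });
  for (const [name, text] of Object.entries(files)) {
    const value = parseDotenv(text)[KEY];
    if (value) sources.push({ source: name, length: value.length });
  }
  return sources;
}

// "dotenv-only" is the case from the comments: the shell has no token,
// but a .env file supplies one that ends up in process.env.
function diagnose(shellEnv, files) {
  const sources = findTokenSources(shellEnv, files);
  if (sources.length === 0) return "no-token";
  return sources.some((s) => s.source === "shell") ? "shell-token" : "dotenv-only";
}

// Constructed sample input; the token value is a placeholder, not a real credential.
const sampleFiles = {
  ".env": '# local dev\nexport CLOUDFLARE_API_TOKEN="constructed-not-a-real-token"\nOTHER=1\n',
};
console.log(diagnose({ PATH: "/usr/bin" }, sampleFiles), findTokenSources({}, sampleFiles));
```

A result of "dotenv-only" points at workaround 2; "no-token" with the login error still present points at stale OAuth state (workarounds 1 and 3).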

Recommendation

Status: KEEP OPEN

Reasoning: This is a confirmed bug with multiple users affected. The root cause is an order-of-operations issue: wrangler loads .env files containing CLOUDFLARE_API_TOKEN into process.env, and the auth check then blocks OAuth login even when the user wants to use OAuth. The bug hasn't been fixed in 4+ months despite affecting user onboarding ("dead on arrival").

Action: Keep open - this is a valid bug affecting user experience. Consider adding a comment acknowledging the bug and workarounds.

Suggested Comment

Thank you for reporting this issue, and thanks to the community for the helpful workarounds.

To summarize the workarounds found:

  1. If you have CLOUDFLARE_API_TOKEN in a .env file in your project, remove it or rename it before running wrangler login
  2. If you previously logged in via OAuth, try wrangler logout followed by wrangler login
  3. Delete stale OAuth credentials from the local state directory (~/.wrangler)

The underlying issue appears to be that wrangler loads .env files into process.env before checking authentication state, which can cause conflicts between OAuth and API token auth methods. We're keeping this issue open to track a proper fix.
