docs: update credential storage docs and remove stale config.json references (#408)

betegon · web-flow · commit 585b88a58a8b · 2026-03-13T09:15:56.000Z
## Summary

Auth credentials were migrated to SQLite (`cli.db`) but docs and code
comments still referenced `~/.sentry/config.json`. This updates
everything to match reality:

- Rewrites the auth command docs "Credential Storage" section to note
that credentials live in `cli.db` with restricted permissions, and
points users to `sentry auth token` / `sentry auth status` instead of
exposing the internal schema
- Updates the configuration page's credential storage section to name
`cli.db`, mention WAL permissions, and link to the auth docs
- Removes DB schema details (column/type table), `sqlite3` query
examples, and "Direct Database Access" subsection — users shouldn't read
the DB directly
- Removes sqlite3 examples from the SKILL.md agent skill file
- Fixes three stale comments/strings in `logout.ts`, `oauth.ts`, and
`dsn/types.ts`

## Test Plan

- `bun run typecheck` — passes (pre-existing trial module errors only)
- `bun run lint` — clean
- `bun run test:unit` — no new failures
- Verified no `sqlite3` or schema content remains in docs
diff --git a/docs/src/content/docs/commands/auth.md b/docs/src/content/docs/commands/auth.md
@@ -84,18 +84,18 @@ sentry auth refresh
 
 This is typically handled automatically when tokens expire.
 
-## Configuration
+## Credential Storage
 
-Credentials are stored in `~/.sentry/config.json` with restricted file permissions (mode 600).
+Credentials are stored in a SQLite database at `~/.sentry/cli.db` with restricted file permissions (mode 600).
 
-**Config structure:**
+Use `sentry auth token` to retrieve your current access token, or `sentry auth status` to check authentication state.
 
-```json
-{
-  "auth": {
-    "token": "...",
-    "refreshToken": "...",
-    "expiresAt": "2024-12-31T00:00:00Z"
-  }
-}
-```
+### Environment Variable Precedence
+
+The CLI checks for auth tokens in the following order, using the first one found:
+
+1. `SENTRY_AUTH_TOKEN` environment variable (legacy)
+2. `SENTRY_TOKEN` environment variable
+3. The stored token in the SQLite database
+
+When a token comes from an environment variable, the CLI skips expiry checks and automatic refresh.
diff --git a/docs/src/content/docs/configuration.md b/docs/src/content/docs/configuration.md
@@ -144,9 +144,11 @@ The `sentry api` command also uses `--verbose` to show full HTTP request/respons
 
 ## Credential Storage
 
-Credentials are stored in a SQLite database at `~/.sentry/` (or the path set by `SENTRY_CONFIG_DIR`) with restricted file permissions (mode 600) for security. The database also caches:
+We store credentials and caches in a SQLite database (`cli.db`) inside the config directory (`~/.sentry/` by default, overridable via `SENTRY_CONFIG_DIR`). The database file and its WAL side-files are created with restricted permissions (mode 600) so that only the current user can read them. The database also caches:
 
 - Organization and project defaults
 - DSN resolution results
 - Region URL mappings
 - Project aliases (for monorepo support)
+
+See [Credential Storage](./commands/auth/#credential-storage) in the auth command docs for more details.
diff --git a/src/commands/auth/logout.ts b/src/commands/auth/logout.ts
@@ -30,7 +30,7 @@ export const logoutCommand = buildCommand({
   docs: {
     brief: "Log out of Sentry",
     fullDescription:
-      "Remove stored authentication credentials from the configuration file.",
+      "Remove stored authentication credentials from the local database.",
   },
   output: { json: true, human: formatLogoutResult },
   parameters: {
diff --git a/src/lib/dsn/types.ts b/src/lib/dsn/types.ts
@@ -66,7 +66,7 @@ export type ResolvedProject = ResolvedProjectInfo & {
 /**
  * Cached DSN entry with full resolution info
  *
- * Stored in ~/.sentry/config.json under dsnCache[directory]
+ * Stored in ~/.sentry/cli.db in the dsn_cache table
  */
 export type CachedDsnEntry = {
   /** The raw DSN string */
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
@@ -302,7 +302,7 @@ export async function performDeviceFlow(
 }
 
 /**
- * Complete the OAuth flow by storing the token in the config file.
+ * Complete the OAuth flow by storing the token in the database.
  *
  * @param tokenResponse - The token response from performDeviceFlow
  */

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ export type ResolvedProject = ResolvedProjectInfo & {`
`66`	`66`	`/**`
`67`	`67`	`* Cached DSN entry with full resolution info`
`68`	`68`	`*`
`69`		`- * Stored in ~/.sentry/config.json under dsnCache[directory]`
	`69`	`+ * Stored in ~/.sentry/cli.db in the dsn_cache table`
`70`	`70`	`*/`
`71`	`71`	`export type CachedDsnEntry = {`
`72`	`72`	`/** The raw DSN string */`
Original file line number	Diff line number	Diff line change
`@@ -302,7 +302,7 @@ export async function performDeviceFlow(`
`302`	`302`	`}`
`303`	`303`
`304`	`304`	`/**`
`305`		`- * Complete the OAuth flow by storing the token in the config file.`
	`305`	`+ * Complete the OAuth flow by storing the token in the database.`
`306`	`306`	`*`
`307`	`307`	`* @param tokenResponse - The token response from performDeviceFlow`
`308`	`308`	`*/`