docs: update credential storage docs and remove stale config.json references

betegon · claude · betegon · commit cbe4a68b5497 · 2026-03-12T18:19:42.000+01:00
Auth credentials moved to SQLite (cli.db) but several docs pages and code
comments still referenced the old ~/.sentry/config.json file. Rewrites the
auth command docs with the actual schema, env var precedence, and external
access instructions. Fixes stale comments in logout, oauth, and dsn types.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docs/src/content/docs/commands/auth.md b/docs/src/content/docs/commands/auth.md
@@ -84,18 +84,38 @@ sentry auth refresh
 
 This is typically handled automatically when tokens expire.
 
-## Configuration
+## Credential Storage
 
-Credentials are stored in `~/.sentry/config.json` with restricted file permissions (mode 600).
+We store credentials in a SQLite database at `~/.sentry/cli.db` with restricted file permissions (mode 600). The database uses a single-row `auth` table with the following columns:
 
-**Config structure:**
+| Column | Type | Description |
+|--------|------|-------------|
+| `token` | TEXT | OAuth access token |
+| `refresh_token` | TEXT | OAuth refresh token |
+| `expires_at` | INTEGER | Token expiry (ms since epoch) |
+| `issued_at` | INTEGER | Token issue time (ms since epoch) |
+| `updated_at` | INTEGER | Last modification time (ms since epoch) |
 
-```json
-{
-  "auth": {
-    "token": "...",
-    "refreshToken": "...",
-    "expiresAt": "2024-12-31T00:00:00Z"
-  }
-}
+### Environment Variable Precedence
+
+The CLI checks for auth tokens in the following order, using the first one found:
+
+1. `SENTRY_AUTH_TOKEN` environment variable
+2. `SENTRY_TOKEN` environment variable (legacy)
+3. The `auth` table in the SQLite database
+
+When a token comes from an environment variable, the CLI skips expiry checks and automatic refresh.
+
+### Reading the Token Externally
+
+Other tools can read the stored token directly from the database. The config directory defaults to `~/.sentry/` but can be overridden with the `SENTRY_CONFIG_DIR` environment variable.
+
+```bash
+sqlite3 ~/.sentry/cli.db "SELECT token FROM auth WHERE id = 1;"
 ```
+
+Keep in mind a few caveats when accessing the database from outside the CLI:
+
+- **Token expiry** — Check `expires_at` before using the token. The CLI automatically refreshes tokens when they are close to expiring, but an external reader will not trigger a refresh.
+- **WAL mode** — The database uses SQLite WAL (Write-Ahead Logging). Open it in read-only mode to avoid lock contention with a running CLI process.
+- **Env var precedence** — If `SENTRY_AUTH_TOKEN` or `SENTRY_TOKEN` is set, the CLI uses that instead of the database value. We recommend following the same precedence in external tools.
diff --git a/docs/src/content/docs/configuration.md b/docs/src/content/docs/configuration.md
@@ -138,9 +138,11 @@ The `sentry api` command also uses `--verbose` to show full HTTP request/respons
 
 ## Credential Storage
 
-Credentials are stored in a SQLite database at `~/.sentry/` (or the path set by `SENTRY_CONFIG_DIR`) with restricted file permissions (mode 600) for security. The database also caches:
+We store credentials and caches in a SQLite database (`cli.db`) inside the config directory (`~/.sentry/` by default, overridable via `SENTRY_CONFIG_DIR`). The database file and its WAL side-files are created with restricted permissions (mode 600) so that only the current user can read them. The database also caches:
 
 - Organization and project defaults
 - DSN resolution results
 - Region URL mappings
 - Project aliases (for monorepo support)
+
+Other tools can query the database directly to read the stored auth token. See [Credential Storage](./commands/auth/#credential-storage) in the auth command docs for the schema and usage details.
diff --git a/src/commands/auth/logout.ts b/src/commands/auth/logout.ts
@@ -30,7 +30,7 @@ export const logoutCommand = buildCommand({
   docs: {
     brief: "Log out of Sentry",
     fullDescription:
-      "Remove stored authentication credentials from the configuration file.",
+      "Remove stored authentication credentials from the local database.",
   },
   output: { json: true, human: formatLogoutResult },
   parameters: {
diff --git a/src/lib/dsn/types.ts b/src/lib/dsn/types.ts
@@ -66,7 +66,7 @@ export type ResolvedProject = ResolvedProjectInfo & {
 /**
  * Cached DSN entry with full resolution info
  *
- * Stored in ~/.sentry/config.json under dsnCache[directory]
+ * Stored in ~/.sentry/cli.db in the dsn_cache table
  */
 export type CachedDsnEntry = {
   /** The raw DSN string */
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
@@ -301,7 +301,7 @@ export async function performDeviceFlow(
 }
 
 /**
- * Complete the OAuth flow by storing the token in the config file.
+ * Complete the OAuth flow by storing the token in the database.
  *
  * @param tokenResponse - The token response from performDeviceFlow
  */

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ export type ResolvedProject = ResolvedProjectInfo & {`
`66`	`66`	`/**`
`67`	`67`	`* Cached DSN entry with full resolution info`
`68`	`68`	`*`
`69`		`- * Stored in ~/.sentry/config.json under dsnCache[directory]`
	`69`	`+ * Stored in ~/.sentry/cli.db in the dsn_cache table`
`70`	`70`	`*/`
`71`	`71`	`export type CachedDsnEntry = {`
`72`	`72`	`/** The raw DSN string */`
Original file line number	Diff line number	Diff line change
`@@ -301,7 +301,7 @@ export async function performDeviceFlow(`
`301`	`301`	`}`
`302`	`302`
`303`	`303`	`/**`
`304`		`- * Complete the OAuth flow by storing the token in the config file.`
	`304`	`+ * Complete the OAuth flow by storing the token in the database.`
`305`	`305`	`*`
`306`	`306`	`* @param tokenResponse - The token response from performDeviceFlow`
`307`	`307`	`*/`