Enable deployments with the CLI using OATs

myftija · myftija · commit b31565666aa8 · 2025-08-14T11:19:09.000+02:00
diff --git a/packages/cli-v3/src/commands/deploy.ts b/packages/cli-v3/src/commands/deploy.ts
@@ -308,7 +308,7 @@ async function _deployCommand(dir: string, options: DeployCommandOptions) {
 
   const deploymentResponse = await projectClient.client.initializeDeployment({
     contentHash: buildManifest.contentHash,
-    userId: authorization.userId,
+    userId: authorization.auth.tokenType === "personal" ? authorization.userId : undefined,
     gitMeta,
     type: features.run_engine_v2 ? "MANAGED" : "V1",
     runtime: buildManifest.runtime,
diff --git a/packages/cli-v3/src/commands/login.ts b/packages/cli-v3/src/commands/login.ts
@@ -30,7 +30,10 @@ import { env, isCI } from "std-env";
 import { CLOUD_API_URL } from "../consts.js";
 import {
   isPersonalAccessToken,
+  isOrganizationAccessToken,
+  validateAccessToken,
   NotPersonalAccessTokenError,
+  NotAccessTokenError,
 } from "../utilities/isPersonalAccessToken.js";
 import { links } from "@trigger.dev/core/v3";
 
@@ -94,8 +97,12 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
       const accessTokenFromEnv = env.TRIGGER_ACCESS_TOKEN;
 
       if (accessTokenFromEnv) {
-        if (!isPersonalAccessToken(accessTokenFromEnv)) {
-          throw new NotPersonalAccessTokenError(
+        const validationResult = validateAccessToken(accessTokenFromEnv);
+
+        if (!validationResult.success) {
+          // We deliberately don't surface the existence of organization access tokens to the user for now, as they're only used internally.
+          // Once we expose them in the application, we should also communicate that option here.
+          throw new NotAccessTokenError(
             "Your TRIGGER_ACCESS_TOKEN is not a Personal Access Token, they start with 'tr_pat_'. You can generate one here: https://cloud.trigger.dev/account/tokens"
           );
         }
@@ -119,6 +126,7 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
           dashboardUrl: userData.data.dashboardUrl,
           auth: {
             accessToken: auth.accessToken,
+            tokenType: validationResult.type,
             apiUrl: auth.apiUrl,
           },
         };
@@ -188,6 +196,7 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
                 auth: {
                   accessToken: authConfig.accessToken,
                   apiUrl: authConfig.apiUrl ?? opts.defaultApiUrl,
+                  tokenType: "personal" as const,
                 },
               };
             }
@@ -209,6 +218,7 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
               auth: {
                 accessToken: authConfig.accessToken,
                 apiUrl: authConfig.apiUrl ?? opts.defaultApiUrl,
+                tokenType: "personal" as const,
               },
             };
           }
@@ -270,7 +280,10 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
         getPersonalAccessTokenSpinner.stop(`Logged in with token ${indexResult.obfuscatedToken}`);
 
         writeAuthConfigProfile(
-          { accessToken: indexResult.token, apiUrl: opts.defaultApiUrl },
+          {
+            accessToken: indexResult.token,
+            apiUrl: opts.defaultApiUrl,
+          },
           options?.profile
         );
 
@@ -309,6 +322,7 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
           auth: {
             accessToken: indexResult.token,
             apiUrl: authConfig?.apiUrl ?? opts.defaultApiUrl,
+            tokenType: "personal" as const,
           },
         };
       } catch (e) {
diff --git a/packages/cli-v3/src/utilities/isOrganizationAccessToken.ts b/packages/cli-v3/src/utilities/isOrganizationAccessToken.ts
@@ -0,0 +1,12 @@
+const tokenPrefix = "tr_oat_";
+
+export function isOrganizationAccessToken(token: string) {
+  return token.startsWith(tokenPrefix);
+}
+
+export class NotOrganizationAccessTokenError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "NotOrganizationAccessTokenError";
+  }
+}
diff --git a/packages/cli-v3/src/utilities/session.ts b/packages/cli-v3/src/utilities/session.ts
@@ -13,6 +13,7 @@ export type LoginResultOk = {
   auth: {
     apiUrl: string;
     accessToken: string;
+    tokenType: "personal" | "organization";
   };
 };
 
@@ -24,6 +25,7 @@ export type LoginResult =
       auth?: {
         apiUrl: string;
         accessToken: string;
+        tokenType: "personal" | "organization";
       };
     };
 
@@ -45,6 +47,7 @@ export async function isLoggedIn(profile: string = "default"): Promise<LoginResu
         auth: {
           apiUrl: config.apiUrl,
           accessToken: config.accessToken,
+          tokenType: "personal",
         },
       };
     }
@@ -58,6 +61,7 @@ export async function isLoggedIn(profile: string = "default"): Promise<LoginResu
       auth: {
         apiUrl: config.apiUrl,
         accessToken: config.accessToken,
+        tokenType: "personal",
       },
     };
   } catch (e) {
