macOS: Credential decryption always fails - OS Keyring not storing encryption key

[jamesg546]

Description

gws auth login completes successfully and reports encrypted credentials saved, but all subsequent commands fail with:

Authentication failed: Failed to decrypt credentials: Decryption failed. Credentials may have been created on a different machine.

This happens consistently, including when running gws auth login and subsequent commands from the same terminal session.

Environment

• macOS Sequoia (Darwin 25.3.0)
• gws 0.9.1
• Apple Silicon (M-series)
• zsh shell

Steps to Reproduce

1. gws auth setup (or manually configure OAuth client)
2. gws auth login → completes successfully, browser OAuth flow works
3. gws drive files list --params '{"pageSize": 3}' → fails with decryption error
4. gws auth export → also fails with same error

Investigation

• No keychain entries found for gws via security find-generic-password or security dump-keychain
• The Rust keyring crate appears to not be writing to macOS Keychain
• Created .encryption_key file in ~/.config/gws/ as mentioned in the status output ("OS Keyring or local .encryption_key") — still fails
• GWS_STORAGE=plain env var has no effect
• gws auth status confirms encryption_valid: false

Expected Behavior

Either:

1. OS Keyring integration should work on macOS, or
2. The .encryption_key fallback should be functional, or
3. A --no-encrypt / plain storage option should be available

Workaround

None found. The tool is currently unusable on macOS.

[Maurilio-Saddoud]

Can confirm, I'm facing the same issue over here

[seungwonme]

+1 Same issue on macOS Sequoia 15.6.1, Apple Silicon, gws 0.9.1

[sandcastle]

having the same issue on Omarchy 3.4.2

[reco]

+1 — Same issue on macOS 15 (Sequoia) with gws 0.9.1. Auth login completes successfully via browser, credentials.enc is written, but every subsequent command fails with 'Decryption failed. Credentials may have been created on a different machine.' Tried logging out and back in multiple times, same result.

[seungwonme]

Workaround: ADC (Application Default Credentials) Fallback

Until this is fixed, you can bypass the broken encrypted credential path by using ADC instead.

Steps

1. Remove the broken encrypted credentials:

   gws auth logout

2. Authenticate via gcloud with the required scopes:

   gcloud auth application-default login \
     --client-id-file=/path/to/your/client_secret.json \
     --scopes="https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/presentations,https://www.googleapis.com/auth/tasks,openid,https://www.googleapis.com/auth/userinfo.email"

3. Use gws normally — it falls back to ADC at ~/.config/gcloud/application_default_credentials.json.

Why it works

gws v0.6.0+ has a credential lookup chain (release notes):

1. GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE env var
2. Encrypted credentials (credentials.enc) ← broken on macOS
3. Plaintext credentials (credentials.json)
4. ADC ← this works

The key is to gws auth logout first to remove credentials.enc, otherwise gws tries to decrypt it and fails before reaching the ADC fallback.

Important notes

• Do not run gws auth login again — it will recreate credentials.enc and break things.
• gcloud auth application-default login requires cloud-platform scope or it errors.
• You may see a token cache warning — safe to ignore, or remove with rm ~/.config/gws/token_cache.json.

Environment

• macOS Sequoia 15.6.1 (Darwin 25.3.0)
• Apple Silicon (M-series)
• gws 0.9.1

[davidiov42]

Same issue on Windows - this isn't Mac specific. Exactly the same symptoms.

[kongwy]

Same issue on Windows - this isn't Mac specific. Exactly the same symptoms.

Experiencing the same on a remote Ubuntu Linux VPS. I guess it's not a platform-specific issue.

[jotatriana]

Same issue on Windows - this isn't Mac specific. Exactly the same symptoms.

I had same issue on Windows as well. Token workaround works.

[cleacos]

The workaround works but it's still annoying because the warning messages: warning: failed to decrypt token cache (token_cache.json) even if you remove the cache file. [MacOS-Tahoe 26.3]

[davidiov42]

The workaround works but it's still annoying because the warning messages: warning: failed to decrypt token cache (token_cache.json) even if you remove the cache file. [MacOS-Tahoe 26.3]

I get the same, workaround works (I have created a skill so if I need to add a scope I don't have to go through the faff) but I still get the warning even though it works.

[kinowarrior]

Had same issue. Got it working with the suggested workaround. MacOS.