Expand description
Action for dsp auth token.
Prints the resolved bearer token verbatim to stdout, bare — no
envelope, no --format, no Renderer. This is the read-out
counterpart to dsp auth set-token (which reads a JWT from stdin into the
cache): today set-token writes a token in, and this command is the only
way to read one back out for use in shell pipelines (export DSP_TOKEN=$(dsp auth token -s dev)).
No server round-trip is made — this is a pure cache/env inspection, like
dsp auth status (see status.rs), from which the resolution and expiry
logic below is lifted. Before printing, a local, best-effort expiry
check is done: if the resolved token is locally detected as expired, or no
token is cached for the server, the command returns
Diagnostic::AuthRequired (exit 3, ADR-0012) instead of printing
anything. This check is advisory only — the JWT signature is not verified
(see crate::client::jwt) — so exit 0 means only “the token looks
unexpired locally,” not “the server will accept it.” See ADR-0007 for the
token-resolution/precedence model this command reuses unchanged.
Functions§
- run
- Print the resolved bearer token for
cfg.serverto stdout.