@zapier/zapier-sdk-cli 0.47.0 → 0.48.0

package/dist/index.cjs

@@ -1,20 +1,21 @@
 'use strict';
 
-var Conf = require('conf');
-var fs = require('fs');
 var jwt = require('jsonwebtoken');
 var crossKeychain = require('cross-keychain');
+var Conf = require('conf');
+var fs = require('fs');
 var crypto = require('crypto');
 var path = require('path');
 var lockfile = require('proper-lockfile');
+var zod = require('zod');
 var zapierSdk = require('@zapier/zapier-sdk');
+var os = require('os');
+var inquirer = require('inquirer');
 var open = require('open');
 var express = require('express');
 var pkceChallenge = require('pkce-challenge');
 var ora = require('ora');
 var chalk3 = require('chalk');
-var inquirer = require('inquirer');
-var zod = require('zod');
 var zapierSdkMcp = require('@zapier/zapier-sdk-mcp');
 var esbuild = require('esbuild');
 var promises = require('fs/promises');
@@ -46,18 +47,18 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
 
+var jwt__namespace = /*#__PURE__*/_interopNamespace(jwt);
 var Conf__default = /*#__PURE__*/_interopDefault(Conf);
 var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
-var jwt__namespace = /*#__PURE__*/_interopNamespace(jwt);
 var crypto__default = /*#__PURE__*/_interopDefault(crypto);
 var path__namespace = /*#__PURE__*/_interopNamespace(path);
 var lockfile__namespace = /*#__PURE__*/_interopNamespace(lockfile);
+var inquirer__default = /*#__PURE__*/_interopDefault(inquirer);
 var open__default = /*#__PURE__*/_interopDefault(open);
 var express__default = /*#__PURE__*/_interopDefault(express);
 var pkceChallenge__default = /*#__PURE__*/_interopDefault(pkceChallenge);
 var ora__default = /*#__PURE__*/_interopDefault(ora);
 var chalk3__default = /*#__PURE__*/_interopDefault(chalk3);
-var inquirer__default = /*#__PURE__*/_interopDefault(inquirer);
 var ts__namespace = /*#__PURE__*/_interopNamespace(ts);
 var Handlebars__default = /*#__PURE__*/_interopDefault(Handlebars);
 
@@ -71,8 +72,11 @@ var __export = (target, all) => {
 var login_exports = {};
 __export(login_exports, {
   AUTH_MODE_HEADER: () => AUTH_MODE_HEADER,
+  DEFAULT_AUTH_BASE_URL: () => DEFAULT_AUTH_BASE_URL,
   ZapierAuthenticationError: () => ZapierAuthenticationError,
+  clearTokensFromKeychain: () => clearTokensFromKeychain,
   createCache: () => createCache,
+  getActiveCredentials: () => getActiveCredentials,
   getAuthAuthorizeUrl: () => getAuthAuthorizeUrl,
   getAuthTokenUrl: () => getAuthTokenUrl,
   getConfig: () => getConfig,
@@ -80,6 +84,7 @@ __export(login_exports, {
   getLoggedInUser: () => getLoggedInUser,
   getLoginStorageMode: () => getLoginStorageMode,
   getPkceLoginConfig: () => getPkceLoginConfig,
+  getStoredClientCredentials: () => getStoredClientCredentials,
   getToken: () => getToken,
   logout: () => logout,
   unloadConfig: () => unloadConfig,
@@ -160,6 +165,38 @@ async function clearTokensFromKeychain({
     }
   });
 }
+var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
+var config = null;
+function getConfig() {
+  if (!config) {
+    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
+    if (!config.has("login_storage_mode")) {
+      config.set(
+        "login_storage_mode",
+        fs.existsSync(config.path) ? "config" : "keychain"
+      );
+    }
+  }
+  return config;
+}
+function resetConfig() {
+  config = null;
+}
+
+// src/login/legacy-jwt.ts
+function clearLegacyJwtConfigKeys(config2) {
+  config2.delete("login_jwt");
+  config2.delete("login_refresh_token");
+  config2.delete("login_expires_at");
+}
+async function clearLegacyJwtState() {
+  clearLegacyJwtConfigKeys(getConfig());
+  await clearTokensFromKeychain();
+}
+function hasLegacyJwtConfig() {
+  const cfg = getConfig();
+  return typeof cfg.get("login_jwt") === "string" || typeof cfg.get("login_refresh_token") === "string" || typeof cfg.get("login_expires_at") === "number";
+}
 var SERVICE2 = "zapier-sdk-cache";
 var CONFIG_KEY = "cache";
 var LOCK_UPDATE_MS = 5e3;
@@ -287,6 +324,163 @@ function createCache() {
     }
   };
 }
+var SERVICE3 = "zapier-sdk-cli";
+var CREDENTIALS_KEY = "credentials";
+var REGISTRY_KEY = "credentialsRegistry";
+var CredentialsEntrySchema = zod.z.object({
+  name: zod.z.string(),
+  clientId: zod.z.string(),
+  createdAt: zod.z.number(),
+  scopes: zod.z.array(zod.z.string()),
+  baseUrl: zod.z.string()
+});
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl ?? DEFAULT_AUTH_BASE_URL;
+}
+function keychainAccount2(key) {
+  return crypto.createHash("sha256").update(key).digest("hex");
+}
+function buildKeychainKey(clientId, scopes, baseUrl) {
+  const sortedScopes = [...scopes].sort().join(",");
+  return `zapier-sdk/client-credentials-secret/${clientId}:${sortedScopes}:${baseUrl}`;
+}
+function findEntry(registry, name, baseUrl) {
+  return registry.find((e) => e.name === name && e.baseUrl === baseUrl);
+}
+function readRegistry() {
+  const stored = getConfig().get(REGISTRY_KEY);
+  if (!Array.isArray(stored)) return [];
+  return stored.flatMap((entry) => {
+    const result = CredentialsEntrySchema.safeParse(entry);
+    return result.success ? [result.data] : [];
+  });
+}
+function getActiveCredentials(options) {
+  const name = getConfig().get(CREDENTIALS_KEY);
+  if (!name) return void 0;
+  return findEntry(readRegistry(), name, normalizeBaseUrl(options?.baseUrl));
+}
+async function storeClientCredentials({
+  name,
+  clientId,
+  clientSecret,
+  scopes,
+  baseUrl
+}) {
+  if (!name || typeof name !== "string") {
+    throw new Error("storeClientCredentials: name is required");
+  }
+  if (!clientId || typeof clientId !== "string") {
+    throw new Error("storeClientCredentials: clientId is required");
+  }
+  if (!clientSecret || typeof clientSecret !== "string") {
+    throw new Error("storeClientCredentials: clientSecret is required");
+  }
+  if (!Array.isArray(scopes) || scopes.length === 0) {
+    throw new Error("storeClientCredentials: scopes must be a non-empty array");
+  }
+  const sortedScopes = [...scopes].sort();
+  const resolvedBaseUrl = normalizeBaseUrl(baseUrl);
+  const keychainKey = buildKeychainKey(clientId, sortedScopes, resolvedBaseUrl);
+  const existingEntry = findEntry(readRegistry(), name, resolvedBaseUrl);
+  const existingKeychainKey = existingEntry ? buildKeychainKey(
+    existingEntry.clientId,
+    existingEntry.scopes,
+    existingEntry.baseUrl
+  ) : void 0;
+  await enqueue(async () => {
+    await getBackendInfo();
+    await crossKeychain.setPassword(SERVICE3, keychainAccount2(keychainKey), clientSecret);
+  });
+  const entry = {
+    name,
+    clientId,
+    createdAt: Date.now(),
+    scopes: sortedScopes,
+    baseUrl: resolvedBaseUrl
+  };
+  const registry = readRegistry().filter(
+    (e) => !(e.name === name && e.baseUrl === resolvedBaseUrl)
+  );
+  registry.push(entry);
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  cfg.set(CREDENTIALS_KEY, name);
+  if (existingEntry && existingKeychainKey !== keychainKey) {
+    await deleteKeychainSecret(existingEntry);
+  }
+}
+function credentialsNameExists({
+  name,
+  baseUrl
+}) {
+  return !!findEntry(readRegistry(), name, normalizeBaseUrl(baseUrl));
+}
+async function getStoredClientCredentials(options) {
+  const entry = options?.name ? findEntry(readRegistry(), options.name, normalizeBaseUrl(options.baseUrl)) : getActiveCredentials(options);
+  if (!entry) return void 0;
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  const clientSecret = await enqueue(async () => {
+    await getBackendInfo();
+    return crossKeychain.getPassword(SERVICE3, keychainAccount2(keychainKey));
+  });
+  if (!clientSecret) return void 0;
+  return {
+    type: "client_credentials",
+    clientId: entry.clientId,
+    clientSecret,
+    baseUrl: entry.baseUrl,
+    scope: [...entry.scopes].sort().join(" ")
+  };
+}
+function deleteRegistryEntry(registry, name, baseUrl) {
+  const idx = registry.findIndex(
+    (e) => e.name === name && e.baseUrl === baseUrl
+  );
+  if (idx === -1) return void 0;
+  const [removed] = registry.splice(idx, 1);
+  return removed;
+}
+function unsetMatchingCredentialsKey(cfg, name) {
+  const activeName = cfg.get(CREDENTIALS_KEY);
+  if (activeName === name && !readRegistry().some((e) => e.name === name)) {
+    cfg.delete(CREDENTIALS_KEY);
+  }
+}
+async function deleteKeychainSecret(entry) {
+  const keychainKey = buildKeychainKey(
+    entry.clientId,
+    entry.scopes,
+    entry.baseUrl
+  );
+  try {
+    await enqueue(async () => {
+      await getBackendInfo();
+      await crossKeychain.deletePassword(SERVICE3, keychainAccount2(keychainKey));
+    });
+  } catch {
+  }
+}
+async function deleteStoredClientCredentials({
+  name,
+  baseUrl
+}) {
+  const registry = readRegistry();
+  const removed = deleteRegistryEntry(
+    registry,
+    name,
+    normalizeBaseUrl(baseUrl)
+  );
+  if (!removed) return;
+  const cfg = getConfig();
+  cfg.set(REGISTRY_KEY, registry);
+  unsetMatchingCredentialsKey(cfg, name);
+  await deleteKeychainSecret(removed);
+}
 
 // src/login/index.ts
 var ZapierAuthenticationError = class extends Error {
@@ -295,7 +489,6 @@ var ZapierAuthenticationError = class extends Error {
     this.name = "ZapierAuthenticationError";
   }
 };
-var config = null;
 var DEFAULT_AUTH_CLIENT_ID = "grwWZD5hUWGvb4V8ODBuOtXer3h0DBEZ2HR8aay6";
 var TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function createDebugLog(enabled) {
@@ -321,7 +514,6 @@ function getAuthClientId(clientId) {
   return clientId || DEFAULT_AUTH_CLIENT_ID;
 }
 var AUTH_MODE_HEADER = "X-Auth";
-var DEFAULT_AUTH_BASE_URL = "https://zapier.com";
 function getAuthTokenUrl(options) {
   const authBaseUrl = options?.baseUrl || DEFAULT_AUTH_BASE_URL;
   return `${authBaseUrl}/oauth/token/`;
@@ -331,29 +523,16 @@ function getAuthAuthorizeUrl(options) {
   return `${authBaseUrl}/oauth/authorize/`;
 }
 function getPkceLoginConfig(options) {
+  const effectiveBaseUrl = options?.credentials?.baseUrl ?? options?.baseUrl;
   return {
     clientId: getAuthClientId(options?.credentials?.clientId),
-    tokenUrl: getAuthTokenUrl({ baseUrl: options?.credentials?.baseUrl }),
-    authorizeUrl: getAuthAuthorizeUrl({
-      baseUrl: options?.credentials?.baseUrl
-    })
+    tokenUrl: getAuthTokenUrl({ baseUrl: effectiveBaseUrl }),
+    authorizeUrl: getAuthAuthorizeUrl({ baseUrl: effectiveBaseUrl })
   };
 }
 var cachedLogin;
-function getConfig() {
-  if (!config) {
-    config = new Conf__default.default({ projectName: "zapier-sdk-cli" });
-    if (!config.has("login_storage_mode")) {
-      config.set(
-        "login_storage_mode",
-        fs.existsSync(config.path) ? "config" : "keychain"
-      );
-    }
-  }
-  return config;
-}
 function unloadConfig() {
-  config = null;
+  resetConfig();
   cachedLogin = void 0;
 }
 async function updateLogin(loginData, options = {}) {
@@ -626,9 +805,7 @@ async function logout(options = {}) {
   await clearTokensFromKeychain();
   const cfg = getConfig();
   cfg.set("login_storage_mode", mode);
-  cfg.delete("login_expires_at");
-  cfg.delete("login_jwt");
-  cfg.delete("login_refresh_token");
+  clearLegacyJwtConfigKeys(cfg);
   onEvent?.({
     type: "auth_logout",
     payload: { message: "Logged out successfully", operation: "logout" },
@@ -640,6 +817,79 @@ function getConfigPath() {
   return cfg.path;
 }
 
+// src/utils/retry.ts
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+async function withRetry({
+  action,
+  attempts = 3,
+  initialDelayMs = 100
+}) {
+  if (attempts <= 0) {
+    throw new Error("withRetry: attempts must be greater than 0");
+  }
+  let lastError;
+  for (let i = 0; i < attempts; i++) {
+    try {
+      return await action();
+    } catch (err) {
+      lastError = err;
+      if (i < attempts - 1) {
+        await sleep(initialDelayMs * 2 ** i);
+      }
+    }
+  }
+  throw lastError;
+}
+
+// src/login/credentials-revoke.ts
+function emitAuthLogout(onEvent) {
+  onEvent?.({
+    type: "auth_logout",
+    payload: { message: "Logged out successfully", operation: "logout" },
+    timestamp: Date.now()
+  });
+}
+function isNotFoundError(err) {
+  return typeof err === "object" && err !== null && "statusCode" in err && err.statusCode === 404;
+}
+async function revokeCredentials({
+  api: api2,
+  credentials,
+  onEvent
+}) {
+  await withRetry({
+    action: async () => {
+      try {
+        await api2.delete(
+          `/api/v0/client-credentials/${credentials.clientId}`,
+          void 0,
+          { authRequired: true, requiredScopes: ["credentials"] }
+        );
+      } catch (err) {
+        if (isNotFoundError(err)) return;
+        throw err;
+      }
+    }
+  });
+  try {
+    await deleteStoredClientCredentials({
+      name: credentials.name,
+      baseUrl: credentials.baseUrl
+    });
+  } catch (err) {
+    console.warn("[revokeCredentials] Local store cleanup failed:", err);
+  }
+  await clearLegacyJwtState();
+  await zapierSdk.invalidateCachedToken({
+    clientId: credentials.clientId,
+    scopes: credentials.scopes,
+    baseUrl: credentials.baseUrl
+  });
+  emitAuthLogout(onEvent);
+}
+
 // src/utils/constants.ts
 var LOGIN_PORTS = [49505, 50575, 52804, 55981, 61010, 63851];
 var LOGIN_TIMEOUT_MS = 3e5;
@@ -753,6 +1003,8 @@ var getCallablePromise = () => {
   };
 };
 var getCallablePromise_default = getCallablePromise;
+
+// src/utils/auth/oauth-flow.ts
 var findAvailablePort = () => {
   return new Promise((resolve4, reject) => {
     let portIndex = 0;
@@ -787,10 +1039,9 @@ var findAvailablePort = () => {
 var generateRandomString = () => {
   const array = new Uint32Array(28);
   crypto__default.default.getRandomValues(array);
-  return Array.from(
-    array,
-    (dec) => ("0" + dec.toString(16)).substring(-2)
-  ).join("");
+  return Array.from(array, (dec) => ("0" + dec.toString(16)).slice(-2)).join(
+    ""
+  );
 };
 function ensureOfflineAccess(scope) {
   if (scope.includes("offline_access")) {
@@ -798,17 +1049,18 @@ function ensureOfflineAccess(scope) {
   }
   return `${scope} offline_access`;
 }
-var login = async ({
+async function runOauthFlow({
   timeoutMs = LOGIN_TIMEOUT_MS,
-  credentials
-}) => {
+  pkceCredentials,
+  baseUrl
+}) {
   const { clientId, tokenUrl, authorizeUrl } = getPkceLoginConfig({
-    credentials
+    credentials: pkceCredentials,
+    baseUrl
   });
   const scope = ensureOfflineAccess(
-    credentials?.scope || "internal credentials"
+    pkceCredentials?.scope || "internal credentials"
   );
-  await logout();
   const availablePort = await findAvailablePort();
   const redirectUri = `http://localhost:${availablePort}/oauth`;
   log_default.info(`Using port ${availablePort} for OAuth callback`);
@@ -817,13 +1069,30 @@ var login = async ({
     resolve: setCode,
     reject: rejectCode
   } = getCallablePromise_default();
-  const app = express__default.default();
-  app.get("/oauth", (req, res) => {
-    setCode(String(req.query.code));
+  const oauthState = generateRandomString();
+  const expressApp = express__default.default();
+  expressApp.get("/oauth", (req, res) => {
     res.setHeader("Connection", "close");
+    if (req.query.state !== oauthState) {
+      rejectCode(new Error("OAuth state mismatch \u2014 possible CSRF"));
+      res.status(400).end("Invalid state. You can close this tab.");
+      return;
+    }
+    if (req.query.error) {
+      const desc = req.query.error_description ?? req.query.error;
+      rejectCode(new Error(`Authorization denied: ${desc}`));
+      res.end("Authorization was denied. You can close this tab.");
+      return;
+    }
+    if (!req.query.code) {
+      rejectCode(new Error("No authorization code received"));
+      res.end("No authorization code received. You can close this tab.");
+      return;
+    }
+    setCode(String(req.query.code));
     res.end("You can now close this tab and return to the CLI.");
   });
-  const server = app.listen(availablePort);
+  const server = expressApp.listen(availablePort);
   const connections = /* @__PURE__ */ new Set();
   server.on("connection", (conn) => {
     connections.add(conn);
@@ -842,7 +1111,7 @@ var login = async ({
     client_id: clientId,
     redirect_uri: redirectUri,
     scope,
-    state: generateRandomString(),
+    state: oauthState,
     code_challenge: codeChallenge,
     code_challenge_method: "S256"
   }).toString()}`;
@@ -901,36 +1170,79 @@ var login = async ({
       }
     }
   );
-  let targetStorage;
-  if (getLoginStorageMode() === "config") {
-    const { upgrade } = await inquirer__default.default.prompt([
-      {
-        type: "confirm",
-        name: "upgrade",
-        message: "Would you like to upgrade to system keychain storage? This is recommended to securely store your credentials. However, note that older SDK/CLI versions will NOT be able to read these credentials, so you will want to upgrade them to the latest version.",
-        default: true
-      }
-    ]);
-    targetStorage = upgrade ? "keychain" : "config";
-  } else {
-    targetStorage = "keychain";
-  }
+  log_default.info("Token exchange completed successfully");
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in
+  };
+}
+
+// src/utils/auth/client-credentials.ts
+var CREDENTIALS_SCOPES = ["external", "credentials"];
+async function createCredentialsOnServer(api2, name) {
+  const response = await api2.post(
+    "/api/v0/client-credentials",
+    { name, allowed_scopes: CREDENTIALS_SCOPES },
+    { authRequired: true, requiredScopes: ["credentials"] }
+  );
+  return {
+    clientId: response.data.client_id,
+    clientSecret: response.data.client_secret
+  };
+}
+async function deleteCredentialsOnServer(api2, clientId) {
+  await api2.delete(`/api/v0/client-credentials/${clientId}`, void 0, {
+    authRequired: true,
+    requiredScopes: ["credentials"]
+  });
+}
+async function setupClientCredentials({
+  api: api2,
+  name,
+  credentialsBaseUrl
+}) {
+  const { clientId, clientSecret } = await createCredentialsOnServer(api2, name);
   try {
-    await updateLogin(data, { storage: targetStorage });
-  } catch (err) {
-    if (targetStorage === "keychain") {
-      log_default.warn(
-        `Could not store credentials in system keychain. Storing in plaintext at ${getConfigPath()}.`
+    await withRetry({
+      action: () => storeClientCredentials({
+        name,
+        clientId,
+        clientSecret,
+        scopes: [...CREDENTIALS_SCOPES],
+        baseUrl: credentialsBaseUrl
+      })
+    });
+  } catch (storeErr) {
+    try {
+      await withRetry({
+        action: () => deleteCredentialsOnServer(api2, clientId)
+      });
+    } catch {
+      console.error(
+        `Failed to roll back orphaned credential ${clientId}. Delete it manually with: zapier-sdk delete-client-credentials ${clientId}`
       );
-      await updateLogin(data, { storage: "config" });
-    } else {
-      throw err;
     }
+    throw storeErr;
   }
-  log_default.info("Token exchange completed successfully");
-  return data.access_token;
-};
-var login_default = login;
+  return { clientId };
+}
+function getBaseUrlFromResolvedCredentials(credentials) {
+  if (credentials && zapierSdk.isCredentialsObject(credentials)) {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+function getBaseUrlFromOptionsCredentials(credentials) {
+  if (credentials && typeof credentials === "object" && "baseUrl" in credentials && typeof credentials.baseUrl === "string") {
+    return credentials.baseUrl;
+  }
+  return void 0;
+}
+async function resolveCredentialsBaseUrl(context) {
+  const resolvedCredentials = "resolvedCredentials" in context ? context.resolvedCredentials : await context.resolveCredentials?.();
+  return getBaseUrlFromResolvedCredentials(resolvedCredentials) ?? getBaseUrlFromOptionsCredentials(context.options?.credentials) ?? context.options?.baseUrl;
+}
 var LoginSchema = zod.z.object({
   timeout: zod.z.string().optional().describe("Login timeout in seconds (default: 300)")
 }).describe("Log in to Zapier to access your account");
@@ -947,6 +1259,105 @@ function toPkceCredentials(credentials) {
   }
   return void 0;
 }
+async function confirmRevokeAndRelogin(activeCredentials) {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: `You are already logged in as "${activeCredentials.name}".
+Logging out will delete these credentials and may interrupt other Zapier SDK or CLI sessions using them.
+Log out and log in again?`,
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmJwtMigration() {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "We're upgrading your login to client credentials for a simpler, more reliable experience and to support future security controls. Older Zapier SDK/CLI versions on this machine may stop working after the upgrade. Continue?",
+      default: true
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+async function confirmLocalLoginReset() {
+  const { confirmed } = await inquirer__default.default.prompt([
+    {
+      type: "confirm",
+      name: "confirmed",
+      message: "Login cleanup failed. Reset local session state and continue?",
+      default: false
+    }
+  ]);
+  if (!confirmed) {
+    console.log("Login cancelled.");
+    return false;
+  }
+  return true;
+}
+function parseTimeoutSeconds(timeout) {
+  const timeoutSeconds = timeout ? parseInt(timeout, 10) : 300;
+  if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
+    throw new Error("Timeout must be a positive number");
+  }
+  return timeoutSeconds;
+}
+async function promptCredentialsName(email, baseUrl) {
+  const { credentialName } = await inquirer__default.default.prompt([
+    {
+      type: "input",
+      name: "credentialName",
+      message: "Enter a name to identify them:",
+      default: `${email}@${os.hostname()}`,
+      validate: (input) => {
+        if (!input.trim()) return "Name cannot be empty";
+        if (credentialsNameExists({ name: input.trim(), baseUrl })) {
+          return `Credentials named "${input.trim()}" already exist. Please provide a different name.`;
+        }
+        return true;
+      }
+    }
+  ]);
+  return credentialName;
+}
+function emitLoginSuccess({
+  sdk,
+  profile
+}) {
+  sdk.context.eventEmission.emit(
+    "platform.sdk.ApplicationLifecycleEvent",
+    zapierSdk.buildApplicationLifecycleEvent(
+      { lifecycle_event_type: "login_success" },
+      {
+        customuser_id: profile.user_id,
+        account_id: profile.roles[0]?.account_id ?? null
+      }
+    )
+  );
+}
+async function getProfile(api2) {
+  return api2.get("/zapier/api/v4/profile/", {
+    authRequired: true
+  });
+}
+async function bestEffortClearLegacyJwtState() {
+  try {
+    await clearLegacyJwtState();
+  } catch (err) {
+    console.error("[login] Best-effort legacy JWT cleanup failed:", err);
+  }
+}
 var loginPlugin = zapierSdk.definePlugin(
   (sdk) => zapierSdk.createPluginMethod(sdk, {
     name: "login",
@@ -954,25 +1365,61 @@ var loginPlugin = zapierSdk.definePlugin(
     inputSchema: LoginSchema,
     supportsJsonOutput: false,
     handler: async ({ sdk: sdk2, options }) => {
-      const timeoutSeconds = options.timeout ? parseInt(options.timeout, 10) : 300;
-      if (isNaN(timeoutSeconds) || timeoutSeconds <= 0) {
-        throw new Error("Timeout must be a positive number");
-      }
+      const timeoutSeconds = parseTimeoutSeconds(options.timeout);
       const resolvedCredentials = await sdk2.context.resolveCredentials();
       const pkceCredentials = toPkceCredentials(resolvedCredentials);
-      await login_default({
+      const credentialsBaseUrl = await resolveCredentialsBaseUrl({
+        ...sdk2.context,
+        resolvedCredentials
+      });
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl
+      });
+      if (activeCredentials) {
+        if (!await confirmRevokeAndRelogin(activeCredentials)) return;
+        try {
+          await revokeCredentials({
+            api: sdk2.context.api,
+            credentials: activeCredentials
+          });
+        } catch {
+          if (!await confirmLocalLoginReset()) return;
+          await deleteStoredClientCredentials({
+            name: activeCredentials.name,
+            baseUrl: activeCredentials.baseUrl
+          });
+        }
+      } else if (hasLegacyJwtConfig()) {
+        if (!await confirmJwtMigration()) return;
+      }
+      const { accessToken } = await runOauthFlow({
         timeoutMs: timeoutSeconds * 1e3,
-        credentials: pkceCredentials
+        pkceCredentials,
+        baseUrl: credentialsBaseUrl
       });
-      const user = await getLoggedInUser();
-      sdk2.context.eventEmission.emit(
-        "platform.sdk.ApplicationLifecycleEvent",
-        zapierSdk.buildApplicationLifecycleEvent(
-          { lifecycle_event_type: "login_success" },
-          { customuser_id: user.customUserId, account_id: user.accountId }
-        )
+      const scopedApi = zapierSdk.getOrCreateApiClient({
+        credentials: accessToken,
+        baseUrl: credentialsBaseUrl
+      });
+      const profile = await getProfile(scopedApi);
+      console.log(`\u{1F464} Logged in as ${profile.email}`);
+      console.log(
+        "\nGenerating credentials so this machine can make authenticated requests on your behalf."
+      );
+      const credentialName = await promptCredentialsName(
+        profile.email,
+        credentialsBaseUrl
       );
-      console.log(`\u2705 Successfully logged in as ${user.email}`);
+      await setupClientCredentials({
+        api: scopedApi,
+        name: credentialName,
+        credentialsBaseUrl
+      });
+      await bestEffortClearLegacyJwtState();
+      console.log(
+        `\u2705 Credentials "${credentialName}" created and set as default. You are ready to use the Zapier SDK.`
+      );
+      emitLoginSuccess({ sdk: sdk2, profile });
     }
   })
 );
@@ -985,8 +1432,36 @@ var logoutPlugin = zapierSdk.definePlugin(
     categories: ["account"],
     inputSchema: LogoutSchema,
     supportsJsonOutput: false,
-    handler: async () => {
-      await logout();
+    handler: async ({ sdk: sdk2 }) => {
+      const credentialsBaseUrl = await resolveCredentialsBaseUrl(sdk2.context);
+      const activeCredentials = getActiveCredentials({
+        baseUrl: credentialsBaseUrl
+      });
+      const onEvent = sdk2.context.options?.onEvent;
+      if (!activeCredentials) {
+        await logout({ onEvent });
+        console.log("\u2705 Successfully logged out");
+        return;
+      }
+      const { confirmed } = await inquirer__default.default.prompt([
+        {
+          type: "confirm",
+          name: "confirmed",
+          message: `Logging out will delete credentials "${activeCredentials.name}".
+This may interrupt other Zapier SDK or CLI sessions using them.
+Do you want to continue?`,
+          default: true
+        }
+      ]);
+      if (!confirmed) {
+        console.log("Logout cancelled.");
+        return;
+      }
+      await revokeCredentials({
+        api: sdk2.context.api,
+        credentials: activeCredentials,
+        onEvent
+      });
       console.log("\u2705 Successfully logged out");
     }
   })
@@ -3486,7 +3961,7 @@ zapierSdk.definePlugin(
 // package.json with { type: 'json' }
 var package_default = {
   name: "@zapier/zapier-sdk-cli",
-  version: "0.47.0"};
+  version: "0.48.0"};
 
 // src/sdk.ts
 zapierSdk.injectCliLogin(login_exports);
@@ -3514,7 +3989,7 @@ function createZapierCliSdk(options = {}) {
 
 // package.json
 var package_default2 = {
-  version: "0.47.0"};
+  version: "0.48.0"};
 
 // src/telemetry/builders.ts
 function createCliBaseEvent(context = {}) {