hexpm · maennchen · Jun 16, 2026 · Jun 16, 2026
diff --git a/src/hex_cli_auth.erl b/src/hex_cli_auth.erl
@@ -234,6 +234,9 @@ with_api(Permission, BaseConfig, Fun, Opts) ->
         {error, no_auth} ->
             %% auth_inline is false, just return error
             {error, {auth_error, no_credentials}};
+        {error, {auth_error, token_refresh_failed}} when Optional =:= true ->
+            %% Token refresh failed but auth is optional, fall back to no credentials
+            execute_optional_with_retry(BaseConfig, Fun, Opts);
         {error, _} = Error ->
             Error
     end.

diff --git a/test/hex_cli_auth_SUITE.erl b/test/hex_cli_auth_SUITE.erl
@@ -60,6 +60,7 @@ all() ->
 
         %% with_api tests - wrapper behavior
         with_api_optional_test,
+        with_api_optional_token_refresh_failed_test,
         with_api_auth_inline_test,
         with_api_device_auth_test,
 
@@ -731,6 +732,28 @@ with_api_optional_test(_Config) ->
     ?assertEqual(undefined, Result),
     ok.
 
+with_api_optional_token_refresh_failed_test(_Config) ->
+    %% When resolve_api_auth fails with token_refresh_failed and optional is true,
+    %% fall back to executing the request without credentials.
+    Now = erlang:system_time(second),
+    Config = config_with_callbacks(#{
+        oauth_tokens =>
+            {ok, #{
+                access_token => <<"expired_token">>,
+                %% Expired with no refresh_token => token_refresh_failed immediately
+                expires_at => Now - 100
+            }}
+    }),
+
+    Result = hex_cli_auth:with_api(
+        read,
+        Config,
+        fun(Cfg) -> maps:get(api_key, Cfg, undefined) end,
+        [{optional, true}]
+    ),
+    ?assertEqual(undefined, Result),
+    ok.
+
 with_api_auth_inline_test(_Config) ->
     %% Test auth_inline => false returns error instead of prompting
     Config = config_with_callbacks(#{oauth_tokens => error}),