How do you ensure the CLI can use the auth without knowing how to read it? It’s potentially a bearer token.