feat(auth): add multi-org login

Author: steipete

CHANGELOG.md

@@ -1,19 +1,20 @@
 # Changelog
 
-## Unreleased
+## 0.9.0 - 2026-01-22
+
+### Highlights
+
+- Auth: multi-org login with per-client OAuth credentials + token isolation. (#96)
 
 ### Added
 
-- Chat: spaces, messages, threads, and DM commands (Workspace only). (#84) — thanks @salmonumbrella.
-- People: profile lookup, directory search, and relations commands. (#84) — thanks @salmonumbrella.
 - Calendar: show event timezone and local times; add --weekday output. (#92) — thanks @salmonumbrella.
 - Gmail: show thread message count in search output. (#99) — thanks @jeanregisser.
 - Gmail: message-level search with optional body decoding. (#88) — thanks @mbelinky.
 
 ### Fixed
 
 - Auth: fix Gmail search example in auth success template. (#89) — thanks @rvben.
-- Chat: normalize thread IDs and show a clearer error for consumer accounts. (#84)
 - CLI: remove redundant newlines in text output for calendar, chat, Gmail, and groups commands. (#91) — thanks @salmonumbrella.
 - Gmail: include primary account display name in send From header when available. (#93) — thanks @salmonumbrella.
 - Keyring: persist OAuth tokens across Homebrew upgrades. (#94) — thanks @salmonumbrella.
@@ -22,6 +23,17 @@
 - Calendar: force custom reminders payload to send UseDefault=false. (#100) — thanks @salmonumbrella.
 - Gmail: add read alias + default thread get. (#103) — thanks @salmonumbrella.
 
+## 0.8.0 - 2026-01-19
+
+### Added
+
+- Chat: spaces, messages, threads, and DM commands (Workspace only). (#84) — thanks @salmonumbrella.
+- People: profile lookup, directory search, and relations commands. (#84) — thanks @salmonumbrella.
+
+### Fixed
+
+- Chat: normalize thread IDs and show a clearer error for consumer accounts. (#84)
+
 ## 0.7.0 - 2026-01-17
 
 ### Highlights

README.md

@@ -88,6 +88,13 @@ Before adding an account, create OAuth2 credentials from Google Cloud Console:
 gog auth credentials ~/Downloads/client_secret_....json
 ```
 
+For multiple OAuth clients/projects:
+
+```bash
+gog --client work auth credentials ~/Downloads/work-client.json
+gog auth credentials list
+```
+
 ### 3. Authorize Your Account
 
 ```bash
@@ -109,7 +116,7 @@ gog gmail labels list
 
 `gog` stores your OAuth refresh tokens in a “keyring” backend. Default is `auto` (best available backend for your OS/environment).
 
-Before you can run `gog auth add`, you must store OAuth client credentials once via `gog auth credentials <credentials.json>` (download a Desktop app OAuth client JSON from the Cloud Console).
+Before you can run `gog auth add`, you must store OAuth client credentials once via `gog auth credentials <credentials.json>` (download a Desktop app OAuth client JSON from the Cloud Console). For multiple clients, use `gog --client <name> auth credentials ...`; tokens are isolated per client.
 
 List accounts:
 
@@ -131,6 +138,52 @@ Show current auth state/services for the active account:
 gog auth status
 ```
 
+### Multiple OAuth clients
+
+Use `--client` (or `GOG_CLIENT`) to select a named OAuth client:
+
+```bash
+gog --client work auth credentials ~/Downloads/work.json
+gog --client work auth add [email protected]
+```
+
+Optional domain mapping for auto-selection:
+
+```bash
+gog --client work auth credentials ~/Downloads/work.json --domain example.com
+```
+
+How it works:
+
+- Default client is `default` (stored in `credentials.json`).
+- Named clients are stored as `credentials-<client>.json`.
+- Tokens are isolated per client (`token:<client>:<email>`); defaults are per client too.
+
+Client selection order (when `--client` is not set):
+
+1) `--client` / `GOG_CLIENT`
+2) `account_clients` config (email -> client)
+3) `client_domains` config (domain -> client)
+4) Credentials file named after the email domain (`credentials-example.com.json`)
+5) `default`
+
+Config example (JSON5):
+
+```json5
+{
+  account_clients: { "[email protected]": "work" },
+  client_domains: { "example.com": "work" },
+}
+```
+
+List stored credentials:
+
+```bash
+gog auth credentials list
+```
+
+See `docs/auth-clients.md` for the full client selection and mapping rules.
+
 ### Keyring backend: Keychain vs encrypted file
 
 Backends:
@@ -317,6 +370,7 @@ gog keep get <noteId> --account [email protected]
 ### Environment Variables
 
 - `GOG_ACCOUNT` - Default account email or alias to use (avoids repeating `--account`; otherwise uses keyring default or a single stored token)
+- `GOG_CLIENT` - OAuth client name (selects stored credentials + token bucket)
 - `GOG_JSON` - Default JSON output
 - `GOG_PLAIN` - Default plain output
 - `GOG_COLOR` - Color mode: `auto` (default), `always`, or `never`
@@ -346,6 +400,14 @@ Example (JSON5 supports comments and trailing commas):
     work: "[email protected]",
     personal: "[email protected]",
   },
+  // Optional per-account OAuth client selection
+  account_clients: {
+    "[email protected]": "work",
+  },
+  // Optional domain -> client mapping
+  client_domains: {
+    "example.com": "work",
+  },
 }
 ```
 
@@ -423,6 +485,8 @@ Flag aliases:
 
 ```bash
 gog auth credentials <path>           # Store OAuth client credentials
+gog auth credentials list             # List stored OAuth client credentials
+gog --client work auth credentials <path>  # Store named OAuth client credentials
 gog auth add <email>                  # Authorize and store refresh token
 gog auth service-account set <email> --key <path>  # Configure service account impersonation (Workspace only)
 gog auth service-account status <email>            # Show service account status
@@ -1247,6 +1311,7 @@ Opt-in tests that hit real Google APIs using your stored `gog` credentials/token
 ```bash
 # Optional: override which account to use
 export [email protected]
+export GOG_CLIENT=work
 go test -tags=integration ./...
 ```
 
@@ -1259,11 +1324,13 @@ Fast end-to-end smoke checks against live APIs:
 ```bash
 scripts/live-test.sh --fast
 scripts/live-test.sh --account [email protected] --skip groups,keep,calendar-enterprise
+scripts/live-test.sh --client work --account [email protected]
 ```
 
 Script toggles:
 
 - `--auth all,groups` to re-auth before running
+- `--client <name>` to select OAuth client credentials
 - `--strict` to fail on optional features (groups/keep/enterprise)
 - `--allow-nontest` to override the test-account guardrail
 

docs/auth-clients.md

@@ -0,0 +1,66 @@
+# OAuth Clients
+
+Use multiple OAuth client credentials (for different Google Cloud projects or brands) without mixing refresh tokens.
+
+## How it works
+
+- Default client name: `default`
+- Default credentials file: `$(os.UserConfigDir())/gogcli/credentials.json`
+- Named credentials files: `$(os.UserConfigDir())/gogcli/credentials-<client>.json`
+- Tokens are stored per client (`token:<client>:<email>`). Default client also writes legacy keys for backwards compatibility.
+- Default account is stored per client, with a legacy global fallback for the default client.
+
+## Selecting a client
+
+Use `--client` (or `GOG_CLIENT`) to pick which credentials + token bucket to use:
+
+```
+gog --client work auth credentials ~/Downloads/work-client.json
+gog --client work auth add [email protected]
+gog --client work gmail search "is:unread"
+```
+
+When `--client` is not set, `gog` resolves the client in this order:
+
+1) `--client` / `GOG_CLIENT` override
+2) `account_clients` map in config
+3) `client_domains` map in config
+4) Credentials file named after the email domain (e.g. `credentials-example.com.json`)
+5) `default`
+
+## Domain auto-map
+
+To auto-select a client for a domain:
+
+```
+gog --client work auth credentials ~/Downloads/work.json --domain example.com
+```
+
+This writes `client_domains` into `config.json` so any `@example.com` account selects the `work` client.
+
+## Listing stored credentials
+
+```
+gog auth credentials list
+```
+
+Shows stored credential files plus any configured domain mappings.
+
+## Config example
+
+```
+{
+  keyring_backend: "auto",
+  account_clients: {
+    "[email protected]": "work",
+  },
+  client_domains: {
+    "example.com": "work",
+  },
+}
+```
+
+## Migration notes
+
+- Legacy `token:<email>` entries are copied to `token:default:<email>` the first time they are read.
+- Legacy `default_account` is still respected for the default client.

docs/spec.md

@@ -65,10 +65,13 @@ Implementation: `internal/ui/ui.go`.
 ### OAuth client credentials (non-secret-ish)
 
 - Stored on disk in the per-user config directory:
-  - `$(os.UserConfigDir())/gogcli/credentials.json`
+  - `$(os.UserConfigDir())/gogcli/credentials.json` (default client)
+  - `$(os.UserConfigDir())/gogcli/credentials-<client>.json` (named clients)
 - Written with mode `0600`.
 - Command:
   - `gog auth credentials <credentials.json>`
+  - `gog --client <name> auth credentials <credentials.json>`
+  - `gog auth credentials list`
 - Supports Google’s downloaded JSON format:
   - `installed.client_id/client_secret` or `web.client_id/client_secret`
 
@@ -78,7 +81,8 @@ Implementation: `internal/config/*`.
 
 - Stored in OS credential store via `github.com/99designs/keyring`.
 - Key namespace is `gogcli` (keyring `ServiceName`).
-- Key format: `token:<email>`
+- Key format: `token:<client>:<email>` (default client uses `token:default:<email>`)
+- Legacy key format: `token:<email>` (migrated on first read)
 - Stored payload is JSON (refresh token + metadata like selected services/scopes).
 - Fallback: if no OS credential store is available, keyring may use its encrypted "file" backend:
   - Directory: `$(os.UserConfigDir())/gogcli/keyring/` (one file per key)
@@ -111,7 +115,8 @@ Scope selection note:
 - Base config dir: `$(os.UserConfigDir())/gogcli/`
 - Files:
   - `config.json` (JSON5; comments and trailing commas allowed)
-  - `credentials.json` (OAuth client id/secret)
+  - `credentials.json` (OAuth client id/secret; default client)
+  - `credentials-<client>.json` (OAuth client id/secret; named clients)
 - State:
   - `state/gmail-watch/<account>.json` (Gmail watch state)
 - Secrets:
@@ -122,13 +127,15 @@ We intentionally avoid storing refresh tokens in plain JSON on disk.
 Environment:
 
 - `[email protected]` (email or alias; used when `--account` is not set; otherwise uses keyring default or a single stored token)
+- `GOG_CLIENT=work` (select OAuth client bucket; see `--client`)
 - `GOG_KEYRING_PASSWORD=...` (used when keyring falls back to encrypted file backend in non-interactive environments)
 - `GOG_KEYRING_BACKEND={auto|keychain|file}` (force backend; use `file` to avoid Keychain prompts and pair with `GOG_KEYRING_PASSWORD` for non-interactive)
 - `GOG_TIMEZONE=America/New_York` (default output timezone; IANA name or `UTC`; `local` forces local timezone)
 - `GOG_ENABLE_COMMANDS=calendar,tasks` (optional allowlist of top-level commands)
 - `config.json` can also set `keyring_backend` (JSON5; env vars take precedence)
 - `config.json` can also set `default_timezone` (IANA name or `UTC`)
 - `config.json` can also set `account_aliases` for `gog auth alias` (JSON5)
+- `config.json` can also set `account_clients` (email -> client) and `client_domains` (domain -> client)
 
 Flag aliases:
 - `--out` also accepts `--output`.
@@ -139,6 +146,8 @@ Flag aliases:
 ### Implemented
 
 - `gog auth credentials <credentials.json|->`
+- `gog auth credentials list`
+- `gog --client <name> auth credentials <credentials.json|->`
 - `gog auth add <email> [--services user|all|gmail,calendar,classroom,drive,docs,contacts,tasks,sheets,people,groups] [--readonly] [--drive-scope full|readonly|file] [--manual] [--force-consent]`
 - `gog auth services [--markdown]`
 - `gog auth keep <email> --key <service-account.json>` (Google Keep; Workspace only)
@@ -297,6 +306,8 @@ Flag aliases:
 
 - `gog auth …`
   - `gog auth credentials <credentials.json>`
+  - `gog auth credentials list`
+  - `gog --client <name> auth credentials <credentials.json>`
 - `gog gmail …`
 - `gog chat …`
 - `gog calendar …`
@@ -400,10 +411,11 @@ Commands:
 There is an opt-in integration test suite guarded by build tags (not run in CI).
 
 - Requires:
-  - stored `credentials.json` via `gog auth credentials ...`
+  - stored `credentials.json` (or `credentials-<client>.json`) via `gog auth credentials ...`
   - refresh token in keyring via `gog auth add <email>`
 - Run:
   - `[email protected] go test -tags=integration ./internal/integration`
+  - optional: `GOG_CLIENT=work` to select a non-default OAuth client
 
 ## CI (GitHub Actions)
 

internal/authclient/authclient.go

@@ -0,0 +1,63 @@
+package authclient
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/steipete/gogcli/internal/config"
+)
+
+type contextKey struct{}
+
+func WithClient(ctx context.Context, client string) context.Context {
+	client = strings.TrimSpace(client)
+	if client == "" {
+		return ctx
+	}
+
+	return context.WithValue(ctx, contextKey{}, client)
+}
+
+func ClientOverrideFromContext(ctx context.Context) string {
+	if ctx == nil {
+		return ""
+	}
+
+	if v := ctx.Value(contextKey{}); v != nil {
+		if s, ok := v.(string); ok {
+			return s
+		}
+	}
+
+	return ""
+}
+
+func ResolveClient(ctx context.Context, email string) (string, error) {
+	cfg, err := config.ReadConfig()
+	if err != nil {
+		return "", fmt.Errorf("read config: %w", err)
+	}
+	override := ClientOverrideFromContext(ctx)
+
+	client, err := config.ResolveClientForAccount(cfg, email, override)
+	if err != nil {
+		return "", fmt.Errorf("resolve client: %w", err)
+	}
+
+	return client, nil
+}
+
+func ResolveClientWithOverride(email string, override string) (string, error) {
+	cfg, err := config.ReadConfig()
+	if err != nil {
+		return "", fmt.Errorf("read config: %w", err)
+	}
+
+	client, err := config.ResolveClientForAccount(cfg, email, override)
+	if err != nil {
+		return "", fmt.Errorf("resolve client: %w", err)
+	}
+
+	return client, nil
+}