2 months ago
Description
Certain Railway CLI commands return Unauthorized. Please run railway login again. even though the session is valid and other commands (railway up, railway variables set, railway domain without arguments, railway logs, railway whoami) all succeed in the same session.
The two commands that consistently fail:
railway add --repo <repo>— adding a GitHub repo as a service sourcerailway domain <custom-domain>— adding a custom domain to a service
I dug through my railway settings and I'm definitely an admin, and definitely gave Railway CLI unconditional access to my stuff. I'm using Cursor as my IDE, and running most of these commands agentically.
Environment
- Railway CLI version:
4.35.0 - OS: macOS (darwin 24.6.0)
- Authenticated user confirmed via
railway whoami - Project context confirmed via
railway status(project, environment, and service all set)
Steps to reproduce
# Confirm session is valid
$ railway whoami
Logged in as 👋
# Confirm project context is set
$ railway status
Project:
Environment: production
Service:
# These work fine:
$ railway up # deploys successfully
$ railway variables set FOO=bar # sets variable
$ railway domain # generates railway subdomain
$ railway logs # streams logs
# These fail:
$ railway add --repo / --service
Unauthorized. Please run railway login again.
$ railway domain mycustomdomain.com
Unauthorized. Please run railway login again.
Re-running railway login does not resolve the issue ----- both commands fail again immediately after re-authenticating.
Expected behavior
Both commands should succeed using the same authenticated session that railway up, railway variables, and other commands use.
Notes
It appears add --repo and domain <custom> may hit a different API endpoint or require a different OAuth scope than other CLI commands. The token has sufficient permissions for deployment and variable management but not for GitHub repo linking or custom domain attachment.
1 Replies
Status changed to Awaiting Railway Response Railway • about 2 months ago
Status changed to Open Railway • about 2 months ago
2 months ago
Hello, I have gotten your point here you are likely running with a RAILWAY_TOKEN project token not which is very different from OAUTH token.
When railway CLI runs inside cursor its often picks up a RAILWAY_TOKEN environment varibale scoped specifically with the project level.
One thing you need to note is that proejct tokens are intentionally limitied, yes they can deploy, stream logs and manage varibales but they cannot:
- link Github repositories becasue this requires user-level GITHUB Oauth Scope.
- Attach custom domains,, requires user level account permissions.
thats why RAILWAY_WHOAMI succeeds becasue yes the token is valid but the other two commands are hitting RAILWAY USER-SCOPED API not PROJECT API so they are failing.
Fix:
echo $RAILWAY_TOKEN
if the command retunrs a token then Unset it via
unset RAILWAY_TOKEN
then re-authenticate with a full browser login outside of cursor agent. Do not do inisde the cursor terminal but directly in your terminal.
railway login
that will open a full browser or if you do now atn to open browser you can run
railway login --browserless
and confirm the character if they match.
after that then both commands will work now,,, also ensure railway is istalled in github apps.