a month ago
Environment
- Railway CLI version: 4.42.1
- OS: macOS (Darwin 25.4.0, Apple Silicon)
- Shell: zsh
- Installed via: Homebrew
What I'm trying to do
I have a Neo4j Community Edition service deployed using the neo4j:5.26-community Docker image. I want to create a
local port-forward tunnel to bolt port 7687 so I can load data from my local machine into the Railway-hosted Neo4j
over the private network.
The problem
railway login succeeds (browser opens, authentication completes, CLI confirms login) but any subsequent railway ssh
command immediately returns Unauthorized. Please run railway login again. Re-running railway login produces the same
loop — the session does not persist across commands.
Notably, railway link works fine in the same session, so the token is partially functional. Only railway ssh and
railway ssh keys add fail.
Reproduction steps
% railway login
Logged in as [user]
% railway link
# Successfully linked to project
% railway ssh --service neo4j --native -- -L 7687:localhost:7687 -N
Unauthorized. Please run railway login again.
Setting RAILWAY_TOKEN explicitly with a valid personal API token (scoped to personal projects) produces the same
result.
Questions
1. Is this a known auth persistence issue on macOS with CLI 4.42.1? Is there a workaround?
2. Does railway ssh support Docker-image-based services? Or is it limited to repo-deployed services? If the latter, is
there an officially supported way to establish a TCP tunnel to a private service from a local machine?
3 Replies
a month ago
Ouch, this seems like an open bug https://github.com/railwayapp/cli/issues/657
Status changed to Awaiting Railway Response Railway • 26 days ago
Status changed to Open Railway • 25 days ago
2 days ago
Yes, this is a known issue with railway ssh on macOS — the auth token stored during railway login uses the macOS Keychain but railway ssh (which uses a separate SSH auth flow) doesn't always read it correctly, causing the "Unauthorized" loop even though the token is valid for other commands like railway link.
Workarounds while the CLI bug is open:
1. Use RAILWAY_TOKEN environment variable explicitly in the same command
RAILWAY_TOKEN=your_token railway ssh --service neo4j -- -L 7687:localhost:7687 -N
Get your token from Railway Dashboard → Account → Tokens. Make sure to use a token with full scope (not a scoped read-only token).
2. For the port-forward use case specifically — use railway tunnel instead
Railway has a tunnel command that may work better for your use case:
railway tunnel --service neo4j 7687
This creates a local tunnel to the service port without going through SSH.
3. Docker-image-based services and railway ssh
To answer your second question: railway ssh does work with Docker-image-based services, but the service container must have a shell (sh or bash) available. The neo4j:5.26-community image does include bash, so that should not be the issue — it is purely the auth token persistence bug.
4. Alternative: Use Railway's TCP proxy for persistent port-forward
For loading data into Neo4j, you can also expose the Bolt port via a Railway TCP proxy instead of SSH tunneling:
- Go to your Neo4j service → Settings → Networking → Add TCP Proxy
- This gives you a public host:port to connect to directly with bolt:// from your local machine
This is likely the most reliable approach for your data loading use case.
2 days ago
Railway’s current SSH docs make one important distinction here: SSH key management is not supported with project tokens (RAILWAY_TOKEN). For SSH you need either an interactive railway login session or an account/workspace scoped RAILWAY_API_TOKEN.
So I would first make sure no project token is shadowing the browser login session:
unset RAILWAY_TOKEN
unset RAILWAY_API_TOKEN
railway logout
railway login
railway whoami
railway ssh keys list
Then try SSH again using the copied command from the Railway dashboard.
If you want token-based auth instead of browser login, use RAILWAY_API_TOKEN, not RAILWAY_TOKEN.
Also, if the project is under a workspace, compare personal vs workspace keys:
railway ssh keys list
railway ssh keys list --workspace <workspace-id>
Railway docs say workspace-scoped RAILWAY_API_TOKEN operates on workspace keys automatically, while project tokens do not support SSH key management.
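Added example, not part of any reply above and not Railway's own tooling: a preflight check for the token distinction described in the last reply, wrapped around the port-forward command from the original post. The function names and the RAILWAY_BIN override are hypothetical; treating a set RAILWAY_TOKEN as the one in effect when both variables are set, and pinning the local bind address to 127.0.0.1, are assumptions made here.

```shell
#!/bin/sh
# Added example: classify the auth environment before running `railway ssh`.
# Only tests whether the variables are set; token values are never printed.

# Prints one of: project-token | api-token | interactive
railway_ssh_auth_mode() {
    if [ -n "${RAILWAY_TOKEN:-}" ]; then
        # Assumption: a set project token shadows every other credential.
        echo "project-token"
    elif [ -n "${RAILWAY_API_TOKEN:-}" ]; then
        echo "api-token"
    else
        echo "interactive"
    fi
}

# Returns 0 when the environment matches what the reply says SSH needs.
railway_ssh_preflight() {
    mode=$(railway_ssh_auth_mode)
    case "$mode" in
        project-token)
            echo "RAILWAY_TOKEN is set: project tokens do not support SSH key management." >&2
            echo "unset RAILWAY_TOKEN, then use 'railway login' or RAILWAY_API_TOKEN." >&2
            return 1 ;;
        api-token)
            echo "Using RAILWAY_API_TOKEN (account/workspace scoped)." >&2
            return 0 ;;
        *)
            echo "No token variables set: relying on the 'railway login' session." >&2
            return 0 ;;
    esac
}

# Usage: railway_forward <service> <port>
# Runs the port-forward from the original post only if the preflight passes.
# The forward is bound to loopback so the port is not offered to the LAN.
railway_forward() {
    railway_ssh_preflight || return 1
    "${RAILWAY_BIN:-railway}" ssh --service "$1" --native -- \
        -L "127.0.0.1:$2:localhost:$2" -N
}
```

Source the file and run `railway_forward neo4j 7687`; a non-zero exit before any network activity means a project token is still exported in the shell.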
