User token in command line tool

Çağlar Arlı

I'm trying to build a cli tool for an application that provides a web-based API. The use-case is to allow performing common tasks through a command-line client, and perform quick admin actions from a cli without having to gnaw at the gui to the one setting you want to change.

This, however, requires that the (admin) user logs in to the API using their (admin) credentials, which then responds with a user token that is required for accessing the other endpoints. Natch, this token needs to be kept safe; however, only using the token once and requiring the user to type in their passwords each time defeats the purpose of the quick-and-dirty admin access to the system from the terminal.

Thusly, I'd like to store this token for the user, but I have no idea how to do it securely. I could just write it in a file in the user's home and hope nobody yanks it from there, but that doesn't really feel like a secure option. (The app is used on Windows, with a shared Windows user among the staff: the PC is turned on, and someone just sits there to do a thing, logs in to the app, does the thing, (hopefully) logs out and leaves.) Or is it enough, as it is equivalent to just not logging out from the desktop gui, and I'm just being paranoid? My main concern is that it is easier for a user to "forget" that you logged into a cli than it is with a desktop client, since a gui is completely in your face, but the fact that you are logged in to a cli tool is totally invisible.

The question is, is there standard practice for this? I know cloud platforms' cli tools (az, gcloud, oci, etc.) allow for something like this, but I'm not exactly keen on source-code diving just to find out how they store a token, unless there is no other way to figure it out.
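
One way to bound the "forgot I was logged in to the cli" risk described above, shown as an added example that is not part of the original post: a small on-disk token cache that deletes the token after an idle period or an absolute lifetime and fails closed on a damaged file. The class name `TokenCache`, the cache path, and both time limits are assumptions chosen for illustration.

```python
import json
import os
import time
from pathlib import Path

class TokenCache:
    """Cache an API token on disk, discarding it after idle or absolute expiry."""

    def __init__(self, path, idle_limit=15 * 60, max_age=8 * 60 * 60, clock=time.time):
        # path and both limits (seconds) are assumptions; tune them to the deployment.
        self.path = Path(path)
        self.idle_limit = idle_limit
        self.max_age = max_age
        self.clock = clock

    def _write(self, record):
        # Create owner-only (0600 on POSIX; Windows largely ignores these bits),
        # then replace atomically so a crash never leaves a half-written token.
        tmp = self.path.with_name(self.path.name + ".tmp")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as handle:
            json.dump(record, handle)
        os.replace(tmp, self.path)

    def login(self, token):
        now = self.clock()
        self._write({"token": token, "issued": now, "last_used": now})

    def logout(self):
        # A real client would also ask the API to revoke the token, if it can.
        self.path.unlink(missing_ok=True)

    def get(self):
        """Return the token, or None when the user must authenticate again."""
        try:
            record = json.loads(self.path.read_text())
            issued, last = float(record["issued"]), float(record["last_used"])
            token = record["token"]
        except (OSError, ValueError, KeyError, TypeError):
            self.logout()  # missing or corrupt cache: fail closed
            return None
        now = self.clock()
        if now - last > self.idle_limit or now - issued > self.max_age:
            self.logout()  # stale session: delete it instead of reusing it
            return None
        record["last_used"] = now  # sliding idle window
        self._write(record)
        return token
```

With a Windows account shared among staff, file permissions do not separate one person from the next, so the expiry is what limits how long a forgotten login stays usable. Client-side expiry only controls what is left on the PC; the API should enforce its own token lifetime as well.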