coder · EhabY · Jun 16, 2026 · Jun 17, 2026 · Jun 18, 2026 · Jun 23, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,9 @@
 
 ### Added
 
+- New `coder.globalConfig` setting to override the Coder CLI `--global-config`
+  directory, with `CODER_CONFIG_DIR` fallback, so file-backed CLI login/auth can
+  be shared with the VS Code extension when keyring auth is not active.
 - New **Shared Workspaces** view in the Coder sidebar that lists workspaces
   other users have shared with you, with search and refresh actions, so you
   can find and open them just like your own.

diff --git a/package.json b/package.json
@@ -181,8 +181,14 @@
 					],
 					"scope": "machine"
 				},
+				"coder.globalConfig": {
+					"markdownDescription": "Path to the global Coder CLI config directory passed with `--global-config`. Defaults to `CODER_CONFIG_DIR` if not set, otherwise the extension's per-deployment global storage directory. Set this to a shared CLI config directory such as `~/.config/coderv2` to share login/auth with the Coder CLI. Ignored when `#coder.useKeyring#` is active and supported.\n\nSupports `${env:VAR}`, `${userHome}`, and a leading `~`.",
+					"type": "string",
+					"default": "",
+					"scope": "machine"
+				},
 				"coder.globalFlags": {
-					"markdownDescription": "Global flags to pass to every Coder CLI invocation. Enter each flag as a separate array item, in order. Do **not** include the `coder` command itself. See the [CLI reference](https://coder.com/docs/reference/cli) for available global flags.\n\nSupports `${env:VAR}`, `${userHome}`, and a leading `~`. For `--flag=value` items the expansion applies to the value half, so `--cfg=~/coder` works.\n\nFor `--header-command`, precedence is: `#coder.headerCommand#` setting, then `CODER_HEADER_COMMAND` environment variable, then the value specified here. The `--global-config` and `--use-keyring` flags are silently ignored as the extension manages them via `#coder.useKeyring#`.",
+					"markdownDescription": "Global flags to pass to every Coder CLI invocation. Enter each flag as a separate array item, in order. Do **not** include the `coder` command itself. See the [CLI reference](https://coder.com/docs/reference/cli) for available global flags.\n\nSupports `${env:VAR}`, `${userHome}`, and a leading `~`. For `--flag=value` items the expansion applies to the value half, so `--cfg=~/coder` works.\n\nFor `--header-command`, precedence is: `#coder.headerCommand#` setting, then `CODER_HEADER_COMMAND` environment variable, then the value specified here. The `--global-config` and `--use-keyring` flags are silently ignored; use `#coder.globalConfig#` and `#coder.useKeyring#` instead.",
 					"type": "array",
 					"items": {
 						"type": "string"

diff --git a/src/api/authInterceptor.ts b/src/api/authInterceptor.ts
@@ -2,7 +2,7 @@ import { type AxiosError, isAxiosError } from "axios";
 
 import { AuthTelemetry } from "../instrumentation/auth";
 import { OAuthError } from "../oauth/errors";
-import { toSafeHost } from "../util";
+import { toSafeHost } from "../util/uri";
 
 import type * as vscode from "vscode";
 

diff --git a/src/commands.ts b/src/commands.ts
@@ -46,7 +46,8 @@ import {
 import { resolveCliAuth } from "./settings/cli";
 import { appendVsCodeLogs } from "./supportBundle/appendVsCodeLogs";
 import { runExportTelemetryCommand } from "./telemetry/export/command";
-import { openInBrowser, toRemoteAuthority, toSafeHost } from "./util";
+import { toRemoteAuthority } from "./util/authority";
+import { openInBrowser, toSafeHost } from "./util/uri";
 import { vscodeProposed } from "./vscodeProposed";
 import { parseSpeedtestResult } from "./webviews/speedtest/types";
 import {

diff --git a/src/core/cliCredentialManager.ts b/src/core/cliCredentialManager.ts
@@ -6,7 +6,7 @@ import { promisify } from "node:util";
 import * as semver from "semver";
 
 import { isAbortError } from "../error/errorUtils";
-import { featureSetForVersion } from "../featureSet";
+import { featureSetForVersion, type FeatureSet } from "../featureSet";
 import {
 	CredentialCliError,
 	CredentialFileError,
@@ -15,8 +15,8 @@ import {
 import { isKeyringEnabled } from "../settings/cli";
 import { getHeaderArgs } from "../settings/headers";
 import { type TelemetryReporter } from "../telemetry/reporter";
-import { toSafeHost } from "../util";
 import { writeAtomically } from "../util/fs";
+import { normalizeUrl, toSafeHost } from "../util/uri";
 
 import { version } from "./cliExec";
 
@@ -30,6 +30,15 @@ import type { PathResolver } from "./pathResolver";
 const execFileAsync = promisify(execFile);
 
 type KeyringFeature = "keyringAuth" | "keyringTokenRead";
+type TokenReadSource =
+	| { mode: "files" }
+	| { mode: "keyring"; binPath: string }
+	| { mode: "none" };
+
+export interface CliCredential {
+	token: string;
+	source: "keyring" | "files";
+}
 
 const EXEC_TIMEOUT_MS = 60_000;
 const EXEC_LOG_INTERVAL_MS = 5_000;
@@ -122,37 +131,46 @@ export class CliCredentialManager {
 	}
 
 	/**
-	 * Read a token via `coder login token --url`. Returns trimmed stdout,
-	 * or undefined on any failure (resolver, CLI, empty output).
-	 * Throws AbortError when the signal is aborted.
+	 * Read a token from CLI-managed credentials. Uses `coder login token --url`
+	 * when keyring auth is active, otherwise reads the file credentials under
+	 * --global-config. Returns the token and the source it came from, or
+	 * undefined on any failure (resolver, CLI, empty output). Throws AbortError
+	 * when the signal is aborted.
 	 */
 	public async readToken(
 		url: string,
 		configs: Pick<WorkspaceConfiguration, "get">,
 		options?: { signal?: AbortSignal },
-	): Promise<string | undefined> {
-		let binPath: string | undefined;
-		try {
-			binPath = await this.resolveKeyringBinary(
-				url,
-				configs,
-				"keyringTokenRead",
-			);
-		} catch (error) {
-			this.logger.warn("Could not resolve CLI binary for token read:", error);
-			return undefined;
+	): Promise<CliCredential | undefined> {
+		const source = await this.resolveTokenReadSource(url, configs);
+		if (source.mode === "files") {
+			const token = await this.readCredentialFiles(url);
+			return token ? { token, source: "files" } : undefined;
 		}
-		if (!binPath) {
+		if (source.mode === "none") {
 			return undefined;
 		}
+		const token = await this.readKeyringToken(
+			source.binPath,
+			url,
+			configs,
+			options,
+		);
+		return token ? { token, source: "keyring" } : undefined;
+	}
 
+	private async readKeyringToken(
+		binPath: string,
+		url: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+		options?: { signal?: AbortSignal },
+	): Promise<string | undefined> {
 		const args = [...getHeaderArgs(configs), "login", "token", "--url", url];
 		try {
 			const { stdout } = await this.execWithTimeout(binPath, args, {
 				signal: options?.signal,
 			});
-			const token = stdout.trim();
-			return token || undefined;
+			return nonEmpty(stdout);
 		} catch (error) {
 			if (isAbortError(error)) {
 				throw error;
@@ -200,8 +218,33 @@ export class CliCredentialManager {
 			return undefined;
 		}
 		const binPath = await this.resolveBinary(url);
-		const cliVersion = semver.parse(await version(binPath));
-		return featureSetForVersion(cliVersion)[feature] ? binPath : undefined;
+		return (await this.getFeatureSet(binPath))[feature] ? binPath : undefined;
+	}
+
+	private async resolveTokenReadSource(
+		url: string,
+		configs: Pick<WorkspaceConfiguration, "get">,
+	): Promise<TokenReadSource> {
+		if (!isKeyringEnabled(configs)) {
+			return { mode: "files" };
+		}
+		try {
+			const binPath = await this.resolveBinary(url);
+			const featureSet = await this.getFeatureSet(binPath);
+			if (!featureSet.keyringAuth) {
+				return { mode: "files" };
+			}
+			return featureSet.keyringTokenRead
+				? { mode: "keyring", binPath }
+				: { mode: "none" };
+		} catch (error) {
+			this.logger.warn("Could not resolve CLI binary for token read:", error);
+			return { mode: "none" };
+		}
+	}
+
+	private async getFeatureSet(binPath: string): Promise<FeatureSet> {
+		return featureSetForVersion(semver.parse(await version(binPath)));
 	}
 
 	/**
@@ -248,6 +291,34 @@ export class CliCredentialManager {
 		}
 	}
 
+	/**
+	 * Read URL and token files under --global-config.
+	 */
+	private async readCredentialFiles(url: string): Promise<string | undefined> {
+		try {
+			const files = await this.readCredentialFilePair(url);
+			return sameNormalizedUrl(files.url, url)
+				? nonEmpty(files.token)
+				: undefined;
+		} catch (error) {
+			if ((error as NodeJS.ErrnoException)?.code !== "ENOENT") {
+				this.logger.warn("Failed to read credential files:", error);
+			}
+			return undefined;
+		}
+	}
+
+	private async readCredentialFilePair(
+		url: string,
+	): Promise<{ url: string; token: string }> {
+		const safeHostname = toSafeHost(url);
+		const [storedUrl, token] = await Promise.all([
+			fs.readFile(this.pathResolver.getUrlPath(safeHostname), "utf8"),
+			fs.readFile(this.pathResolver.getSessionTokenPath(safeHostname), "utf8"),
+		]);
+		return { url: storedUrl, token };
+	}
+
 	/**
 	 * Delete URL and token files. Best-effort: never throws.
 	 */
@@ -317,3 +388,12 @@ export class CliCredentialManager {
 		);
 	}
 }
+
+function sameNormalizedUrl(storedUrl: string, expectedUrl: string): boolean {
+	return normalizeUrl(storedUrl) === normalizeUrl(expectedUrl);
+}
+
+function nonEmpty(value: string): string | undefined {
+	const trimmed = value.trim();
+	return trimmed || undefined;
+}
diff --git a/src/core/cliManager.ts b/src/core/cliManager.ts
@@ -23,8 +23,8 @@ import {
 import * as pgp from "../pgp";
 import { withCancellableProgress, withOptionalProgress } from "../progress";
 import { isKeyringEnabled } from "../settings/cli";
-import { toSafeHost } from "../util";
 import { tempFilePath } from "../util/fs";
+import { toSafeHost } from "../util/uri";
 import { vscodeProposed } from "../vscodeProposed";
 
 import { BinaryLock } from "./binaryLock";

diff --git a/src/core/pathResolver.ts b/src/core/pathResolver.ts
@@ -10,13 +10,15 @@ export class PathResolver {
 	) {}
 
 	/**
-	 * Return the directory for the deployment with the provided hostname to
-	 * where the global Coder configs are stored.
+	 * Return the directory where the global Coder configs are stored.
 	 *
 	 * The caller must ensure this directory exists before use.
 	 */
 	public getGlobalConfigDir(safeHostname: string): string {
-		return path.join(this.basePath, safeHostname);
+		return (
+			PathResolver.resolveOverride("coder.globalConfig", "CODER_CONFIG_DIR") ||
+			path.join(this.basePath, safeHostname)
+		);
 	}
 
 	/**

diff --git a/src/core/secretsManager.ts b/src/core/secretsManager.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";
 
 import { DeploymentSchema, type Deployment } from "../deployment/types";
-import { toSafeHost } from "../util";
+import { toSafeHost } from "../util/uri";
 
 import type { OAuth2ClientRegistrationResponse } from "coder/site/src/api/typesGenerated";
 import type { Memento, SecretStorage, Disposable } from "vscode";

diff --git a/src/login/loginCoordinator.ts b/src/login/loginCoordinator.ts
@@ -10,7 +10,7 @@ import { buildOAuthTokenData } from "../oauth/utils";
 import { withOptionalProgress } from "../progress";
 import { maybeAskAuthMethod, maybeAskUrl } from "../promptUtils";
 import { isKeyringEnabled } from "../settings/cli";
-import { openInBrowser } from "../util";
+import { openInBrowser } from "../util/uri";
 import { vscodeProposed } from "../vscodeProposed";
 
 import type { User } from "coder/site/src/api/typesGenerated";
@@ -314,30 +314,41 @@ export class LoginCoordinator implements vscode.Disposable {
 			}
 		}
 
-		// Try keyring token (picks up tokens written by `coder login` in the terminal)
+		// Try CLI-managed credentials. This reads from the OS keyring when
+		// enabled, otherwise from the resolved global config directory.
 		const configs = vscode.workspace.getConfiguration();
-		const keyringResult = await withOptionalProgress(
+		const keyringEnabled = isKeyringEnabled(configs);
+		const cliCredentialResult = await withOptionalProgress(
 			({ signal }) =>
 				this.cliCredentialManager.readToken(deployment.url, configs, {
 					signal,
 				}),
 			{
-				enabled: isKeyringEnabled(configs),
+				enabled: keyringEnabled,
 				location: vscode.ProgressLocation.Notification,
 				title: "Reading token from OS keyring...",
 				cancellable: true,
 			},
 		);
-		const keyringToken = keyringResult.ok ? keyringResult.value : undefined;
+		const cliCredential = cliCredentialResult.ok
+			? cliCredentialResult.value
+			: undefined;
 		if (
-			keyringToken &&
-			keyringToken !== providedToken &&
-			keyringToken !== auth?.token
+			cliCredential &&
+			cliCredential.token !== providedToken &&
+			cliCredential.token !== auth?.token
 		) {
-			this.logger.debug("Trying token from OS keyring");
-			const result = await this.tryTokenAuth(client, keyringToken, isAutoLogin);
+			this.logger.debug("Trying token from CLI credentials");
+			const result = await this.tryTokenAuth(
+				client,
+				cliCredential.token,
+				isAutoLogin,
+			);
 			if (result !== "unauthorized") {
-				return withLoginMethod("keyring_token", result);
+				return withLoginMethod(
+					cliCredential.source === "keyring" ? "keyring_token" : "cli_token",
+					result,
+				);
 			}
 		}
 

diff --git a/src/oauth/authorizer.ts b/src/oauth/authorizer.ts
@@ -1,7 +1,7 @@
 import * as vscode from "vscode";
 
 import { CoderApi } from "../api/coderApi";
-import { resolveUiUrl } from "../util";
+import { resolveUiUrl } from "../util/uri";
 
 import {
 	AUTH_GRANT_TYPE,

diff --git a/src/remote/remote.ts b/src/remote/remote.ts
@@ -51,13 +51,12 @@ import {
 	resolveCliAuth,
 } from "../settings/cli";
 import { getHeaderCommand } from "../settings/headers";
+import { escapeCommandArg, expandPath } from "../util";
 import {
 	AuthorityPrefix,
 	type AuthorityParts,
-	escapeCommandArg,
-	expandPath,
 	parseRemoteAuthority,
-} from "../util";
+} from "../util/authority";
 import { vscodeProposed } from "../vscodeProposed";
 import { WorkspaceMonitor } from "../workspace/workspaceMonitor";
 
@@ -437,6 +436,12 @@ export class Remote {
 				title: string;
 				getValue: () => unknown;
 			}> = [
+				{
+					setting: "coder.globalConfig",
+					title: "Global Config",
+					getValue: () =>
+						this.pathResolver.getGlobalConfigDir(parts.safeHostname),
+				},
 				{
 					setting: "coder.globalFlags",
 					title: "Global Flags",

diff --git a/src/remote/workspaceStateMachine.ts b/src/remote/workspaceStateMachine.ts
@@ -37,7 +37,7 @@ import type { StartupMode } from "../core/mementoManager";
 import type { FeatureSet } from "../featureSet";
 import type { Logger } from "../logging/logger";
 import type { CliAuth } from "../settings/cli";
-import type { AuthorityParts } from "../util";
+import type { AuthorityParts } from "../util/authority";
 
 /**
  * Manages workspace and agent state transitions until ready for SSH connection.

diff --git a/src/supportBundle/settings.ts b/src/supportBundle/settings.ts
@@ -23,6 +23,7 @@ const COLLECTED_SETTINGS: readonly string[] = [
 	"coder.disableUpdateNotifications",
 	"coder.enableDownloads",
 	"coder.experimental.oauth",
+	"coder.globalConfig",
 	"coder.httpClientLogLevel",
 	"coder.insecure",
 	"coder.networkThreshold.latencyMs",

diff --git a/src/uri/uriHandler.ts b/src/uri/uriHandler.ts
@@ -4,7 +4,7 @@ import { errToStr } from "../api/api-helper";
 import { AuthTelemetry } from "../instrumentation/auth";
 import { CALLBACK_PATH } from "../oauth/utils";
 import { maybeAskUrl } from "../promptUtils";
-import { toSafeHost } from "../util";
+import { toSafeHost } from "../util/uri";
 import { vscodeProposed } from "../vscodeProposed";
 
 import type { Commands } from "../commands";