fix: improve error message for revoked API tokens with --reach

When using `socket scan create --reach` with an invalid or revoked API token, the CLI now shows a clear "Authentication failed" message instead of the misleading "Unable to verify plan permissions" error. Also splits 401/403 handling in the API layer so unauthorized tokens get a distinct message from insufficient permissions. Bumps @coana-tech/cli from 14.12.200 to 14.12.201 and Socket CLI to v1.1.77.
SocketDev · Martin Torp (mtorp) · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
commit 5eac4bed6a5e0d30e6c727716eb2b97a1c828242
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [1.1.77](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.77) - 2026-04-01
+
+### Fixed
+- Improved error message when using `--reach` with an invalid, expired, or revoked API token. Previously showed a misleading "Unable to verify plan permissions" error; now clearly indicates the authentication failure.
+
+### Changed
+- Updated the Coana CLI to v `14.12.201`.
+
 ## [1.1.74](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.74) - 2026-03-19
 
 ### Fixed

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.76",
+  "version": "1.1.77",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -97,7 +97,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "14.12.200",
+    "@coana-tech/cli": "14.12.201",
     "@cyclonedx/cdxgen": "12.1.2",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/commands/organization/fetch-organization-list.mts b/src/commands/organization/fetch-organization-list.mts
@@ -1,3 +1,5 @@
+import { logger } from '@socketsecurity/registry/lib/logger'
+
 import { handleApiCall } from '../../utils/api.mts'
 import { setupSdk } from '../../utils/sdk.mts'
 
@@ -54,6 +56,7 @@ export async function fetchOrganization(
     silence,
   })
   if (!orgsCResult.ok) {
+    logger.fail(orgsCResult.message, orgsCResult.cause)
     return orgsCResult
   }
 

diff --git a/src/commands/scan/perform-reachability-analysis.mts b/src/commands/scan/perform-reachability-analysis.mts
@@ -75,6 +75,15 @@ export async function performReachabilityAnalysis(
   // Check if user has enterprise plan for reachability analysis.
   const orgsCResult = await fetchOrganization()
   if (!orgsCResult.ok) {
+    const httpCode = (orgsCResult.data as { code?: number } | undefined)?.code
+    if (httpCode === constants.HTTP_STATUS_UNAUTHORIZED) {
+      return {
+        ok: false,
+        message: 'Authentication failed',
+        cause:
+          'Your API token appears to be invalid, expired, or revoked. Please check your token and try again.',
+      }
+    }
     return {
       ok: false,
       message: 'Unable to verify plan permissions',

diff --git a/src/utils/api.mts b/src/utils/api.mts
@@ -248,7 +248,10 @@ export async function getErrorMessageForHttpStatusCode(code: number) {
   if (code === HTTP_STATUS_BAD_REQUEST) {
     return 'One of the options passed might be incorrect'
   }
-  if (code === HTTP_STATUS_FORBIDDEN || code === HTTP_STATUS_UNAUTHORIZED) {
+  if (code === HTTP_STATUS_UNAUTHORIZED) {
+    return 'Your Socket API token appears to be invalid, expired, or revoked. Please verify your token is correct and active'
+  }
+  if (code === HTTP_STATUS_FORBIDDEN) {
     return 'Your Socket API token may not have the required permissions for this command or you might be trying to access (data from) an organization that is not linked to the API token you are logged in with'
   }
   if (code === HTTP_STATUS_NOT_FOUND) {