Resend login saves API keys without validating against the API

[Calm-Rock]

CLI Version: v1.1.0 and v1.3.1 (latest)

Environment: macOS, Homebrew (brew install resend/cli/resend)

resend_cli_api_key_bug.mov

The API key should be validated against the Resend API before being saved. This is not the case.

Entering a fake key (re_thisisafakekey) during resend login results in:

✔ API key is valid
API key stored for team 'Cheeto' at ~/.config/resend/credentials.json

// credentials.json
{
  "active_team": "Cheeto",
  "teams": {
    "Cheeto": {
      "api_key": "re_thisisafakekey"
    }
  }
}

The ✔ API key is valid message probably only checks that the key starts with re_ and no API call is made.

---

whoami has zero validation of its own — it trusts whatever is configured locally, and doesn't even enforce the re_ prefix format:

$resend whoami --json
{
  "authenticated": true,
  "team": "Cheeto",
  "api_key": "re_...ekey",
  "source": "config"
}

The authenticated: true field in the JSON response confirms the CLI considers the fake key valid.

$ resend whoami --api-key qwertyuiop --json
{
  "authenticated": true,
  "team": "Cheeto",
  "api_key": "qwe...uiop",
  "source": "flag"
}

whoami accepts a key with no re_ prefix and returns authenticated: true.

Steps to reproduce:

1. resend login → enter re_thisisafakekey
2. Observe ✔ API key is valid
3. cat ~/.config/resend/credentials.json → fake key is saved
4. resend whoami → shows fake key as active with no error
5. resend whoami --api-key qwertyuiop → accepts a key with no re_ prefix, no error

Expected: A real API call should be made during resend login to verify the key is accepted by the Resend API before saving.

Impact: Within the CLI, there is no reliable way to verify a key is valid without attempting a real operation.