When using set-auth, the key is stored with permissions to be read by the world:

❯ ls -al ~/.tunnelto/key.token 
.rw-rw-r-- brad brad 22 B Wed Aug 17 08:43:14 2022  /home/brad/.tunnelto/key.token

Instead, these should be set to 0600 or similar.