We currently tell people to configure the CLI access token as an environment variable, but as
Sancho Godinho points out, it's not always the best option because environment variables can plausibly leak more easily than .env files, for example.

Let's look into ways to improve the HTML page help text to make people aware of this issue.

#762 is likely the best fix for this.

Thanks for considering my report 🙂