diff --git a/.changeset/fix-cli-agent-experience.md b/.changeset/fix-cli-agent-experience.md
new file mode 100644
index 000000000..808d417bf
--- /dev/null
+++ b/.changeset/fix-cli-agent-experience.md
@@ -0,0 +1,6 @@
+---
+'@sanity/cli': minor
+'@sanity/cli-core': minor
+---
+
+Add `organizations list` command, improve non-interactive login and project initialization for automated environments
diff --git a/AGENTS.md b/AGENTS.md
index a691bef06..fed228200 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -163,6 +163,12 @@ jq '{total: .numTotalTests, passed: .numPassedTests, failed: .numFailedTests, fi
 - Enable debug logs: `DEBUG=sanity:* npx sanity <command>`
 - Most commands need to be run within one of the fixture folders.
 
+# Auth Background Login
+
+- `backgroundLoginChild.ts` is spawned dynamically by `backgroundLogin.ts`; keep it listed as a `knip` entry.
+- The background login child writes `.auth-callback.json` before printing the login URL, and removes it on exit when the PID and nonce match.
+- Token persistence side effects live in `actions/auth/login/storeAuthToken.ts`; use it for both foreground and background login token writes.
+
 ## Cursor Cloud specific instructions
 
 - The update script runs `pnpm install --frozen-lockfile` and `pnpm build:cli` on startup. Dependencies and build artifacts should already be up to date when a session begins.
diff --git a/knip.config.ts b/knip.config.ts
index 6719df355..ddd0e834d 100644
--- a/knip.config.ts
+++ b/knip.config.ts
@@ -56,6 +56,8 @@ const baseConfig = {
         'src/hooks/**/*.ts',
         // Worker files
         'src/**/*.worker.ts',
+        // Spawned dynamically by backgroundLogin.ts
+        'src/actions/auth/backgroundLoginChild.ts',
         'package.config.ts',
       ],
       oclif: {
@@ -69,8 +71,6 @@ const baseConfig = {
         'src/**/*.worker.ts',
         'package.config.ts',
       ],
-      // debug is used for type checking
-      ignoreDependencies: ['@types/debug'],
       project,
     },
     'packages/@sanity/cli-core': {
diff --git a/packages/@sanity/cli-core/src/SanityCommand.ts b/packages/@sanity/cli-core/src/SanityCommand.ts
index 3448e49ea..aaf1b5784 100644
--- a/packages/@sanity/cli-core/src/SanityCommand.ts
+++ b/packages/@sanity/cli-core/src/SanityCommand.ts
@@ -139,6 +139,13 @@ export abstract class SanityCommand<T extends typeof Command> extends Command {
       if (flagProjectId) return flagProjectId
     }
 
+    // Check --project (hidden alias for --project-id)
+    const projectAlias =
+      'project' in this.flags && typeof this.flags.project === 'string'
+        ? this.flags.project
+        : undefined
+    if (projectAlias) return projectAlias
+
     // Check deprecated flag (e.g. --project) before CLI config
     if (options?.deprecatedFlagName) {
       const deprecatedValue =
diff --git a/packages/@sanity/cli/oclif.config.js b/packages/@sanity/cli/oclif.config.js
index 7c2245123..9acecfebd 100644
--- a/packages/@sanity/cli/oclif.config.js
+++ b/packages/@sanity/cli/oclif.config.js
@@ -14,6 +14,7 @@ export default {
   },
   plugins: ['@oclif/plugin-help', '@sanity/runtime-cli', '@sanity/migrate', '@sanity/codegen'],
   topics: {
+    auth: {description: 'Manage authentication'},
     backups: {description: 'Manage dataset backups'},
     cors: {description: 'Manage CORS origins for your project'},
     datasets: {description: 'Manage datasets in your project'},
@@ -25,6 +26,7 @@ export default {
     mcp: {description: 'Configure Sanity MCP server for AI editors'},
     media: {description: 'Manage media assets and aspect definitions'},
     openapi: {description: 'Manage OpenAPI specifications'},
+    organizations: {description: 'Manage Sanity organizations'},
     projects: {description: 'Manage Sanity projects'},
     schemas: {description: 'Manage and validate schemas'},
     telemetry: {description: 'Manage telemetry consent'},
diff --git a/packages/@sanity/cli/scripts/check-topic-aliases.ts b/packages/@sanity/cli/scripts/check-topic-aliases.ts
index e9f4b9bfe..2f704de09 100644
--- a/packages/@sanity/cli/scripts/check-topic-aliases.ts
+++ b/packages/@sanity/cli/scripts/check-topic-aliases.ts
@@ -28,6 +28,7 @@ import {topicAliases} from '../src/topicAliases.ts'
 // runtime config with topics that will never have aliases.
 // ---------------------------------------------------------------------------
 const knownTopicsWithoutAliases: Set<string> = new Set([
+  'auth',
   'cors',
   'docs',
   'graphql',
diff --git a/packages/@sanity/cli/src/actions/auth/backgroundLogin.ts b/packages/@sanity/cli/src/actions/auth/backgroundLogin.ts
new file mode 100644
index 000000000..e01e35ee6
--- /dev/null
+++ b/packages/@sanity/cli/src/actions/auth/backgroundLogin.ts
@@ -0,0 +1,219 @@
+import {spawn} from 'node:child_process'
+import {randomUUID} from 'node:crypto'
+import {mkdirSync, readFileSync, unlinkSync, writeFileSync} from 'node:fs'
+import {connect} from 'node:net'
+import {homedir} from 'node:os'
+import {dirname, join} from 'node:path'
+import {fileURLToPath} from 'node:url'
+
+import {subdebug} from '@sanity/cli-core'
+
+const debug = subdebug('login:background')
+const CHILD_TIMEOUT_MS = 300_000
+const PIDFILE_TTL_MS = CHILD_TIMEOUT_MS + 10_000
+
+export function getBackgroundLoginConfigPath(): string {
+  if (process.env.SANITY_CLI_CONFIG_PATH) {
+    return process.env.SANITY_CLI_CONFIG_PATH
+  }
+  const suffix = process.env.SANITY_INTERNAL_ENV === 'staging' ? '-staging' : ''
+  return join(homedir(), '.config', `sanity${suffix}`, 'config.json')
+}
+
+function getConfigDir(): string {
+  return dirname(getBackgroundLoginConfigPath())
+}
+
+function getPidFilePath(): string {
+  return join(getConfigDir(), '.auth-callback.json')
+}
+
+interface PidFileInfo {
+  createdAt: number
+  loginUrl: string
+  nonce: string
+  pid: number
+  port: number
+  providerUrl: string
+}
+
+function readPidFile(): PidFileInfo | null {
+  try {
+    const parsed: unknown = JSON.parse(readFileSync(getPidFilePath(), 'utf8'))
+    if (
+      !parsed ||
+      typeof parsed !== 'object' ||
+      !('createdAt' in parsed) ||
+      !('loginUrl' in parsed) ||
+      !('nonce' in parsed) ||
+      !('pid' in parsed) ||
+      !('port' in parsed) ||
+      !('providerUrl' in parsed) ||
+      typeof parsed.createdAt !== 'number' ||
+      typeof parsed.loginUrl !== 'string' ||
+      typeof parsed.nonce !== 'string' ||
+      typeof parsed.pid !== 'number' ||
+      typeof parsed.port !== 'number' ||
+      typeof parsed.providerUrl !== 'string'
+    ) {
+      return null
+    }
+    return {
+      createdAt: parsed.createdAt,
+      loginUrl: parsed.loginUrl,
+      nonce: parsed.nonce,
+      pid: parsed.pid,
+      port: parsed.port,
+      providerUrl: parsed.providerUrl,
+    }
+  } catch {
+    return null
+  }
+}
+
+export function writeBackgroundLoginPidFile(info: PidFileInfo): void {
+  const dir = getConfigDir()
+  mkdirSync(dir, {recursive: true})
+  writeFileSync(getPidFilePath(), JSON.stringify(info))
+}
+
+function isProcessAlive(pid: number): boolean {
+  try {
+    process.kill(pid, 0)
+    return true
+  } catch {
+    return false
+  }
+}
+
+function isPidFileFresh(info: PidFileInfo): boolean {
+  return Date.now() - info.createdAt < PIDFILE_TTL_MS
+}
+
+function isPortOpen(port: number): Promise<boolean> {
+  return new Promise((resolve) => {
+    const socket = connect({host: '127.0.0.1', port})
+    const done = (open: boolean) => {
+      socket.destroy()
+      resolve(open)
+    }
+    socket.setTimeout(500)
+    socket.once('connect', () => done(true))
+    socket.once('error', () => done(false))
+    socket.once('timeout', () => done(false))
+  })
+}
+
+function readChildPort(child: ReturnType<typeof spawn>): Promise<{loginUrl: string; port: number}> {
+  return new Promise((resolve, reject) => {
+    let buf = ''
+    const timeout = setTimeout(() => reject(new Error('Child did not report port in time')), 5000)
+
+    child.stdout?.on('data', (chunk: Buffer) => {
+      buf += chunk.toString()
+      const lines = buf.split('\n')
+      if (lines.length >= 2) {
+        clearTimeout(timeout)
+        try {
+          const info = JSON.parse(lines[0])
+          resolve({loginUrl: info.loginUrl, port: info.port})
+        } catch {
+          reject(new Error(`Invalid child output: ${lines[0]}`))
+        }
+      }
+    })
+
+    child.on('error', (err) => {
+      clearTimeout(timeout)
+      reject(err)
+    })
+
+    child.on('exit', (code) => {
+      if (code !== 0) {
+        clearTimeout(timeout)
+        reject(new Error(`Background login child exited with code ${code}`))
+      }
+    })
+  })
+}
+
+/**
+ * Spawn a detached child that handles the OAuth callback flow.
+ * Returns immediately with the child's PID, port, and login URL.
+ *
+ * If a background login child is already running, returns its info
+ * instead of spawning a new one (pidfile guard).
+ */
+export async function startBackgroundLogin(
+  providerUrl: string,
+  options: {open?: boolean} = {},
+): Promise<{loginUrl: string; pid: number; port: number}> {
+  const existing = readPidFile()
+  if (
+    existing &&
+    existing.providerUrl === providerUrl &&
+    isPidFileFresh(existing) &&
+    isProcessAlive(existing.pid) &&
+    (await isPortOpen(existing.port))
+  ) {
+    debug('Background login already running (PID %d, port %d)', existing.pid, existing.port)
+    return {loginUrl: existing.loginUrl, pid: existing.pid, port: existing.port}
+  }
+
+  const childScript = join(dirname(fileURLToPath(import.meta.url)), 'backgroundLoginChild.js')
+  const nonce = randomUUID()
+  const args = [childScript, providerUrl, nonce]
+  if (options.open !== false) {
+    args.push('--open')
+  }
+
+  const child = spawn(process.execPath, args, {
+    detached: true,
+    env: {...process.env},
+    stdio: ['ignore', 'pipe', 'ignore'],
+  })
+
+  const {loginUrl, port} = await readChildPort(child)
+
+  child.stdout?.destroy()
+  child.unref()
+
+  const pid = child.pid
+  if (!pid) {
+    throw new Error('Failed to spawn background login process')
+  }
+
+  debug('Background login child (PID %d) listening on port %d', pid, port)
+  return {loginUrl, pid, port}
+}
+
+export function isBackgroundLoginInProgress(): boolean {
+  const info = readPidFile()
+  if (!info) return false
+  return isPidFileFresh(info) && isProcessAlive(info.pid)
+}
+
+export function cancelBackgroundLogin(): {cancelled: boolean; pid?: number} {
+  const info = readPidFile()
+  if (!info) {
+    return {cancelled: false}
+  }
+
+  const pidFilePath = getPidFilePath()
+  try {
+    unlinkSync(pidFilePath)
+  } catch {
+    // already removed
+  }
+
+  if (isProcessAlive(info.pid)) {
+    try {
+      process.kill(info.pid, 'SIGTERM')
+    } catch {
+      // already dead
+    }
+    return {cancelled: true, pid: info.pid}
+  }
+
+  return {cancelled: false}
+}
diff --git a/packages/@sanity/cli/src/actions/auth/backgroundLoginChild.ts b/packages/@sanity/cli/src/actions/auth/backgroundLoginChild.ts
new file mode 100644
index 000000000..d3be1fad8
--- /dev/null
+++ b/packages/@sanity/cli/src/actions/auth/backgroundLoginChild.ts
@@ -0,0 +1,107 @@
+/**
+ * Standalone entry point for the background login child process.
+ * Spawned detached by `startBackgroundLogin` — do not import directly.
+ *
+ * Usage: node backgroundLoginChild.js <providerUrl> <nonce> [--open]
+ *
+ * 1. Starts a callback server (reuses authServer.ts logic)
+ * 2. Optionally opens the login URL in a browser
+ * 3. Reports the port and login URL as JSON on stdout
+ * 4. Waits for OAuth callback
+ * 5. Writes the token to CLI config
+ * 6. Exits
+ */
+import {existsSync, readFileSync, unlinkSync} from 'node:fs'
+import {dirname, join} from 'node:path'
+
+import {getCliToken} from '@sanity/cli-core'
+import open from 'open'
+
+import {startServerForTokenCallback} from './authServer.js'
+import {getBackgroundLoginConfigPath, writeBackgroundLoginPidFile} from './backgroundLogin.js'
+import {storeAuthToken} from './login/storeAuthToken.js'
+
+const TIMEOUT_MS = 300_000
+
+const providerUrl = process.argv[2]
+if (!providerUrl) {
+  process.stderr.write('Usage: backgroundLoginChild.js <providerUrl> <nonce> [--open]\n')
+  process.exit(1)
+}
+const nonce = process.argv[3]
+if (!nonce) {
+  process.stderr.write('Usage: backgroundLoginChild.js <providerUrl> <nonce> [--open]\n')
+  process.exit(1)
+}
+
+const shouldOpen = process.argv.includes('--open')
+const pidFilePath = join(dirname(getBackgroundLoginConfigPath()), '.auth-callback.json')
+
+function cleanupPidFile(): void {
+  if (!existsSync(pidFilePath)) return
+  try {
+    const parsed: unknown = JSON.parse(readFileSync(pidFilePath, 'utf8'))
+    if (
+      parsed &&
+      typeof parsed === 'object' &&
+      'pid' in parsed &&
+      'nonce' in parsed &&
+      parsed.pid === process.pid &&
+      parsed.nonce === nonce
+    ) {
+      unlinkSync(pidFilePath)
+    }
+  } catch {
+    return
+  }
+}
+
+process.once('exit', cleanupPidFile)
+process.once('SIGTERM', () => {
+  cleanupPidFile()
+  process.exit(1)
+})
+
+const {loginUrl, server, token: tokenPromise} = await startServerForTokenCallback(providerUrl)
+const port = (server.address() as {port: number}).port
+
+writeBackgroundLoginPidFile({
+  createdAt: Date.now(),
+  loginUrl: loginUrl.href,
+  nonce,
+  pid: process.pid,
+  port,
+  providerUrl,
+})
+
+process.stdout.write(JSON.stringify({loginUrl: loginUrl.href, port}) + '\n')
+
+if (shouldOpen) {
+  try {
+    await open(loginUrl.href)
+  } catch (error) {
+    void error
+  }
+}
+
+const timeout = setTimeout(() => {
+  server.close()
+  process.exit(1)
+}, TIMEOUT_MS)
+
+try {
+  const previousToken = await getCliToken()
+  const {token} = await tokenPromise
+  await storeAuthToken(token, previousToken, {
+    warn: (message: Error | string) => {
+      return message
+    },
+  })
+  clearTimeout(timeout)
+  server.close()
+  process.exit(0)
+} catch {
+  clearTimeout(timeout)
+  server.close()
+  process.exit(1)
+}
diff --git a/packages/@sanity/cli/src/actions/auth/login/__tests__/login.vercel.test.ts b/packages/@sanity/cli/src/actions/auth/login/__tests__/login.vercel.test.ts
index 9c098aeb7..b19d2d249 100644
--- a/packages/@sanity/cli/src/actions/auth/login/__tests__/login.vercel.test.ts
+++ b/packages/@sanity/cli/src/actions/auth/login/__tests__/login.vercel.test.ts
@@ -17,6 +17,7 @@ vi.mock('@sanity/cli-core', async (importOriginal) => {
       get: vi.fn(),
       set: vi.fn(),
     }),
+    isInteractive: vi.fn().mockReturnValue(true),
     setCliUserConfig: vi.fn(),
     subdebug: vi.fn(() => vi.fn()),
   }
@@ -44,6 +45,9 @@ vi.mock('../validateToken.js', () => ({
 vi.mock('../../../../util/canLaunchBrowser.js', () => ({
   canLaunchBrowser: vi.fn(() => true),
 }))
+vi.mock('../../backgroundLogin.js', () => ({
+  startBackgroundLogin: vi.fn(),
+}))
 
 const mockedGetCliToken = vi.mocked(getCliToken)
 const mockedSetCliUserConfig = vi.mocked(setCliUserConfig)
diff --git a/packages/@sanity/cli/src/actions/auth/login/getProvider.ts b/packages/@sanity/cli/src/actions/auth/login/getProvider.ts
index 805f0dd75..a8d0514ad 100644
--- a/packages/@sanity/cli/src/actions/auth/login/getProvider.ts
+++ b/packages/@sanity/cli/src/actions/auth/login/getProvider.ts
@@ -3,6 +3,7 @@ import {input, spinner, type SpinnerInstance} from '@sanity/cli-core/ux'
 
 import {promptForProviders} from '../../../prompts/promptForProviders.js'
 import {getProviders, getVercelProviderUrl} from '../../../services/auth.js'
+import {formatHint} from '../../../util/formatHint.js'
 import {type LoginProvider} from '../types.js'
 import {getSSOProvider} from './getSSOProvider.js'
 
@@ -71,8 +72,8 @@ export async function getProvider({
 
     if (!isInteractive() && realProviderNames.length > 1) {
       throw new Error(
-        `Multiple login providers available: ${realProviderNames.join(', ')}. ` +
-          'Use `--provider <name>` to select one in unattended mode.',
+        `Multiple login providers available: ${realProviderNames.join(', ')}.` +
+          formatHint(`sanity login --provider ${realProviderNames[0]}`),
       )
     }
 
diff --git a/packages/@sanity/cli/src/actions/auth/login/login.ts b/packages/@sanity/cli/src/actions/auth/login/login.ts
index beeb6e3d9..9138415ce 100644
--- a/packages/@sanity/cli/src/actions/auth/login/login.ts
+++ b/packages/@sanity/cli/src/actions/auth/login/login.ts
@@ -2,20 +2,21 @@ import {
   type CLITelemetryStore,
   getCliToken,
   getUserConfig,
+  isInteractive,
   type Output,
-  setCliUserConfig,
   subdebug,
 } from '@sanity/cli-core'
 import {spinner} from '@sanity/cli-core/ux'
-import {isHttpError} from '@sanity/client'
 import open from 'open'
 
-import {logout} from '../../../services/auth.js'
 import {LoginTrace} from '../../../telemetry/login.telemetry.js'
 import {canLaunchBrowser} from '../../../util/canLaunchBrowser.js'
 import {startServerForTokenCallback} from '../authServer.js'
+import {getBackgroundLoginConfigPath, startBackgroundLogin} from '../backgroundLogin.js'
+import {validateSession} from '../ensureAuthenticated.js'
 import {getProvider} from './getProvider.js'
-import {isSanityApiToken, validateToken} from './validateToken.js'
+import {storeAuthToken} from './storeAuthToken.js'
+import {validateToken} from './validateToken.js'
 
 const debug = subdebug('login')
 
@@ -30,6 +31,7 @@ interface LoginOptions {
   sso?: string
   ssoProvider?: string
   token?: string
+  wait?: boolean
 }
 
 /**
@@ -75,22 +77,78 @@ export async function login(options: LoginOptions) {
     throw new Error('No authentication providers found')
   }
 
+  // In non-interactive mode (CI, containers, AI agents), self-background the
+  // callback server so the CLI returns immediately. The browser-agent or user
+  // completes OAuth in the background; the token is written to config when the
+  // callback fires. The caller can retry `sanity init` until auth succeeds.
+  if (!isInteractive()) {
+    // Pre-populate telemetryDisclosed so the next CLI command's prerun hook
+    // doesn't do a read-modify-write that clobbers the token the child writes.
+    const userConfig = getUserConfig()
+    if (!userConfig.get('telemetryDisclosed')) {
+      userConfig.set('telemetryDisclosed', Date.now())
+    }
+
+    const shouldOpen = options.open !== false
+    const {loginUrl, pid, port} = await startBackgroundLogin(provider.url, {open: shouldOpen})
+
+    if (shouldOpen) {
+      output.log(`\nOpening browser at ${loginUrl}\n`)
+    } else {
+      output.log(`\nPlease open a browser at ${loginUrl}\n`)
+    }
+    debug('Background login child PID %d listening on port %d', pid, port)
+
+    if (options.wait) {
+      output.log(
+        `Authentication is running in the background. Waiting for the user to complete the login in their browser...\n`,
+      )
+      const maxWait = 300_000
+      const interval = 3000
+      const deadline = Date.now() + maxWait
+      while (Date.now() < deadline) {
+        const user = await validateSession()
+        if (user) {
+          output.log(`Logged in as ${user.email}.`)
+          trace.complete()
+          return
+        }
+        await new Promise((r) => setTimeout(r, interval))
+      }
+      throw new Error(
+        'Login timed out after 5 minutes. Run `sanity auth status` to check, or `sanity auth cancel` to stop.',
+      )
+    }
+
+    output.log(`Authentication is running in the background.`)
+    output.log(
+      `Wait for the user to complete the login in their browser. Token saves to ${getBackgroundLoginConfigPath()} when done.`,
+    )
+    output.log('')
+    output.log(`Wait ~30-60 seconds, then check: sanity auth status`)
+    output.log(`To switch providers or cancel: sanity auth cancel`)
+    output.log(`Or rerun with \`--wait\` to block until login completes.\n`)
+
+    trace.complete()
+    return
+  }
+
   const {loginUrl, server, token: tokenPromise} = await startServerForTokenCallback(provider.url)
 
   trace.log({step: 'waitForToken'})
 
   // Open a browser on the login page (or tell the user to)
   const shouldLaunchBrowser = canLaunchBrowser() && options.open !== false
-  const actionText = shouldLaunchBrowser ? 'Opening browser at' : 'Please open a browser at'
-
-  output.log(`\n${actionText} ${loginUrl.href}\n`)
-
-  const spin = spinner('Waiting for browser login to complete... Press Ctrl + C to cancel').start()
 
   if (shouldLaunchBrowser) {
     open(loginUrl.href)
+    output.log(`\nOpening browser at ${loginUrl.href}\n`)
+  } else {
+    output.log(`\nPlease open a browser at ${loginUrl.href}\n`)
   }
 
+  const spin = spinner('Waiting for browser login to complete... Press Ctrl + C to cancel').start()
+
   // Wait for a success/error on the HTTP callback server
   let authToken: string
   try {
@@ -111,33 +169,3 @@ export async function login(options: LoginOptions) {
 
   trace.complete()
 }
-
-async function storeAuthToken(
-  authToken: string,
-  previousToken: string | undefined,
-  output: Output,
-) {
-  setCliUserConfig('authToken', authToken)
-  getUserConfig().delete('telemetryConsent')
-
-  // If we had a session previously, attempt to clear it
-  if (previousToken && previousToken !== authToken) {
-    await invalidateAuthToken(previousToken, output)
-  }
-}
-
-async function invalidateAuthToken(token: string, output: Output) {
-  try {
-    if (await isSanityApiToken(token)) return
-  } catch (err) {
-    if (isHttpError(err) && err.statusCode === 401) return
-  }
-
-  try {
-    await logout(token)
-  } catch (err) {
-    if (!isHttpError(err) || err.statusCode !== 401) {
-      output.warn('Failed to invalidate previous session')
-    }
-  }
-}
diff --git a/packages/@sanity/cli/src/actions/auth/login/storeAuthToken.ts b/packages/@sanity/cli/src/actions/auth/login/storeAuthToken.ts
new file mode 100644
index 000000000..e7cc7d978
--- /dev/null
+++ b/packages/@sanity/cli/src/actions/auth/login/storeAuthToken.ts
@@ -0,0 +1,34 @@
+import {getUserConfig, type Output, setCliUserConfig} from '@sanity/cli-core'
+import {isHttpError} from '@sanity/client'
+
+import {logout} from '../../../services/auth.js'
+import {isSanityApiToken} from './validateToken.js'
+
+export async function storeAuthToken(
+  authToken: string,
+  previousToken: string | undefined,
+  output: Pick<Output, 'warn'>,
+) {
+  setCliUserConfig('authToken', authToken)
+  getUserConfig().delete('telemetryConsent')
+
+  if (previousToken && previousToken !== authToken) {
+    await invalidateAuthToken(previousToken, output)
+  }
+}
+
+async function invalidateAuthToken(token: string, output: Pick<Output, 'warn'>) {
+  try {
+    if (await isSanityApiToken(token)) return
+  } catch (err) {
+    if (isHttpError(err) && err.statusCode === 401) return
+  }
+
+  try {
+    await logout(token)
+  } catch (err) {
+    if (!isHttpError(err) || err.statusCode !== 401) {
+      output.warn('Failed to invalidate previous session')
+    }
+  }
+}
diff --git a/packages/@sanity/cli/src/actions/debug/gatherDebugInfo.ts b/packages/@sanity/cli/src/actions/debug/gatherDebugInfo.ts
index d2fff023c..d0c5e0b5c 100644
--- a/packages/@sanity/cli/src/actions/debug/gatherDebugInfo.ts
+++ b/packages/@sanity/cli/src/actions/debug/gatherDebugInfo.ts
@@ -10,6 +10,7 @@ import {
 
 import {getProjectById} from '../../services/projects.js'
 import {getCliUser, getProjectUser} from '../../services/user.js'
+import {isBackgroundLoginInProgress} from '../auth/backgroundLogin.js'
 import {getCliVersion} from '../../util/getCliVersion.js'
 import {detectCliInstallation} from '../../util/packageManager/installationInfo/index.js'
 import {
@@ -24,6 +25,11 @@ import {
 export async function gatherUserInfo(projectId: string | undefined): Promise<Error | UserInfo> {
   const token = await getCliToken()
   if (!token) {
+    if (isBackgroundLoginInProgress()) {
+      return new Error(
+        'Login pending — callback server is running, waiting for OAuth redirect. Wait 30-60 seconds and re-check, or run `sanity auth cancel` to stop.',
+      )
+    }
     return new Error('Not logged in')
   }
 
diff --git a/packages/@sanity/cli/src/actions/deploy/deployStudioSchemasAndManifests.ts b/packages/@sanity/cli/src/actions/deploy/deployStudioSchemasAndManifests.ts
index 4a17e0690..379cdc5f0 100644
--- a/packages/@sanity/cli/src/actions/deploy/deployStudioSchemasAndManifests.ts
+++ b/packages/@sanity/cli/src/actions/deploy/deployStudioSchemasAndManifests.ts
@@ -1,7 +1,7 @@
 import {styleText} from 'node:util'
 
-import {SchemaExtractionError} from '@sanity/cli-build/_internal'
 import {ux} from '@oclif/core/ux'
+import {SchemaExtractionError} from '@sanity/cli-build/_internal'
 import {getCliTelemetry, studioWorkerTask, subdebug} from '@sanity/cli-core'
 import {type SchemaValidationProblemGroup} from '@sanity/types'
 import {type StudioManifest} from 'sanity'
diff --git a/packages/@sanity/cli/src/actions/init/__tests__/initAction.test.ts b/packages/@sanity/cli/src/actions/init/__tests__/initAction.test.ts
index c35794609..0a149a66f 100644
--- a/packages/@sanity/cli/src/actions/init/__tests__/initAction.test.ts
+++ b/packages/@sanity/cli/src/actions/init/__tests__/initAction.test.ts
@@ -1,8 +1,14 @@
+import {mkdtempSync, rmSync, writeFileSync} from 'node:fs'
+import {tmpdir} from 'node:os'
+import path from 'node:path'
+
 import {createTestClient, mockApi} from '@sanity/cli-test'
 import nock from 'nock'
 import {afterEach, describe, expect, test, vi} from 'vitest'
 
 import {PROJECT_FEATURES_API_VERSION} from '../../../services/getProjectFeatures.js'
+import {ORGANIZATIONS_API_VERSION} from '../../../services/organizations.js'
+import {CREATE_PROJECT_API_VERSION} from '../../../services/projects.js'
 import {initAction} from '../initAction.js'
 import {InitError} from '../initError.js'
 import {type InitContext, type InitOptions} from '../types.js'
@@ -49,6 +55,7 @@ vi.mock('@sanity/cli-core', async (importOriginal) => {
 
       return {
         datasets: {
+          create: vi.fn().mockResolvedValue(undefined),
           list: vi.fn().mockResolvedValue([{aclMode: 'public', name: 'production'}]),
         },
         request: client.request,
@@ -82,7 +89,7 @@ const defaultOptions: InitOptions = {
   unattended: false,
 }
 
-function createTestContext(): InitContext {
+function createTestContext(workDir = '/tmp/test-work-dir'): InitContext {
   return {
     output: {
       // output.error has a `never` return type in the Output interface, but
@@ -101,7 +108,7 @@ function createTestContext(): InitContext {
         start: vi.fn(),
       }),
     } as unknown as InitContext['telemetry'],
-    workDir: '/tmp/test-work-dir',
+    workDir,
   }
 }
 
@@ -178,8 +185,9 @@ describe('initAction (direct)', () => {
     expect(combined).toContain('production')
   })
 
-  test('throws InitError when not authenticated in unattended mode', async () => {
+  test('auto-triggers login when not authenticated in unattended mode', async () => {
     mockValidateSession.mockResolvedValue(null)
+    mockLogin.mockRejectedValue(new Error('No providers available'))
 
     const context = createTestContext()
     const options: InitOptions = {
@@ -197,11 +205,275 @@ describe('initAction (direct)', () => {
       caughtError = error
     }
 
+    expect(mockLogin).toHaveBeenCalled()
     expect(caughtError).toBeInstanceOf(InitError)
     const initError = caughtError as InitError
-    expect(initError.message).toBe(
-      'Must be logged in to run this command in unattended mode, run `sanity login`',
-    )
+    expect(initError.message).toContain('Login failed')
     expect(initError.exitCode).toBe(1)
   })
+
+  test('unattended --project-name with single org with attach grant auto-picks org', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [{id: 'org-1', name: 'Only Org', slug: 'only-org'}])
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations/org-1/grants',
+    }).reply(200, {
+      'sanity.organization.projects': [{grants: [{name: 'attach'}]}],
+    })
+
+    mockApi({
+      apiVersion: CREATE_PROJECT_API_VERSION,
+      method: 'post',
+      uri: '/projects',
+    }).reply(200, {displayName: 'My New Project', projectId: 'test-project'})
+
+    mockApi({
+      apiVersion: PROJECT_FEATURES_API_VERSION,
+      method: 'get',
+      uri: '/features',
+    }).reply(200, ['privateDataset'])
+
+    const context = createTestContext()
+    const options: InitOptions = {
+      ...defaultOptions,
+      bare: true,
+      projectName: 'My New Project',
+      unattended: true,
+    }
+
+    await initAction(options, context)
+
+    const logCalls = vi.mocked(context.output.log).mock.calls.map((call) => call[0])
+    const combined = logCalls.join('\n')
+
+    expect(combined).toContain('test-project')
+  })
+
+  test('unattended --project-name with zero orgs auto-creates an organization', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [])
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      method: 'post',
+      uri: '/organizations',
+    }).reply(200, {
+      createdByUserId: 'user-123',
+      defaultRoleName: null,
+      features: [],
+      id: 'org-auto',
+      members: [],
+      name: 'Test User',
+      slug: 'test-user',
+    })
+
+    mockApi({
+      apiVersion: CREATE_PROJECT_API_VERSION,
+      method: 'post',
+      uri: '/projects',
+    }).reply(200, {displayName: 'My New Project', projectId: 'test-project'})
+
+    mockApi({
+      apiVersion: PROJECT_FEATURES_API_VERSION,
+      method: 'get',
+      uri: '/features',
+    }).reply(200, ['privateDataset'])
+
+    const context = createTestContext()
+    const options: InitOptions = {
+      ...defaultOptions,
+      bare: true,
+      projectName: 'My New Project',
+      unattended: true,
+    }
+
+    await initAction(options, context)
+
+    const logCalls = vi.mocked(context.output.log).mock.calls.map((call) => call[0])
+    const combined = logCalls.join('\n')
+
+    expect(combined).toContain('test-project')
+  })
+
+  test('unattended --project-name with multiple orgs lists them and hints', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [
+      {id: 'org-a', name: 'Alpha Org', slug: 'alpha'},
+      {id: 'org-b', name: 'Beta Org', slug: 'beta'},
+    ])
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations/org-a/grants',
+    }).reply(200, {
+      'sanity.organization.projects': [{grants: [{name: 'attach'}]}],
+    })
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations/org-b/grants',
+    }).reply(200, {
+      'sanity.organization.projects': [{grants: [{name: 'attach'}]}],
+    })
+
+    const context = createTestContext()
+    const options: InitOptions = {
+      ...defaultOptions,
+      bare: true,
+      projectName: 'My New Project',
+      unattended: true,
+    }
+
+    let caughtError: unknown
+    try {
+      await initAction(options, context)
+    } catch (error) {
+      caughtError = error
+    }
+
+    expect(caughtError).toBeInstanceOf(InitError)
+    const initError = caughtError as InitError
+    expect(initError.message).toContain('Multiple organizations available')
+    expect(initError.message).toContain('org-a (Alpha Org)')
+    expect(initError.message).toContain('org-b (Beta Org)')
+    expect(initError.message).toContain('[Hint]')
+    expect(initError.message).toContain('sanity init --organization org-a')
+    expect(initError.exitCode).toBe(1)
+  })
+
+  test('unattended without --project/--project-name derives projectName from package.json name', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'sanity-init-test-'))
+    writeFileSync(
+      path.join(tmpDir, 'package.json'),
+      JSON.stringify({name: 'my-pkg-name', version: '1.0.0'}),
+    )
+
+    try {
+      mockApi({
+        apiVersion: ORGANIZATIONS_API_VERSION,
+        uri: '/organizations',
+      }).reply(200, [{id: 'org-1', name: 'Only Org', slug: 'only-org'}])
+
+      mockApi({
+        apiVersion: ORGANIZATIONS_API_VERSION,
+        uri: '/organizations/org-1/grants',
+      }).reply(200, {
+        'sanity.organization.projects': [{grants: [{name: 'attach'}]}],
+      })
+
+      mockApi({
+        apiVersion: CREATE_PROJECT_API_VERSION,
+        method: 'post',
+        uri: '/projects',
+      }).reply(200, (_uri, body: Record<string, unknown>) => {
+        expect(body.displayName).toBe('my-pkg-name')
+        return {displayName: 'my-pkg-name', projectId: 'test-project'}
+      })
+
+      mockApi({
+        apiVersion: PROJECT_FEATURES_API_VERSION,
+        method: 'get',
+        uri: '/features',
+      }).reply(200, ['privateDataset'])
+
+      const context = createTestContext(tmpDir)
+      const options: InitOptions = {
+        ...defaultOptions,
+        bare: true,
+        unattended: true,
+      }
+
+      await initAction(options, context)
+    } finally {
+      rmSync(tmpDir, {force: true, recursive: true})
+    }
+  })
+
+  test('unattended without --project/--project-name and no package.json derives projectName from basename(cwd)', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'my-folder-name-'))
+    const expectedName = path.basename(tmpDir)
+
+    try {
+      mockApi({
+        apiVersion: ORGANIZATIONS_API_VERSION,
+        uri: '/organizations',
+      }).reply(200, [{id: 'org-1', name: 'Only Org', slug: 'only-org'}])
+
+      mockApi({
+        apiVersion: ORGANIZATIONS_API_VERSION,
+        uri: '/organizations/org-1/grants',
+      }).reply(200, {
+        'sanity.organization.projects': [{grants: [{name: 'attach'}]}],
+      })
+
+      mockApi({
+        apiVersion: CREATE_PROJECT_API_VERSION,
+        method: 'post',
+        uri: '/projects',
+      }).reply(200, (_uri, body: Record<string, unknown>) => {
+        expect(body.displayName).toBe(expectedName)
+        return {displayName: expectedName, projectId: 'test-project'}
+      })
+
+      mockApi({
+        apiVersion: PROJECT_FEATURES_API_VERSION,
+        method: 'get',
+        uri: '/features',
+      }).reply(200, ['privateDataset'])
+
+      const context = createTestContext(tmpDir)
+      const options: InitOptions = {
+        ...defaultOptions,
+        bare: true,
+        unattended: true,
+      }
+
+      await initAction(options, context)
+    } finally {
+      rmSync(tmpDir, {force: true, recursive: true})
+    }
+  })
 })
diff --git a/packages/@sanity/cli/src/actions/init/initAction.ts b/packages/@sanity/cli/src/actions/init/initAction.ts
index a1fd41b74..9d7113c76 100644
--- a/packages/@sanity/cli/src/actions/init/initAction.ts
+++ b/packages/@sanity/cli/src/actions/init/initAction.ts
@@ -1,3 +1,5 @@
+import {readFile} from 'node:fs/promises'
+import path from 'node:path'
 import {styleText} from 'node:util'
 
 import {type SanityOrgUser, subdebug, type TelemetryUserProperties} from '@sanity/cli-core'
@@ -10,6 +12,7 @@ import {promptForConfigFiles} from '../../prompts/init/nextjs.js'
 import {getCliUser} from '../../services/user.js'
 import {CLIInitStepCompleted, type InitStepResult} from '../../telemetry/init.telemetry.js'
 import {detectFrameworkRecord} from '../../util/detectFramework.js'
+import {formatHint} from '../../util/formatHint.js'
 import {getProjectDefaults} from '../../util/getProjectDefaults.js'
 import {validateSession} from '../auth/ensureAuthenticated.js'
 import {getProviderName} from '../auth/getProviderName.js'
@@ -83,8 +86,28 @@ export async function initAction(options: InitOptions, context: InitContext): Pr
 
   const isAppTemplate = options.template ? determineAppTemplate(options.template) : false
 
+  let effectiveProjectName = options.projectName
+  if (options.unattended && !isAppTemplate && !options.project && !effectiveProjectName) {
+    const derived = await deriveProjectName(workDir)
+    if (derived) {
+      debug('Deriving --project-name from %s: %s', derived.source, derived.name)
+      effectiveProjectName = derived.name
+    }
+  }
+
+  if (options.bare && options.outputPath) {
+    throw new InitError(
+      '--bare cannot be used with --output-path. Use --bare to create the project only, then scaffold the studio separately.' +
+        formatHint(
+          'sanity init --bare --project-name "my-project" --dataset production -y',
+          'sanity init --project <id> --output-path ./studio -y',
+        ),
+      1,
+    )
+  }
+
   if (options.unattended) {
-    checkFlagsInUnattendedMode(options, {isAppTemplate, isNextJs})
+    checkFlagsInUnattendedMode(options, {effectiveProjectName, isAppTemplate, isNextJs})
   }
 
   trace.start()
@@ -117,13 +140,14 @@ export async function initAction(options: InitOptions, context: InitContext): Pr
   }
 
   let newProject: string | undefined
-  if (options.projectName) {
+  if (effectiveProjectName) {
     newProject = await createProjectFromName({
       coupon: options.coupon,
-      createProjectName: options.projectName,
+      createProjectName: effectiveProjectName,
       dataset: options.dataset,
       organization: options.organization,
       planId,
+      unattended: options.unattended,
       user,
       visibility: options.visibility,
     })
@@ -278,25 +302,28 @@ export async function initAction(options: InitOptions, context: InitContext): Pr
 
 function checkFlagsInUnattendedMode(
   options: InitOptions,
-  {isAppTemplate, isNextJs}: {isAppTemplate: boolean; isNextJs: boolean},
+  {
+    effectiveProjectName,
+    isAppTemplate,
+    isNextJs,
+  }: {effectiveProjectName: string | undefined; isAppTemplate: boolean; isNextJs: boolean},
 ): void {
   debug('Unattended mode, validating required options')
 
-  if (options.projectName && !options.organization) {
-    throw new InitError('`--project-name` requires `--organization <id>` in unattended mode', 1)
-  }
-
   if (isAppTemplate) {
     if (!options.outputPath) {
       throw new InitError('`--output-path` must be specified in unattended mode', 1)
     }
 
-    const hasProjectFlag = Boolean(options.project || options.projectName)
+    const hasProjectFlag = Boolean(options.project || effectiveProjectName)
 
     if (!hasProjectFlag && !options.organization) {
       throw new InitError(
         'The --organization flag is required for app templates in unattended mode. ' +
-          'Use --organization <id>, or pass --project <id> / --project-name <name>.',
+          'Use --organization <id>, or pass --project <id> / --project-name <name>.' +
+          formatHint(
+            'sanity init --organization <org-id> --template <template> --output-path ./app -y',
+          ),
         1,
       )
     }
@@ -305,17 +332,49 @@ function checkFlagsInUnattendedMode(
   }
 
   if (!isNextJs && !options.bare && !options.outputPath) {
-    throw new InitError('`--output-path` must be specified in unattended mode', 1)
+    throw new InitError(
+      '`--output-path` must be specified in unattended mode' +
+        formatHint('sanity init --output-path ./studio --project <id> --dataset production -y'),
+      1,
+    )
   }
 
-  if (!options.project && !options.projectName) {
+  if (!options.project && !effectiveProjectName) {
     throw new InitError(
-      '`--project <id>` or `--project-name <name>` must be specified in unattended mode',
+      '`--project <id>` or `--project-name <name>` must be specified in unattended mode' +
+        formatHint('sanity init --project-name "my-project" --dataset production -y'),
       1,
     )
   }
 }
 
+async function deriveProjectName(
+  workDir: string,
+): Promise<{name: string; source: 'directory' | 'package.json'} | undefined> {
+  try {
+    const raw = await readFile(path.join(workDir, 'package.json'), 'utf8')
+    const parsed: unknown = JSON.parse(raw)
+    if (
+      parsed &&
+      typeof parsed === 'object' &&
+      'name' in parsed &&
+      typeof parsed.name === 'string' &&
+      parsed.name.trim().length > 0
+    ) {
+      return {name: parsed.name.trim(), source: 'package.json'}
+    }
+  } catch {
+    // package.json missing or unreadable — fall through to basename
+  }
+
+  const basename = path.basename(workDir)
+  if (basename) {
+    return {name: basename, source: 'directory'}
+  }
+
+  return undefined
+}
+
 async function ensureAuthenticated(
   options: InitOptions,
   output: InitContext['output'],
@@ -332,10 +391,39 @@ async function ensureAuthenticated(
   }
 
   if (options.unattended) {
-    throw new InitError(
-      'Must be logged in to run this command in unattended mode, run `sanity login`',
-      1,
+    output.log('Not logged in — starting background authentication...')
+    try {
+      await login({
+        output,
+        telemetry: trace.newContext('login'),
+      })
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error)
+      throw new InitError(`Login failed: ${message}`, 1)
+    }
+
+    // Background login returns immediately; poll for the token
+    const maxWait = 120_000
+    const interval = 3000
+    const deadline = Date.now() + maxWait
+    let loggedInUser: SanityOrgUser | null = null
+    while (Date.now() < deadline) {
+      loggedInUser = await validateSession()
+      if (loggedInUser) break
+      await new Promise((r) => setTimeout(r, interval))
+    }
+
+    if (!loggedInUser) {
+      throw new InitError(
+        'Authentication timed out. Complete the browser login and retry, or set the SANITY_AUTH_TOKEN environment variable.',
+        1,
+      )
+    }
+
+    output.log(
+      `${logSymbols.success} You are logged in as ${loggedInUser.email} using ${getProviderName(loggedInUser.provider)}`,
     )
+    return {user: loggedInUser}
   }
 
   trace.log({step: 'login'})
diff --git a/packages/@sanity/cli/src/actions/init/project/createProjectFromName.ts b/packages/@sanity/cli/src/actions/init/project/createProjectFromName.ts
index c1983e0b3..594735933 100644
--- a/packages/@sanity/cli/src/actions/init/project/createProjectFromName.ts
+++ b/packages/@sanity/cli/src/actions/init/project/createProjectFromName.ts
@@ -3,8 +3,11 @@ import {spinner} from '@sanity/cli-core/ux'
 import {type DatasetAclMode} from '@sanity/client'
 
 import {createDataset as createDatasetService} from '../../../services/datasets.js'
-import {listOrganizations} from '../../../services/organizations.js'
+import {createOrganization, listOrganizations} from '../../../services/organizations.js'
 import {createProject} from '../../../services/projects.js'
+import {formatHint} from '../../../util/formatHint.js'
+import {getOrganizationsWithAttachGrantInfo} from '../../organizations/getOrganizationsWithAttachGrantInfo.js'
+import {InitError} from '../initError.js'
 import {promptUserForOrganization} from './promptUserForOrganization.js'
 
 const debug = subdebug('init')
@@ -15,6 +18,7 @@ export async function createProjectFromName({
   dataset,
   organization,
   planId,
+  unattended,
   user,
   visibility,
 }: {
@@ -23,6 +27,7 @@ export async function createProjectFromName({
   dataset: string | undefined
   organization: string | undefined
   planId: string | undefined
+  unattended: boolean | undefined
   user: SanityOrgUser
   visibility: 'private' | 'public' | undefined
 }): Promise<string> {
@@ -33,10 +38,35 @@ export async function createProjectFromName({
   if (!orgForCreateProjectFlag) {
     debug('no organization specified, selecting one')
     const organizations = await listOrganizations()
-    orgForCreateProjectFlag = await promptUserForOrganization({
-      organizations,
-      user,
-    })
+
+    if (unattended) {
+      const withGrantInfo = await getOrganizationsWithAttachGrantInfo(organizations)
+      const withAttach = withGrantInfo.filter(({hasAttachGrant}) => hasAttachGrant)
+      if (withAttach.length === 0) {
+        debug('no organizations found, auto-creating one in unattended mode')
+        const newOrgName = user.name || 'Personal'
+        const newOrg = await createOrganization(newOrgName)
+        orgForCreateProjectFlag = newOrg.id
+        debug('auto-created organization: %s (%s)', newOrg.id, newOrg.name)
+      } else if (withAttach.length > 1) {
+        const orgList = withAttach.map(({organization: o}) => `  ${o.id} (${o.name})`).join('\n')
+        throw new InitError(
+          `Multiple organizations available:\n${orgList}` +
+            formatHint(
+              `sanity init --organization ${withAttach[0].organization.id} --project-name "my-project" -y`,
+            ),
+          1,
+        )
+      } else {
+        orgForCreateProjectFlag = withAttach[0].organization.id
+        debug('unattended mode: single org with attach grant: %s', orgForCreateProjectFlag)
+      }
+    } else {
+      orgForCreateProjectFlag = await promptUserForOrganization({
+        organizations,
+        user,
+      })
+    }
   }
 
   debug('creating a new project')
diff --git a/packages/@sanity/cli/src/commands/__tests__/init/init.authentication.test.ts b/packages/@sanity/cli/src/commands/__tests__/init/init.authentication.test.ts
index f0e6c6803..b5f0a92d2 100644
--- a/packages/@sanity/cli/src/commands/__tests__/init/init.authentication.test.ts
+++ b/packages/@sanity/cli/src/commands/__tests__/init/init.authentication.test.ts
@@ -183,8 +183,9 @@ describe('#init: authentication', () => {
     expect(stdout).toContain('You are logged in as test@example.com using SAML')
   })
 
-  test('throws error if user is authenticated with invalid token in unattended mode', async () => {
+  test('auto-triggers login when not authenticated with invalid token in unattended mode', async () => {
     mockGetById.mockRejectedValueOnce(createHttpError(401, 'Unauthorized'))
+    mockLogin.mockRejectedValueOnce(new Error('No providers available'))
 
     const {error} = await testCommand(InitCommand, ['--yes', '--dataset=test', '--project=test'], {
       mocks: {
@@ -192,9 +193,8 @@ describe('#init: authentication', () => {
       },
     })
 
-    expect(error?.message).toContain(
-      'Must be logged in to run this command in unattended mode, run `sanity login`',
-    )
+    expect(mockLogin).toHaveBeenCalled()
+    expect(error?.message).toContain('Login failed')
     expect(error?.oclif?.exit).toBe(1)
   })
 
diff --git a/packages/@sanity/cli/src/commands/__tests__/init/init.setup.test.ts b/packages/@sanity/cli/src/commands/__tests__/init/init.setup.test.ts
index e2f700b91..ada527240 100644
--- a/packages/@sanity/cli/src/commands/__tests__/init/init.setup.test.ts
+++ b/packages/@sanity/cli/src/commands/__tests__/init/init.setup.test.ts
@@ -1,7 +1,9 @@
-import {testCommand} from '@sanity/cli-test'
+import {createTestClient, mockApi, testCommand} from '@sanity/cli-test'
+import {cleanAll, pendingMocks} from 'nock'
 import {afterEach, describe, expect, test, vi} from 'vitest'
 
 import {selectTemplate} from '../../../actions/init/scaffoldTemplate.js'
+import {ORGANIZATIONS_API_VERSION} from '../../../services/organizations.js'
 import {InitCommand} from '../../init.js'
 
 const mocks = vi.hoisted(() => ({
@@ -27,9 +29,15 @@ vi.mock('../../../prompts/init/promptForTypescript.js', () => ({
 
 vi.mock('@sanity/cli-core', async (importOriginal) => {
   const actual = await importOriginal<typeof import('@sanity/cli-core')>()
+  const globalTestClient = createTestClient({
+    apiVersion: 'v2025-05-14',
+    token: 'test-token',
+  })
+
   return {
     ...actual,
     getGlobalCliClient: vi.fn().mockResolvedValue({
+      request: globalTestClient.request,
       users: {
         getById: mocks.getById,
       } as never,
@@ -57,6 +65,9 @@ const defaultMocks = {
 describe('#init: oclif command setup', () => {
   afterEach(() => {
     vi.clearAllMocks()
+    const pending = pendingMocks()
+    cleanAll()
+    expect(pending, 'pending mocks').toEqual([])
   })
 
   test.each([
@@ -66,7 +77,6 @@ describe('#init: oclif command setup', () => {
     {flag1: 'env=.env', flag2: 'bare'},
     {flag1: 'git=test', flag2: 'bare'},
     {flag1: 'no-git', flag2: 'git=test'},
-    {flag1: 'output-path=/test-path', flag2: 'bare'},
     {flag1: 'package-manager=pnpm', flag2: 'bare'},
     {flag1: 'template=test', flag2: 'bare'},
     {flag1: 'typescript', flag2: 'bare'},
@@ -90,6 +100,38 @@ describe('#init: oclif command setup', () => {
     expect(error?.oclif?.exit).toBe(2)
   })
 
+  test('throws error with hint when --create-project is used without a value', async () => {
+    const {error} = await testCommand(InitCommand, ['--create-project'], {
+      mocks: {
+        isInteractive: true,
+        token: 'test-token',
+      },
+    })
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain(
+      'Flag --create-project expects a value. Use --project-name instead:',
+    )
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.message).toContain('sanity init --project-name')
+    expect(error?.oclif?.exit).toBe(2)
+  })
+
+  test('throws error with hint when --bare and --output-path are both passed', async () => {
+    const {error} = await testCommand(InitCommand, ['--bare', '--output-path=/test-path'], {
+      mocks: {
+        isInteractive: true,
+        token: 'test-token',
+      },
+    })
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('--bare cannot be used with --output-path')
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.message).toContain('sanity init --bare --project-name')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
   test.each([
     {flag: 'env', message: 'Env filename (`--env`) must start with `.env`', value: 'invalid.txt'},
     {
@@ -230,12 +272,20 @@ describe('#init: oclif command setup', () => {
     )
   })
 
-  test('throws error when in unattended mode and `project` and `project-name` not set', async () => {
+  test('does not throw when project flags omitted in unattended mode — project name is derived', async () => {
     mocks.detectFrameworkRecord.mockResolvedValueOnce({
       name: 'Next.js',
       slug: 'nextjs',
     })
 
+    // With derived projectName, init proceeds to org resolution. We don't need to mock
+    // the full happy path — empty orgs returns the new descriptive error from task #2,
+    // which proves the original "must be specified" throw is gone.
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [])
+
     const {error} = await testCommand(
       InitCommand,
       [
@@ -250,32 +300,9 @@ describe('#init: oclif command setup', () => {
       },
     )
 
-    expect(error?.message).toContain(
+    expect(error?.message ?? '').not.toContain(
       '`--project <id>` or `--project-name <name>` must be specified in unattended mode',
     )
-    expect(error?.oclif?.exit).toBe(1)
-  })
-
-  test('throws error when in unattended mode and `project-name` set without `organization`', async () => {
-    mocks.detectFrameworkRecord.mockResolvedValueOnce({
-      name: 'Next.js',
-      slug: 'nextjs',
-    })
-
-    const {error} = await testCommand(
-      InitCommand,
-      ['--yes', '--dataset=production', '--project-name=test'],
-      {
-        mocks: {
-          ...defaultMocks,
-        },
-      },
-    )
-
-    expect(error?.message).toContain(
-      '`--project-name` requires `--organization <id>` in unattended mode',
-    )
-    expect(error?.oclif?.exit).toBe(1)
   })
 
   test('logs properly if app template flag is not valid', async () => {
diff --git a/packages/@sanity/cli/src/commands/__tests__/login.test.ts b/packages/@sanity/cli/src/commands/__tests__/login.test.ts
index dbc990e7f..8f9c09708 100644
--- a/packages/@sanity/cli/src/commands/__tests__/login.test.ts
+++ b/packages/@sanity/cli/src/commands/__tests__/login.test.ts
@@ -31,6 +31,19 @@ vi.mock('@sanity/cli-core/ux', async () => {
 // Mock browser launching
 vi.mock('open')
 
+// Mock background login (spawned in non-interactive mode)
+const mockedStartBackgroundLogin = vi.hoisted(() =>
+  vi.fn().mockResolvedValue({
+    loginUrl: 'https://api.sanity.io/auth/google?type=token&origin=http://localhost:4321/callback',
+    pid: 99_999,
+    port: 4321,
+  }),
+)
+vi.mock('../../actions/auth/backgroundLogin.js', () => ({
+  getBackgroundLoginConfigPath: vi.fn(() => '/tmp/sanity/config.json'),
+  startBackgroundLogin: mockedStartBackgroundLogin,
+}))
+
 // Mock platform detection
 vi.mock('../../util/canLaunchBrowser.js', () => ({
   canLaunchBrowser: vi.fn().mockReturnValue(true),
@@ -1234,7 +1247,7 @@ describe('#login', {timeout: 10_000}, () => {
   })
 
   describe('Non-Interactive Mode', () => {
-    test('throws error listing providers when multiple OAuth providers in non-interactive mode', async () => {
+    test('lists providers and hints when multiple OAuth providers in non-interactive mode', async () => {
       mockedGetCliToken.mockResolvedValue('')
       mockedIsInteractive.mockReturnValue(false)
 
@@ -1253,31 +1266,8 @@ describe('#login', {timeout: 10_000}, () => {
 
       expect(error).toBeInstanceOf(Error)
       expect(error?.message).toContain('Multiple login providers available: google, github')
-      expect(error?.message).toContain('`--provider <name>`')
-      expect(error?.oclif?.exit).toBe(1)
-    })
-
-    test('non-interactive error excludes synthetic sso from provider list', async () => {
-      mockedGetCliToken.mockResolvedValue('')
-      mockedIsInteractive.mockReturnValue(false)
-
-      mockApi({
-        apiVersion: AUTH_API_VERSION,
-        method: 'get',
-        uri: '/auth/providers',
-      }).reply(200, {
-        providers: [
-          {name: 'google', title: 'Google', url: 'https://api.sanity.io/auth/google'},
-          {name: 'github', title: 'GitHub', url: 'https://api.sanity.io/auth/github'},
-        ],
-      })
-
-      const {error} = await testCommand(LoginCommand, ['--experimental'])
-
-      expect(error).toBeInstanceOf(Error)
-      expect(error?.message).toContain('google, github')
-      expect(error?.message).not.toContain('sso')
-      expect(error?.oclif?.exit).toBe(1)
+      expect(error?.message).toContain('[Hint]')
+      expect(error?.message).toContain('sanity login --provider google')
     })
 
     test('throws error listing SSO providers when multiple SSO providers in non-interactive mode', async () => {
@@ -1322,14 +1312,46 @@ describe('#login', {timeout: 10_000}, () => {
     test('succeeds non-interactively with a single OAuth provider', async () => {
       mockedGetCliToken.mockResolvedValue('')
       mockedIsInteractive.mockReturnValue(false)
-      mockSingleProviderLogin()
 
-      const commandPromise = testCommand(LoginCommand, [])
-      await simulateOAuthCallback(4321, 'test-session-id')
-      const {error, stdout} = await commandPromise
+      mockApi({
+        apiVersion: AUTH_API_VERSION,
+        method: 'get',
+        uri: '/auth/providers',
+      }).reply(200, {
+        providers: [{name: 'google', title: 'Google', url: 'https://api.sanity.io/auth/google'}],
+      })
+
+      const {error, stdout} = await testCommand(LoginCommand, [])
 
       if (error) throw error
-      expect(stdout).toContain('Login successful')
+      expect(stdout).toContain('Opening browser at')
+      expect(stdout).toContain('Authentication is running in the background')
+      expect(stdout).toContain('~30-60 seconds')
+      expect(mockedStartBackgroundLogin).toHaveBeenCalledWith('https://api.sanity.io/auth/google', {
+        open: true,
+      })
+    })
+
+    test('respects --no-open in non-interactive mode', async () => {
+      mockedGetCliToken.mockResolvedValue('')
+      mockedIsInteractive.mockReturnValue(false)
+
+      mockApi({
+        apiVersion: AUTH_API_VERSION,
+        method: 'get',
+        uri: '/auth/providers',
+      }).reply(200, {
+        providers: [{name: 'google', title: 'Google', url: 'https://api.sanity.io/auth/google'}],
+      })
+
+      const {error, stdout} = await testCommand(LoginCommand, ['--no-open'])
+
+      if (error) throw error
+      expect(stdout).toContain('Please open a browser at')
+      expect(stdout).not.toContain('Opening browser at')
+      expect(mockedStartBackgroundLogin).toHaveBeenCalledWith('https://api.sanity.io/auth/google', {
+        open: false,
+      })
     })
   })
 
diff --git a/packages/@sanity/cli/src/commands/auth/__tests__/cancel.test.ts b/packages/@sanity/cli/src/commands/auth/__tests__/cancel.test.ts
new file mode 100644
index 000000000..ea34a04b7
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/auth/__tests__/cancel.test.ts
@@ -0,0 +1,36 @@
+import {testCommand} from '@sanity/cli-test'
+import {afterEach, describe, expect, test, vi} from 'vitest'
+
+import {Cancel} from '../cancel.js'
+
+const mockCancelBackgroundLogin = vi.hoisted(() => vi.fn())
+
+vi.mock('../../../actions/auth/backgroundLogin.js', () => ({
+  cancelBackgroundLogin: mockCancelBackgroundLogin,
+}))
+
+describe('#auth cancel', () => {
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  test('cancels a running background login', async () => {
+    mockCancelBackgroundLogin.mockReturnValue({cancelled: true, pid: 1234})
+
+    const {error, stdout} = await testCommand(Cancel)
+
+    if (error) throw error
+    expect(stdout).toContain('Background login cancelled.')
+    expect(mockCancelBackgroundLogin).toHaveBeenCalledOnce()
+  })
+
+  test('reports when no background login is in progress', async () => {
+    mockCancelBackgroundLogin.mockReturnValue({cancelled: false})
+
+    const {error, stdout} = await testCommand(Cancel)
+
+    if (error) throw error
+    expect(stdout).toContain('No background login in progress.')
+    expect(mockCancelBackgroundLogin).toHaveBeenCalledOnce()
+  })
+})
diff --git a/packages/@sanity/cli/src/commands/auth/__tests__/status.test.ts b/packages/@sanity/cli/src/commands/auth/__tests__/status.test.ts
new file mode 100644
index 000000000..9526feace
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/auth/__tests__/status.test.ts
@@ -0,0 +1,91 @@
+import {testCommand} from '@sanity/cli-test'
+import {afterEach, describe, expect, test, vi} from 'vitest'
+
+import {Status} from '../status.js'
+
+const mockValidateSession = vi.hoisted(() => vi.fn())
+
+vi.mock('../../../actions/auth/ensureAuthenticated.js', () => ({
+  validateSession: mockValidateSession,
+}))
+
+describe('#auth status', () => {
+  afterEach(() => {
+    vi.clearAllMocks()
+  })
+
+  test('shows logged-in user info when authenticated', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'test@example.com',
+      id: 'user-123',
+      name: 'Test User',
+      provider: 'google',
+    })
+
+    const {error, stdout} = await testCommand(Status)
+
+    if (error) throw error
+    expect(stdout).toContain('Logged in as test@example.com (Google)')
+    expect(mockValidateSession).toHaveBeenCalledOnce()
+  })
+
+  test('shows not-logged-in error with exit 1 when not authenticated', async () => {
+    mockValidateSession.mockResolvedValue(null)
+
+    const {error} = await testCommand(Status)
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Not logged in')
+    expect(error?.message).toContain('sanity login')
+    expect(error?.message).toContain('SANITY_AUTH_TOKEN')
+    expect(error?.oclif?.exit).toBe(1)
+    expect(mockValidateSession).toHaveBeenCalledOnce()
+  })
+
+  test('outputs JSON with user info when logged in and --json flag is used', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'dev@example.com',
+      id: 'user-456',
+      name: 'Dev User',
+      provider: 'github',
+    })
+
+    const {error, stdout} = await testCommand(Status, ['--json'])
+
+    if (error) throw error
+    const parsed = JSON.parse(stdout)
+    expect(parsed).toEqual({
+      email: 'dev@example.com',
+      loggedIn: true,
+      provider: 'GitHub',
+    })
+    expect(mockValidateSession).toHaveBeenCalledOnce()
+  })
+
+  test('outputs JSON with loggedIn false when not authenticated and --json flag is used', async () => {
+    mockValidateSession.mockResolvedValue(null)
+
+    const {error, stdout} = await testCommand(Status, ['--json'])
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.oclif?.exit).toBe(1)
+    const parsed = JSON.parse(stdout)
+    expect(parsed).toEqual({loggedIn: false, pending: false})
+    expect(mockValidateSession).toHaveBeenCalledOnce()
+  })
+
+  test('shows correct provider name for SAML provider', async () => {
+    mockValidateSession.mockResolvedValue({
+      email: 'sso@example.com',
+      id: 'user-789',
+      name: 'SSO User',
+      provider: 'saml-okta',
+    })
+
+    const {error, stdout} = await testCommand(Status)
+
+    if (error) throw error
+    expect(stdout).toContain('Logged in as sso@example.com (SAML)')
+    expect(mockValidateSession).toHaveBeenCalledOnce()
+  })
+})
diff --git a/packages/@sanity/cli/src/commands/auth/cancel.ts b/packages/@sanity/cli/src/commands/auth/cancel.ts
new file mode 100644
index 000000000..bb3e0ebbd
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/auth/cancel.ts
@@ -0,0 +1,22 @@
+import {SanityCommand} from '@sanity/cli-core'
+
+import {cancelBackgroundLogin} from '../../actions/auth/backgroundLogin.js'
+
+export class Cancel extends SanityCommand<typeof Cancel> {
+  static override description = 'Cancel a running background login process'
+  static override examples = [
+    {
+      command: '<%= config.bin %> <%= command.id %>',
+      description: 'Cancel background login',
+    },
+  ]
+
+  public async run() {
+    const {cancelled} = cancelBackgroundLogin()
+    if (cancelled) {
+      this.log('Background login cancelled.')
+    } else {
+      this.log('No background login in progress.')
+    }
+  }
+}
diff --git a/packages/@sanity/cli/src/commands/auth/status.ts b/packages/@sanity/cli/src/commands/auth/status.ts
new file mode 100644
index 000000000..430ae5a93
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/auth/status.ts
@@ -0,0 +1,68 @@
+import {Flags} from '@oclif/core'
+import {SanityCommand} from '@sanity/cli-core'
+
+import {isBackgroundLoginInProgress} from '../../actions/auth/backgroundLogin.js'
+import {validateSession} from '../../actions/auth/ensureAuthenticated.js'
+import {getProviderName} from '../../actions/auth/getProviderName.js'
+
+export class Status extends SanityCommand<typeof Status> {
+  static override description = 'Check authentication status'
+  static override examples = [
+    {
+      command: '<%= config.bin %> <%= command.id %>',
+      description: 'Check if you are logged in',
+    },
+    {
+      command: '<%= config.bin %> <%= command.id %> --json',
+      description: 'Check auth status in JSON format',
+    },
+  ]
+
+  static override flags = {
+    json: Flags.boolean({
+      default: false,
+      description: 'Output auth status in JSON format',
+    }),
+  }
+
+  public async run() {
+    const {json} = this.flags
+    const user = await validateSession()
+
+    if (user) {
+      if (json) {
+        this.log(
+          JSON.stringify(
+            {email: user.email, loggedIn: true, provider: getProviderName(user.provider)},
+            null,
+            2,
+          ),
+        )
+        return
+      }
+
+      this.log(`Logged in as ${user.email} (${getProviderName(user.provider)})`)
+      return
+    }
+
+    const pending = isBackgroundLoginInProgress()
+
+    if (json) {
+      this.log(JSON.stringify({loggedIn: false, pending}, null, 2))
+      this.exit(1)
+      return
+    }
+
+    if (pending) {
+      this.error(
+        'Login pending — callback server is running, waiting for OAuth redirect. Wait 30-60 seconds and re-check, or run `sanity auth cancel` to stop.',
+        {exit: 1},
+      )
+    }
+
+    this.error(
+      'Not logged in. Run `sanity login` or set the SANITY_AUTH_TOKEN environment variable.',
+      {exit: 1},
+    )
+  }
+}
diff --git a/packages/@sanity/cli/src/commands/cors/__tests__/add.test.ts b/packages/@sanity/cli/src/commands/cors/__tests__/add.test.ts
index 1e0177e83..96da8958c 100644
--- a/packages/@sanity/cli/src/commands/cors/__tests__/add.test.ts
+++ b/packages/@sanity/cli/src/commands/cors/__tests__/add.test.ts
@@ -123,6 +123,43 @@ describe('#cors:add', () => {
     expect(stdout).toContain('CORS origin added successfully')
   })
 
+  test('accepts --project as alias for --project-id', async () => {
+    const origin = 'https://example.com'
+
+    mockApi({
+      apiVersion: CORS_API_VERSION,
+      method: 'post',
+      uri: '/projects/alias-project/cors',
+    }).reply(201, {
+      allowCredentials: true,
+      createdAt: '2023-01-01T00:00:00Z',
+      deletedAt: null,
+      id: 1,
+      origin: origin,
+      projectId: 'alias-project',
+      updatedAt: null,
+    })
+
+    const {error, stdout} = await testCommand(
+      Add,
+      [origin, '--credentials', '--project', 'alias-project'],
+      {
+        mocks: {
+          cliConfig: {api: {}},
+          projectRoot: {
+            directory: '/test/path',
+            path: '/test/path/sanity.config.ts',
+            type: 'studio' as const,
+          },
+          token: 'test-token',
+        },
+      },
+    )
+
+    if (error) throw error
+    expect(stdout).toContain('CORS origin added successfully')
+  })
+
   test('fails when no project ID is available', async () => {
     const {error} = await testCommand(Add, ['https://example.com'], {
       mocks: {
diff --git a/packages/@sanity/cli/src/commands/init.ts b/packages/@sanity/cli/src/commands/init.ts
index ca539ef9f..4afc5c08e 100644
--- a/packages/@sanity/cli/src/commands/init.ts
+++ b/packages/@sanity/cli/src/commands/init.ts
@@ -5,6 +5,7 @@ import {SanityCommand} from '@sanity/cli-core'
 import {initAction} from '../actions/init/initAction.js'
 import {InitError} from '../actions/init/initError.js'
 import {flagsToInitOptions} from '../actions/init/types.js'
+import {formatHint} from '../util/formatHint.js'
 import {getSanityEnv} from '../util/getSanityEnv.js'
 
 export class InitCommand extends SanityCommand<typeof InitCommand> {
@@ -132,7 +133,6 @@ export class InitCommand extends SanityCommand<typeof InitCommand> {
     }),
     'output-path': Flags.string({
       description: 'Path to write studio project to',
-      exclusive: ['bare'],
       helpValue: '<path>',
     }),
     'overwrite-files': Flags.boolean({
@@ -209,6 +209,16 @@ export class InitCommand extends SanityCommand<typeof InitCommand> {
     }),
   }
 
+  protected override async catch(err: Error & {exitCode?: number}): Promise<never> {
+    if (err.message?.includes('Flag --create-project expects a value')) {
+      this.error(
+        `Flag --create-project expects a value. Use --project-name instead:${formatHint('sanity init --project-name "my-project" --dataset production -y')}`,
+        {exit: 2},
+      )
+    }
+    throw err
+  }
+
   public async run(): Promise<void> {
     let mcpMode: 'auto' | 'prompt' | 'skip' = 'prompt'
     if (!this.flags.mcp || !this.resolveIsInteractive() || getSanityEnv() !== 'production') {
diff --git a/packages/@sanity/cli/src/commands/login.ts b/packages/@sanity/cli/src/commands/login.ts
index b2f41bca9..876fc0106 100644
--- a/packages/@sanity/cli/src/commands/login.ts
+++ b/packages/@sanity/cli/src/commands/login.ts
@@ -2,20 +2,27 @@ import {text} from 'node:stream/consumers'
 
 import {Command, Flags} from '@oclif/core'
 import {type FlagInput} from '@oclif/core/interfaces'
-import {SanityCommand} from '@sanity/cli-core'
+import {isInteractive, SanityCommand} from '@sanity/cli-core'
 
 import {login} from '../actions/auth/login/login.js'
 
 export class LoginCommand extends SanityCommand<typeof LoginCommand> {
-  static override description = 'Log in to your Sanity account'
+  static override description = `Log in to your Sanity account
+
+Opens a browser for authentication. If a browser session is already
+authenticated, this completes in seconds.`
   static override examples: Array<Command.Example> = [
     {
       command: '<%= config.bin %> <%= command.id %>',
-      description: 'Log in using default settings',
+      description: 'Log in via browser (opens automatically)',
+    },
+    {
+      command: '<%= config.bin %> <%= command.id %> --provider github',
+      description: 'Log in with a specific provider',
     },
     {
       command: '<%= config.bin %> <%= command.id %> --provider github --no-open',
-      description: 'Login with GitHub provider, but do not open a browser window automatically',
+      description: 'Print login URL without opening browser',
     },
     {
       command: '<%= config.bin %> <%= command.id %> --sso my-organization',
@@ -30,6 +37,10 @@ export class LoginCommand extends SanityCommand<typeof LoginCommand> {
       command: '<%= config.bin %> <%= command.id %> --with-token < token.txt',
       description: 'Log in using a token from standard input',
     },
+    {
+      command: 'SANITY_AUTH_TOKEN=<token> <%= config.bin %> init --yes',
+      description: 'Skip login entirely by setting a token as an environment variable',
+    },
   ]
   static override flags = {
     experimental: Flags.boolean({
@@ -40,6 +51,7 @@ export class LoginCommand extends SanityCommand<typeof LoginCommand> {
       allowNo: true,
       default: true,
       description: 'Open a browser window to log in (`--no-open` only prints URL)',
+      hidden: true,
     }),
     provider: Flags.string({
       description: 'Log in using the given provider',
@@ -56,6 +68,10 @@ export class LoginCommand extends SanityCommand<typeof LoginCommand> {
       description: 'Select a specific SSO provider by name (use with --sso)',
       helpValue: '<name>',
     }),
+    wait: Flags.boolean({
+      default: false,
+      description: 'Block until login completes (up to 5 minutes). Recommended for agents and CI.',
+    }),
     'with-token': Flags.boolean({
       description: 'Read token from standard input',
       exclusive: ['provider', 'sso'],
@@ -76,7 +92,10 @@ export class LoginCommand extends SanityCommand<typeof LoginCommand> {
         telemetry: this.telemetry,
         token,
       })
-      this.log('Login successful')
+
+      if (isInteractive() || token || flags.wait) {
+        this.log('Login successful')
+      }
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error)
       this.error(`Login failed: ${message}`, {exit: 1})
diff --git a/packages/@sanity/cli/src/commands/organizations/__tests__/__snapshots__/list.test.ts.snap b/packages/@sanity/cli/src/commands/organizations/__tests__/__snapshots__/list.test.ts.snap
new file mode 100644
index 000000000..5ea375392
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/organizations/__tests__/__snapshots__/list.test.ts.snap
@@ -0,0 +1,8 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`#list > displays organizations correctly 1`] = `
+"id      name        slug 
+org-a   Alpha Org   alpha
+org-b   Beta Org    beta 
+"
+`;
diff --git a/packages/@sanity/cli/src/commands/organizations/__tests__/create.test.ts b/packages/@sanity/cli/src/commands/organizations/__tests__/create.test.ts
new file mode 100644
index 000000000..267682503
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/organizations/__tests__/create.test.ts
@@ -0,0 +1,106 @@
+import {createTestToken, mockApi, testCommand} from '@sanity/cli-test'
+import {cleanAll, pendingMocks} from 'nock'
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest'
+
+import {ORGANIZATIONS_API_VERSION} from '../../../services/organizations.js'
+import {Create} from '../create.js'
+
+describe('#create', () => {
+  beforeEach(() => {
+    createTestToken('test-token')
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+    const pending = pendingMocks()
+    cleanAll()
+    expect(pending, 'pending mocks').toEqual([])
+  })
+
+  test('creates an organization with the given name', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      method: 'post',
+      uri: '/organizations',
+    }).reply(200, {
+      createdByUserId: 'user-1',
+      defaultRoleName: null,
+      features: [],
+      id: 'org-new',
+      members: [],
+      name: 'My Org',
+      slug: 'my-org',
+    })
+
+    const {error, stdout} = await testCommand(Create, ['My Org'])
+
+    if (error) throw error
+    expect(stdout).toContain('Created organization: My Org (org-new)')
+    expect(stdout).toContain('https://sanity.io/manage')
+  })
+
+  test('outputs JSON when --json is specified', async () => {
+    const response = {
+      createdByUserId: 'user-1',
+      defaultRoleName: null,
+      features: [],
+      id: 'org-new',
+      members: [],
+      name: 'Test Org',
+      slug: 'test-org',
+    }
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      method: 'post',
+      uri: '/organizations',
+    }).reply(200, response)
+
+    const {error, stdout} = await testCommand(Create, ['Test Org', '--json'])
+
+    if (error) throw error
+    expect(JSON.parse(stdout)).toEqual(response)
+  })
+
+  test('errors with hint when name is missing', async () => {
+    const {error} = await testCommand(Create)
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Organization name is required')
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
+  test('errors when name is too long', async () => {
+    const longName = 'a'.repeat(101)
+    const {error} = await testCommand(Create, [longName])
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('cannot be longer than 100')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
+  test('displays auth error with hint when not logged in', async () => {
+    vi.unstubAllEnvs()
+
+    const {error} = await testCommand(Create, ['My Org'])
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Not logged in')
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
+  test('displays an error if the API request fails', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      method: 'post',
+      uri: '/organizations',
+    }).reply(500, {message: 'Internal Server Error'})
+
+    const {error} = await testCommand(Create, ['My Org'])
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Failed to create organization')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+})
diff --git a/packages/@sanity/cli/src/commands/organizations/__tests__/list.test.ts b/packages/@sanity/cli/src/commands/organizations/__tests__/list.test.ts
new file mode 100644
index 000000000..c921cd175
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/organizations/__tests__/list.test.ts
@@ -0,0 +1,127 @@
+import {createTestToken, mockApi, testCommand} from '@sanity/cli-test'
+import {cleanAll, pendingMocks} from 'nock'
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest'
+
+import {ORGANIZATIONS_API_VERSION} from '../../../services/organizations.js'
+import {List} from '../list.js'
+
+describe('#list', () => {
+  beforeEach(() => {
+    createTestToken('test-token')
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+    const pending = pendingMocks()
+    cleanAll()
+    expect(pending, 'pending mocks').toEqual([])
+  })
+
+  test('displays organizations correctly', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [
+      {id: 'org-b', name: 'Beta Org', slug: 'beta'},
+      {id: 'org-a', name: 'Alpha Org', slug: 'alpha'},
+    ])
+
+    const {stdout} = await testCommand(List)
+
+    expect(stdout).toMatchSnapshot()
+  })
+
+  test('outputs JSON when --json is specified', async () => {
+    const organizations = [
+      {id: 'org-1', name: 'First Org', slug: 'first'},
+      {id: 'org-2', name: 'Second Org', slug: 'second'},
+    ]
+
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, organizations)
+
+    const {stdout} = await testCommand(List, ['--json'])
+
+    const parsed = JSON.parse(stdout)
+    expect(parsed).toEqual(organizations)
+  })
+
+  test('sorts by name when --sort name is specified', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [
+      {id: 'org-1', name: 'Charlie', slug: 'charlie'},
+      {id: 'org-2', name: 'Alpha', slug: 'alpha'},
+      {id: 'org-3', name: 'Bravo', slug: 'bravo'},
+    ])
+
+    const {stdout} = await testCommand(List, ['--sort', 'name'])
+
+    const lines = stdout.split('\n').filter(Boolean)
+
+    const alphaIndex = lines.findIndex((line) => line.includes('Alpha'))
+    const bravoIndex = lines.findIndex((line) => line.includes('Bravo'))
+    const charlieIndex = lines.findIndex((line) => line.includes('Charlie'))
+
+    expect(alphaIndex).toBeGreaterThan(0)
+    expect(bravoIndex).toBeGreaterThan(0)
+    expect(charlieIndex).toBeGreaterThan(0)
+
+    expect(alphaIndex).toBeLessThan(bravoIndex)
+    expect(bravoIndex).toBeLessThan(charlieIndex)
+  })
+
+  test('sorts in descending order when --order desc is specified', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(200, [
+      {id: 'org-a', name: 'Alpha', slug: 'alpha'},
+      {id: 'org-b', name: 'Bravo', slug: 'bravo'},
+      {id: 'org-c', name: 'Charlie', slug: 'charlie'},
+    ])
+
+    const {stdout} = await testCommand(List, ['--order', 'desc'])
+
+    const lines = stdout.split('\n').filter(Boolean)
+
+    const orgAIndex = lines.findIndex((line) => line.includes('org-a'))
+    const orgBIndex = lines.findIndex((line) => line.includes('org-b'))
+    const orgCIndex = lines.findIndex((line) => line.includes('org-c'))
+
+    expect(orgAIndex).toBeGreaterThan(0)
+    expect(orgBIndex).toBeGreaterThan(0)
+    expect(orgCIndex).toBeGreaterThan(0)
+
+    expect(orgCIndex).toBeLessThan(orgBIndex)
+    expect(orgBIndex).toBeLessThan(orgAIndex)
+  })
+
+  test('displays auth error with hint when not logged in', async () => {
+    vi.unstubAllEnvs()
+
+    const {error} = await testCommand(List)
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Not logged in')
+    expect(error?.message).toContain('sanity login')
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
+  test('displays an error if the API request fails', async () => {
+    mockApi({
+      apiVersion: ORGANIZATIONS_API_VERSION,
+      uri: '/organizations',
+    }).reply(500, {message: 'Internal Server Error'})
+
+    const {error} = await testCommand(List)
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Failed to list organizations')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+})
diff --git a/packages/@sanity/cli/src/commands/organizations/create.ts b/packages/@sanity/cli/src/commands/organizations/create.ts
new file mode 100644
index 000000000..1d08da5c3
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/organizations/create.ts
@@ -0,0 +1,84 @@
+import {Args, Flags} from '@oclif/core'
+import {SanityCommand, subdebug} from '@sanity/cli-core'
+import {isHttpError} from '@sanity/client'
+
+import {isBackgroundLoginInProgress} from '../../actions/auth/backgroundLogin.js'
+import {validateOrganizationName} from '../../actions/organizations/validateOrganizationName.js'
+import {createOrganization} from '../../services/organizations.js'
+import {formatHint} from '../../util/formatHint.js'
+
+const organizationsDebug = subdebug('organizations')
+
+export class Create extends SanityCommand<typeof Create> {
+  static override args = {
+    name: Args.string({description: 'Organization name'}),
+  }
+  static override description = 'Create a new organization'
+  static override examples = [
+    {
+      command: '<%= config.bin %> <%= command.id %> "My Org"',
+      description: 'Create a new organization named "My Org"',
+    },
+    {
+      command: '<%= config.bin %> <%= command.id %> "My Org" --json',
+      description: 'Create a new organization and output JSON',
+    },
+  ]
+
+  static override flags = {
+    json: Flags.boolean({
+      default: false,
+      description: 'Output the created organization in JSON format',
+    }),
+  }
+
+  static override hiddenAliases: string[] = ['organization:create']
+
+  public async run() {
+    const {json} = this.flags
+    const name = this.args.name
+
+    if (!name) {
+      this.error(
+        `Organization name is required.${formatHint('sanity organizations create "My Org"')}`,
+        {exit: 1},
+      )
+    }
+
+    const validation = validateOrganizationName(name)
+    if (validation !== true) {
+      this.error(validation, {exit: 1})
+    }
+
+    let organization
+    try {
+      organization = await createOrganization(name)
+    } catch (error) {
+      organizationsDebug('Error creating organization', error)
+      const isAuthError =
+        (error instanceof Error && error.message.includes('must login first')) ||
+        (isHttpError(error) && (error.statusCode === 401 || error.statusCode === 403))
+      if (isAuthError) {
+        if (isBackgroundLoginInProgress()) {
+          this.error(
+            'Login pending — callback server is running, waiting for OAuth redirect. Wait 30-60 seconds and re-check, or run `sanity auth cancel` to stop.',
+            {exit: 1},
+          )
+        }
+        this.error(
+          `Not logged in. Run \`sanity login\` or set the SANITY_AUTH_TOKEN environment variable.${formatHint('sanity login --provider google')}`,
+          {exit: 1},
+        )
+      }
+      this.error('Failed to create organization', {exit: 1})
+    }
+
+    if (json) {
+      this.log(JSON.stringify(organization, null, 2))
+      return
+    }
+
+    this.log(`Created organization: ${organization.name} (${organization.id})`)
+    this.log(`Manage at: https://sanity.io/manage/personal/organization/${organization.id}`)
+  }
+}
diff --git a/packages/@sanity/cli/src/commands/organizations/list.ts b/packages/@sanity/cli/src/commands/organizations/list.ts
new file mode 100644
index 000000000..202d21966
--- /dev/null
+++ b/packages/@sanity/cli/src/commands/organizations/list.ts
@@ -0,0 +1,104 @@
+import {styleText} from 'node:util'
+
+import {Flags} from '@oclif/core'
+import {SanityCommand, subdebug} from '@sanity/cli-core'
+import {isHttpError} from '@sanity/client'
+import sortBy from 'lodash-es/sortBy.js'
+
+import {isBackgroundLoginInProgress} from '../../actions/auth/backgroundLogin.js'
+import {listOrganizations} from '../../services/organizations.js'
+import {formatHint} from '../../util/formatHint.js'
+
+const sortFields = ['id', 'name', 'slug']
+
+const organizationsDebug = subdebug('organizations')
+
+export class List extends SanityCommand<typeof List> {
+  static override description = 'List your organizations'
+  static override examples = [
+    {
+      command: '<%= config.bin %> <%= command.id %>',
+      description: 'List organizations',
+    },
+    {
+      command: '<%= config.bin %> <%= command.id %> --json',
+      description: 'List organizations in JSON format',
+    },
+    {
+      command: '<%= config.bin %> <%= command.id %> --sort=name --order=asc',
+      description: 'List organizations sorted by name, ascending',
+    },
+  ]
+
+  static override flags = {
+    json: Flags.boolean({
+      default: false,
+      description: 'Output organizations in JSON format',
+    }),
+    order: Flags.string({
+      default: 'asc',
+      description: 'Sort direction',
+      options: ['asc', 'desc'],
+    }),
+    sort: Flags.string({
+      default: 'id',
+      description: 'Sort field',
+      options: sortFields,
+    }),
+  }
+
+  static override hiddenAliases: string[] = ['organization:list']
+
+  public async run() {
+    const {json, order, sort} = this.flags
+
+    let organizations
+    try {
+      organizations = await listOrganizations()
+    } catch (error) {
+      organizationsDebug('Error listing organizations', error)
+      const isAuthError =
+        (error instanceof Error && error.message.includes('must login first')) ||
+        (isHttpError(error) && (error.statusCode === 401 || error.statusCode === 403))
+      if (isAuthError) {
+        if (isBackgroundLoginInProgress()) {
+          this.error(
+            'Login pending — callback server is running, waiting for OAuth redirect. Wait 30-60 seconds and re-check, or run `sanity auth cancel` to stop.',
+            {exit: 1},
+          )
+        }
+        this.error(
+          `Not logged in. Run \`sanity login\` or set the SANITY_AUTH_TOKEN environment variable.${formatHint('sanity login --provider google')}`,
+          {exit: 1},
+        )
+      }
+      this.error('Failed to list organizations', {exit: 1})
+    }
+
+    if (json) {
+      this.log(JSON.stringify(organizations, null, 2))
+      return
+    }
+
+    const ordered = sortBy(
+      organizations.map(({id, name, slug}) => [id, name, slug].map(String)),
+      [sortFields.indexOf(sort)],
+    )
+
+    const rows = order === 'asc' ? ordered : ordered.toReversed()
+
+    const maxWidths = sortFields.map((str) => str.length)
+
+    for (const row of rows) {
+      for (const [i, element] of row.entries()) {
+        maxWidths[i] = Math.max(element.length, maxWidths[i])
+      }
+    }
+
+    const printRow = (row: string[]) =>
+      row.map((col, i) => `${col}`.padEnd(maxWidths[i])).join('   ')
+
+    this.log(styleText('cyan', printRow(sortFields)))
+    for (const row of rows) this.log(printRow(row))
+  }
+}
diff --git a/packages/@sanity/cli/src/commands/projects/__tests__/list.test.ts b/packages/@sanity/cli/src/commands/projects/__tests__/list.test.ts
index e0b8a63de..1ae0acb93 100644
--- a/packages/@sanity/cli/src/commands/projects/__tests__/list.test.ts
+++ b/packages/@sanity/cli/src/commands/projects/__tests__/list.test.ts
@@ -1,12 +1,17 @@
-import {mockApi, testCommand} from '@sanity/cli-test'
+import {createTestToken, mockApi, testCommand} from '@sanity/cli-test'
 import {cleanAll, pendingMocks} from 'nock'
-import {afterEach, describe, expect, test} from 'vitest'
+import {afterEach, beforeEach, describe, expect, test, vi} from 'vitest'
 
 import {PROJECTS_API_VERSION} from '../../../services/projects.js'
 import {List} from '../list.js'
 
 describe('#list', () => {
+  beforeEach(() => {
+    createTestToken('test-token')
+  })
+
   afterEach(() => {
+    vi.unstubAllEnvs()
     const pending = pendingMocks()
     cleanAll()
     expect(pending, 'pending mocks').toEqual([])
@@ -124,6 +129,97 @@ describe('#list', () => {
     expect(line2023_01_02).toBeLessThan(line2023_01_03)
   })
 
+  test('outputs JSON when --json is specified', async () => {
+    const projects = [
+      {
+        createdAt: '2023-01-01',
+        displayName: 'Project One',
+        id: 'project1',
+        members: ['user1', 'user2'],
+      },
+      {
+        createdAt: '2023-01-02',
+        displayName: 'Project Two',
+        id: 'project2',
+        members: ['user1'],
+      },
+    ]
+
+    mockApi({
+      apiVersion: PROJECTS_API_VERSION,
+      query: {onlyExplicitMembership: 'true'},
+      uri: '/projects',
+    }).reply(200, projects)
+
+    const {stdout} = await testCommand(List, ['--json'])
+
+    const parsed = JSON.parse(stdout)
+    // Default sort is created desc
+    expect(parsed).toEqual([
+      {
+        created: '2023-01-02',
+        id: 'project2',
+        members: 1,
+        name: 'Project Two',
+        url: 'https://www.sanity.io/manage/project/project2',
+      },
+      {
+        created: '2023-01-01',
+        id: 'project1',
+        members: 2,
+        name: 'Project One',
+        url: 'https://www.sanity.io/manage/project/project1',
+      },
+    ])
+  })
+
+  test('applies sort and order to JSON output', async () => {
+    mockApi({
+      apiVersion: PROJECTS_API_VERSION,
+      query: {onlyExplicitMembership: 'true'},
+      uri: '/projects',
+    }).reply(200, [
+      {
+        createdAt: '2023-01-01',
+        displayName: 'Project One',
+        id: 'project1',
+        members: ['user1', 'user2', 'user3'],
+      },
+      {
+        createdAt: '2023-01-02',
+        displayName: 'Project Two',
+        id: 'project2',
+        members: ['user1'],
+      },
+      {
+        createdAt: '2023-01-03',
+        displayName: 'Project Three',
+        id: 'project3',
+        members: ['user1', 'user2'],
+      },
+    ])
+
+    const {stdout} = await testCommand(List, ['--json', '--sort', 'members', '--order', 'asc'])
+
+    const parsed = JSON.parse(stdout)
+    expect(parsed).toHaveLength(3)
+    expect(parsed[0].members).toBe(1)
+    expect(parsed[1].members).toBe(2)
+    expect(parsed[2].members).toBe(3)
+  })
+
+  test('displays auth error with hint when not logged in', async () => {
+    vi.unstubAllEnvs()
+
+    const {error} = await testCommand(List)
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error?.message).toContain('Not logged in')
+    expect(error?.message).toContain('sanity login')
+    expect(error?.message).toContain('[Hint]')
+    expect(error?.oclif?.exit).toBe(1)
+  })
+
   test('displays an error if the API request fails', async () => {
     mockApi({
       apiVersion: PROJECTS_API_VERSION,
diff --git a/packages/@sanity/cli/src/commands/projects/list.ts b/packages/@sanity/cli/src/commands/projects/list.ts
index 31a5e9269..2789b2019 100644
--- a/packages/@sanity/cli/src/commands/projects/list.ts
+++ b/packages/@sanity/cli/src/commands/projects/list.ts
@@ -2,10 +2,13 @@ import {styleText} from 'node:util'
 
 import {Flags} from '@oclif/core'
 import {SanityCommand, subdebug} from '@sanity/cli-core'
+import {isHttpError} from '@sanity/client'
 import size from 'lodash-es/size.js'
 import sortBy from 'lodash-es/sortBy.js'
 
+import {isBackgroundLoginInProgress} from '../../actions/auth/backgroundLogin.js'
 import {listProjects} from '../../services/projects.js'
+import {formatHint} from '../../util/formatHint.js'
 
 const sortFields = ['id', 'members', 'name', 'url', 'created']
 
@@ -18,6 +21,10 @@ export class List extends SanityCommand<typeof List> {
       command: '<%= config.bin %> <%= command.id %>',
       description: 'List projects',
     },
+    {
+      command: '<%= config.bin %> <%= command.id %> --json',
+      description: 'List projects in JSON format',
+    },
     {
       command: '<%= config.bin %> <%= command.id %> --sort=members --order=asc',
       description: 'List projects sorted by member count, ascending',
@@ -25,6 +32,10 @@ export class List extends SanityCommand<typeof List> {
   ]
 
   static override flags = {
+    json: Flags.boolean({
+      default: false,
+      description: 'Output projects in JSON format',
+    }),
     order: Flags.string({
       default: 'desc',
       description: 'Sort direction',
@@ -40,10 +51,25 @@ export class List extends SanityCommand<typeof List> {
   static override hiddenAliases: string[] = ['project:list']
 
   public async run() {
-    const {order, sort} = this.flags
+    const {json, order, sort} = this.flags
 
     try {
       const projects = await listProjects()
+
+      if (json) {
+        const mapped = projects.map(({createdAt, displayName, id, members = []}) => ({
+          created: createdAt,
+          id,
+          members: members.length,
+          name: displayName,
+          url: `https://www.sanity.io/manage/project/${id}`,
+        }))
+        const sorted = sortBy(mapped, [sort])
+        const ordered = order === 'asc' ? sorted : sorted.toReversed()
+        this.log(JSON.stringify(ordered, null, 2))
+        return
+      }
+
       const ordered = sortBy(
         projects.map(({createdAt, displayName, id, members = []}) => {
           const manage = `https://www.sanity.io/manage/project/${id}`
@@ -71,6 +97,21 @@ export class List extends SanityCommand<typeof List> {
       for (const row of rows) this.log(printRow(row))
     } catch (error) {
       projectsDebug('Error listing projects', error)
+      const isAuthError =
+        (error instanceof Error && error.message.includes('must login first')) ||
+        (isHttpError(error) && (error.statusCode === 401 || error.statusCode === 403))
+      if (isAuthError) {
+        if (isBackgroundLoginInProgress()) {
+          this.error(
+            'Login pending — callback server is running, waiting for OAuth redirect. Wait 30-60 seconds and re-check, or run `sanity auth cancel` to stop.',
+            {exit: 1},
+          )
+        }
+        this.error(
+          `Not logged in. Run \`sanity login\` or set the SANITY_AUTH_TOKEN environment variable.${formatHint('sanity login --provider google')}`,
+          {exit: 1},
+        )
+      }
       this.error('Failed to list projects', {exit: 1})
     }
   }
diff --git a/packages/@sanity/cli/src/commands/schemas/deploy.ts b/packages/@sanity/cli/src/commands/schemas/deploy.ts
index ead46820a..d1181c005 100644
--- a/packages/@sanity/cli/src/commands/schemas/deploy.ts
+++ b/packages/@sanity/cli/src/commands/schemas/deploy.ts
@@ -1,8 +1,8 @@
 import {styleText} from 'node:util'
 
-import {SchemaExtractionError} from '@sanity/cli-build/_internal'
 import {Flags} from '@oclif/core'
 import {CLIError} from '@oclif/core/errors'
+import {SchemaExtractionError} from '@sanity/cli-build/_internal'
 import {SanityCommand} from '@sanity/cli-core'
 
 import {deploySchemas} from '../../actions/schema/deploySchemas.js'
diff --git a/packages/@sanity/cli/src/topicAliases.ts b/packages/@sanity/cli/src/topicAliases.ts
index 841a6ce58..da509b92c 100644
--- a/packages/@sanity/cli/src/topicAliases.ts
+++ b/packages/@sanity/cli/src/topicAliases.ts
@@ -23,6 +23,7 @@ export const topicAliases: Record<string, string[]> = {
   documents: ['document'],
   functions: ['function'],
   hooks: ['hook'],
+  organizations: ['organization'],
   projects: ['project'],
   schemas: ['schema'],
   tokens: ['token'],
diff --git a/packages/@sanity/cli/src/util/__tests__/sharedFlags.test.ts b/packages/@sanity/cli/src/util/__tests__/sharedFlags.test.ts
index b7bd8e49a..6c256c334 100644
--- a/packages/@sanity/cli/src/util/__tests__/sharedFlags.test.ts
+++ b/packages/@sanity/cli/src/util/__tests__/sharedFlags.test.ts
@@ -58,6 +58,21 @@ describe('getProjectIdFlag', () => {
     await expect(invoke('  abc  ')).resolves.toBe('abc')
     await expect(invoke('  ')).rejects.toThrow('cannot be empty')
   })
+
+  test('includes hidden project alias flag', () => {
+    const flags = getProjectIdFlag({semantics: 'override'})
+    expect(flags.project).toBeDefined()
+    expect(flags.project.hidden).toBe(true)
+  })
+
+  test('project alias parse trims and validates non-empty', async () => {
+    const flags = getProjectIdFlag({semantics: 'override'})
+    const parse = flags.project.parse!
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- testing parse in isolation, context/opts not used
+    const invoke = (input: string) => parse(input, {} as any, {} as any)
+    await expect(invoke('  abc  ')).resolves.toBe('abc')
+    await expect(invoke('  ')).rejects.toThrow('cannot be empty')
+  })
 })
 
 describe('getDatasetFlag', () => {
diff --git a/packages/@sanity/cli/src/util/formatHint.ts b/packages/@sanity/cli/src/util/formatHint.ts
new file mode 100644
index 000000000..d2ac068cb
--- /dev/null
+++ b/packages/@sanity/cli/src/util/formatHint.ts
@@ -0,0 +1,6 @@
+import {styleText} from 'node:util'
+
+export function formatHint(...commands: string[]): string {
+  const lines = commands.map((cmd) => `  ${cmd}`).join('\n')
+  return `\n${styleText('cyan', '[Hint]')}\n${lines}`
+}
diff --git a/packages/@sanity/cli/src/util/sharedFlags.ts b/packages/@sanity/cli/src/util/sharedFlags.ts
index feb08204c..597b047fb 100644
--- a/packages/@sanity/cli/src/util/sharedFlags.ts
+++ b/packages/@sanity/cli/src/util/sharedFlags.ts
@@ -46,6 +46,18 @@ export function getProjectIdFlag(options: SharedFlagOptions) {
   const description = (baseDescription ?? 'Project ID to use') + (isOverride ? OVERRIDE_SUFFIX : '')
 
   return {
+    // Hidden alias so that `--project <id>` works as a synonym for `--project-id <id>`
+    project: Flags.string({
+      exclusive: ['project-id'],
+      hidden: true,
+      parse: async (input: string) => {
+        const trimmed = input.trim()
+        if (trimmed === '') {
+          throw new Error('`--project` cannot be empty if provided')
+        }
+        return trimmed
+      },
+    }),
     'project-id': Flags.string({
       description,
       helpGroup: helpGroup ?? (isOverride ? 'OVERRIDE' : undefined),