Right now the only way to authenticate with the CLI tool is to provide ClientId and ClientSecret (via command line or Profiles file). But, do you know if it's planned to allow just setting directly the OAuth Token (like the Archy tool does)?
That seems reasonable. I'll bring this up in our team meeting today. We could look to have this feature added quite soon because it wouldn't be difficult to implement.
Also, just to let you know support for environment variables has been added recently.
The priority of credentials from highest to lowest is: