diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 2a61fdc1b..9955fe8e3 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -288,7 +288,7 @@ type ClientCredentials struct {
 }
 
 // GetAccessTokenFromClientCreds generates an access token from client credentials
-func GetAccessTokenFromClientCreds(args ClientCredentials) (Result, error) {
+func GetAccessTokenFromClientCreds(ctx context.Context, args ClientCredentials) (Result, error) {
 	u, err := url.Parse("https://" + args.Domain)
 	if err != nil {
 		return Result{}, err
@@ -305,7 +305,7 @@ func GetAccessTokenFromClientCreds(args ClientCredentials) (Result, error) {
 		},
 	}
 
-	resp, err := credsConfig.Token(context.Background())
+	resp, err := credsConfig.Token(ctx)
 	if err != nil {
 		return Result{}, err
 	}
diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index 927d7223c..c98224b15 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -21,6 +21,7 @@ import (
 	"github.com/spf13/pflag"
 
 	"github.com/auth0/auth0-cli/internal/analytics"
+	"github.com/auth0/auth0-cli/internal/ansi"
 	"github.com/auth0/auth0-cli/internal/auth"
 	"github.com/auth0/auth0-cli/internal/auth0"
 	"github.com/auth0/auth0-cli/internal/buildinfo"
@@ -109,11 +110,14 @@ func (t *Tenant) hasExpiredToken() bool {
 
 func (t *Tenant) regenerateAccessToken(ctx context.Context, c *cli) error {
 	if t.authenticatedWithClientCredentials() {
-		token, err := auth.GetAccessTokenFromClientCreds(auth.ClientCredentials{
-			ClientID:     t.ClientID,
-			ClientSecret: t.ClientSecret,
-			Domain:       t.Domain,
-		})
+		token, err := auth.GetAccessTokenFromClientCreds(
+			ctx,
+			auth.ClientCredentials{
+				ClientID:     t.ClientID,
+				ClientSecret: t.ClientSecret,
+				Domain:       t.Domain,
+			},
+		)
 		if err != nil {
 			return err
 		}
@@ -207,18 +211,28 @@ func (c *cli) prepareTenant(ctx context.Context) (Tenant, error) {
 		return Tenant{}, err
 	}
 
-	if t.AccessToken == "" || (scopesChanged(t) && t.authenticatedWithDeviceCodeFlow()) {
-		return RunLoginAsUser(ctx, c, true)
+	if scopesChanged(t) && t.authenticatedWithDeviceCodeFlow() {
+		c.renderer.Warnf("Required scopes have changed. Please log in to re-authorize the CLI.\n")
+		return RunLoginAsUser(ctx, c)
 	}
 
-	if !t.hasExpiredToken() {
+	if t.AccessToken != "" && !t.hasExpiredToken() {
 		return t, nil
 	}
 
 	if err := t.regenerateAccessToken(ctx, c); err != nil {
-		// Ask and guide the user through the login process.
-		c.renderer.Errorf("failed to renew access token, %s", err)
-		return RunLoginAsUser(ctx, c, true)
+		if t.authenticatedWithClientCredentials() {
+			return t, fmt.Errorf(
+				"failed to fetch access token using client credentials.\n\n"+
+					"This may occur if the designated application has been deleted or the client secret has been rotated.\n\n"+
+					"Please re-authenticate by running: %s",
+				ansi.Bold("auth0 login --domain <tenant-domain --client-id <client-id> --client-secret <client-secret>"),
+			)
+		}
+
+		c.renderer.Warnf("Failed to renew access token. Please log in to re-authorize the CLI.\n")
+
+		return RunLoginAsUser(ctx, c)
 	}
 
 	if err := c.addTenant(t); err != nil {
diff --git a/internal/cli/login.go b/internal/cli/login.go
index 23c5693bf..60a013a4b 100644
--- a/internal/cli/login.go
+++ b/internal/cli/login.go
@@ -66,7 +66,13 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl
 					return err
 				}
 			} else {
-				if _, err := RunLoginAsUser(ctx, cli, false); err != nil {
+				welcomeMessage := fmt.Sprintf(
+					"%s\n\n%s\n\n",
+					"✪ Welcome to the Auth0 CLI 🎊",
+					"If you don't have an account, please create one here: https://auth0.com/signup.",
+				)
+				cli.renderer.Output(welcomeMessage)
+				if _, err := RunLoginAsUser(ctx, cli); err != nil {
 					return err
 				}
 			}
@@ -85,7 +91,6 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl
 	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
 		_ = cmd.Flags().MarkHidden("tenant")
 		_ = cmd.Flags().MarkHidden("json")
-		_ = cmd.Flags().MarkHidden("no-input")
 		cmd.Parent().HelpFunc()(cmd, args)
 	})
 
@@ -94,28 +99,13 @@ auth0 login --domain <tenant-domain> --client-id <client-id> --client-secret <cl
 
 // RunLoginAsUser runs the login flow guiding the user through the process
 // by showing the login instructions, opening the browser.
-// Use `expired` to run the login from other commands setup:
-// this will only affect the messages.
-func RunLoginAsUser(ctx context.Context, cli *cli, expired bool) (Tenant, error) {
-	message := fmt.Sprintf(
-		"%s\n\n%s\n\n",
-		"✪ Welcome to the Auth0 CLI 🎊",
-		"If you don't have an account, please create one here: https://auth0.com/signup.",
-	)
-
-	if expired {
-		message = "Please sign in to re-authorize the CLI."
-		cli.renderer.Warnf(message)
-	} else {
-		cli.renderer.Output(message)
-	}
-
+func RunLoginAsUser(ctx context.Context, cli *cli) (Tenant, error) {
 	state, err := cli.authenticator.Start(ctx)
 	if err != nil {
 		return Tenant{}, fmt.Errorf("Failed to start the authentication process: %w.", err)
 	}
 
-	message = fmt.Sprintf("Your device confirmation code is: %s\n\n", ansi.Bold(state.UserCode))
+	message := fmt.Sprintf("Your device confirmation code is: %s\n\n", ansi.Bold(state.UserCode))
 	cli.renderer.Output(message)
 
 	if cli.noInput {
@@ -209,13 +199,18 @@ func RunLoginAsMachine(ctx context.Context, inputs LoginInputs, cli *cli, cmd *c
 		return err
 	}
 
-	token, err := auth.GetAccessTokenFromClientCreds(auth.ClientCredentials{
-		ClientID:     inputs.ClientID,
-		ClientSecret: inputs.ClientSecret,
-		Domain:       inputs.Domain,
-	})
+	token, err := auth.GetAccessTokenFromClientCreds(
+		ctx,
+		auth.ClientCredentials{
+			ClientID:     inputs.ClientID,
+			ClientSecret: inputs.ClientSecret,
+			Domain:       inputs.Domain,
+		},
+	)
 	if err != nil {
-		return err
+		return fmt.Errorf(
+			"failed to fetch access token using client credentials. \n\n"+
+				"Ensure that the provided client-id, client-secret and domain are correct. \n\nerror: %w\n", err)
 	}
 
 	t := Tenant{