diff --git a/internal/commands/root_test.go b/internal/commands/root_test.go
index 654594c5b..149cc4ba8 100644
--- a/internal/commands/root_test.go
+++ b/internal/commands/root_test.go
@@ -160,6 +160,7 @@ func TestCreateCommand_WithInvalidFlag_ShouldReturnExitCode1(t *testing.T) {
 
 func executeTestCommand(cmd *cobra.Command, args ...string) error {
 	fmt.Println("Executing command with args ", args)
+	defer viper.Reset()
 	cmd.SetArgs(args)
 	cmd.SilenceUsage = true
 	return cmd.Execute()
diff --git a/internal/wrappers/client.go b/internal/wrappers/client.go
index bf20407f2..d640eeba4 100644
--- a/internal/wrappers/client.go
+++ b/internal/wrappers/client.go
@@ -599,31 +599,50 @@ func configureClientCredentialsAndGetNewToken() (string, error) {
 	accessKeyID := viper.GetString(commonParams.AccessKeyIDConfigKey)
 	accessKeySecret := viper.GetString(commonParams.AccessKeySecretConfigKey)
 	astAPIKey := viper.GetString(commonParams.AstAPIKey)
+
 	var accessToken string
 
-	if accessKeyID == "" && astAPIKey == "" {
-		return "", errors.Errorf(FailedToAuth, "access key ID")
-	} else if accessKeySecret == "" && astAPIKey == "" {
-		return "", errors.Errorf(FailedToAuth, "access key secret")
+	if accessKeyID == "" && accessKeySecret == "" && astAPIKey == "" {
+		return "", errors.Errorf(FailedToAuth, "provide credentials")
 	}
 
-	authURI, err := GetAuthURI()
-	if err != nil {
-		return "", err
-	}
+	// Prefer client credentials over API key
+	if accessKeyID != "" && accessKeySecret != "" {
+		if accessKeyID == "" {
+			return "", errors.Errorf(FailedToAuth, "access key ID")
+		}
+		if accessKeySecret == "" {
+			return "", errors.Errorf(FailedToAuth, "access key secret")
+		}
+
+		authURI, err := GetAuthURI()
+		if err != nil {
+			return "", err
+		}
 
-	if astAPIKey != "" {
-		accessToken, err = getNewToken(getAPIKeyPayload(astAPIKey), authURI)
-	} else {
 		accessToken, err = getNewToken(getCredentialsPayload(accessKeyID, accessKeySecret), authURI)
-	}
+		if err != nil {
+			return "", errors.Errorf("%s", err)
+		}
+	} else if astAPIKey != "" {
+		authURI, err := GetAuthURI()
+		if err != nil {
+			return "", err
+		}
 
-	if err != nil {
-		return "", errors.Errorf("%s", err)
+		accessToken, err = getNewToken(getAPIKeyPayload(astAPIKey), authURI)
+		if err != nil {
+			return "", errors.Errorf("%s", err)
+		}
+	} else if accessKeyID != "" || accessKeySecret != "" {
+		// One is provided but not both
+		if accessKeyID == "" {
+			return "", errors.Errorf(FailedToAuth, "access key ID")
+		}
+		return "", errors.Errorf(FailedToAuth, "access key secret")
 	}
 
 	writeCredentialsToCache(accessToken)
-
 	return accessToken, nil
 }
 
diff --git a/test/integration/configuration_test.go b/test/integration/configuration_test.go
index d38c91faa..e1e3398da 100644
--- a/test/integration/configuration_test.go
+++ b/test/integration/configuration_test.go
@@ -73,6 +73,9 @@ func TestSetConfigProperty_EnvVarConfigFilePath(t *testing.T) {
 
 	err, _ = executeCommand(t, "configure", "set", "--prop-name", "cx_client_id", "--prop-value", "example_client_id")
 	assert.NilError(t, err)
+	defer func() {
+		executeCommand(t, "configure", "set", "--prop-name", "cx_client_id", "--prop-value", "")
+	}()
 }
 
 func TestLoadConfiguration_ConfigFilePathFlag(t *testing.T) {
@@ -100,6 +103,9 @@ func TestSetConfigProperty_ConfigFilePathFlag(t *testing.T) {
 
 	err, _ = executeCommand(t, "configure", "set", "--prop-name", "cx_client_id", "--prop-value", "example_client_id", "--config-file-path", filePath)
 	assert.NilError(t, err)
+	defer func() {
+		executeCommand(t, "configure", "set", "--prop-name", "cx_client_id", "--prop-value", "")
+	}()
 }
 
 func TestLoadConfiguration_ConfigFilePathFlagFileWithoutPermission(t *testing.T) {