diff --git a/rust/gateway/src/main.rs b/rust/gateway/src/main.rs
index f35ef3547..16efadc18 100644
--- a/rust/gateway/src/main.rs
+++ b/rust/gateway/src/main.rs
@@ -20,7 +20,7 @@ use phoenix_channel::get_user_agent;
 
 use futures::{TryFutureExt, future};
 use phoenix_channel::PhoenixChannel;
-use secrecy::{Secret, SecretString};
+use secrecy::Secret;
 use std::sync::Arc;
 use std::{collections::BTreeSet, path::Path};
 use std::{fmt, pin::pin};
@@ -107,6 +107,8 @@ async fn try_main(cli: Cli) -> Result<ExitCode> {
     firezone_logging::setup_global_subscriber(layer::Identity::default())
         .context("Failed to set up logging")?;
 
+    tracing::debug!(?cli);
+
     let firezone_id = get_firezone_id(cli.firezone_id).await
         .context("Couldn't read FIREZONE_ID or write it to disk: Please provide it through the env variable or provide rw access to /var/lib/firezone/")?;
     Telemetry::set_firezone_id(firezone_id.clone());
@@ -126,13 +128,8 @@ async fn try_main(cli: Cli) -> Result<ExitCode> {
         opentelemetry::global::set_meter_provider(provider);
     }
 
-    let login = LoginUrl::gateway(
-        cli.api_url,
-        &SecretString::new(cli.token),
-        firezone_id,
-        cli.firezone_name,
-    )
-    .context("Failed to construct URL for logging into portal")?;
+    let login = LoginUrl::gateway(cli.api_url, &cli.token, firezone_id, cli.firezone_name)
+        .context("Failed to construct URL for logging into portal")?;
 
     let resolv_conf = resolv_conf::Config::parse(
         std::fs::read_to_string("/etc/resolv.conf").context("Failed to read /etc/resolv.conf")?,
@@ -226,7 +223,7 @@ async fn get_firezone_id(env_id: Option<String>) -> Result<String> {
     Ok(id)
 }
 
-#[derive(Parser)]
+#[derive(Parser, Debug)]
 #[command(author, version, about, long_about = None)]
 struct Cli {
     #[arg(
@@ -239,7 +236,7 @@ struct Cli {
     api_url: Url,
     /// Token generated by the portal to authorize websocket connection.
     #[arg(env = "FIREZONE_TOKEN")]
-    token: String,
+    token: Secret<String>,
     /// Friendly name to display in the UI
     #[arg(short = 'n', long, env = "FIREZONE_NAME")]
     firezone_name: Option<String>,
@@ -257,7 +254,7 @@ struct Cli {
 
     /// Identifier generated by the portal to identify and display the device.
     #[arg(short = 'i', long, env = "FIREZONE_ID")]
-    pub firezone_id: Option<String>,
+    firezone_id: Option<String>,
 
     /// How many threads to use for reading and writing to the TUN device.
     #[arg(long, env = "FIREZONE_NUM_TUN_THREADS", default_value_t)]