diff --git a/src/drivers/api.ts b/src/drivers/api.ts
index bca3552..64976d6 100644
--- a/src/drivers/api.ts
+++ b/src/drivers/api.ts
@@ -9,11 +9,11 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 import { Authn } from "../types/identity";
-import { tenantConfig } from "./config";
+import { getTenantConfig } from "./config";
 import * as path from "node:path";
 import yargs from "yargs";
 
-const tenantUrl = (tenant: string) => `${tenantConfig.appUrl}/o/${tenant}`;
+const tenantUrl = (tenant: string) => `${getTenantConfig().appUrl}/o/${tenant}`;
 const commandUrl = (tenant: string) => `${tenantUrl(tenant)}/command/`;
 
 export const fetchCommand = async <T>(
diff --git a/src/drivers/config.ts b/src/drivers/config.ts
index e600509..55d652a 100644
--- a/src/drivers/config.ts
+++ b/src/drivers/config.ts
@@ -16,7 +16,11 @@ import path from "path";
 
 export const CONFIG_FILE_PATH = path.join(P0_PATH, "config.json");
 
-export let tenantConfig: Config;
+let tenantConfig: Config;
+
+export function getTenantConfig(): Config {
+  return tenantConfig;
+}
 
 export async function saveConfig(config: Config) {
   print2(`Saving config to ${CONFIG_FILE_PATH}.`);
diff --git a/src/drivers/firestore.ts b/src/drivers/firestore.ts
index 447f67d..ae11035 100644
--- a/src/drivers/firestore.ts
+++ b/src/drivers/firestore.ts
@@ -9,7 +9,7 @@ This file is part of @p0security/cli
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
 import { Identity } from "../types/identity";
-import { tenantConfig } from "./config";
+import { getTenantConfig } from "./config";
 import { bootstrapConfig } from "./env";
 import { FirebaseApp, initializeApp } from "firebase/app";
 import {
@@ -35,6 +35,7 @@ let app: FirebaseApp;
 let firestore: Firestore;
 
 export function initializeFirebase() {
+  const tenantConfig = getTenantConfig();
   app = initializeApp(tenantConfig.fs, "authFirebase");
   firestore = getFirestore(app);
 }
diff --git a/src/plugins/google/login.ts b/src/plugins/google/login.ts
index 1c7c71a..93c2c07 100644
--- a/src/plugins/google/login.ts
+++ b/src/plugins/google/login.ts
@@ -11,7 +11,7 @@ You should have received a copy of the GNU General Public License along with @p0
 import { OIDC_HEADERS } from "../../common/auth/oidc";
 import { withRedirectServer } from "../../common/auth/server";
 import { urlEncode, validateResponse } from "../../common/fetch";
-import { tenantConfig } from "../../drivers/config";
+import { getTenantConfig } from "../../drivers/config";
 import { print2 } from "../../drivers/stdio";
 import { AuthorizeRequest, TokenResponse } from "../../types/oidc";
 import open from "open";
@@ -28,6 +28,7 @@ const GOOGLE_OIDC_REDIRECT_URL = `http://127.0.0.1:${GOOGLE_OIDC_REDIRECT_PORT}`
 const PKCE_LENGTH = 128;
 
 const requestAuth = async () => {
+  const tenantConfig = getTenantConfig();
   const pkceChallenge = (await import("pkce-challenge")).default as any;
   const pkce = await pkceChallenge(PKCE_LENGTH);
   const authBody: AuthorizeRequest = {
@@ -51,6 +52,7 @@ const requestToken = async (
   code: string,
   pkce: { code_challenge: string; code_verifier: string }
 ) => {
+  const tenantConfig = getTenantConfig();
   const body = {
     client_id: tenantConfig.google.clientId,
     client_secret: tenantConfig.google.clientSecret,