diff --git a/packages/core/src/oidc/init.ts b/packages/core/src/oidc/init.ts
index 51c61627d..1515abb96 100644
--- a/packages/core/src/oidc/init.ts
+++ b/packages/core/src/oidc/init.ts
@@ -217,12 +217,6 @@ export default function initOidc(
 
       try {
         const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
-        const pickedFields = isTokenClientCredentials
-          ? ctx.oidc.provider.ClientCredentials.IN_PAYLOAD
-          : ctx.oidc.provider.AccessToken.IN_PAYLOAD;
-        const readOnlyToken = Object.fromEntries(
-          pickedFields.map((field) => [field, Reflect.get(token, field)])
-        );
 
         const { script, envVars } =
           (await trySafe(
@@ -237,6 +231,13 @@ export default function initOidc(
           return;
         }
 
+        const pickedFields = isTokenClientCredentials
+          ? ctx.oidc.provider.ClientCredentials.IN_PAYLOAD
+          : ctx.oidc.provider.AccessToken.IN_PAYLOAD;
+        const readOnlyToken = Object.fromEntries(
+          pickedFields.map((field) => [field, Reflect.get(token, field)])
+        );
+
         const client = await cloudConnection.getClient();
 
         // We pass context to the cloud API only when it is a user's access token.