diff --git a/src/Command/Auth/AuthLoginCommand.php b/src/Command/Auth/AuthLoginCommand.php
index 4503f2104..8fb898daa 100644
--- a/src/Command/Auth/AuthLoginCommand.php
+++ b/src/Command/Auth/AuthLoginCommand.php
@@ -26,8 +26,7 @@ protected function configure(): void {
   protected function execute(InputInterface $input, OutputInterface $output): int {
     $keys = $this->datastoreCloud->get('keys');
     $activeKey = $this->datastoreCloud->get('acli_key');
-    // @todo this validation should really be enforced as a schema on the datastore.
-    if (is_array($keys) && !array_key_exists($activeKey, $keys)) {
+    if (is_array($keys) && !empty($keys) && !array_key_exists($activeKey, $keys)) {
       throw new AcquiaCliException('Invalid key in Cloud datastore; run acli auth:logout && acli auth:login to fix');
     }
     if ($activeKey) {
diff --git a/tests/phpunit/src/Commands/Auth/AuthLoginCommandTest.php b/tests/phpunit/src/Commands/Auth/AuthLoginCommandTest.php
index e990c7736..a2ccbbd67 100644
--- a/tests/phpunit/src/Commands/Auth/AuthLoginCommandTest.php
+++ b/tests/phpunit/src/Commands/Auth/AuthLoginCommandTest.php
@@ -39,6 +39,22 @@ public function testAuthLoginCommand(): void {
     $this->assertKeySavedCorrectly();
   }
 
+  public function testAuthLoginNoKeysCommand(): void {
+    $this->mockRequest('getAccount');
+    $this->clientServiceProphecy->setConnector(Argument::type(Connector::class))->shouldBeCalled();
+    $this->clientServiceProphecy->isMachineAuthenticated()->willReturn(FALSE);
+    $this->removeMockCloudConfigFile();
+    $this->fs->dumpFile($this->cloudConfigFilepath, json_encode(['send_telemetry' => FALSE]));
+    $this->createDataStores();
+    $this->command = $this->createCommand();
+
+    $this->executeCommand(['--key' => $this->key, '--secret' => $this->secret]);
+    $output = $this->getDisplay();
+
+    $this->assertStringContainsString('Saved credentials', $output);
+    $this->assertKeySavedCorrectly();
+  }
+
   public function providerTestAuthLoginInvalidInputCommand(): Generator {
     yield
       [
@@ -72,9 +88,18 @@ public function testAuthLoginInvalidInputCommand(array $inputs, array $args): vo
   public function testAuthLoginInvalidDatastore(): void {
     $this->clientServiceProphecy->isMachineAuthenticated()->willReturn(FALSE);
     $this->removeMockCloudConfigFile();
+    $data = [
+      'acli_key' => 'key2',
+      'keys' => [
+        'key1' => [
+          'label' => 'foo',
+          'secret' => 'foo',
+          'uuid' => 'foo',
+        ],
+      ],
+    ];
+    $this->fs->dumpFile($this->cloudConfigFilepath, json_encode($data));
     $this->createDataStores();
-    $this->datastoreCloud->set('keys', ['key1']);
-    $this->datastoreCloud->set('acli_key', 'key2');
     $this->command = $this->createCommand();
     $this->expectException(AcquiaCliException::class);
     $this->expectExceptionMessage('Invalid key in Cloud datastore; run acli auth:logout && acli auth:login to fix');