diff --git a/src/envelope_authorizer/cli.py b/src/envelope_authorizer/cli.py
index 047d4ad..6a0ae17 100644
--- a/src/envelope_authorizer/cli.py
+++ b/src/envelope_authorizer/cli.py
@@ -9,6 +9,8 @@ command loads config and resolves a storage backend first. expected failures
 import argparse
 import sys
+from cryptography.exceptions import InvalidTag
+
 from . import __version__
 from .config import ConfigError, load_config
 from .commands import CommandError, authorize, config_init, init, list_keys, revoke, verify
@@ -88,6 +90,8 @@ def main() -> int:
 storage = resolve(config)
 handlers[args.cmd](config, storage, args)
 return 0
+ except InvalidTag:
+ return _fail("capability flag failed authentication — tampered or wrong DEK")
 except (ConfigError, CommandError, RuntimeError, ValueError, FileNotFoundError) as error:
 return _fail(str(error))
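Review bot: The new `except InvalidTag:` clause in main() covers every handler reached through `handlers[args.cmd]`, but its message names only the capability flag. If any command performs another AEAD decryption (not visible in this hunk), that failure would be misreported as a capability-flag problem. It would be more precise to catch InvalidTag where the flag is decrypted and re-raise it there as `raise CommandError("capability flag failed authentication — tampered or wrong DEK") from error`, which the existing tuple handler already prints. The clause here could then stay as a generically worded backstop, e.g. `return _fail("ciphertext failed authentication — tampered data or wrong key")`. A failed tag is also a possible tampering signal, so it may deserve a distinct exit status or an audit log entry instead of the same path as a config error; whether `_fail` supports that cannot be seen from here. main() begins and ends outside this hunk.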