diff --git a/src/utils.test.ts b/src/utils.test.ts
index ca954a2..d21fa24 100644
--- a/src/utils.test.ts
+++ b/src/utils.test.ts
@@ -151,6 +151,12 @@ describe("extractSecret", () => {
 });
 
 describe("loadSecrets when using Connect", () => {
+	beforeEach(() => {
+		process.env[envConnectHost] = "https://localhost:8000";
+		process.env[envConnectToken] = "token";
+		process.env[envServiceAccountToken] = "";
+	});
+
 	it("sets the client info and gets the executed output", async () => {
 		await loadSecrets(true);
 
@@ -278,6 +284,15 @@ describe("loadSecrets when using Service Account", () => {
 		expect(core.exportVariable).not.toHaveBeenCalled();
 	});
 
+	it("wraps createClient errors with a descriptive message", async () => {
+		(createClient as jest.Mock).mockRejectedValue(
+			new Error("invalid token format"),
+		);
+		await expect(loadSecrets(false)).rejects.toThrow(
+			"Service account authentication failed: invalid token format",
+		);
+	});
+
 	describe("multiple refs", () => {
 		const ref1 = "op://vault/item/field";
 		const ref2 = "op://vault/other/item";
diff --git a/src/utils.ts b/src/utils.ts
index 97922bb..e66cc18 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -30,7 +30,7 @@ export const validateAuth = (): void => {
 	core.info(`Authenticated with ${authType}.`);
 };
 
-export const getEnvVarNamesWithSecretRefs = (): string[] =>
+const getEnvVarNamesWithSecretRefs = (): string[] =>
 	Object.keys(process.env).filter(
 		(key) =>
 			typeof process.env[key] === "string" &&
@@ -81,8 +81,6 @@ export const extractSecret = (
 	envName: string,
 	shouldExportEnv: boolean,
 ): void => {
-	core.info(`Populating variable: ${envName}`);
-
 	const ref = process.env[envName];
 	if (!ref) {
 		return;
@@ -93,16 +91,7 @@ export const extractSecret = (
 		return;
 	}
 
-	if (shouldExportEnv) {
-		core.exportVariable(envName, secretValue);
-	} else {
-		core.setOutput(envName, secretValue);
-	}
-	// Skip setSecret for empty strings to avoid the warning:
-	// "Can't add secret mask for empty string in ##[add-mask] command."
-	if (secretValue) {
-		core.setSecret(secretValue);
-	}
+	setResolvedSecret(envName, secretValue, shouldExportEnv);
 };
 
 // Connect loads secrets via the 1Password CLI