[BUG] OAuth token refresh fails due to Keychain permission errors (possibly after updates)

Resolved 💬 7 comments Opened Jan 20, 2026 by mattheworiordan Closed Mar 26, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code cannot persist refreshed OAuth tokens because it fails to delete/update existing macOS Keychain entries. This results in users needing to manually run /login multiple times per day.

What Should Happen?

Login should be remembered for days/weeks (whatever the default is), not hours.

Error Messages/Logs

2026-01-17T08:51:48.166Z [ERROR] Error: Error: Failed to delete keychain entry
2026-01-17T13:12:29.475Z [DEBUG] MCP server "ably": Token expired without refresh token


Note the second log entry relates to short MCP auth expiry too (another bug), which is tracked by https://github.com/anthropics/claude-code/issues/5706 and https://github.com/anthropics/claude-code/issues/12447, both unresolved too.

Steps to Reproduce

  1. Use Claude Code for several days with auto-updates enabled
  2. Observe "OAuth token has expired" errors requiring /login
  3. Check debug logs for: Error: Failed to delete keychain entry

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.12

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

Environment:

  • macOS 15.x (Sequoia)
  • Claude Code versions: 2.1.7 → 2.1.12 (auto-updated)
  • Using multiple config directories (CLAUDE_CONFIG_DIR)

Root Cause Analysis (theory, not proven):

  • Keychain items created by one Claude version cannot be modified by a different version
  • Each auto-update changes the binary, breaking Keychain ACL permissions
  • The token refresh mechanism succeeds server-side but fails to persist client-side

Workaround:
I have tried manually deleting all Claude Code-credentials* Keychain entries and logging in again, but the issue persists. So no real workaround apart from logging in frequently.

Impact:

  • Users must /login 1-3 times per day
  • Productivity loss due to auth interruptions
  • Confusion about why tokens don't auto-refresh

Environment Note: Multiple Config Directories

I use two Claude Code profiles via CLAUDE_CONFIG_DIR:

  • claude → default ~/.claude (business)
  • pclaude~/.claude-personal (personal, via alias)

The personal profile (pclaude) experiences this issue most frequently. This may be relevant if Keychain entries are scoped per-config-directory or if the non-default config path affects credential
storage/retrieval.

Related Issues

  • #9403 - macOS Keychain ACL issue preventing credential reads (requires security unlock-keychain workaround). My issue is different: credentials delete fails during token refresh, with explicit error

Failed to delete keychain entry.

  • #12447 - OAuth tokens expire during long sessions without auto-refresh. My issue is different: tokens expire within hours of a fresh /login, and the refresh mechanism fails to persist new tokens due to

Keychain errors.

  • #5244 - Credentials not persisted after successful login. Possibly related, but no mention of the specific Keychain deletion error I'm seeing.

My issue appears to be a distinct failure mode: the token refresh succeeds server-side, but Claude Code cannot update the Keychain entry (deletion fails), so refreshed tokens are never persisted.

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗