[BUG] OAuth token refresh fails due to Keychain permission errors (possibly after updates)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code cannot persist refreshed OAuth tokens because it fails to delete/update existing macOS Keychain entries. This results in users needing to manually run /login multiple times per day.
What Should Happen?
Login should be remembered for days/weeks (whatever the default is), not hours.
Error Messages/Logs
2026-01-17T08:51:48.166Z [ERROR] Error: Error: Failed to delete keychain entry
2026-01-17T13:12:29.475Z [DEBUG] MCP server "ably": Token expired without refresh token
Note the second log entry relates to short MCP auth expiry too (another bug), which is tracked by https://github.com/anthropics/claude-code/issues/5706 and https://github.com/anthropics/claude-code/issues/12447, both unresolved too.
Steps to Reproduce
- Use Claude Code for several days with auto-updates enabled
- Observe "OAuth token has expired" errors requiring
/login - Check debug logs for:
Error: Failed to delete keychain entry
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.12
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Other
Additional Information
Environment:
- macOS 15.x (Sequoia)
- Claude Code versions: 2.1.7 → 2.1.12 (auto-updated)
- Using multiple config directories (CLAUDE_CONFIG_DIR)
Root Cause Analysis (theory, not proven):
- Keychain items created by one Claude version cannot be modified by a different version
- Each auto-update changes the binary, breaking Keychain ACL permissions
- The token refresh mechanism succeeds server-side but fails to persist client-side
Workaround:
I have tried manually deleting all Claude Code-credentials* Keychain entries and logging in again, but the issue persists. So no real workaround apart from logging in frequently.
Impact:
- Users must
/login1-3 times per day - Productivity loss due to auth interruptions
- Confusion about why tokens don't auto-refresh
Environment Note: Multiple Config Directories
I use two Claude Code profiles via CLAUDE_CONFIG_DIR:
claude→ default~/.claude(business)pclaude→~/.claude-personal(personal, via alias)
The personal profile (pclaude) experiences this issue most frequently. This may be relevant if Keychain entries are scoped per-config-directory or if the non-default config path affects credential
storage/retrieval.
Related Issues
- #9403 - macOS Keychain ACL issue preventing credential reads (requires
security unlock-keychainworkaround). My issue is different: credentials delete fails during token refresh, with explicit error
Failed to delete keychain entry.
- #12447 - OAuth tokens expire during long sessions without auto-refresh. My issue is different: tokens expire within hours of a fresh
/login, and the refresh mechanism fails to persist new tokens due to
Keychain errors.
- #5244 - Credentials not persisted after successful login. Possibly related, but no mention of the specific Keychain deletion error I'm seeing.
My issue appears to be a distinct failure mode: the token refresh succeeds server-side, but Claude Code cannot update the Keychain entry (deletion fails), so refreshed tokens are never persisted.
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗