[BUG] OAuth token stored in Keychain on Mac can be read by any process that can execute /usr/bin/security

Resolved 💬 3 comments Opened Mar 1, 2026 by dottedmag Closed Mar 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

I can easily run

$ security -v find-generic-password -s "Claude Code-credentials" -a "dottedmag" -w
find-generic-password "-s" "Claude Code-credentials" "-a" "dottedmag" "-w"
{"claudeAiOauth":<omitted>}

and so can any other non-sandboxed application. No confirmation pops up.

What's the point of storing the token in the Keychain if there is effectively no protection?

What Should Happen?

MacOS keychain access prompt should pop up, at the very least.

Error Messages/Logs

Steps to Reproduce

  • Log into Antropic account with Claude Code.
  • Easily obtain the password as described above from another app.

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.63 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗