[BUG] VS Code Remote SSH: Claude Code extension requires re-login because macOS Keychain is inaccessible from SSH sessions

Resolved 💬 3 comments Opened Apr 6, 2026 by yulin7645 Closed Apr 9, 2026

Description

When using VS Code Remote SSH to connect to a macOS machine (Mac Mini), the Claude Code extension always prompts for re-authentication, even though the CLI (claude) works fine in the local terminal on the same machine.

Root Cause

Claude Code stores OAuth credentials in the macOS Keychain (Claude Code-credentials entry). SSH sessions cannot access Keychain because the Security Framework requires a GUI desktop session to authorize access (it tries to pop up an authorization dialog, which fails in headless SSH).

  • Local terminal: runs in desktop session → Keychain accessible → works
  • VS Code Remote SSH: runs in SSH session → Keychain inaccessible → requires re-login

Environment

  • macOS 26.2 (Mac Mini M4, Apple Silicon)
  • Claude Code v2.1.92 (binary installation)
  • VS Code Remote SSH from MacBook Pro
  • Authentication: claude.ai OAuth (Max subscription)

Reproduction

  1. SSH into a macOS machine where Claude Code CLI is authenticated
  2. Open VS Code Remote SSH to that machine
  3. Open Claude Code extension in VS Code → prompts for login
  4. Meanwhile, claude auth status in local terminal shows logged in

Workaround

Manually export the OAuth token from Keychain to a credentials file:

# On the macOS machine (local terminal, not SSH):
security find-generic-password -s "Claude Code-credentials" -a "$(whoami)" -w > ~/.claude/.credentials.json
chmod 600 ~/.claude/.credentials.json

Claude Code reads ~/.claude/.credentials.json as a fallback when Keychain is unavailable.

Suggested Fix

  1. Add automatic file fallback: When writing to Keychain, also write to ~/.claude/.credentials.json (with 0600 permissions) as a fallback for non-desktop sessions.
  2. Or use VS Code's SecretStorage API: When running as a VS Code extension, use the VS Code SecretStorage API instead of direct Keychain access. VS Code handles credential forwarding over SSH tunnels natively.

Related Issues

  • #19456 — OAuth token refresh fails due to Keychain permission errors
  • #41026 — OAuth token refresh overwrites keychain item
  • #28318 — Account switches in VS Code extension

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗