Use Linux system keychain (libsecret) for sensitive plugin credentials
Resolved 💬 3 comments Opened Apr 14, 2026 by bendavis78 Closed May 25, 2026
Feature Request
Plugin credentials marked as "sensitive": true in userConfig are stored in the system keychain on macOS (Keychain) and Windows (Credential Manager), but on Linux they fall back to a plain-text JSON file at ~/.claude/.credentials.json.
Linux has a standard keychain API via libsecret (D-Bus Secret Service API), backed by GNOME Keyring, KDE Wallet, or KeePassXC. Most desktop Linux environments have a secret service provider running.
Proposed behavior
- Check if a D-Bus secret service is available
- If yes, store/retrieve sensitive plugin credentials via libsecret
- If no secret service is available, fall back to the current
~/.claude/.credentials.jsonbehavior
Why this matters
- Desktop Linux developers (GNOME, KDE, etc.) have a working keychain that goes unused
- Plain-text credential files are a weaker security posture than the keychain-backed storage macOS and Windows users get
- The O'Reilly plugin ecosystem has multiple plugins requiring auth tokens (Sentry, Cortex, Jira, etc.), so this affects many credentials per developer
Notes
- The main challenge is Node.js native bindings for libsecret (the old
keytarpackage was deprecated). A lightweight D-Bus client or spawningsecret-toolas a subprocess could be alternatives. - Headless/container/WSL environments often lack a secret service, so the fallback is still needed.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗