Use Linux system keychain (libsecret) for sensitive plugin credentials

Resolved 💬 3 comments Opened Apr 14, 2026 by bendavis78 Closed May 25, 2026

Feature Request

Plugin credentials marked as "sensitive": true in userConfig are stored in the system keychain on macOS (Keychain) and Windows (Credential Manager), but on Linux they fall back to a plain-text JSON file at ~/.claude/.credentials.json.

Linux has a standard keychain API via libsecret (D-Bus Secret Service API), backed by GNOME Keyring, KDE Wallet, or KeePassXC. Most desktop Linux environments have a secret service provider running.

Proposed behavior

  1. Check if a D-Bus secret service is available
  2. If yes, store/retrieve sensitive plugin credentials via libsecret
  3. If no secret service is available, fall back to the current ~/.claude/.credentials.json behavior

Why this matters

  • Desktop Linux developers (GNOME, KDE, etc.) have a working keychain that goes unused
  • Plain-text credential files are a weaker security posture than the keychain-backed storage macOS and Windows users get
  • The O'Reilly plugin ecosystem has multiple plugins requiring auth tokens (Sentry, Cortex, Jira, etc.), so this affects many credentials per developer

Notes

  • The main challenge is Node.js native bindings for libsecret (the old keytar package was deprecated). A lightweight D-Bus client or spawning secret-tool as a subprocess could be alternatives.
  • Headless/container/WSL environments often lack a secret service, so the fallback is still needed.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗