macOS keychain credentials not reused after auto-update — forces re-login on every version bump

Resolved 💬 3 comments Opened Apr 16, 2026 by MSM-12 Closed Apr 20, 2026

Summary

On macOS, Claude Code stores OAuth credentials in the login keychain under service Claude Code-credentials. After every auto-update, the new binary cannot read the existing keychain item and falls back to the OAuth login flow, repeating the cycle on the next update.

Likely cause

Claude Code is installed at a version-specific path (~/.local/share/claude/versions/<version>/) with ~/.local/bin/claude as a symlink. macOS keychain ACLs bind to the signed binary, so the new versioned binary is not on the ACL of the keychain item created by the previous version, and a new item is written in its place.

Evidence

  • security find-generic-password -s "Claude Code-credentials" shows cdat and mdat both equal to the moment of the most recent /login, confirming replacement (not reuse).
  • Token in the entry is valid (refresh token present, expiresAt in the future), so this is not an expiry issue.

Environment

  • Claude Code 2.1.110
  • macOS Darwin 25.4.0
  • Install path: ~/.local/share/claude/versions/2.1.110

Workaround

Set DISABLE_AUTOUPDATER=1 in ~/.claude/settings.json and update manually with claude update.

Suggested fix

Re-grant the keychain ACL to the new binary on update, or install to a stable non-versioned path.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗