macOS keychain credentials not reused after auto-update — forces re-login on every version bump
Summary
On macOS, Claude Code stores OAuth credentials in the login keychain under service Claude Code-credentials. After every auto-update, the new binary cannot read the existing keychain item and falls back to the OAuth login flow, repeating the cycle on the next update.
Likely cause
Claude Code is installed at a version-specific path (~/.local/share/claude/versions/<version>/) with ~/.local/bin/claude as a symlink. macOS keychain ACLs bind to the signed binary, so the new versioned binary is not on the ACL of the keychain item created by the previous version, and a new item is written in its place.
Evidence
security find-generic-password -s "Claude Code-credentials"showscdatandmdatboth equal to the moment of the most recent/login, confirming replacement (not reuse).- Token in the entry is valid (refresh token present,
expiresAtin the future), so this is not an expiry issue.
Environment
- Claude Code 2.1.110
- macOS Darwin 25.4.0
- Install path:
~/.local/share/claude/versions/2.1.110
Workaround
Set DISABLE_AUTOUPDATER=1 in ~/.claude/settings.json and update manually with claude update.
Suggested fix
Re-grant the keychain ACL to the new binary on update, or install to a stable non-versioned path.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗