Claude CLI Login 101 · Lesson 2

Where the credential lives

Understand the old Keychain item, current file, and safe permissions.

By the end
1

The big idea

Before the fix, an older Claude Code-credentials Keychain item existed. After cleanup, current login created ~/.claude/.credentials.json with mode 600.

Think of it like… They are two vaults. An old record may exist without being the vault the current version can use.

The cause is inferred from the before/after transition: old item + false status; logout removes it; fresh OAuth creates the file; status and request pass.

2

In one picture

Chrome OAuthCallbackCredentialauth statusReal request
Before: success stopped before becoming local session state.
3

Try it

security find-generic-password -s 'Claude Code-credentials'
ls -l ~/.claude/.credentials.json
# never cat the file

Remember: Never print credential file contents.

Quick check

How do you inspect without exposing the token?

Use evidence that crosses the real boundary without exposing a secret.