Location
Encryption
Credentials are encrypted using:- Algorithm: AES-256-GCM
- Key derivation: PBKDF2 with machine-specific seed
- Security model: Same protection level as OS keychains, without interactive prompts
Key Format
Credentials are stored with keys using different formats depending on scope: Global credentials (2-part key):type identifies the credential type, workspaceId is the workspace UUID, and sourceId is the source identifier.
Credential Types
anthropic_api_key and claude_oauth are legacy global credentials. New installations store credentials per LLM connection.Examples
Credential Scoping
Credentials are scoped at two levels:- LLM connection credentials are tied to a specific connection slug
- Source credentials are specific to a source within a workspace, using the 3-part key format
Legacy global credentials are migrated automatically into LLM connection credentials:
anthropic_api_key::global→llm_api_key::anthropic-apiclaude_oauth::global→llm_oauth::claude-max
Viewing Stored Credentials
You can see what credentials are stored (but not their values):Managing Credentials
Adding Credentials
Credentials are added automatically when you:- Complete the setup wizard (API key or OAuth)
- Connect to a source requiring authentication
- Authenticate with an MCP server
Removing Credentials
To clear all credentials, delete the credentials file:Security Considerations
File permissions
File permissions
The credentials file is created with restricted permissions (readable only by your user). Verify with:
Backup considerations
Backup considerations
If you backup your home directory, the credentials file is included but encrypted. It cannot be decrypted on a different machine.
Machine migration
Machine migration
When moving to a new machine, you’ll need to re-enter credentials. The encrypted file from your old machine won’t work.
Environment Variable Override
For automation or CI environments, you can provide credentials via environment variables:
Environment variables take precedence over stored credentials.
Troubleshooting
Credential not found errors
Credential not found errors
The credential may have been removed or corrupted. Re-enter it:
- For API keys: Open Settings and re-enter your key
- For OAuth: Re-authenticate when prompted
Cannot decrypt credentials
Cannot decrypt credentials
This usually means the file was copied from another machine. Delete the credentials file and re-enter credentials:
File permission errors
File permission errors
Fix permissions: