Credentials

Overview

Credentials management uses macOS Keychain to securely store API keys for all 18 MCP services. No .env files with secrets — everything goes through Keychain. The secrets setup script handles storing and retrieving keys for GitHub, Vercel, Neon, Stripe, Figma, and more. Claude Code reads them at runtime through environment variables injected by the MCP config.

Current Progress

• Keychain-based secrets management operational
• secrets.sh script handles all 18 service keys
• Per-project DATABASE_URLs supported for multi-repo work
• No .env files with secrets in any repo

Areas of Improvement

• No key rotation reminders — some keys may be stale
• Keychain approach is macOS-only — need Linux alternative for CI
• Missing audit log of which keys are accessed when
• Could add key expiration tracking

References

Setup

1. Run .claude/setup/secrets.sh to configure API keys
2. Keys are stored in macOS Keychain, not .env files
3. MCP servers reference keys via env vars in settings.json
4. Per-project DATABASE_URLs supported for multi-repo work

Usage

• security add-generic-password for storing keys
• security find-generic-password for retrieving keys
• Never commit API keys — always use Keychain
• Settings.json env block injects keys into MCP servers
• /credentials command manages the full lifecycle

Config Files