Skillget

claude-code-auth

skill
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code Warn
  • Code scan incomplete — No supported source files were scanned during light audit
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This utility lets you snapshot, swap between, and inspect multiple Claude Code authentication sessions, making it easy to manage personal and work accounts while viewing rate-limit headroom.

Security Assessment
Risk: Medium. The tool inherently handles highly sensitive data: your OAuth credentials. However, it employs appropriate security practices. It does not hardcode secrets and avoids writing sensitive tokens to disk in plaintext on macOS, instead using the encrypted system Keychain. On Linux, tokens are stored locally with strict file permissions (`chmod 600`). Network requests are made to Anthropic's API to fetch profile and usage data. The primary risk is architectural: storing multiple authentication tokens in a single location increases the potential blast radius if your local machine or Keychain is compromised. Additionally, the automated code scan was incomplete, meaning the source code was not fully verified for hidden vulnerabilities.

Quality Assessment
The project is very new and has low community visibility with only 5 GitHub stars. However, it is actively maintained (last push was today) and is properly licensed under the standard MIT license. Because it is a young, low-visibility project, community trust is not yet established.

Verdict
Use with caution. While the author implements secure storage practices, the incomplete code scan and low community adoption mean you should review the script yourself before executing it, especially since it requires direct access to your authentication credentials.
SUMMARY

Snapshots Claude Code credentials so you can quickly swap between multiple accounts and see rate-limit headroom left.

README.md

Claude Code Auth (cc-auth)

cc-auth — save, switch, and inspect multiple Claude Code authentication slots.

If you use more than one Claude account (personal/work, multiple Max plans), Claude Code only ever sees one set of credentials at a time. cc-auth snapshots those credentials into named slots and lets you swap between them, while caching each account's profile and rate-limit usage so you can see — at a glance — which account has headroom left.

cc-auth list example

How it works

Claude Code stores its OAuth credentials in:

  • macOS: the login Keychain, under service Claude Code-credentials
  • Linux: ~/.claude/.credentials.json (chmod 600)

Credentials are never written to ~/.claude/cc-auth/. On macOS, every slot's OAuth blob is stored securely in the login Keychain (service cc-auth, account = slot name) — encrypted at rest under your login password, gated by the system security binary, and never touches disk in plaintext. On Linux, where there's no system-wide secret store to assume, slot credentials live in credentials.json files written chmod 600.

The only things cc-auth writes under ~/.claude/cc-auth/slots/<name>/ are non-sensitive metadata used for the list / stats views:

  • profile.json — last response from /api/oauth/profile (email, tier, plan)
  • usage.json — last response from /api/oauth/usage (5h / 7d utilization, reset times)

Switching a slot copies its credentials back into the active location (Keychain on macOS, file on Linux). Restart any running Claude Code sessions to pick up the change.

Upgrading from an older version? If you have a ~/.cc-auth/ directory from a prior install, cc-auth will automatically move it to ~/.claude/cc-auth/ on first run.

Install

Drop cc-auth somewhere on your PATH and make it executable:

install -m 0755 cc-auth ~/.local/bin/cc-auth

Requires Python 3.10+. fzf is optional — if present, cc-auth switch uses it for an interactive picker; otherwise it falls back to a numbered prompt.

Commands

Command Description
cc-auth save [<name>] Snapshot the active credentials into a slot. Defaults the name to the logged-in account email.
cc-auth switch [<name>] Activate a slot. With no name, opens an fzf picker (or numbered prompt).
cc-auth list List slots with cached email, tier, and 5h/7d utilization sparkbars.
cc-auth current Print the slot name matching the currently active credentials.
cc-auth delete <name> Remove a slot.
cc-auth refresh [<name>] Re-fetch profile + usage for one slot, or all slots.
cc-auth stats [<name>] Detailed cached usage table for one or all slots.
cc-auth whoami Live profile + usage for the active account.

Typical workflow

# log in to account A via `claude`, then snapshot it
cc-auth save                    # auto-names from account email

# log in to account B, snapshot that too
cc-auth save work

# see who's got headroom
cc-auth list

# swap to whichever account has the most quota left
cc-auth switch

Security

cc-auth never sends your credentials anywhere. Tokens only move between two stores on your own machine:

  • macOS: every credential — both the active one Claude Code reads (service Claude Code-credentials) and every saved slot (service cc-auth, account = slot name) — lives in the login Keychain. Reads and writes go through the system security binary, so the OS prompts for Keychain access the first time and secrets are encrypted at rest under your login password. No OAuth tokens are ever written to disk by cc-auth on macOS.
  • Linux: the active credential is ~/.claude/.credentials.json and slot credentials are ~/.claude/cc-auth/slots/<name>/credentials.json, both written chmod 600. There's no system-wide secret store assumed; if you need stronger isolation, run on an encrypted volume (LUKS) or wrap with pass/secret-tool.

The only files cc-auth writes under ~/.claude/cc-auth/slots/<name>/ are profile.json and usage.json — non-sensitive metadata (email, tier, rate-limit counters) used for the list / stats views.

The only network calls are authenticated GETs to api.anthropic.com/api/oauth/profile and /api/oauth/usage. No third-party services, no telemetry.

License

MIT — see LICENSE.

Reviews (0)

No results found