Open
Conversation
Reads from Claude Code's Keychain item trigger a macOS authorization dialog on every poll. Cache the extracted token in a ClaudeCodeStats- owned Keychain item and in memory. Invalidate both on 401/403. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces repeated macOS Keychain authorization prompts by caching Claude Code’s OAuth access token in an app-owned Keychain item and also caching it in-memory for the current session, with cache invalidation on 401/403 responses.
Changes:
- Add an in-memory access token cache to avoid repeated file/Keychain reads during a session.
- Add an app-owned Keychain item (
ClaudeCodeStats-credentials) to persist the token and avoid repeatedly reading Claude Code’s Keychain item. - Clear both the in-memory and app Keychain caches when the API returns 401/403.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
ClaudeCodeStats/ClaudeCodeStats/Services/OAuthUsageService.swift
Outdated
Show resolved
Hide resolved
- Add @mainactor to OAuthUsageService for thread safety on cachedToken - Log failures on SecItemAdd and SecItemDelete instead of ignoring status - Remove side effects from hasCredentials (no longer mutates cache or writes to Keychain) - Add comment clarifying why readTokenFromAppKeychain is separate from readTokenFromKeychain Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
ClaudeCodeStats/ClaudeCodeStats/Services/OAuthUsageService.swift
Outdated
Show resolved
Hide resolved
…nique Keychain addressing
- hasCredentials now delegates to readAccessToken() so the in-memory
cache is populated on first check, avoiding repeated file/Keychain I/O
- Add fixed kSecAttrAccount ("oauth-token") to all app-Keychain queries
so the cached token item is uniquely addressed
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
ClaudeCodeStats/ClaudeCodeStats/Services/OAuthUsageService.swift:22
@MainActoron the whole service forces all synchronous file/keychain I/O inreadAccessToken()(and anyhasCredentialsevaluation) to run on the main actor.FileManager.default.contents(atPath:)andSecItemCopyMatchingcan block, which may cause UI hitching during SwiftUI body evaluation or refresh. Consider removing the class-level@MainActor(or narrowing actor isolation) and performing the keychain/file reads off the main thread while keeping only UI-facing state updates on the main actor.
@MainActor
class OAuthUsageService {
static let shared = OAuthUsageService()
private let apiURL = "https://api.anthropic.com/v1/messages"
private let credentialsPath: String = {
let home = FileManager.default.homeDirectoryForCurrentUser.path
return "\(home)/.claude/.credentials.json"
}()
private let keychainService = "Claude Code-credentials"
private let appKeychainService = "ClaudeCodeStats-credentials"
private let appKeychainAccount = "oauth-token"
private var cachedToken: String?
private init() {}
var hasCredentials: Bool {
readAccessToken() != nil
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ClaudeCodeStats/ClaudeCodeStats/Services/OAuthUsageService.swift
Outdated
Show resolved
Hide resolved
ClaudeCodeStats/ClaudeCodeStats/Services/OAuthUsageService.swift
Outdated
Show resolved
Hide resolved
- Rename reflects that both in-memory and Keychain caches are cleared - Set kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly to prevent iCloud Keychain sync and restrict access appropriately Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ClaudeCodeStats-credentialsKeychain item owned by the app, avoiding repeated macOS authorization prompts from reading Claude Code's Keychain itemTest plan
🤖 Generated with Claude Code