Skip to content

Read Claude Desktop login safely#962

Open
robinebers wants to merge 2 commits into
mainfrom
cursor/5daa197a
Open

Read Claude Desktop login safely#962
robinebers wants to merge 2 commits into
mainfrom
cursor/5daa197a

Conversation

@robinebers

Copy link
Copy Markdown
Owner

TL;DR

OpenUsage can now use an existing Claude Desktop login without requiring a separate Claude Code login. The integration is read-only and never consumes or writes Desktop's rotating refresh token.

What was happening

  • Claude Desktop stores its OAuth cache behind Electron Safe Storage, so OpenUsage could only tell Desktop users to install and sign in through Claude Code.
  • Refreshing Desktop-owned OAuth credentials outside Desktop could invalidate its session.
  • Background refreshes must not trigger unexpected macOS Keychain dialogs.

What this changes

  • Decrypts Claude Desktop's OAuth cache and active-organization cookie using the Claude Safe Storage Keychain item.
  • Uses only a currently valid access token; refresh tokens and all Desktop-owned files remain untouched.
  • Keeps working Claude Code credentials first, with Desktop as a fallback when CLI credentials cannot provide live usage.
  • Allows Keychain interaction only for manual refreshes and caches the approved Safe Storage key in memory.
  • Documents the one-time Keychain prompt, read-only behavior, and stale-token recovery.

Heads-up

  • Claude Desktop access tokens are short-lived. When one expires, users must open Claude Desktop so it can renew its own session.
  • A remaining Bugbot suggestion to prefer a failed CLI error over the Desktop permission message was intentionally declined: approving Desktop access is the recovery path and avoids forcing an unnecessary CLI re-login.

Tests

  • swift test --build-system native — 1,017 tests passed, 3 skipped.
  • ./script/build_and_run.sh verify — release build staged, signed, launched, and process-verified.
  • Bugbot rerun until no actionable findings remained.

Made with Cursor

Use Desktop's encrypted access token as a read-only fallback without consuming its rotating refresh token, and keep background refreshes from triggering Keychain prompts.

Co-authored-by: Cursor <cursoragent@cursor.com>
@robinebers robinebers added the gate-passed Passed the automated PR gatekeeper checks (gatekeeper skips it on later runs) label Jul 11, 2026 — with Cursor
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs gate-passed Passed the automated PR gatekeeper checks (gatekeeper skips it on later runs) provider tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant