#8469: fix(auth): detect actual keychain account name when writing Claude CLI credentials
agents
stale
Cluster: Auth Improvements and Fixes
## Problem
When OpenClaw refreshes OAuth tokens and tries to write them back to macOS Keychain, it uses a hardcoded account name `"Claude Code"`, but Claude Code CLI may create the keychain entry with the system username (e.g., `"username"`) as the account.
This causes the write to fail silently (or create a duplicate entry), breaking token sync between OpenClaw and Claude Code.
## Solution
Added `detectClaudeCliKeychainAccount()` function that parses the existing keychain entry to find the actual account name before writing. This ensures we update the correct entry regardless of what account name was used when it was created.
## Changes
- Added `detectClaudeCliKeychainAccount()` to detect the actual account name from the keychain entry
- Modified `writeClaudeCliKeychainCredentials()` to use the detected account name
- Added logging of the account name used when writing
Fixes #8447
## Greptile Overview
### Greptile Summary
This PR fixes Claude CLI keychain refresh writes on macOS by detecting the existing keychain item’s account name (instead of always using the hardcoded `"Claude Code"`) and then using that account when updating the `Claude Code-credentials` entry.
The change is localized to `src/agents/cli-credentials.ts`, in the code path that writes refreshed OAuth tokens back into the Keychain so OpenClaw and Claude Code stay in sync.
### Confidence Score: 4/5
- This PR is likely safe to merge, with a small risk of edge-case failures in account-name detection.
- The change is small and scoped, but it relies on parsing `security` CLI output, which is historically format-unstable; if the regex fails, the fix can degrade back to the previous behavior for some users.
- src/agents/cli-credentials.ts
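The concern above about parsing `security` output, shown as an added example that is not part of the PR or OpenClaw's code: a tolerant parser for the `acct` attribute that reports explicitly when it falls back to the hardcoded name. The function names and the sample output layout are assumptions.

```typescript
// Added example, not OpenClaw's code: parseKeychainAccount and resolveAccount are
// hypothetical names, and the attribute layout is an assumption about the
// output of `security find-generic-password`.
const FALLBACK_ACCOUNT = "Claude Code"; // hardcoded name from the PR description

// Returns the "acct" attribute, or null when absent, <NULL> or undecodable.
function parseKeychainAccount(output: string): string | null {
  for (const line of output.split(/\r?\n/)) {
    const m = /^\s*"acct"<blob>=(.*)$/.exec(line);
    if (!m) continue;
    const value = m[1].trim();
    if (value === "<NULL>") return null;
    // Non-ASCII values are printed as 0x<hex> followed by an escaped copy.
    const hex = /^0x([0-9A-Fa-f]+)\b/.exec(value);
    if (hex) {
      if (hex[1].length % 2 !== 0) return null;
      try {
        // Percent-encode each byte so decodeURIComponent decodes the UTF-8.
        return decodeURIComponent(hex[1].replace(/../g, "%$&")) || null;
      } catch {
        return null; // bytes are not valid UTF-8
      }
    }
    const quoted = /^"(.*)"$/.exec(value);
    return quoted && quoted[1].length > 0 ? quoted[1] : null;
  }
  return null;
}

// Reports which path was taken so a fallback write is logged, not silent.
function resolveAccount(output: string): { account: string; source: "keychain" | "fallback" } {
  const detected = parseKeychainAccount(output);
  return detected !== null
    ? { account: detected, source: "keychain" }
    : { account: FALLBACK_ACCOUNT, source: "fallback" };
}

// Constructed sample outputs (not captured from a real machine).
const SAMPLE_PLAIN = [
  'keychain: "/Users/alice/Library/Keychains/login.keychain-db"',
  'class: "genp"',
  "attributes:",
  '    0x00000007 <blob>="Claude Code-credentials"',
  '    "acct"<blob>="alice"',
  '    "svce"<blob>="Claude Code-credentials"',
].join("\n");
const SAMPLE_HEX = '    "acct"<blob>=0x72656EC3A9  "ren\\303\\251"';
const SAMPLE_NULL = '    "acct"<blob>=<NULL>';
```

Logging the `source` field alongside the account name makes a detection miss visible instead of reverting quietly to the earlier behaviour.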
## Most Similar PRs
- #2123: fix(auth): sync from Claude CLI keychain before OAuth refresh · by jorge123255 · 2026-01-26 · 83.9%
- #13484: feat(auth): restore Claude Code CLI OAuth credential sync · by joshpocock · 2026-02-10 · 79.5%
- #7523: fix(auth): re-sync external CLI credentials on token revocation · by codeslayer44 · 2026-02-02 · 78.5%
- #21053: security(infra): OS keychain storage for device private keys · by richvincent · 2026-02-19 · 76.5%
- #11208: fix(config): prevent __OPENCLAW_REDACTED__ corruption on config writes · by janckerchen · 2026-02-07 · 74.0%
- #6400: fix: set correct mode for Anthropic OAuth auth (#2697) · by coupclawbot · 2026-02-01 · 73.5%
- #3196: docs: clarify auth-profiles.json format for Claude Max setup-tokens · by aadeina · 2026-01-28 · 73.4%
- #10492: fix(auth): store Anthropic setup-token as type:oauth for auto-refresh · by sparck75 · 2026-02-06 · 73.3%
- #23654: security(cli): redact sensitive values in config get output · by SleuthCo · 2026-02-22 · 73.0%
- #10182: fix: skip non-openclaw LaunchAgents in doctor gateway scan · by Yida-Dev · 2026-02-06 · 72.9%