
Git Credential Storage

When you use HTTPS (rather than SSH) to push and pull from a remote, Git needs your username and password or personal access token for every network operation. Without a credential helper, Git prompts you for these on every single command — which quickly becomes unbearable. Credential helpers cache or store these credentials so you only need to enter them once (or rarely). Choosing the right helper is a balance between convenience and security.

The cache Helper (Memory, Not Disk)

The cache helper holds credentials in memory through a background daemon process. They are never written to disk and are automatically cleared when the timeout expires or the system restarts. This is the safest credential helper available.

Use the in-memory cache helper

```bash
# Default: credentials cached for 15 minutes (900 seconds)
git config --global credential.helper cache

# Custom timeout: cache for 1 hour (3600 seconds)
git config --global credential.helper 'cache --timeout=3600'

# Cache for 8 hours (a full work session)
git config --global credential.helper 'cache --timeout=28800'
```

Note
The `cache` helper is not available on Windows. Windows users should use the Git Credential Manager instead.

The store Helper (Plaintext on Disk)
Warning
The `store` helper writes credentials to `~/.git-credentials` in plaintext. Any process or user that can read that file — malware, a nosy sysadmin, a compromised application — can see your passwords and tokens. Use this helper only on personal machines where you understand the risk, and only when platform keychain integration is not available. Never use it on shared or multi-user systems.

Plaintext store helper (use with caution)

```bash
git config --global credential.helper store
```

Contents of ~/.git-credentials (plaintext!)

```text
https://username:ghp_yourPersonalAccessToken@github.com
```
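To check whether a machine already has tokens sitting in a `store` file, the following added example (not part of the original page) lists each entry with the secret redacted and flags a file mode that lets other users read it. The function names and the sample entry are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a file written by `credential.helper store`.
# Secrets are never printed; only scheme, username and host are shown.

ENTRY_RE='^([a-z]+://[^:/@]+):[^@]*@'   # matches scheme://user:secret@

# file_mode FILE -> octal permission bits (GNU stat first, then BSD stat)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_credentials_file FILE
# returns 0: no entries, 1: plaintext entries (owner-only), 2: also open to group/other
audit_credentials_file() {
  file=$1
  count=$(grep -c -E "$ENTRY_RE" "$file" 2>/dev/null) || count=0
  if [ "$count" -eq 0 ]; then
    echo "OK: no stored credentials in $file"
    return 0
  fi
  mode=$(file_mode "$file")
  echo "FOUND: $count plaintext credential(s) in $file (mode $mode)"
  sed -E -n "s#$ENTRY_RE#  \\1:<redacted>@#p" "$file"
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "RISK: group/other can access the file; tighten with: chmod 600 $file"
    return 2
  fi
  return 1
}

# Demo on a constructed sample (fake token), not on a real ~/.git-credentials.
demo() {
  sample=$(mktemp)
  printf '%s\n' 'https://username:ghp_CONSTRUCTED_FAKE_TOKEN@github.com' > "$sample"
  chmod 644 "$sample"
  audit_credentials_file "$sample"; status=$?
  rm -f "$sample"
  return "$status"
}
demo || echo "audit status: $?"
```

To audit a real file, call `audit_credentials_file "$HOME/.git-credentials"` in place of the demo.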

Platform-Native Keychain Helpers

The best option for most developers is a helper that integrates with the operating system's secure credential store. These use the OS keychain (which is encrypted and access-controlled) rather than storing credentials in plaintext.

| Platform | Helper | Backend Storage |
| --- | --- | --- |
| macOS | osxkeychain | macOS Keychain (encrypted, Touch ID protected) |
| Windows | manager or wincred | Windows Credential Manager |
| Linux (GNOME) | libsecret | GNOME Keyring or KWallet |
| Linux (KDE) | libsecret | KWallet |
| Cross-platform | Git Credential Manager (GCM) | OS keychain on each platform |

Platform-native helper setup

```bash
# macOS (usually pre-configured by git-credential-osxkeychain)
git config --global credential.helper osxkeychain

# Linux with libsecret
git config --global credential.helper /usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret

# Windows (usually set automatically by Git for Windows)
git config --global credential.helper manager
```

Git Credential Manager (GCM)

Git Credential Manager is Microsoft's cross-platform, open-source credential helper. It is the most feature-complete option, supporting OAuth flows, multi-factor authentication, and Azure DevOps. It ships with Git for Windows and can be installed separately on macOS and Linux.

Install Git Credential Manager

```bash
# macOS
brew install --cask git-credential-manager

# Linux (Debian/Ubuntu)
# This pipes a downloaded script straight into sh; to review it first, save it to a file and read it before running it
curl -L https://aka.ms/gcm/linux-install-source.sh | sh

# Check which helper is configured
git config --global credential.helper
```

  • OAuth flows — authenticates via browser for GitHub, GitLab, Bitbucket, and Azure DevOps

  • MFA support — handles repositories that require two-factor authentication

  • Multiple accounts — manages different credentials for different hosts or organizations

  • OS keychain — stores tokens in the platform keychain, not plaintext

  • Automatic token refresh — handles expired tokens transparently

How Credential Helpers Work Internally

Git communicates with credential helpers through a simple stdin/stdout protocol. You can use this directly to approve or reject stored credentials.

Git credential plumbing commands

```bash
# Ask the helper for credentials (what git does internally)
echo "url=https://github.com" | git credential fill

# Tell the helper these credentials are valid (save them)
echo "url=https://github.com
username=myuser
password=mytoken" | git credential approve

# Tell the helper these credentials failed (erase them)
echo "url=https://github.com" | git credential reject
```
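The helper side of that protocol, as an added example that is not from the original page or from Git itself: a minimal helper that replies to `get` only for one HTTPS host and reads the token from the environment, so nothing is stored on disk. `ALLOWED_HOST`, `GIT_USER`, `GIT_TOKEN` and the host `git.example.test` are assumptions of this sketch.

```bash
#!/bin/sh
# Added example: a credential helper that answers only for one HTTPS host and
# takes the token from the environment, so nothing is written to disk.
# ALLOWED_HOST, GIT_USER and GIT_TOKEN are names chosen for this sketch.

ALLOWED_HOST=${ALLOWED_HOST:-git.example.test}   # hypothetical host
GIT_USER=${GIT_USER:-ci-bot}                     # hypothetical account

# credential_helper ACTION: git runs a helper with get, store or erase and
# writes key=value attributes to its stdin, ended by a blank line or EOF.
credential_helper() {
  action=$1 protocol='' host=''
  while IFS='=' read -r key value; do
    [ -n "$key" ] || break
    case $key in
      protocol) protocol=$value ;;
      host)     host=$value ;;
    esac                       # other attributes (path, username, ...) are ignored
  done
  # store/erase are no-ops: this helper keeps no state to update or delete.
  [ "$action" = get ] || return 0
  # Answer only for the expected scheme and host so the token is not handed
  # to another remote; an empty reply lets git fall through to the next
  # helper or to its prompt.
  [ "$protocol" = https ] || return 0
  [ "$host" = "$ALLOWED_HOST" ] || return 0
  [ -n "${GIT_TOKEN:-}" ] || return 0
  printf 'username=%s\npassword=%s\n' "$GIT_USER" "$GIT_TOKEN"
}

# Act as a helper only when git passes an action argument.
if [ $# -gt 0 ]; then credential_helper "$@"; fi
```

Saved as an executable script, it can be registered by setting `credential.helper` to the script's absolute path.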

HTTPS vs SSH: The Credential Comparison

| Dimension | HTTPS + Credential Helper | SSH Keys |
| --- | --- | --- |
| Initial setup | Easy — just enter username/token once | Moderate — generate key, add to host |
| Credential storage | Requires a helper to avoid re-entering | Key agent handles it transparently |
| Revocation | Delete or rotate the personal access token | Remove public key from host, rotate private key |
| MFA / token rotation | Must update stored token when it expires | SSH keys do not expire by default |
| Firewall | Port 443 — almost never blocked | Port 22 — sometimes blocked on corporate networks |
| Multiple accounts | Credential helper must support per-host config | Multiple keys via SSH config file |
| Security | Good with OS keychain; poor with plaintext store | Excellent — private key never leaves your machine |

Tip
For most developers, SSH keys are the superior long-term choice. Once configured, SSH authentication is completely silent — no tokens to rotate, no credential helpers to manage, no plaintext storage concerns. Generate an SSH key pair, add the public key to your Git host, and push/pull using `git@github.com:user/repo.git` URLs instead of `https://`.

Clearing Stored Credentials

Clear credentials from various helpers

```bash
# Erase cached credentials from cache helper
git credential-cache exit

# Remove a specific credential (prompts the helper to erase)
echo "url=https://github.com" | git credential reject

# macOS: remove from keychain via command line
git credential-osxkeychain erase << EOF
protocol=https
host=github.com
EOF
```