diff --git a/docs/architecture.html b/docs/architecture.html index eee5d62..995a784 100644 --- a/docs/architecture.html +++ b/docs/architecture.html @@ -261,9 +261,9 @@
Choice: OS Keychain via keytar
-Alternatives considered: File-based (~/.github-mcp), environment variables only
-Rationale: Native security, no plaintext files, cross-platform
+Choice: OS Keychain via @napi-rs/keyring
+Alternatives considered: File-based (~/.github-mcp), environment variables only, keytar (replaced — required libsecret on Linux)
+Rationale: Native security, no plaintext files, cross-platform, prebuilt binaries with no system dependencies
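Review bot: The new Rationale line's "prebuilt binaries with no system dependencies" overstates what the swap buys. Per the Alternatives line, the change removes keytar's libsecret requirement, but the Choice is still an OS keychain, so a credential store has to be reachable at runtime. Suggest narrowing the wording to the build and shared-library dependency that actually went away. Also add a sentence on what happens when no OS credential store is available (for example on a headless Linux host): does the tool fail closed, or fall back to something like the File-based (~/.github-mcp) option that this decision rejects?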
On first use, you'll authenticate via GitHub OAuth:
You only need to do this once. To re-authenticate: npx @ldraney/github-mcp auth login
On macOS, you'll see a system dialog:
+"node wants to use your confidential information stored in 'github-mcp' in your keychain."
+This is expected and is a good sign — it means your GitHub token is stored in the macOS Keychain, the same encrypted vault that Safari, Mail, and other system apps use for credentials. Enter your login keychain password (your Mac login password) to allow access.
+You can click Always Allow to avoid the prompt on future launches.
+GitHub MCP is designed so your credentials never touch the filesystem as plaintext.
+ +Your GitHub token is stored in your operating system's native credential manager — macOS Keychain, Windows Credential Manager, or Linux secret-service. These are encrypted, OS-protected stores. Your token is never written to a config file, environment file, or disk.
+Authentication uses GitHub's OAuth flow. You authorize in your browser and the token is issued directly — you never create, copy, or paste a Personal Access Token. Tokens can be revoked from your GitHub settings at any time.
+The OAuth client secret is held on our backend server, never shipped in the npm package or .mcpb bundle. Your machine only ever handles the short-lived authorization code and the resulting token.
+The OAuth callback uses a temporary local HTTP server on a random port that only listens for a single redirect, then shuts down. Webhook delivery uses smee.io (outbound SSE), so no inbound ports are ever exposed.
+
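Review bot: The "You can click Always Allow" line recommends the more permissive setting without saying what it grants. The dialog quoted above names "node", not github-mcp, so Always Allow authorizes the node binary for the 'github-mcp' item, and other programs run by that same binary can then read the token with no prompt. Suggest presenting plain Allow as the default and describing Always Allow as a convenience trade-off. Separately, in the last security paragraph, "no inbound ports are ever exposed" sits next to "a temporary local HTTP server on a random port", which is an inbound listener for as long as it runs. State the address it binds to (loopback only, if that is the case) and scope the "no inbound ports" claim to webhook delivery. The "never written to ... disk" wording in the credential-store paragraph would also be more accurate as "never written to disk in plaintext", matching the sentence that opens the section.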