cc-auth — save, switch, and inspect multiple Claude Code authentication slots.
If you use more than one Claude account (personal/work, multiple Max plans), Claude Code only ever sees one set of credentials at a time. cc-auth snapshots those credentials into named slots and lets you swap between them, while caching each account's profile and rate-limit usage so you can see — at a glance — which account has headroom left.
Claude Code stores its OAuth credentials in:
- macOS: the login Keychain, under service
Claude Code-credentials - Linux:
~/.claude/.credentials.json(chmod 600)
Credentials are never written to ~/.claude/cc-auth/. On macOS, every slot's OAuth blob is stored securely in the login Keychain (service cc-auth, account = slot name) — encrypted at rest under your login password, gated by the system security binary, and never touches disk in plaintext. On Linux, where there's no system-wide secret store to assume, slot credentials live in credentials.json files written chmod 600.
The only things cc-auth writes under ~/.claude/cc-auth/slots/<name>/ are non-sensitive metadata used for the list / stats views:
profile.json— last response from/api/oauth/profile(email, tier, plan)usage.json— last response from/api/oauth/usage(5h / 7d utilization, reset times)
Switching a slot copies its credentials back into the active location (Keychain on macOS, file on Linux). Restart any running Claude Code sessions to pick up the change.
Upgrading from an older version? If you have a
~/.cc-auth/directory from a prior install,cc-authwill automatically move it to~/.claude/cc-auth/on first run.
Drop cc-auth somewhere on your PATH and make it executable:
install -m 0755 cc-auth ~/.local/bin/cc-authRequires Python 3.10+. fzf is optional — if present, cc-auth switch uses it for an interactive picker; otherwise it falls back to a numbered prompt.
| Command | Description |
|---|---|
cc-auth save [<name>] |
Snapshot the active credentials into a slot. Defaults the name to the logged-in account email. |
cc-auth switch [<name>] |
Activate a slot. With no name, opens an fzf picker (or numbered prompt). |
cc-auth list |
List slots with cached email, tier, and 5h/7d utilization sparkbars. |
cc-auth current |
Print the slot name matching the currently active credentials. |
cc-auth delete <name> |
Remove a slot. |
cc-auth refresh [<name>] |
Re-fetch profile + usage for one slot, or all slots. |
cc-auth stats [<name>] |
Detailed cached usage table for one or all slots. |
cc-auth whoami |
Live profile + usage for the active account. |
# log in to account A via `claude`, then snapshot it
cc-auth save # auto-names from account email
# log in to account B, snapshot that too
cc-auth save work
# see who's got headroom
cc-auth list
# swap to whichever account has the most quota left
cc-auth switchcc-auth never sends your credentials anywhere. Tokens only move between two stores on your own machine:
- macOS: every credential — both the active one Claude Code reads (service
Claude Code-credentials) and every saved slot (servicecc-auth, account = slot name) — lives in the login Keychain. Reads and writes go through the systemsecuritybinary, so the OS prompts for Keychain access the first time and secrets are encrypted at rest under your login password. No OAuth tokens are ever written to disk bycc-authon macOS. - Linux: the active credential is
~/.claude/.credentials.jsonand slot credentials are~/.claude/cc-auth/slots/<name>/credentials.json, both writtenchmod 600. There's no system-wide secret store assumed; if you need stronger isolation, run on an encrypted volume (LUKS) or wrap withpass/secret-tool.
The only files cc-auth writes under ~/.claude/cc-auth/slots/<name>/ are profile.json and usage.json — non-sensitive metadata (email, tier, rate-limit counters) used for the list / stats views.
The only network calls are authenticated GETs to api.anthropic.com/api/oauth/profile and /api/oauth/usage. No third-party services, no telemetry.
MIT — see LICENSE.