A CLI tool to manage Claude AI OAuth secrets across multiple GitHub repositories.
- Bun runtime installed (for development)
- GitHub Personal Access Token with
reposcope - Claude credentials file at
~/.claude/.credentials.json
bun installmake build
# Binary will be created at dist/claude-secrets-renovator-
Authenticate with GitHub:
bun run src/main.ts auth # Or with binary: ./claude-secrets-renovator authYou'll be prompted to enter:
- Your GitHub Personal Access Token (with
reposcope) - Your GitHub organization/username
Both will be securely stored for future use.
- Your GitHub Personal Access Token (with
-
Check status:
bun run src/main.ts status
The tool provides multiple ways to update secrets:
-
Update specific repositories:
bun run src/main.ts update repo1 repo2 repo3
-
Interactive selection:
bun run src/main.ts update --interactive # Or just: bun run src/main.ts update -
Update all repositories:
bun run src/main.ts update --all
auth- Authenticate with GitHublogout- Remove stored GitHub credentialsupdate [repos...]- Update Claude secrets in repositories--all, -a- Update all repositories--interactive, -i- Select repositories interactively
status- Check authentication and credentials statusmonitor- Monitor and auto-refresh credentials (long-running process)service- Generate and install systemd service for automatic monitoring--user <username>- User to run the service as (default: current user)--install- Install the service after generation--enable- Enable the service to start on boot--start- Start the service immediately
help- Show help information
This tool reads your Claude OAuth credentials from ~/.claude/.credentials.json and updates the following secrets in each specified repository:
CLAUDE_ACCESS_TOKENCLAUDE_REFRESH_TOKENCLAUDE_EXPIRES_AT
The secrets are encrypted using GitHub's public key before being stored.
- GitHub tokens are stored locally in
~/.claude-secrets-renovator/config.json - Tokens are never logged or exposed
- All secrets are encrypted before being sent to GitHub
To build a standalone binary for Linux:
make buildTo install system-wide:
make install # Requires sudoThe tool includes a monitor command that continuously watches for expiring Claude credentials and automatically refreshes them. You can run this as a systemd service to ensure your GitHub secrets are always up-to-date.
First, build and install the binary:
make build
sudo make installTo set up the monitor as a systemd service:
# Generate, install, enable, and start the service (requires sudo)
sudo claude-secrets-renovator service --install --enable --startThis will:
- Create a systemd service file at
/etc/systemd/system/claude-secrets-renovator@yourusername.service - Enable the service to start on boot
- Start the service immediately
If you prefer to set up the service manually:
-
Generate the service file:
claude-secrets-renovator service
-
Create the systemd service file: Save the generated content to
/etc/systemd/system/claude-secrets-renovator@yourusername.service -
Enable and start the service:
sudo systemctl daemon-reload sudo systemctl enable claude-secrets-renovator@yourusername.service sudo systemctl start claude-secrets-renovator@yourusername.service
Once installed, you can manage the service with these commands:
# Check service status
sudo systemctl status claude-secrets-renovator@yourusername
# View logs
sudo journalctl -u claude-secrets-renovator@yourusername -f
# Stop the service
sudo systemctl stop claude-secrets-renovator@yourusername
# Restart the service
sudo systemctl restart claude-secrets-renovator@yourusername
# Disable automatic startup
sudo systemctl disable claude-secrets-renovator@yourusernameThe monitor service:
- Checks your Claude credentials every time they're close to expiring (within 5 minutes)
- Automatically refreshes expired credentials
- Updates all configured GitHub repositories with the new credentials
- Runs continuously in the background
- Retries failed operations after 1 hour