Managing OS X Credentials for Multiple GitHub Repos

By default git stores credentials globally but it can be configured to cache credentials on a per-repo basis.

On OS X a tool called osxkeychain is used to store your GitHub credentials. This tool stores your credentials in the OS X Keychain which you can see by running the Keychain Access app in your OS X Applications. To ensure this helper is working, run:

git config --global credential.helper osxkeychain

To authenticate myself with GitHub I prefer to use Personal Access Tokens as they’re a more granular and easily-repudiated credential, so you can visit github.com/settings/tokens and generate a token. Usually I have repo scope only as I just need to manage repos.

Keep a note of this token now as you won’t be able to see it again once you leave the GitHub page. It should be kept somewhere safe, such as a password manager like gopass. I have a little script that gets my access token and copies it into the clipboard buffer (although that might not be the most secure approach) ready for me to paste when my credentials are requested.

At this stage you can use your username and this access token when git asks for your credentials, however these credentials will be stored for all repos from GitHub. To use these credentials on a per-repo basis, run:

git config --global credential.usehttppath true

This will mean that git can cache different credentials for github.com/person/example and github.com/person/another rather than just one set of credentials for github.com. Note that you should use Clone with HTTPS, such as git clone https://github.com/person/example.git not Clone with SSH such as git clone git@github.com:person/example.git because using SSH just use an SSH key (if you have one set up) rather than the access token.

When git needs credentials, it will prompt you as:

Cloning into 'example'...
Username for 'https://github.com/person/example.git': YOUR_USERNAME
Password for 'https://betandr@github.com/person/example.git': YOUR_ACCESS_TOKEN

At this stage you can create another access token in a different GitHub account and then use this different when working with another repo on the same system.

You will be able to see these different credentials in your OS X Keychain by running Keychain Access and searching for github. You should see a list of credentials for GitHub which, when clicked on, look like:

GitHub credentials for betandr account

GitHub credentials for babbc account

These credentials can then be deleted from your Keychain if you no longer require them.