Store Wrangler's OAuth credentials in your OS keychain
Wrangler can now store the OAuth credentials returned by wrangler login in an AES-256-GCM ↗-encrypted file, with the encryption key held in your operating system keychain. The default behavior is unchanged — credentials still live in a plaintext TOML file unless you opt in.
To opt in, run:
npx wrangler login --use-keyringThe choice is persisted across Wrangler invocations. Opt back out with npx wrangler login --no-use-keyring, or override the preference for a single command with the CLOUDFLARE_AUTH_USE_KEYRING environment variable.
wrangler whoami now reports where credentials are stored:
🔐 Credentials are stored in: Encrypted file (~/.config/.wrangler/config/default.enc) with key in macOS Keychain (service=wrangler, account=default)Per-platform backends:
- macOS uses the built-in Keychain via
/usr/bin/security. - Linux uses libsecret ↗ via the
secret-toolCLI from thelibsecret-toolspackage. - Windows uses Credential Manager via
@napi-rs/keyring↗, installed on-demand the first time you opt in.
Refer to Storing OAuth credentials in the OS keychain for the full details, including the migration behavior on opt-in/opt-out and the CLOUDFLARE_AUTH_USE_KEYRING environment variable.