Skip to content

Changelog

New updates and improvements at Cloudflare.

hero image

Store Wrangler's OAuth credentials in your OS keychain

Wrangler can now store the OAuth credentials returned by wrangler login in an AES-256-GCM-encrypted file, with the encryption key held in your operating system keychain. The default behavior is unchanged — credentials still live in a plaintext TOML file unless you opt in.

To opt in, run:

Terminal window
npx wrangler login --use-keyring

The choice is persisted across Wrangler invocations. Opt back out with npx wrangler login --no-use-keyring, or override the preference for a single command with the CLOUDFLARE_AUTH_USE_KEYRING environment variable.

wrangler whoami now reports where credentials are stored:

🔐 Credentials are stored in: Encrypted file (~/.config/.wrangler/config/default.enc) with key in macOS Keychain (service=wrangler, account=default)

Per-platform backends:

  • macOS uses the built-in Keychain via /usr/bin/security.
  • Linux uses libsecret via the secret-tool CLI from the libsecret-tools package.
  • Windows uses Credential Manager via @napi-rs/keyring, installed on-demand the first time you opt in.

Refer to Storing OAuth credentials in the OS keychain for the full details, including the migration behavior on opt-in/opt-out and the CLOUDFLARE_AUTH_USE_KEYRING environment variable.