vtcode-auth
June 6, 2026 · View on GitHub
Root AGENTS.md | OAuth PKCE flows and credential storage for LLM providers.
Modules
openai_chatgpt_oauth/ OpenAI ChatGPT OAuth | openrouter_oauth/ OpenRouter OAuth | mcp_oauth/ MCP server OAuth | oauth_server/ local callback server | pkce/ PKCE challenge generation | credentials/ credential storage (keyring + file) | auth_service/ OpenAIAccountAuthService | config/ AuthConfig types | storage_paths/ path resolution
Rules
- All OAuth flows use PKCE —
generate_pkce_challenge()is the entry point. credentials::CredentialStoragesupports keyring and file-based backends.oauth_server::run_auth_code_callback_serverstarts a local HTTP server for OAuth callbacks.- Re-exported from
vtcode-config::authfor backward compat — canonical code is here.
Gotchas
clear_openai_chatgpt_session_with_mode()andclear_oauth_token_with_mode()accept storage mode — use the_with_modevariants for explicit control.- MCP OAuth is separate from provider OAuth —
mcp_oauth::McpOAuthServicehandles it. credentials::keyring_entryshort-circuits whenkeyring_disabled()is true (cfg!(debug_assertions),cfg!(test),VTCODE_DISABLE_KEYRING, orCI), so debug builds, tests, and CI fall back to file storage and never trigger macOS Keychain prompts. Debug-keyring can be re-enabled withVTCODE_DISABLE_KEYRING=0.is_keyring_functional()caches its result to avoid repeated Keychain round trips.