Manage API keys

This guide shows you how to manage API keys and credentials.

Where keys are stored

All sensitive credentials are stored via flutter_secure_storage:

Platform	Storage
macOS	Keychain
Windows	Credential Store
Linux	libsecret

shared_preferences is used only for non-sensitive preferences (theme, font). API keys are never stored in plain files.

GitHub token

Add

Navigate to Settings → Integrations (or during onboarding)
Enter your GitHub personal access token
Required scopes: repo, read:org
Click Verify — Control Center validates the token
On success, the token is stored in the keychain

Auto-detect `gh` CLI

If the gh CLI is installed and authenticated:

Control Center detects it automatically
Reads the token from gh’s credential store
No manual entry needed

Update

Navigate to Settings → Integrations
Click Update next to GitHub
Enter the new token
Verify and save

Remove

Navigate to Settings → Integrations
Click Remove next to GitHub
The token is deleted from the keychain

Linear API key

Navigate to Settings → Integrations
Find Linear and click Connect
Enter your Linear API key
Verify and save

Model provider keys

API keys for model providers (Anthropic, OpenAI, etc.) are managed by the adapter CLIs themselves, not by Control Center. Configure them in the CLI’s configuration:

# Claude Code
claude config set apiKey ...

# OpenAI
export OPENAI_API_KEY=...

Security considerations

Never commit tokens to Git — Control Center stores them in the system keychain, not in files
Use least-privilege tokens — only request the scopes you need
Rotate tokens regularly — set expiration dates on GitHub PATs
Revoke on compromise — revoke tokens immediately if you suspect they’ve been exposed

Troubleshooting

Keychain access denied

On macOS, ensure Control Center has keychain access. The app requests access on first use — grant it.

Token not working

Check if the token has expired
Verify the required scopes are present
Test manually: curl -H "Authorization: token YOUR_TOKEN" https://api.github.com/user