Credential handling

Bom Agent stores CLI tokens, OAuth sessions, and third-party credentials securely on your local machine.

Where credentials live

  • CLI tokens — each CLI's standard location (~/.claude/, ~/.codex/)
  • OAuth sessions — AuthSessionService memory + OS secure store
  • Notion credentials — NotionCredentials object (transmitted only to Bom.Server)
  • Browser cookies — Playwright user data dir (~/.bom/browser-profiles/)

OS stores

macOS Keychain on Mac, DPAPI on Windows.

How to remove

  1. A specific CLI — Settings → CLI priority → disconnect that CLI
  2. OAuth session — Profile → Sign out
  3. Everything — Settings → Account → "Delete all data"

Credential check on Pack publish

A Pack manifest that contains hardcoded tokens, secrets, or API keys is rejected automatically at publish.

Warning

Environment variables are also scanned. Collect credentials through input forms or external OAuth flows instead.
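
A local pre-publish check in the spirit of the scan described above, as an added example rather than Bom's own scanner. The manifest layout, field names, detection rules and thresholds are assumptions, and every sample value is constructed.

```python
import json, math, re
from collections import Counter

# Constructed sample manifest: layout and field names are assumptions,
# not Bom's real Pack schema; all secret-looking values are fake.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "notion-sync",
  "inputs": [{"name": "notion_token", "type": "secret"}],
  "env": {
    "LOG_LEVEL": "debug",
    "API_KEY": "q7Zp2LxV9mT4cR8bN1wK6yH3",
    "UPSTREAM": "https://svc:Xk29dLq0pW@api.example.invalid/v1"
  },
  "steps": [{"run": "sync", "headers": {"Authorization": "Bearer 9fQ2mZ7xLp4Tn8Vc1Rk6Yb3Hd5Ws0Je"}}]
}
""")

# Key names that usually hold credentials (assumed rule set).
SENSITIVE_KEY = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|authorization)", re.I)
# Value shapes that are credentials regardless of the key they sit under.
VALUE_RULES = [
    ("bearer-token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}")),
    ("url-credentials", re.compile(r"://[^/\s:@]+:[^/\s:@]+@")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(node, path="$"):
    """Walk the manifest (env block included); return sorted (json_path, rule) findings."""
    findings = []
    if isinstance(node, dict):
        for k, v in node.items():
            child = f"{path}.{k}"
            # Sensitive key + long, random-looking literal (thresholds are assumptions).
            if isinstance(v, str) and SENSITIVE_KEY.search(k) and len(v) >= 16 and entropy(v) >= 3.5:
                findings.append((child, "high-entropy-value"))
            findings += scan(v, child)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings += scan(v, f"{path}[{i}]")
    elif isinstance(node, str):
        findings += [(path, name) for name, rx in VALUE_RULES if rx.search(node)]
    return sorted(set(findings))

if __name__ == "__main__":
    for where, rule in scan(SAMPLE_MANIFEST):
        print(f"{where}: {rule}")
```

The declared `inputs` entry is not flagged because it names a credential without carrying a value, which is the pattern the warning above recommends.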