feat: add macOS Keychain support for secure credential storage #47
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Credentials can now be stored in macOS Keychain instead of plain text .env files: - security add-generic-password -a "api_id" -s "telegram-mcp" -w "YOUR_API_ID" -U - security add-generic-password -a "api_hash" -s "telegram-mcp" -w "YOUR_API_HASH" -U - security add-generic-password -a "session_string" -s "telegram-mcp" -w "YOUR_SESSION_STRING" -U The code tries Keychain first, then falls back to environment variables, maintaining full backward compatibility. Benefits: - Credentials never stored in plain text on disk - Protected by macOS security (Touch ID, password) - Not accidentally committed to git 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
Contributor
|
pls fix black |
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
chigwell
requested changes
Jan 13, 2026
Owner
chigwell
left a comment
chigwell
left a comment
There was a problem hiding this comment.
Hi @BayramAnnakov, and thank you for your contribution. This PR seems very useful, and we really appreciate your suggestion. However, I'd prefer not to include the subprocess dependency in main.py, nor to run
subprocess.run(["security", "find-generic-password", "-a", account, "-s", service, "-w"])in each MCP instance. Instead, I'd prefer to keep this in a separate python script (see, e.g. session_string_generator.py) so it's only run by the developers who actually need it. Thank you.
Contributor
Author
|
Makes sense, will address |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Add support for storing Telegram API credentials in macOS Keychain instead of plain text .env files.
Changes
get_credential_from_keychain()function to read from macOS Keychainget_credential()wrapper that tries Keychain first, falls back to environment variablesUsage
Store credentials in Keychain:
Benefits
Platform Support
🤖 Generated with Claude Code