Git Credential Helper
Git does not handle credentials directly. Instead, it relies on external "credential helpers" to store and retrieve credentials securely to access private repositories or other resources. This design allows Git to be flexible and integrate with various credential storage solutions across different platforms.
tip
TL;DR:
git-credential-manager(GCM) is the modern recommendation — it runs on Windows, macOS, and Linux, and supports multi-factor auth for GitHub, GitLab, Bitbucket, and Azure DevOps, whereas the OS-native helpers only handle username/password.osxkeychainis perfectly fine if you're macOS-only and don't need OAuth browser flows.cacheis the right call when you have no secure storage available — e.g. ephemeral CI containers where you just need credentials to survive one pipeline run.storeshould be a last resort — plaintext on disk is barely better than typing every time.
List of Helpers
🍎 = macOS, 🐧 = Linux, 🪟 = Windows
| Helper | Platform | Storage | Security | Notes |
|---|---|---|---|---|
cache | 🍎 🐧 | In-memory (Unix socket) | ✅ Never touches disk | Built-in, Default timeout 15 min, configurable. Not available on Windows |
store | 🍎 🐧 🪟 | Plaintext file (~/.git-credentials) | ⚠️ Unencrypted | Built-in, File-permission protected only. Last resort |
osxkeychain | 🍎 | macOS Keychain | ✅ AES-256, login-key derived | Default on macOS. |
wincred | 🪟 | Windows Credential Manager | ✅ OS-encrypted | Bundled with Git for Windows. Legacy, superseded by GCM |
gnome-libsecret | 🐧 (GNOME) | GNOME Keyring / libsecret | ✅ OS-encrypted | Replaces older gnome-keyring helper |
kwallet | 🐧 (KDE) | KWallet | ✅ OS-encrypted | KDE desktop environments |
Cross-platform (third-party, install separately):
| Helper | Platform | Storage | OAuth support | Notes |
|---|---|---|---|---|
git-credential-manager (GCM) | 🍎 🐧 🪟 | OS keychain per platform | ✅ Yes | The modern default. Replaces wincred. Supports GitHub, GitLab, Bitbucket, Azure DevOps |
oauth (git-credential-oauth) | 🍎 🐧 🪟 | OS keychain | ✅ Yes | Lightweight OAuth-only alternative to GCM. Common in Linux distro packages |
gopass | 🍎 🐧 🪟 | gopass password store (GPG-encrypted) | ❌ | Good for teams sharing credentials via GPG |
1password | 🍎 🐧 🪟 | 1Password vault | ❌ | Requires 1Password desktop app running |
lastpass | 🍎 🐧 🪟 | LastPass vault | ❌ | Requires LastPass CLI |