google · sqrrrl · Apr 7, 2026 · Apr 8, 2026
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
   "dependencies": {
     "@formatjs/intl": "^3.1.6",
     "@modelcontextprotocol/sdk": "^1.12.1",
+    "@napi-rs/keyring": "^1.2.0",
     "chalk": "^5.4.1",
     "chokidar": "^4.0.3",
     "cli-truncate": "^4.0.0",

diff --git a/src/auth/auth.ts b/src/auth/auth.ts
@@ -24,6 +24,7 @@ import {google} from 'googleapis';
 import {AuthorizationCodeFlow} from './auth_code_flow.js';
 import {CredentialStore} from './credential_store.js';
 import {FileCredentialStore} from './file_credential_store.js';
+import {KeyringCredentialStore} from './keyring_credential_store.js';
 import {LocalServerAuthorizationCodeFlow} from './localhost_auth_code_flow.js';
 import {DEFAULT_CLASP_OAUTH_CLIENT_ID} from './oauth_client.js';
 import {ServerlessAuthorizationCodeFlow} from './serverless_auth_code_flow.js';
@@ -34,18 +35,21 @@ type InitOptions = {
   authFilePath?: string;
   userKey?: string;
   useApplicationDefaultCredentials?: boolean;
+  useKeyring?: boolean;
 };
 
 /**
  * Holds authentication information for the current session.
  * @property {OAuth2Client} [credentials] - The authorized OAuth2 client, if logged in.
  * @property {CredentialStore} [credentialStore] - The store used for loading/saving credentials.
  * @property {string} user - The identifier for the current user (e.g., 'default' or a custom key).
+ * @property {string} [authFilePath] - The path to the file store.
  */
 export type AuthInfo = {
   credentials?: OAuth2Client;
   credentialStore?: CredentialStore;
   user: string;
+  authFilePath?: string;
 };
 
 /**
@@ -58,23 +62,37 @@ export type AuthInfo = {
  */
 export async function initAuth(options: InitOptions): Promise<AuthInfo> {
   const authFilePath = options.authFilePath ?? path.join(os.homedir(), '.clasprc.json');
-  const credentialStore = new FileCredentialStore(authFilePath);
+  const fileStore = new FileCredentialStore(authFilePath);
+  let credentialStore: CredentialStore = fileStore;
+
+  const userKey = options.userKey ?? 'default';
+
+  const fileCreds = await fileStore.load(userKey);
+
+  if (options.useKeyring || fileCreds?.is_keyring) {
+    debug('Using keyring store for user %s', userKey);
+    credentialStore = new KeyringCredentialStore();
+    // If they specified --use-keyring but the stub doesn't exist yet, we don't write it here.
+    // It will be written in the login/import process.
+  }
 
   debug('Initializing auth from %s', options.authFilePath);
   if (options.useApplicationDefaultCredentials) {
     const credentials = await createApplicationDefaultCredentials();
     return {
       credentials,
       credentialStore,
-      user: options.userKey ?? 'default',
+      user: userKey,
+      authFilePath,
     };
   }
 
-  const credentials = await getAuthorizedOAuth2Client(credentialStore, options.userKey);
+  const credentials = await getAuthorizedOAuth2Client(credentialStore, userKey);
   return {
     credentials,
     credentialStore,
-    user: options.userKey ?? 'default',
+    user: userKey,
+    authFilePath,
   };
 }
 

diff --git a/src/auth/credential_store.ts b/src/auth/credential_store.ts
@@ -28,8 +28,9 @@ import {Credentials, JWTInput} from 'google-auth-library';
  * @property {number} [expiry_date] - The expiry date of the access token in milliseconds.
  * @property {string} [type] - The type of credential, e.g., 'authorized_user'.
  * @property {string} [id_token] - The ID token (often same as access_token for clasp's use).
+ * @property {boolean} [is_keyring] - Flag indicating whether the credentials are in the keyring.
  */
-export type StoredCredential = JWTInput & Credentials;
+export type StoredCredential = JWTInput & Credentials & {is_keyring?: boolean};
 
 /**
  * Defines the contract for a credential storage mechanism.
@@ -63,4 +64,10 @@ export interface CredentialStore {
    * @returns {Promise<StoredCredential | null>} The stored credentials, or null if not found.
    */
   load(user: string): Promise<StoredCredential | null>;
+
+  /**
+   * Lists all users that have credentials in the store.
+   * @returns {Promise<string[]>} A list of user identifiers.
+   */
+  listUsers(): Promise<string[]>;
 }
diff --git a/src/auth/file_credential_store.ts b/src/auth/file_credential_store.ts
@@ -131,6 +131,18 @@ export class FileCredentialStore implements CredentialStore {
    * @param {string} user - The identifier for the user.
    * @returns {Promise<StoredCredential | null>} The stored credentials if found, otherwise null.
    */
+  async listUsers(): Promise<string[]> {
+    const store: FileContents = this.readFile();
+    const users = new Set(Object.keys(store.tokens || {}));
+
+    // Check for V1 legacy credentials under the default user
+    if (!users.has('default') && (hasLegacyLocalCredentials(store) || hasLegacyGlobalCredentials(store))) {
+      users.add('default');
+    }
+
+    return Array.from(users);
+  }
+
   async load(user: string): Promise<StoredCredential | null> {
     const store: FileContents = this.readFile();
     const credentials = store.tokens?.[user] as StoredCredential;