Synopsis
git config --global credential.helper <helper>
git credential fill
git credential approve
git credential rejectDescription
The git credential machinery handles authentication for HTTPS remotes. Rather than prompting for a username and password every push, Git delegates to a credential helper that stores credentials securely. Helpers include cache (in-memory for a few minutes), store (plain-text file), osxkeychain (macOS Keychain), manager (Git Credential Manager on Windows/macOS/Linux), and libsecret (Linux GNOME).
You rarely call git credential directly — you configure a helper once, and Git invokes it transparently. Modern setups (especially with GitHub) use OAuth tokens or 2FA-protected personal access tokens stored in a system keyring.
In day-to-day use, git credential integrates closely with shell aliases, editor plugins, and continuous integration. Power users often add aliases that combine flags they always pass, or wrap the command in scripts that enforce team conventions. Output formatting can be customized via Git config — pretty formats, color schemes, and pager behavior are all tunable. When something goes wrong, the first diagnostic step is usually to re-run the command with GIT_TRACE=1 in the environment, which reveals the underlying plumbing calls. For unusual situations, the --help output (git credential --help) opens the full manual page with details on every option, including those rarely used in casual workflows but essential for debugging or scripting at scale.
Understanding how git credential interacts with the rest of Git's data model — the object database, the index, refs, and the working tree — pays dividends. Each command operates on some subset of these pieces, and knowing which it touches helps predict outcomes and recover from mistakes. Reading the official Git documentation alongside hands-on practice in a throwaway repository is the fastest way to internalize the nuances. Most production issues with Git stem from one of three causes: surprising default behavior, partial network operations, or rewriting history that was already shared. A working mental model of git credential's side effects helps avoid all three.
Common Options
| Subcommand / Config | Description |
|---|---|
credential.helper | Set the credential helper to use. |
credential.useHttpPath | Include URL path in the lookup key. |
fill | Plumbing: ask helpers for credentials. |
approve / reject | Tell helpers an attempt succeeded or failed. |
credential.<url>.helper | URL-specific helper. |
credential.helper "cache --timeout=3600" | Configurable in-memory cache. |
Examples
git config --global credential.helper osxkeychain
# macOS: store credentials in Keychain
git config --global credential.helper manager
# Cross-platform: Git Credential Manager
git config --global credential.helper "cache --timeout=3600"
# Cache for one hour in memory
# Per-host helper:
git config --global credential.https://github.com.helper "!gh auth git-credential"
# Use the GitHub CLI as the helperCommon Mistakes
The store helper writes plain text to ~/.git-credentials — fine for throwaway VMs, dangerous on shared machines. Avoid passwords entirely; use personal access tokens or SSH keys for write access. After rotating a token, run git credential reject or clear the cache to force a refresh.
Related Commands
git config, git push, git fetch, ssh-agent