Git Credential Manager
Cross-platform Git credential storage for GitHub, Azure, and more
Quick Take: Git Credential Manager
Git Credential Manager is the definitive solution for macOS developers who use HTTPS for Git operations and have 2FA enabled on their accounts. It transforms the authentication experience from a constant friction point into a set-and-forget background process. The smooth OAuth flow, automatic token refresh, and native Keychain integration make it far superior to managing PATs manually. While SSH keys remain a valid alternative for those who prefer explicit key management, GCM is the right choice for most developers working with modern Git hosting providers that enforce multi-factor authentication.
Best For
- •Developers with 2FA-enabled Git accounts
- •Teams standardizing on HTTPS workflows
- •Enterprise environments with SSO requirements
What is Git Credential Manager?
Git Credential Manager (GCM) is a cross-platform credential helper maintained by GitHub (Microsoft) that provides secure authentication for Git repositories over HTTPS. Unlike the basic credential helpers that ship with Git, GCM offers sophisticated multi-factor authentication support, OAuth integration, and native keychain storage that makes working with modern Git hosting providers smooth and secure. For Mac developers who prefer HTTPS over SSH for their Git operations, GCM eliminates the friction of manually managing Personal Access Tokens (PATs) by handling the entire authentication flow through a browser-based OAuth handshake. Once authenticated, your credentials are securely stored in the macOS Keychain, encrypted at rest, and automatically refreshed when tokens expire. GCM supports all major Git hosting platforms including GitHub (and GitHub Enterprise), GitLab, Bitbucket, and Azure DevOps, detecting the provider automatically based on the remote URL. This intelligent provider detection means you can work with multiple Git services simultaneously without configuration conflicts. The tool has evolved from separate platform-specific implementations into a unified .NET-based codebase that ensures consistent behavior whether you are on macOS, Windows, or Linux. For teams that enforce two-factor authentication or Single Sign-On (SSO) policies, GCM is essentially mandatory for HTTPS workflows because it handles the complex OAuth device flow that traditional credential storage cannot. It integrates natively with your terminal, typically redirecting to your default browser for the initial authentication handshake, then operating silently in the background for subsequent operations. The project is open-source, hosted at github.com/git-ecosystem/git-credential-manager, and receives regular updates to support new authentication methods and provider features.
Install with Homebrew
brew install --cask git-credential-managerDeep Dive: Secure Git Authentication for the Modern Developer
Understanding how Git Credential Manager solves the authentication challenges of modern Git workflows.
History & Background
Git Credential Manager evolved from multiple platform-specific tools: Git Credential Manager for Windows, and Git Credential Manager for Mac and Linux. In 2020, these were unified into a single cross-platform tool built on .NET Core, now simply called Git Credential Manager. This consolidation brought consistent behavior and features across all operating systems, simplifying maintenance and ensuring feature parity. The project moved to the git-ecosystem organization on GitHub, signaling its role as essential Git infrastructure rather than a platform-specific add-on.
How It Works
GCM operates as a Git credential helper, meaning Git invokes it automatically when credentials are needed. When you perform a Git operation requiring authentication, Git calls GCM with the protocol and host information. GCM checks its credential store (macOS Keychain) for existing valid credentials. If none exist or they've expired, GCM initiates an OAuth flow by opening your browser. After successful authentication, GCM receives an OAuth token, stores it securely, and returns it to Git. The .NET runtime bundled with GCM handles the OAuth protocol complexities, including PKCE for security.
Ecosystem & Integrations
GCM integrates with the broader Git authentication ecosystem. It works alongside tools like GitHub CLI (gh), which can share credentials through GCM. For VS Code users, GCM provides the authentication that powers built-in Git operations. CI/CD systems typically use different authentication methods (deploy keys, PATs in environment variables), but GCM remains the standard for interactive developer workstations. The tool also supports credential namespaces, allowing different credential stores for different Git hosts or even different accounts on the same host.
Future Development
Recent updates have focused on improving the authentication experience for GitHub Enterprise and Azure DevOps users with complex SSO configurations. The team continues to add support for new authentication methods as Git hosting providers evolve their security requirements. Windows Hello and biometric authentication integration has been enhanced, and similar macOS Touch ID integration is being explored. The project maintains backward compatibility while adding new features, ensuring existing workflows aren't disrupted by updates.
Key Features
Native macOS Keychain Integration
GCM stores your Git credentials directly in the macOS Keychain, using Apple's secure credential storage infrastructure. Your tokens are encrypted at rest using your system's security mechanisms, and you can inspect or remove them using Keychain Access if needed. This integration means credentials persist across terminal sessions and system reboots without requiring re-authentication.
Multi-Factor Authentication Support
Unlike basic credential helpers that choke on 2FA-protected accounts, GCM handles MFA natively through OAuth device flow. When you push to a 2FA-enabled repository, GCM opens your browser for authentication, where you complete any required MFA challenges. The resulting OAuth token is stored securely, eliminating the need to manually generate and paste Personal Access Tokens.
Automatic Token Refresh
OAuth tokens have expiration dates, and manually refreshing them is tedious. GCM monitors token expiry and automatically refreshes credentials before they expire, ensuring your Git operations never fail due to stale authentication. This happens transparently in the background without interrupting your workflow.
Multi-Provider Detection
GCM intelligently detects which Git hosting service you are connecting to based on the remote URL. Whether you are pushing to GitHub, pulling from GitLab, or cloning from Azure DevOps, GCM serves the correct authentication flow automatically. This means you can work with multiple providers in the same terminal session without configuration changes.
Cross-Platform Consistency
Built on .NET, GCM provides identical behavior across macOS, Windows, and Linux. Teams sharing dotfiles, scripts, or CI/CD configurations benefit from this consistency since the same credential helper configuration works everywhere. Developers who switch between operating systems experience no authentication friction.
Enterprise SSO Support
For organizations using SAML or OIDC-based Single Sign-On with GitHub Enterprise or Azure DevOps, GCM integrates with these enterprise identity providers. It can handle SSO challenges during the browser authentication flow, making it suitable for corporate environments with strict identity governance requirements.
Who Should Use Git Credential Manager?
1The Security-Conscious Developer
A developer working at a company that mandates 2FA on all GitHub accounts needs to push code multiple times daily. Without GCM, they would need to generate a Personal Access Token, store it somewhere (risking exposure), and paste it every time Git prompts for credentials. With GCM, they authenticate once via browser, complete the 2FA challenge, and never think about authentication again. Their OAuth token is securely stored in the Keychain and refreshed automatically.
2The Multi-Platform Contractor
A freelance developer works with multiple clients, each using different Git hosting services: one on GitHub, another on GitLab, and a third on Azure DevOps. Rather than juggling different SSH keys or remembering which PAT goes where, they install GCM once. When they clone or push to any repository, GCM detects the provider and handles authentication appropriately, streamlining context-switching between projects.
3The Enterprise Team Lead
An engineering manager is onboarding new developers to a company that uses GitHub Enterprise with SAML SSO. New hires struggle with the authentication setup, causing delays. By standardizing on GCM across all developer machines, the manager simplifies onboarding: new developers run the Homebrew install command, and their first Git operation triggers the SSO browser flow. No manual token generation, no documentation confusion, just smooth access control.
Install Git Credential Manager on Mac
Installing Git Credential Manager on macOS is straightforward using Homebrew. The tool integrates with your existing Git installation and requires minimal configuration to start working.
Install Homebrew (if not present)
Open Terminal and run: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` to install the Homebrew package manager.
Install Git Credential Manager
Run the Homebrew Cask command to install GCM: `brew install --cask git-credential-manager`. This downloads the latest stable release and places it in your system.
Configure Git to Use GCM
Tell Git to use GCM as your credential helper: `git config --global credential.helper manager`. This sets GCM as the default for all repositories.
Verify Installation
Run `git credential-manager --version` to confirm the installation succeeded. You should see the version number printed to your terminal.
Pro Tips
- • Your first git push or pull to a remote will trigger the browser authentication flow - this is expected behavior.
- • Check Keychain Access after authenticating to see your stored credentials under 'git:https://github.com' or similar entries.
Configuration Tips
Set Default Browser for Auth
If GCM opens the wrong browser for authentication, you can specify your preferred browser. Run `git config --global credential.browser /Applications/Firefox.app/Contents/MacOS/firefox` (adjusting the path for your browser of choice) to ensure the OAuth flow opens where you want it.
Enable Credential Caching
For temporary credentials (like in CI environments), configure GCM's cache timeout: `git config --global credential.cacheOptions "--timeout 7200"` caches credentials for two hours. This reduces authentication prompts during intensive development sessions.
Configure for Multiple GitHub Accounts
If you use separate GitHub accounts for work and personal projects, configure GCM to prompt for account selection: `git config --global credential.github.com.useHttpPath true`. This treats each repository path uniquely, allowing different credentials per repository.
Alternatives to Git Credential Manager
While Git Credential Manager excels at HTTPS authentication with MFA support, several alternatives exist depending on your security preferences and workflow requirements.
git-credential-osxkeychain
SSH Keys
GitHub CLI (gh)
Pricing
Git Credential Manager is completely free and open-source, licensed under the MIT License. There are no paid tiers, subscriptions, or enterprise versions. The project is maintained by GitHub (Microsoft) and the open-source community. All features, including enterprise SSO support and multi-provider authentication, are available to everyone at no cost. The source code is publicly available at github.com/git-ecosystem/git-credential-manager.
Pros
- ✓Smoothly handles 2FA and OAuth authentication flows that break basic credential helpers.
- ✓Stores credentials securely in the native macOS Keychain with encryption at rest.
- ✓Supports all major Git providers (GitHub, GitLab, Bitbucket, Azure DevOps) out of the box.
- ✓Automatically refreshes expired tokens without user intervention.
- ✓Cross-platform consistency makes team standardization straightforward.
Cons
- ✗Requires .NET runtime bundled with the app, adding installation size compared to native helpers.
- ✗Browser-based authentication flow may be inconvenient in headless or SSH-only environments.
- ✗Some users prefer SSH keys for their explicit key management and audit trail capabilities.
Community & Support
Git Credential Manager is maintained as part of the git-ecosystem organization on GitHub, with active involvement from GitHub/Microsoft employees and community contributors. The project's GitHub repository serves as the primary hub for bug reports, feature requests, and discussions. Documentation is comprehensive and includes troubleshooting guides for common issues. Because GCM is the recommended credential helper for GitHub and Azure DevOps, it receives regular updates and security patches. Stack Overflow has an active tag for GCM-related questions, and most Git-focused communities are familiar with the tool. The project averages over 500 GitHub stars and sees consistent contribution activity, with releases shipping roughly every 4-6 weeks to address compatibility issues and add support for new authentication scenarios across evolving provider platforms.
Frequently Asked Questions about Git Credential Manager
Our Verdict
Git Credential Manager is the definitive solution for macOS developers who use HTTPS for Git operations and have 2FA enabled on their accounts. It transforms the authentication experience from a constant friction point into a set-and-forget background process. The smooth OAuth flow, automatic token refresh, and native Keychain integration make it far superior to managing PATs manually. While SSH keys remain a valid alternative for those who prefer explicit key management, GCM is the right choice for most developers working with modern Git hosting providers that enforce multi-factor authentication.
About the Author
Expert Tips for Git Credential Manager
For corporate environments with SAML SSO, test GCM with your identity provider during onboarding setup rather than waiting for developers to encounter auth failures.
If you use GitHub Actions or other CI systems, GCM's interactive browser flow won't work - use PATs or GITHUB_TOKEN environment variables instead for automation contexts.
When switching between multiple Git hosting providers throughout the day, GCM's automatic provider detection eliminates the mental overhead of remembering which authentication method each service requires. This is especially valuable for consultants and contractors who routinely work across GitHub, GitLab, and Azure DevOps repositories within the same session.
Related Technologies & Concepts
Related Topics
Git Authentication & Security
Tools and practices for securely authenticating with Git repositories and managing credentials.
Developer Security Tools
Software focused on protecting developer workflows, credentials, and sensitive data.
Sources & References
Fact-CheckedLast verified: Jan 24, 2026
Key Verified Facts
- GCM stores credentials in the native macOS Keychain for secure, encrypted storage.[gcm-docs]
- GCM supports GitHub, GitLab, Bitbucket, and Azure DevOps out of the box.[gcm-repo]
- 1Git Credential Manager GitHub Repository
Accessed Jan 24, 2026
- 2Git Credential Manager Documentation
Accessed Jan 24, 2026
- 3GitHub Authentication Documentation
Accessed Jan 24, 2026
Research queries: Git Credential Manager Mac 2026 installation OAuth 2FA Keychain