RCA-2026-03-27-002: Analysis

Root Cause

5 Whys Analysis

| Why # | Question and Answer |
|---|---|
| 1 | Why did Claude work with the vault unmounted? Because: Auth token was stored in local .credentials.json, not the symlinked credentials.json. |
| 2 | Why was the token in a different file? Because: Claude Code uses two credential files with different purposes. |
| 3 | Why wasn’t this known during initial setup? Because: File inspection only checked credentials.json (visible), not .credentials.json (hidden). |
| 4 | Why wasn’t the hidden file discovered? Because: ls without the -a flag doesn’t show dot-prefixed files. |
| 5 | Why does Claude use two credential files? Because: Separation of concerns: settings/metadata vs auth tokens (security pattern). |

Root Cause Statement

Claude Code separates credentials into two files:

  • credentials.json - Settings, account metadata, cached configs (44KB)

  • .credentials.json - OAuth access tokens (433 bytes)

Initial vault symlink targeted the wrong file. The auth token lives in the hidden dot-prefixed file.
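
A check that would have caught this during setup, as an added example (not part of the original RCA and not Claude Code's own tooling): it lists every credentials file in a config directory, dotfiles included, and reports whether each one is a vault-backed symlink or a plain local file. The function name, its two directory arguments and the fixture are assumptions made for illustration, and it assumes a `readlink` that supports `-f`, as GNU coreutils does.

```shell
#!/bin/sh
# audit_creds CONFIG_DIR VAULT_ROOT   (hypothetical helper, not a real CLI)
# Prints "<status> <name>" for each file whose name contains "credentials":
#   vault      symlink resolving inside VAULT_ROOT
#   dangling   symlink whose target is missing (e.g. vault unmounted)
#   elsewhere  symlink resolving outside VAULT_ROOT
#   local      regular file on local disk; still readable with the vault unmounted
audit_creds() {
    dir=$1
    vault=$(readlink -f "$2")
    # "$dir"/* skips dotfiles just as plain ls does, so glob them explicitly.
    for f in "$dir"/* "$dir"/.[!.]*; do
        name=${f##*/}
        case $name in *credentials*) ;; *) continue ;; esac
        if [ -L "$f" ]; then
            if [ ! -e "$f" ]; then
                status=dangling
            else
                case $(readlink -f "$f") in
                    "$vault"/*) status=vault ;;
                    *)          status=elsewhere ;;
                esac
            fi
        elif [ -f "$f" ]; then
            status=local
        else
            continue
        fi
        printf '%s %s\n' "$status" "$name"
    done
}

# Constructed fixture reproducing the setup in this RCA: only the visible file
# is symlinked into the vault; the hidden token file is left on local disk.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/vault" "$tmp/config"
    echo '{}' > "$tmp/vault/credentials.json"
    ln -s "$tmp/vault/credentials.json" "$tmp/config/credentials.json"
    echo '{}' > "$tmp/config/.credentials.json"
    audit_creds "$tmp/config" "$tmp/vault"
    rm -rf "$tmp"
}

demo
```

Any line reporting `local` is a credential file that keeps working after the vault is unmounted, which is the condition this RCA describes.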

Claude Code Credential Architecture

| File | Purpose | Contents |
|---|---|---|
| credentials.json | Settings & metadata | autoUpdates, oauthAccount (metadata only), projects, userID, cached configs |
| .credentials.json | OAuth authentication | Access token for Claude Max/Pro subscription |

Key Discovery

The oauthAccount object in credentials.json contains:

accountUuid, displayName, emailAddress, organizationName, organizationRole...

But NOT the actual OAuth token. The token is stored separately in .credentials.json.