Rule Swift

Keychain for Secrets

Store sensitive data in Keychain, never in UserDefaults or plain files

swift security keychain macos ios
CLAUDE.md

Store API keys, tokens, passwords, and other secrets in the macOS/iOS Keychain. Never use UserDefaults, property lists, or plain text files for sensitive data.

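import Foundation
import Security

let apiKey = "example-secret"  // placeholder value for illustration

// Good — Keychain via Security.framework
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.myapp.api-keys",
    kSecAttrAccount as String: "ANTHROPIC_API_KEY",
    kSecValueData as String: Data(apiKey.utf8)  // no force unwrap needed
]
// Check the result: SecItemAdd returns errSecDuplicateItem if the item already exists
let status = SecItemAdd(query as CFDictionary, nil)
if status != errSecSuccess { print("Keychain write failed: \(status)") }

// Bad — UserDefaults (visible in ~/Library/Preferences)
UserDefaults.standard.set(apiKey, forKey: "apiKey")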
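The rule above carried through a full store, read and migrate cycle, as an added example that is not part of the original rule. `KeychainStore` and its `save`, `read` and `migrate` functions are hypothetical names; the service, account and UserDefaults key are the ones from the snippet above.

```swift
import Foundation
import Security

// Hypothetical helper (not from the page): upsert, read and migration for one secret.
enum KeychainStore {
    static let service = "com.myapp.api-keys"  // service name from the page's snippet

    private static func baseQuery(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    // Add the item, or update it in place when it already exists.
    static func save(_ secret: String, account: String) -> OSStatus {
        var add = baseQuery(account)
        add[kSecValueData as String] = Data(secret.utf8)
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecDuplicateItem else { return status }
        let changes: [String: Any] = [kSecValueData as String: Data(secret.utf8)]
        return SecItemUpdate(baseQuery(account) as CFDictionary, changes as CFDictionary)
    }

    // Return the stored secret, or nil when it is missing or unreadable.
    static func read(account: String) -> String? {
        var query = baseQuery(account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    // One-time migration: move a secret out of UserDefaults, then erase the plaintext copy.
    static func migrate(defaultsKey: String, account: String,
                        defaults: UserDefaults = .standard) -> Bool {
        guard let legacy = defaults.string(forKey: defaultsKey) else { return false }
        guard save(legacy, account: account) == errSecSuccess,
              read(account: account) == legacy else { return false }
        defaults.removeObject(forKey: defaultsKey)  // delete only after a verified write
        return true
    }
}

let moved = KeychainStore.migrate(defaultsKey: "apiKey", account: "ANTHROPIC_API_KEY")
print(moved ? "secret migrated to Keychain" : "nothing to migrate, or Keychain write failed")
```

The plaintext copy is removed only after the Keychain value has been read back and compared, so a failed write never leaves the app without its secret.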

For apps distributed outside the App Store, ensure the Keychain access group and entitlements are configured correctly.

Copy this block into your CLAUDE.md or agent config file to enforce it in your workflow.
