Claude Code Security Cleanup: Oh-My-ClaudeCode Update & GitHub Token Rotation
Date: February 10, 2026
Background
Running the OMC Doctor Report in Claude Code revealed two issues:
- Outdated Plugin — Oh-My-ClaudeCode v3.7.0 installed, v4.1.9 available
- Exposed GitHub PAT — A Personal Access Token was stored in plain text in ~/.claude/settings.json
Step 1: Update Oh-My-ClaudeCode Plugin
Clear the plugin cache so Claude Code fetches the latest version on next restart:
rm -rf "$HOME/.claude/plugins/cache/omc/oh-my-claudecode"
Note: After clearing the cache, all hooks will error until you restart Claude Code, because the old version's scripts no longer exist on disk.
Step 2: Fix settings.json — Remove Hardcoded PAT
The settings.json file at ~/.claude/settings.json contained the GitHub PAT in plain text in the mcpServers.github.env section. Replace the hardcoded token with an environment variable reference:
Before:
"env": {
  "GITHUB_PERSONAL_ACCESS_TOKEN": "github_pat_11AKC..."
}
After:
"env": {
  "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PERSONAL_ACCESS_TOKEN}"
}
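A check for the Step 2 change, as an added example that is not part of the original post or of Claude Code: it parses settings.json and reports any mcpServers entry whose env block still holds a literal secret instead of a ${VAR} reference. It goes beyond the single github entry by covering every server and a heuristic for secret-like variable names; the function name, the name heuristic and the two sample strings are assumptions constructed for the example.

```python
import json
import re
import sys
from pathlib import Path

# GitHub token prefixes: classic PAT (ghp_), fine-grained PAT (github_pat_),
# OAuth and app tokens (gho_, ghu_, ghs_, ghr_).
TOKEN_RE = re.compile(r"^(?:gh[pousr]_|github_pat_)[A-Za-z0-9_]+$")
# A value that is exactly one ${VAR} reference, as in the "After" snippet.
ENV_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Assumed heuristic for variable names that normally carry a secret.
SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.IGNORECASE)


def find_hardcoded_secrets(settings_text):
    """Return (server, variable, reason) for each literal secret under mcpServers.*.env."""
    servers = json.loads(settings_text).get("mcpServers", {})
    findings = []
    for server, cfg in servers.items():
        env = cfg.get("env", {}) if isinstance(cfg, dict) else {}
        for name, value in env.items():
            if not isinstance(value, str) or ENV_REF_RE.match(value):
                continue  # a ${VAR} reference holds no secret material
            if TOKEN_RE.match(value):
                findings.append((server, name, "GitHub token literal"))
            elif value and SECRET_NAME_RE.search(name):
                findings.append((server, name, "literal value in secret-named variable"))
    return findings


# Constructed sample inputs (the token is a placeholder, not a real credential).
BEFORE = '{"mcpServers": {"github": {"env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "github_pat_CONSTRUCTED_PLACEHOLDER"}}}}'
AFTER = '{"mcpServers": {"github": {"env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PERSONAL_ACCESS_TOKEN}"}}}}'

if __name__ == "__main__":
    # Default path is the one used in this post; pass another as argv[1].
    # If the file is absent, the constructed BEFORE sample is scanned instead.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / ".claude" / "settings.json"
    text = path.read_text(encoding="utf-8") if path.exists() else BEFORE
    results = find_hardcoded_secrets(text)
    for server, name, reason in results:
        # Report the location only; never echo the secret value itself.
        print(f"mcpServers.{server}.env.{name}: {reason}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds a literal secret, so it can also run as a pre-commit or scheduled check on the settings file.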
Step 3: Generate a New SSH Key
Since the old SSH key (CTech) was deleted during cleanup, a new one was generated:
ssh-keygen -t ed25519 -C "luc.wens@ctechmetrology.com"
Then copy the public key to add to GitHub:
cat ~/.ssh/id_ed25519.pub
Step 4: Add SSH Key to GitHub
- Go to GitHub → Settings → SSH and GPG keys
- Click New SSH key
- Title: Claude
- Key type: Authentication Key
- Paste the contents of id_ed25519.pub (starts with ssh-ed25519 AAAA...)
- Click Add SSH key
Important: Paste the .pub file contents, not the private key or a fingerprint. GitHub expects OpenSSH public key format.
Step 5: Rotate the Personal Access Token (PAT)
Go to GitHub → Settings → Developer settings → Personal access tokens → Tokens (classic)
- Direct link: https://github.com/settings/tokens
- Delete the old compromised token (github_pat_11AKC...)
- Click Generate new token (classic)
- Name: Claude MCP
- Select scope: repo (full control of private repositories)
- Click Generate token
- Copy the token immediately — GitHub only shows it once
Step 6: Set the PAT as an Environment Variable
In PowerShell, set the new token as a persistent environment variable:
setx GITHUB_PERSONAL_ACCESS_TOKEN "ghp_your_new_token_here"
Step 7: Restart Claude Code
Close Claude Code completely and reopen it. On restart it will:
- Download Oh-My-ClaudeCode v4.1.9
- Pick up the new GITHUB_PERSONAL_ACCESS_TOKEN environment variable
- Run all hooks again without errors
Common Pitfalls
- SSH key vs PAT: These are two different authentication methods. SSH keys are under Settings → SSH and GPG keys. PATs are under Settings → Developer settings → Personal access tokens.
- GitHub Apps page: Don't confuse Developer settings → GitHub Apps with Personal access tokens. You don't need a GitHub App for this.
- Public vs Private key: GitHub needs the .pub file contents, not the private key or the SHA256 fingerprint.
- Token visibility: Classic PATs start with ghp_. The full token is shown only once, at generation time.
- Environment variable: After setx, you must close and reopen all terminals for the variable to take effect.
Result
After completing all steps:
- Oh-My-ClaudeCode updated to v4.1.9
- GitHub PAT no longer exposed in plain text
- New SSH authentication key registered
- Old compromised token deleted and rotated