Claude Code is a pow­er­ful command-​line tool for agen­tic soft­ware devel­op­ment. However, if you try to use it over an SSH secure shell ses­sion on macOS, you may see a con­fus­ing mix of ​“Login suc­cess­ful” and ​“Missing API key” mes­sages. The root cause: Claude Code’s OAuth token lives in the macOS Keychain, which SSH ses­sions can’t access by default.

Here’s a quick fix that took about 10 min­utes to build — with Claude Code’s help. (Meta, but effective.)

The Fix

Add this to your ~/.zshrc:

# Wrapper function to unlock keychain before running claude
claude() {
  if [ -n "$SSH_CONNECTION" ] && [ -z "$KEYCHAIN_UNLOCKED" ]
  then
    security unlock-keychain ~/Library/Keychains/login.keychain-db
    export KEYCHAIN_UNLOCKED=true
  fi
  command claude "$@"
}

Reload your shell (source ~/.zshrc), then run claude over SSH. It will prompt for your key­chain pass­word once per ses­sion, then work normally.

How It Works

1. Detects SSH ses­sions via $SSH_CONNECTION
2. Unlock the key­chain once per ses­sion, using $KEYCHAIN_UNLOCKED to guard against mul­ti­ple attempts
3. Delegate to the real claude com­mand with all argu­ments passed

The key­chain stays unlocked for the dura­tion of your SSH ses­sion, so you only enter the pass­word once.

Security note: This does­n’t bypass macOS Keychain secu­ri­ty. It just prompts you once per SSH ses­sion, the same as if you’d unlocked it locally.

With this wrap­per in place, I can get Claude Code to behave over SSH exact­ly as it does local­ly. There are no sur­pris­es and no API keys, and my Claude Pro login works as expected.

The broader lesson

Command line tools that rely on the macOS Keychain often break over SSH. Wrapping those tools with the security unlock-keychain com­mand gen­er­al­ly fix­es those issues.