Showing results for 
Search instead for 
Did you mean: 

curl and OAuth tokens on macOS

Adventurer II
3 3 834

When poking the Canvas API with curl I would often find myself copy and pasting lots of Authorization headers around to correctly authenticate against Canvas. This is error prone and also leaves your tokens accessible in your .bash_history file. To improve on this I wrote a small script for macOS that stores the tokens in Apple's keychain and then automatically adds the Authorization header to the curl request based on the URL in the command line. While this isn't perfect, it's much better and easier to use. The result is a script I call ccurl. 


Download a copy of ccurl, make it executable and set the CCURL_HOSTS environmental variable to a space separated list of hosts you wish to use ccurl against. 

$ curl -s -O chmod +x ccurl
$ echo 'export CCURL_HOSTS=""' >> ~/.bashrc‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

You may also wish to put ccurl somewhere on your PATH. Then to set a token for a host use (history -c flushes bash history so the token doesn't get save in plain sight):

$ security add-generic-password -a $USER -s -w 7~1K9WJ3xobQp5RX8DUbbSdigxn2WD8yMOfUlCHbH9FIPlyL7E9E5QWSWN4CCVfqAEHC
$ history -c‍‍‍‍‍‍


Then to use it just do a curl command but add the extra c, it passes all command line options through to curl so it should support all examples you see for the standard curl tool (jq is a tool to transform json, but here it just formats it to make it more readable):

$ ccurl -s | jq .
  "id": 4539009,
  "name": "Matthew Buckett",
  "created_at": "2015-05-31T19:49:29+01:00",
  "sortable_name": "Buckett, Matthew",
  "short_name": "Matthew Buckett",
  "avatar_url": "",
  "locale": null,
  "effective_locale": "en-GB",
  "permissions": {
    "can_update_name": true,
    "can_update_avatar": true

Links - How to create a token for your account.

Tags (3)

Nice contribution,  @matthew_buckett 

I barely know how to use my Mac, but I'm good on Linux and I imagine BASH is similar in both places. If someone wants to do this but doesn't want to clear their BASH history (I have some regular lengthy commands I use that I don't want to have to recreate), you could put the line to add the token to the security ring into a text file and then execute that file. 

vi add_token
# add the security line and save the file
. add_token
rm add_token‍‍‍‍

I personally wouldn't use vi and people should feel free to use their favorite editor instead.

Adventurer II

Thanks James, nice tip, the other way to not have it in your history file is to put a space as the first character in your command but this is easy to miss when copy/pasting command lines out of the web.

Learner II

This is nifty, James, thanks! 

FYI: if your main concern is your bash history, you can also leverage curl's -K option to load per-server configs portably. You'd lose the keychain, though.