Credential storage
The desktop app stores OAuth tokens in the OS keychain: macOS Keychain or Windows Credential Manager. The app writes the items and reads them back on later launches; it never writes them to its own config files or to web storage. Access is governed by the OS: macOS limits a Keychain item to the application that created it unless you grant another app access, and Windows Credential Manager limits entries to your Windows user account, so protecting your OS login session protects the tokens.
What's stored where
| Token | Storage | Lifetime |
|---|---|---|
| Google refresh token | OS keychain | Long-lived |
| Querylab.io refresh JWT | OS keychain | 30 days |
| Querylab.io session JWT | localStorage | 1 hour |
| Google access token | In memory | 1 hour |
The short-lived (1-hour) session JWT is the only token kept in localStorage; when it expires, the app obtains a new one using the refresh JWT held in the keychain, so no long-lived secret ever lives in web storage.
OAuth flow
The desktop app uses the RFC 8252 loopback redirect flow:
- The app starts a local HTTP server bound to 127.0.0.1 on a random port
- Your browser opens Google's consent page
- Google redirects the browser to http://127.0.0.1:{PORT}/callback (loopback only, never a routable address)
- The app exchanges the authorization code for tokens directly with Google
- Querylab.io's backend receives only an identity token to verify your account
The Google refresh token is not sent to Querylab.io's backend.
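The loopback flow above, end to end, as an added illustration: this is not Querylab.io's code, the app's implementation language is not given on this page, and CLIENT_ID, the scope string and the Google endpoint constants are placeholders. It binds 127.0.0.1 on an OS-chosen port, sends the browser to the consent page with a one-time `state` value, accepts exactly one `/callback`, rejects any redirect whose `state` does not match (so a stray request to the port cannot inject a code), and builds the code-exchange request that goes straight to Google. PKCE (RFC 7636) is included because RFC 8252 recommends it for native apps; the page does not say whether the app uses it. A constructed stand-in plays the browser so the example runs offline.

```python
# Added example (not Querylab.io's code): RFC 8252 loopback redirect flow with
# state check and PKCE. CLIENT_ID and the endpoint constants are placeholders.
import base64
import hashlib
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_ID = "example-desktop-client"  # placeholder, not the real app's id
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def pkce_pair():
    """PKCE verifier and S256 challenge: a public client has no client secret."""
    verifier = secrets.token_urlsafe(48)  # 64 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


class LoopbackReceiver:
    """Binds 127.0.0.1 on an OS-chosen port and accepts exactly one /callback."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # ties the redirect to this attempt
        self.verifier, self.challenge = pkce_pair()
        self.result = None
        self._done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                url = urllib.parse.urlsplit(self.path)
                if url.path != "/callback":
                    self.send_error(404)
                    return
                q = urllib.parse.parse_qs(url.query)
                if q.get("state", [None])[0] != receiver.state:
                    self.send_error(400, "state mismatch")  # ignore; keep waiting
                    return
                if receiver.result is not None:
                    self.send_error(409, "callback already consumed")  # replay
                    return
                code = q.get("code", [None])[0]
                if not code:
                    receiver.result = {"error": q.get("error", ["missing_code"])[0]}
                    self.send_error(400, "authorization failed")
                else:
                    receiver.result = {"code": code}
                    self.send_response(200)
                    self.end_headers()
                    self.wfile.write(b"Signed in. You can close this tab.")
                receiver._done.set()

            def log_message(self, *args):  # keep the demo quiet
                pass

        # Port 0 lets the OS choose; binding 127.0.0.1 keeps it loopback-only.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def authorization_params(self):
        """Query for the consent page; redirect_uri carries the chosen port."""
        return {
            "client_id": CLIENT_ID,
            "response_type": "code",
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",  # placeholder scope
            "state": self.state,
            "code_challenge": self.challenge,
            "code_challenge_method": "S256",
        }

    def authorization_url(self):
        return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(self.authorization_params())

    def wait(self, timeout=120):
        """Block until the browser hits /callback (or timeout), then free the port."""
        finished = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.result if finished else {"error": "timeout"}

    def token_request(self, code):
        """Body for the code exchange, sent app-to-Google; redirect_uri must match."""
        return {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "code": code,
            "code_verifier": self.verifier,
            "redirect_uri": self.redirect_uri,
        }


def simulate_redirect(receiver, code, state):
    """Constructed stand-in for the browser following the redirect; returns HTTP status."""
    qs = urllib.parse.urlencode({"code": code, "state": state})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"{receiver.redirect_uri}?{qs}", timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    rx = LoopbackReceiver()
    print("open in browser:", rx.authorization_url())
    print("forged state ->", simulate_redirect(rx, "code-xyz", "wrong-state"))
    print("genuine      ->", simulate_redirect(rx, "code-xyz", rx.state))
    print("result:", rx.wait(timeout=5), "exchange:", rx.token_request("code-xyz"))
```

The real app would hand `authorization_url()` to the system browser and POST `token_request(code)` to TOKEN_ENDPOINT; the backend never sees the code or the refresh token in this arrangement. Note that `wait()` shuts the listener down after the first completed callback, so the port is open only for the duration of one sign-in.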
Manage credentials
- View — Keychain Access (macOS) or Credential Manager (Windows); search "querylab"
- Reset — Help > Reset Auth State (Cmd+Shift+R on macOS, Ctrl+Shift+R on Windows)
- Debug — Help > Debug Auth State (shows which tokens are present without revealing values)