Credentials Stay Local
Your Google credentials are stored on your device and never pass through Querylab.io servers.
How It Works
The desktop app uses macOS Keychain to store all sensitive tokens. This is the same system macOS uses for passwords, certificates, and other secrets.
| Token | Storage | Encryption |
|---|---|---|
| Google refresh token | macOS Keychain | Hardware-backed |
| App refresh token | macOS Keychain | Hardware-backed |
| Google access token | In-memory only | Never written to disk |
| App session token | localStorage | Standard browser storage |
Desktop vs Web Credential Storage
| | Desktop | Web |
|---|---|---|
| Storage | macOS Keychain (encrypted, hardware-backed) | Browser localStorage (unencrypted) |
| Persistence | Survives browser cache clears | Lost on cache clear |
| Access | Only the Querylab.io process can read | Any script on the domain |
| Visibility | Viewable in Keychain Access app | Viewable in DevTools |
OAuth Flow
The desktop app uses the RFC 8252 loopback redirect flow — the most secure OAuth method for native apps:
- Querylab.io starts a local server on a random port
- Your browser opens Google's consent page
- Google redirects to http://127.0.0.1:{PORT}/callback — traffic never leaves your machine
- Tokens are exchanged directly between the app and Google
- Only an identity token is sent to Querylab.io's backend to verify your account
Your Google refresh token never touches Querylab.io servers.
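The listener side of the flow above, as an added Python example (not Querylab.io's own code): it binds 127.0.0.1 on an OS-assigned port and accepts only a /callback request carrying the expected state value. The state check, the PKCE pair, the default scope and the function names are assumptions; the page does not describe them.

```python
import base64, hashlib, hmac, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's OAuth 2.0 authorization endpoint (the consent page).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636 (assumed here)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def start_listener(expected_state):
    """Serve on 127.0.0.1 with a random port; record the first valid code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            url = urlsplit(self.path)
            q = parse_qs(url.query)
            state = q.get("state", [""])[0].encode()
            # Only our callback path, with a code and our own state, is accepted.
            ok = (url.path == "/callback" and "code" in q
                  and hmac.compare_digest(state, expected_state.encode()))
            if ok and "code" not in result:
                result["code"] = q["code"][0]
            self.send_response(200 if ok else 400)
            self.end_headers()
            self.wfile.write(b"You can close this tab." if ok else b"Rejected.")

        def log_message(self, *args):
            pass  # do not write authorization codes to stderr logs

    # Port 0 = OS picks a free port; 127.0.0.1 (not 0.0.0.0) stays off the network.
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], result

def authorization_url(client_id, port, state, challenge, scope="openid email"):
    """Build the consent-page URL; client_id and scope are caller-supplied."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": f"http://127.0.0.1:{port}/callback",
              "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)
```

The code recorded in the result dictionary would then be exchanged with Google together with the PKCE verifier, which never left the app.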
Managing Credentials
View stored credentials: Open macOS Keychain Access and search for "querylab"
Reset all credentials: Help > Reset Auth State (Cmd+Shift+R)
Debug auth issues: Help > Debug Auth State — shows which tokens are present without revealing values
Related
- Authentication — sign-in methods
- Desktop App overview — installation and setup