Secure Git credential storage for Windows with support for Visual Studio Team Services, GitHub, and Bitbucket multi-factor authentication.

View the Project on GitHub microsoft/Git-Credential-Manager-for-Windows

Environment Variables

Git Credential Manager and Git Askpass work out of the box for most users. Environment variables are available to customize or tweak behavior as needed.

The Git Credential Manager for Windows [GCM] can be configured using environment variables. Environment variables take precedence over configuration settings.

For the complete list of environment variables the GCM understands, see the list below.

Configuration Setting Names


Defines the type of authentication to be used.

Supports Auto, Basic, AAD, MSA, GitHub, Bitbucket, Integrated, and NTLM.

Use AAD or MSA if the host is ‘’ Azure Domain or Live Account authentication, respectively.

Use GitHub if the host is ‘’.

Use BitBucket or Atlassian if the host is ‘’.

Use Integrated or NTLM if the host is a Team Foundation, or other NTLM authentication based, server.

Defaults to Auto.

See credential.authority.


Determines if the GCM should ignore Git local configuration values.

Supports true or false. Defaults to false.

No configuration equivalent.


Determines if the GCM should ignore Git system configuration values.

Supports true or false. Defaults to false.

No configuration equivalent.


Causes the proxy value to be considered when evaluating credential target information. A proxy setting should be established if use of a proxy is required to interact with Git remotes.

The value should be the URL of the proxy server.

Defaults to not using a proxy server.

See credential.httpProxy.


Sets the reported user-agent when GCM performs network operations.

Defaults to the GCM’s user-agent.

No configuration equivalent.


Specifies whether the user can be prompted for credentials.

Supports Auto, Always, or Never. Defaults to Auto.

See credential.interactive.


Forces authentication to use a modal dialog instead of asking for credentials at the command prompt.

Supports true or false. Defaults to true.

See credential.modalPrompt.


Sets the namespace for stored credentials.

By default the GCM uses the ‘git’ namespace for all stored credentials. Setting this configuration value allows for control of the namespace used globally, or per host.

See credential.namespace.


Prevents the deletion of credentials even when they are reported as invalid by Git. Can lead to lockout situations once credentials expire and until those credentials are manually removed.

Supports true or false. Defaults to false.

See credential.preserve.


Sets the maximum time, in milliseconds, for a network request to wait before timing out. This allows changing the default for slow connections.

Supports an integer value. Defaults to 90,000 milliseconds.

See credential.httpTimeout.


Sets a limit, in hours, on the validity of Personal Access Tokens requested from Azure DevOps.

If the value is greater than the maximum duration set for the account, the account value supersedes it. The value cannot be less than one hour (1).

Defaults to the account token duration. Honored when authority is set to AAD or MSA.

See credential.tokenDuration.


Enables trace logging of all activities. Configuring Git and the GCM to trace to the same location is often desirable, and the GCM is compatible and cooperative with GIT_TRACE.


SET GIT_TRACE=%UserProfile%\git.log
SET GCM_TRACE=%UserProfile%\git.log

If the value of GCM_TRACE is a full path to a file in an existing directory, logs are appended to the file.

If the value of GCM_TRACE is true, logs are written to standard error.

Defaults to tracing being disabled.

No configuration equivalent.


Causes validation of credentials before supplying them to Git. Invalid credentials get a refresh attempt before failing. Incurs minor network operation overhead.

Defaults to true. Ignored when authority is set to Basic.

See credential.validate.


Overrides GCM default scope request when generating a Personal Access Token from Azure DevOps. The supported format is one or more scope values separated by whitespace, commas, semi-colons, or pipe characters (' ', ',', ';', '|').

Defaults to vso.code_write|vso.packaging. Honored when host is ‘’.

See credential.vstsScope.
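
The following added example (not part of the GCM project or its documentation) parses a scope value using the separators listed above and checks it, together with the credential.tokenDuration, credential.preserve and credential.validate settings described earlier, against a least-privilege policy. The allow-list, the 168-hour ceiling, the function names and the sample values are assumptions made for illustration.

```python
import re

# Separators the page lists for the scope value: whitespace, ',', ';', '|'.
SCOPE_SEPARATORS = re.compile(r"[\s,;|]+")

# Assumed policy values (not from the GCM documentation).
ALLOWED_SCOPES = {"vso.code", "vso.code_write", "vso.packaging"}
MAX_TOKEN_HOURS = 168


def parse_scopes(value):
    """Split a credential.vstsScope value into individual scope names."""
    return [s for s in SCOPE_SEPARATORS.split(value.strip()) if s]


def audit(settings):
    """Return a list of findings for a dict of credential.* settings."""
    findings = []
    scope = settings.get("credential.vstsScope")
    if scope is not None:
        extra = sorted(set(parse_scopes(scope)) - ALLOWED_SCOPES)
        if extra:
            findings.append("scope outside policy: " + ", ".join(extra))
    duration = settings.get("credential.tokenDuration")
    if duration is not None:
        try:
            hours = int(duration)
        except ValueError:
            hours = None
        if hours is None or hours < 1:
            findings.append("tokenDuration invalid: must be an integer >= 1")
        elif hours > MAX_TOKEN_HOURS:
            findings.append(f"tokenDuration {hours}h exceeds {MAX_TOKEN_HOURS}h")
    # Boolean values are compared case-insensitively here (assumption).
    if settings.get("credential.preserve", "false").lower() == "true":
        findings.append("preserve=true: invalid credentials are never deleted")
    if settings.get("credential.validate", "true").lower() == "false":
        findings.append("validate=false: credentials are not checked before use")
    return findings


# Constructed sample, shaped like `git config --get-regexp credential` output.
SAMPLE = {
    "credential.vstsScope": "vso.code_write; vso.packaging|vso.build_execute",
    "credential.tokenDuration": "720",
    "credential.preserve": "true",
}
```

Calling `audit(SAMPLE)` reports the out-of-policy scope, the over-long token duration and the preserve setting; an empty dict yields no findings because the documented defaults are assumed.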


Enables trace logging of all activities. Logs are written to the local .git/ folder at the root of the repository.

Note: This setting will not override the GCM_TRACE environment variable.

See credential.writeLog.