Signing & notarization

Since v5.0, every release DMG is signed with a Developer ID Application certificate, notarized by Apple, and stapled with the notarization ticket. Zero Gatekeeper friction.

First launch

On any Mac, the DMG opens directly. No "Open Anyway" message to confirm in System Settings, no xattr -cr workaround to know about.

The widget extension is also notarized and hardened, so it registers cleanly in WidgetKit without being flagged as malware.

Hardened runtime

Every binary in the bundle is signed with hardened runtime enabled:

The main app
The widget extension
The AppleScript installer applet (for the Keychain helper)

It's the Apple standard for apps distributed outside the Mac App Store, and it's what makes the app eligible for notarization.

No more LaunchAgent helper

The main app reads the OAuth token directly from the macOS keychain via /usr/bin/security, with a one-click approval once. You no longer need to install a dedicated LaunchAgent helper for the token (unless you're on Claude Code 2.1+ where the Keychain helper is required, see Keychain helper).

Migration from v4.x

Fully automatic:

The legacy LaunchAgent is unloaded at startup
Its plist is cleanly removed
Your settings (pinned metrics, theme, popover layout, onboarding flag) carry over

If you're installing TokenEater for the first time on this machine, nothing to know. If you're migrating from v4.x to v5.0+, the app detects the old helper and removes it on first launch.