diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b1e5530..afca45f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -68,6 +68,7 @@ Safety rules in this repo:
 Authentication rule:
 - prefer a personal access token for the `tubco` HTTPS remote
 - do not rely on a reusable account password long term
+- store the PAT through macOS keychain using the repo-local `credential.helper=osxkeychain` setting
 
 ## Current Delivery Model
 - GitHub Actions is used for CI
diff --git a/backend/workflows/templates/workflows/developer_handbook.html b/backend/workflows/templates/workflows/developer_handbook.html
index 9296073..9a2e383 100644
--- a/backend/workflows/templates/workflows/developer_handbook.html
+++ b/backend/workflows/templates/workflows/developer_handbook.html
@@ -698,6 +698,7 @@ docker compose restart worker</code></pre>
 ./scripts/git_remote_target.sh set-tubco-identity</code></pre>
       <p>Switch between the normal commit identity and the TUBCO customer identity when needed.</p>
       <p>For the TUBCO HTTPS remote, prefer a personal access token instead of a reusable account password.</p>
+      <p>This repo now uses <code>credential.helper=osxkeychain</code> locally, so the TUBCO PAT should be stored in the macOS keychain instead of being embedded in remote URLs.</p>
     </div>
     <div class="box">
       <h3>Direct server deployment</h3>