Ask mode cannot use valid gh auth, but Agent mode can

Lukasz_Lenart · April 8, 2026, 9:26am

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

On macOS, gh works in Agent mode but fails in Ask mode in the same repo/session.

In Ask mode:

gh auth status says the keyring token is invalid
gh pr view <public PR URL> fails with Post "https://api.github.com/graphql": Forbidden

In Agent mode:

gh auth status succeeds
gh pr view succeeds
gh api graphql -f query='{ viewer { login } }' succeeds

This suggests Ask mode shell runs in a restricted context that cannot access the same keychain-backed gh credentials as Agent mode.

Steps to Reproduce

Use gh cli in Ask mode and then in Agent mode

Expected Behavior

Ask mode should either support the same local gh auth context for read-only commands, or clearly report that gh auth is unavailable in Ask mode due to sandboxing.

Operating System

MacOS

Version Information

Version: 3.0.13 (Universal)
VSCode Version: 1.105.1
Commit: 48a15759f53cd5fc9b5c20936ad7d79847d914b0
Date: 2026-04-07T03:05:17.114Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.4.0

Does this stop you from using Cursor

No - Cursor works, but with this issue

Colin · April 8, 2026, 12:11pm

Hey there!

The “token in keyring is invalid” error is a red herring. gh reports that when the outbound API request is blocked, not because there’s actually a problem with your keychain credentials.

Ask mode runs all shell commands inside a sandbox with restricted network access. By default, api.github.com is not on the network allowlist, so gh requests get blocked.

To fix this:

Add a .cursor/sandbox.json to your project root with api.github.com in the network allowlist:

{
  "networkPolicy": {
    "default": "deny",
    "allow": [
      "api.github.com"
    ]
  }
}

See the sandbox documentation for the full config reference.

Check your auto-run network settings in Cursor Settings > Agents > Auto Run > Auto-Run Network Access. Make sure it’s set to “sandbox.json” or “sandbox.json + Defaults”. You can also set this to “Allow All”.

This works the same way in Agent mode when sandbox is enabled, and it’s not specific to Ask mode. Ask mode just always enforces the sandbox.

Lukasz_Lenart · April 9, 2026, 7:13am

Thanks, that solved the problem! I will spread the info

Topic		Replies	Views
Agent cannot run git push or other authenticated commands — no access to user credentials Bug Reports terminal , security , github	4	204	March 3, 2026
Git: Push fails with "could not read Username for 'https://github.com': Device not configured" — credential helper not used when Source Control runs git Bug Reports macos	3	87	March 17, 2026
beforeShellExecution returns permission: "ask" but sandboxed Agent shell still runs the command (sandbox: true) Bug Reports sandbox , terminal , auto-run , hooks	2	37	March 23, 2026
Cloud Agent cannot read GitHub Issues — “GraphQL: Resource not accessible by integration (repository.issues)” Bug Reports cloud-agents , github	2	31	April 6, 2026
Cursor CLI just quits with exit code 1 and no output on macOS VM in CI Bug Reports ssh , cli , macos	4	136	March 12, 2026