diff --git a/internal/config/auth_config_test.go b/internal/config/auth_config_test.go
new file mode 100644
index 000000000..92a3cc89d
--- /dev/null
+++ b/internal/config/auth_config_test.go
@@ -0,0 +1,91 @@
+package config
+
+import (
+	"testing"
+
+	ghConfig "github.com/cli/go-gh/v2/pkg/config"
+	"github.com/stretchr/testify/require"
+	"github.com/zalando/go-keyring"
+)
+
+func newTestAuthConfig() *AuthConfig {
+	return &AuthConfig{
+		cfg: ghConfig.ReadFromString(""),
+	}
+}
+
+func TestTokenFromKeyring(t *testing.T) {
+	// Given a keyring that contains a token for a host
+	keyring.MockInit()
+	keyring.Set(keyringServiceName("github.com"), "", "test-token")
+
+	// When we get the token from the auth config
+	authCfg := newTestAuthConfig()
+	token, err := authCfg.TokenFromKeyring("github.com")
+
+	// Then it returns successfully with the correct token
+	require.NoError(t, err)
+	require.Equal(t, "test-token", token)
+}
+
+func TestTokenFromKeyringNonExistent(t *testing.T) {
+	// Given a keyring that doesn't contain any tokens
+	keyring.MockInit()
+
+	// When we try to get a token from the auth config
+	authCfg := newTestAuthConfig()
+	_, err := authCfg.TokenFromKeyring("github.com")
+
+	// Then it returns failure bubbling the ErrNotFound
+	require.ErrorIs(t, err, keyring.ErrNotFound)
+}
+
+func TestNoUserInAuthConfig(t *testing.T) {
+	// Given a host configuration without a user
+	authCfg := newTestAuthConfig()
+
+	// When we get the user
+	_, err := authCfg.User("github.com")
+
+	// Then it returns failure, bubbling the KeyNotFoundError
+	var keyNotFoundError *ghConfig.KeyNotFoundError
+	require.ErrorAs(t, err, &keyNotFoundError)
+}
+
+func TestUserInAuthConfig(t *testing.T) {
+	// Given an a host configuration with a user
+	authCfg := newTestAuthConfig()
+	authCfg.cfg.Set([]string{hosts, "github.com", "user"}, "test-user")
+
+	// When we get the user
+	user, err := authCfg.User("github.com")
+
+	// Then it returns success with the correct user
+	require.NoError(t, err)
+	require.Equal(t, "test-user", user)
+}
+
+func TestNoGitProtocolInAuthConfig(t *testing.T) {
+	// Given a host configuration without a git protocol
+	authCfg := newTestAuthConfig()
+
+	// When we get the git protocol
+	gitProtocol, err := authCfg.GitProtocol("github.com")
+
+	// Then it returns success, using the default
+	require.NoError(t, err)
+	require.Equal(t, "https", gitProtocol)
+}
+
+func TestGitProtocolInAuthConfig(t *testing.T) {
+	// Given an a host configuration with a git protocol
+	authCfg := newTestAuthConfig()
+	authCfg.cfg.Set([]string{hosts, "github.com", "git_protocol"}, "ssh")
+
+	// When we get the git protocol
+	gitProtocol, err := authCfg.GitProtocol("github.com")
+
+	// Then it returns success with the correct git protocol
+	require.NoError(t, err)
+	require.Equal(t, "ssh", gitProtocol)
+}
diff --git a/internal/config/config.go b/internal/config/config.go
index 335f70264..1dafa7bbb 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -178,6 +178,7 @@ func (c *AuthConfig) User(hostname string) (string, error) {
 
 // GitProtocol will retrieve the git protocol for the logged in user at the given hostname.
 // If none is set it will return the default value.
+// TODO: although this returns an error, it actually has no path to error.
 func (c *AuthConfig) GitProtocol(hostname string) (string, error) {
 	key := "git_protocol"
 	val, err := c.cfg.Get([]string{hosts, hostname, key})