Summary

RFC: #3139
Implementation: #10592
Documentation: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#registry-auth
Issue: A-registry-authentication Area: registry authentication and authorization (authn authz)

This feature adds the ability to authenticate additional endpoints to a registry, including downloading crates.

Unresolved Issues

• Do registries need a more fine-grained switch for which API commands require authentication?
• The RFC mentions adding --token to additional commands like install and search, but we are leaning away from allowing tokens from being passed in on the command-line due to the ease of leaking. Should the --token flag be added or no? --token won't be added for now.
• Consider changing the name and form of the X- header. See Cargo alternative registry auth rfcs#3139 (comment) and Cargo alternative registry auth rfcs#3139 (comment) Cargo now uses the www-authenticate header with the Cargo scheme and the login_url value, as in WWW-Authenticate: Cargo login_url="https://test-registry-login/me.
• Will there be any concerns with the interaction with RFC 3231 (asymmetric tokens)?
• Require a credential-provider to be defined in order to use authenticated registries

Stabilization tracked in #8933

Future Extensions

• Support authentication with git indexes. Preferably, cargo will transition to HTTP indexes which will make this not necessary.

About tracking issues

Tracking issues are used to record the overall progress of implementation.
They are also used as hubs connecting to other relevant issues, e.g., bugs or open design questions.
A tracking issue is however not meant for large scale discussion, questions, or bug reports about a feature.
Instead, open a dedicated issue for the specific matter and add the relevant feature gate label.