Historical Limitations
For the public crates registry at Crates.io, only commands that involve publishing crates, such as login, publish, and yank, perform and/or require authorization.
This poses a problem for a private crates registry, because under that model, it is possible to download the .crate artifacts (source code) for any crate hosted at the registry server, without any authorization, so long as the crate name and version are known or guessed.
Also, when performing cargo build, cargo check and other build commands that do not involve publishing crates, cargo does not (currently) include an "Authorization" header, so there is no way for a private crate registry server to determine whether the requester is authorized to perform the request.
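
The trade-off described above, seen from the registry server's side, as an added example (a model, not code from Cargo or from any registry project). The paths follow the crates.io-style web API; the token, the crate name `internal-lib`, and the `Policy` names are constructed for illustration.

```rust
// Added example: a model of the gap, not Cargo's or any registry's real code.
// Paths follow the crates.io-style web API; token and crate name are constructed.
const VALID_TOKEN: &str = "constructed-token-123";

#[derive(Debug, PartialEq)]
enum Endpoint { Publish, Yank, Download, Other }

#[derive(Debug, PartialEq)]
enum Decision { Allow, Unauthorized }

#[derive(Clone, Copy)]
enum Policy { CratesIoModel, AuthEverywhere }

struct Request { method: &'static str, path: &'static str, authorization: Option<&'static str> }

fn classify(method: &str, path: &str) -> Endpoint {
    let seg: Vec<&str> = path.trim_matches('/').split('/').collect();
    match (method, seg.as_slice()) {
        ("PUT", ["api", "v1", "crates", "new"]) => Endpoint::Publish,
        ("DELETE", ["api", "v1", "crates", _, _, "yank"]) => Endpoint::Yank,
        ("GET", ["api", "v1", "crates", _, _, "download"]) => Endpoint::Download,
        _ => Endpoint::Other,
    }
}

fn decide(policy: Policy, req: &Request) -> Decision {
    let needs_auth = match (policy, classify(req.method, req.path)) {
        (Policy::AuthEverywhere, _) => true,
        (Policy::CratesIoModel, Endpoint::Publish | Endpoint::Yank) => true,
        (Policy::CratesIoModel, _) => false,
    };
    if !needs_auth || req.authorization == Some(VALID_TOKEN) {
        Decision::Allow
    } else {
        Decision::Unauthorized
    }
}

// What a build command sends for a dependency under the limitation: no header.
fn build_download() -> Request {
    Request { method: "GET", path: "/api/v1/crates/internal-lib/1.2.3/download", authorization: None }
}

fn main() {
    let publish = Request { method: "PUT", path: "/api/v1/crates/new", authorization: Some(VALID_TOKEN) };
    println!("publish, crates.io model:  {:?}", decide(Policy::CratesIoModel, &publish));
    println!("download, crates.io model: {:?}", decide(Policy::CratesIoModel, &build_download()));
    println!("download, auth everywhere: {:?}", decide(Policy::AuthEverywhere, &build_download()));
}
```

Under `CratesIoModel` the header-less download is allowed for anyone who knows the name and version; under `AuthEverywhere` the same request is rejected, which is what a legitimate `cargo build` would also hit.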