Historical Limitations

For the public crates registry at Crates.io, only commands that involve publishing crates, such as login, publish, and yank perform and/or require authorization.

This poses a problem for a private crates registry, because under that model, it is possible to download the .crate artifacts (source code) for any crate hosted at the registry server, without any authorization, so long as the crate name and version are known or guessed.

Also, when performing cargo build, cargo check and other build commands that do not involve publishing crates, cargo does not (currently) include an "Authorization" header, so there is no way for a private crate registry server to determine whether the requester is authorized to perform the request.

Shipyard.rs: the Book - Private Cargo Registry Service

Historical Limitations