Authentication Model

Authorization of HTTP(S) requests to a crates registry server is performed via an authentication token in the body/value of a HTTP "authorization" header, e.g.:

$ curl -H "authorization: ${MY_AUTH_TOKEN}" \

In general, cargo appends the authentication headers to outgoing requests it generates as part of a build command.

For example, cargo publish will generate an HTTPS PUT request to (assuming the crate is being published at --registry with an auth token in the "authorization" header for identifying whether the user has permissions to publish a crate version for the crate in question (i.e. is an owner of the crate).