Passing Auth Token Via User-Agent Header

Until the -Z registry-auth unstable cargo feature is stabilized, we are providing a temporary solution to perform authenticated crate downloads at Shipyard.rs.

Note: Using the "User-Agent" header to pass an auth token is not ideal. If you are using the nightly version of Cargo/rustc, a better solution is to enable the -Z registry-auth unstable feature.

Configuring User-Agent Header

There is a somewhat obscure configuration option to specify the "User-Agent" header that cargo sends as part of all of its requests, which defaults to the cargo version number being used.

Shipyard.rs will first check requests for the presence of an "Authorization" header, but will fall back to checking for a "User-Agent" header in a specific format, which will be used as a fallback.

For an example auth token with the dummy value AxzHJS6gWK=, the cargo "User-Agent" setting would be configured by adding this to ~/.cargo/config.toml:

# set a custom user-agent header value for cargo requests:
[http]
user-agent = "shipyard AxzHJS6gWK="

See the configuration docs for additional details.

Using the "User-Agent" header to pass an authorization token is less than ideal and temporary. However, for what it is worth, our servers have been configured not to log the "User-Agent" header for requests that might contain an authentication token in the header value.