Consuming crates
Every namespace is a cargo sparse registry. Reads always require a token; there is no anonymous download, even from public namespaces. Consumers only ever see promoted versions (unless their token carries the any-version flag; see Tokens & access).
As a named registry
Section titled “As a named registry”The standard setup, for publish namespaces and for mirrors of registries other than crates.io:
[registries.acme]index = "sparse+https://haven.example.com/ns/acme/index/"
[registry]global-credential-providers = ["cargo:token"]Dependencies then name the registry explicitly:
[dependencies]useful-crate = { version = "2", registry = "acme" }As a crates.io replacement
Section titled “As a crates.io replacement”A mirror namespace whose upstream is crates.io can replace cargo’s built-in source, so plain dependencies resolve through your mirror with zero Cargo.toml changes:
[registries.acme-mirror]index = "sparse+https://haven.example.com/ns/acme-mirror/index/"
[source.crates-io]replace-with = "acme-mirror"
[registry]global-credential-providers = ["cargo:token"]Every serde = "1" in the project now goes through the mirror and its
policy. The namespace page shows the right snippet for its kind, filled
in with real URLs.
Public namespaces
Section titled “Public namespaces”Public namespaces are browsable by any signed-in user, and their promoted versions can be pulled with a personal public-read token: mint one from your account, it reads promoted versions of every public namespace on the instance. This is how open source distributed through Haven is consumed.
Private access across organizations
Section titled “Private access across organizations”To let an outside identity read a private crate, the namespace owner adds a grant for it. The consumer then uses their own token; the grant, not the token, is what entitles them.