Skip to content

Consuming crates

Every namespace is a cargo sparse registry. Reads always require a token; there is no anonymous download, even from public namespaces. Consumers only ever see promoted versions (unless their token carries the any-version flag; see Tokens & access).

The standard setup, for publish namespaces and for mirrors of registries other than crates.io:

[registries.acme]
index = "sparse+https://haven.example.com/ns/acme/index/"
[registry]
global-credential-providers = ["cargo:token"]

Dependencies then name the registry explicitly:

[dependencies]
useful-crate = { version = "2", registry = "acme" }

A mirror namespace whose upstream is crates.io can replace cargo’s built-in source, so plain dependencies resolve through your mirror with zero Cargo.toml changes:

[registries.acme-mirror]
index = "sparse+https://haven.example.com/ns/acme-mirror/index/"
[source.crates-io]
replace-with = "acme-mirror"
[registry]
global-credential-providers = ["cargo:token"]

Every serde = "1" in the project now goes through the mirror and its policy. The namespace page shows the right snippet for its kind, filled in with real URLs.

Public namespaces are browsable by any signed-in user, and their promoted versions can be pulled with a personal public-read token: mint one from your account, it reads promoted versions of every public namespace on the instance. This is how open source distributed through Haven is consumed.

To let an outside identity read a private crate, the namespace owner adds a grant for it. The consumer then uses their own token; the grant, not the token, is what entitles them.