Tired of hitting rate limits when running nix flake update? Trying to fetch a private repository in your flake inputs or builtin fetchers?
Nix supports setting access-tokens in your Nix config. This tool makes it easy to get those tokens in the right place.
- OAuth device flow authentication (no manual token creation needed)
- Support for multiple providers (GitHub, GitHub Enterprise, and GitLab)
- Token storage in ~/.config/nix/nix.conf
- Token validation and status checking
- Automatic backup creation before modifying configuration
Run directly without installation:
nix run github:numtide/nix-auth -- login
Install into your profile:
nix profile install github:numtide/nix-auth
Or add to your system configuration:
{
  inputs.nix-auth.url = "github:numtide/nix-auth";

  # In your system packages
  environment.systemPackages = [
    inputs.nix-auth.packages.${system}.default
  ];
}
go install github.com/numtide/nix-auth@latest
git clone https://github.com/numtide/nix-auth
cd nix-auth
go build .
Authenticate with GitHub (default provider):
nix-auth login
Authenticate with GitLab:
nix-auth login gitlab
Authenticate with GitHub Enterprise or GitLab self-hosted:
# GitHub Enterprise
nix-auth login github --host github.company.com --client-id <your-client-id>
# GitLab self-hosted
nix-auth login gitlab --host gitlab.company.com --client-id <your-application-id>
The tool will:
- Display a one-time code
- Open your browser to the provider's device authorization page
- Wait for you to authorize the application
- Save the token to ~/.config/nix/nix.conf
Note for self-hosted instances:
- GitHub Enterprise: You'll need to create an OAuth App and provide the client ID via --client-id
- GitLab self-hosted: You'll need to create an OAuth application and provide the client ID via --client-id
The tool will guide you through this process if the client ID is not provided. You can also set the GITHUB_CLIENT_ID or GITLAB_CLIENT_ID environment variables as an alternative to the --client-id flag.
View all configured tokens:
nix-auth status
Remove a token interactively:
nix-auth logout
Remove a specific provider's token:
nix-auth logout github
Remove a token for a specific host:
nix-auth logout --host github.company.com
The tool manages the access-tokens configuration in your ~/.config/nix/nix.conf file. This allows Nix to authenticate when fetching flake inputs from private repositories or through builtin fetchers, and to avoid hitting rate limits.
Example configuration added by this tool:
access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxxx github.company.com=ghp_yyyyyyyy
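As an added example (not part of nix-auth), the Go program below parses the access-tokens format shown above and reports, with tokens redacted, which hosts have a token in each file and whether that file is accessible to group or other users, since the tokens sit in the file as plain text. The function names and the nix.conf* glob used to catch backup copies are assumptions; the page does not state how backups are named.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseAccessTokens returns host -> token for every access-tokens line in nix.conf text.
func ParseAccessTokens(conf string) map[string]string {
	tokens := map[string]string{}
	for _, line := range strings.Split(conf, "\n") {
		line, _, _ = strings.Cut(line, "#") // drop comments
		name, value, ok := strings.Cut(line, "=")
		if !ok || strings.TrimSpace(name) != "access-tokens" {
			continue
		}
		for _, pair := range strings.Fields(value) {
			if host, tok, ok := strings.Cut(pair, "="); ok && host != "" {
				tokens[host] = tok
			}
		}
	}
	return tokens
}

// Redact keeps a short prefix (e.g. "ghp_") so the report never shows a usable token.
func Redact(tok string) string {
	if len(tok) <= 4 {
		return "****"
	}
	return tok[:4] + "****"
}

// TooOpen reports whether a file mode grants any access to group or others.
func TooOpen(mode os.FileMode) bool { return mode.Perm()&0o077 != 0 }

func main() {
	pattern := filepath.Join(os.Getenv("HOME"), ".config/nix/nix.conf*") // assumed backup naming
	files, _ := filepath.Glob(pattern)
	for _, f := range files {
		if info, err := os.Stat(f); err == nil {
			data, _ := os.ReadFile(f) // an unreadable file yields no entries
			for host, tok := range ParseAccessTokens(string(data)) {
				fmt.Println(f, host, Redact(tok), "open-to-others:", TooOpen(info.Mode()))
			}
		}
	}
}
```

A file reported as open-to-others can be tightened with chmod 600, and any stale copy that still holds a token you have logged out of can be deleted.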
- Tokens are stored locally in your Nix configuration
- The tool creates automatic backups before modifying your configuration
- Uses OAuth device flow for secure authentication
- Minimal required permissions (only necessary scopes for accessing repositories)
- Support for more providers (Gitea, Forgejo, Bitbucket, etc.)
- Token expiration notifications
- Integration with system keychains for secure storage (will require patching Nix)
MIT