How authentication works#

Credentials matter in two distinct situations when using sysand:

  • Publishing to the official Sysand Index. The index at sysand.com is public (browsing and installing projects requires no credentials), but sysand publish requires authentication. In supported CI environments it uses trusted publishing by default. Elsewhere, it requires a bearer token and fails up-front if no bearer-token credential matches the index URL. See Create an API token, which also shows the per-shell commands for configuring the token.

  • Reading from an access-restricted location. Any Sysand index or project download location may require authentication, for example a self-hosted index on an internal network. Then sysand needs credentials just to fetch projects; see Authenticate to an index for the setup steps.

The rest of this page explains which authentication methods sysand supports and how credentials are scoped. For exact environment variable names, URL glob behavior, redirect handling, and publish-specific bearer-token rules, see Authentication.

Sysand currently supports:

  • HTTP(S) using the basic access authentication scheme

  • HTTP(S) using (fixed) bearer tokens (used by, for example, the Sysand Index and private GitLab pages)

  • Git, for projects fetched from git repositories. When git is installed, Sysand runs it with your existing setup, so anything that already works for git clone (SSH keys, credential helpers) also works for Sysand. There is no Sysand-side way to configure git credentials; the SYSAND_CRED_* variables described in the authentication reference do not apply to git.

Configuring credentials#

Currently, authentication is configured through environment variables; the steps are in Authenticate to an index. Each credential has a URL pattern, and Sysand only considers that credential for matching URLs.

This matters because a single project can use more than one network location: the official Sysand Index, a private index, direct archive URLs, or Git repositories. URL-scoped credentials let one shell environment contain credentials for several locations without sending every credential to every server.

How sysand applies a matching credential during downloads, and the stricter bearer-token rules for sysand publish, are described in Authentication.