diff --git a/docs/concepts/authentication/http.md b/docs/concepts/authentication/http.md index 02dee6b1e..90a68410f 100644 --- a/docs/concepts/authentication/http.md +++ b/docs/concepts/authentication/http.md @@ -5,14 +5,8 @@ uv supports credentials over HTTP when querying package registries. Authentication can come from the following sources, in order of precedence: - The URL, e.g., `https://:@/...` -- A [`.netrc`](https://everything.curl.dev/usingcurl/netrc) configuration file -- A [keyring](https://github.com/jaraco/keyring) provider (requires opt-in) - -`.netrc` authentication is enabled by default, and will respect the `NETRC` environment variable if -defined, falling back to `~/.netrc` if not. - -To enable keyring-based authentication, pass the `--keyring-provider subprocess` command-line -argument to uv, or set `UV_KEYRING_PROVIDER=subprocess`. +- A [netrc](#netrc-files) configuration file +- A [keyring provider](#keyring-providers) (off by default) Authentication may be used for hosts specified in the following contexts: @@ -22,6 +16,47 @@ Authentication may be used for hosts specified in the following contexts: - `find-links` - `package @ https://...` +## netrc files + +[`.netrc`](https://everything.curl.dev/usingcurl/netrc) files are a long-standing plain text format +for storing credentials on a system. + +Reading credentials from `.netrc` files is always enabled. The target file path will be loaded from +the `NETRC` environment variable if defined, falling back to `~/.netrc` if not. + +## Keyring providers + +A keyring provider typically fetches credentials from an operating system store. + +The keyring providers are not used by default. + +### The 'subprocess' keyring provider + +The 'subprocess' keyring provider invokes the `keyring` command to fetch credentials. + +The expected interface for this is based on the popular [keyring](https://github.com/jaraco/keyring) +Python package. Similar support is built-in to pip. + +Set `--keyring-provider subprocess`, `UV_KEYRING_PROVIDER=subprocess`, or +`tool.uv.keyring-provider = "subprocess"` to use the provider. + +### The 'native' keyring provider + +!!! note + + The native keyring provider is in [preview](../preview.md) — it is still experimental and being + actively developed. + +The native keyring provider uses the secret storage mechanism native to your operating system. On +macOS, it uses the Keychain Services. On Windows, it uses the Windows Credential Manager. On Linux, +it uses the DBus-based Secret Service API. + +Currently, uv only searches the native keyring provider for credentials it has added to the secret +store. + +Set `--keyring-provider native`, `UV_KEYRING_PROVIDER=native`, or +`tool.uv.keyring-provider = "native"` to use the provider. + ## Persistence of credentials If authentication is found for a single index URL or net location (scheme, host, and port), it will