Skip to content
Latchkey

cargo "no token found ... please run cargo login" (private registry) in CI

cargo needs a token to read from a private registry or to publish, and none is configured on the runner. Either the registry credential was never injected, or it lacks the scope for the operation.

What this error means

cargo build, publish, or fetch fails with "error: no token found for X, please run cargo login", or with a 401/403 from the private registry.

cargo
error: failed to publish to registry at https://registry.internal.example.com

Caused by:
  no token found for `internal`, please run `cargo login --registry internal`
  or use environment variable CARGO_REGISTRIES_INTERNAL_TOKEN

Common causes

No registry token injected into the job

The private registry credential was never exposed to the step, so cargo has nothing to authenticate with.

A token without the needed scope

A token configured for read may lack publish rights (or vice versa), producing a 401/403 on the operation.

How to fix it

Inject the token via the registry env var

cargo reads CARGO_REGISTRIES_<NAME>_TOKEN from the environment, so set it from a secret.

.github/workflows/ci.yml
env:
  CARGO_REGISTRIES_INTERNAL_TOKEN: ${{ secrets.CARGO_INTERNAL_TOKEN }}

Verify scope for a 401/403

A persistent 401/403 is not fixed by retrying; confirm the token belongs to a principal allowed to read or publish to that registry.

Terminal
cargo publish --registry internal --dry-run

How to prevent it

  • Keep registry tokens in CI secrets, never committed.
  • Use CARGO_REGISTRIES_<NAME>_TOKEN rather than cargo login files in CI.
  • Grant least-privilege scope (read vs publish) per token.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →