dart pub token

The dart pub token subcommand manages a store of tokens. When publishing packages and retrieving dependencies, the dart pub command uses tokens to authenticate against third-party servers.

It stores these tokens in a user-wide config directory. The dart pub token subcommand has three subcommands: add, list and remove.

The dart pub command considers the terms credential, token, secret, and secret token to be interchangable.

Consider a scenario when you have a dependency hosted on a private repository. When you use the dart pub get command, it might return a prompt to provide credentials:

$ dart pub get
Resolving dependencies... 
https://some-package-repo.com/my-org/my-repo package repository requested authentication!
You can provide credentials using:
    dart pub token add https://some-package-repo.com/my-org/my-repo

Some, but not all, servers also return a message with instructions as to how you can obtain a token.

To create a new credential, use the dart pub token add command.

At the prompt, type the credential on the command line (stdin).

$ dart pub token add https://some-package-repo.com/my-org/my-repo
Enter secret token: <Type token on stdin>
 Requests to "https://some-package-repo.com/my-org/my-repo" will now be 
 authenticated using the secret token.

To use the same token for any and all terminal sessions and in scripts, store the token in an environment variable.

1. Store your token in an environment variable.

   Make sure to hide the token from your shell history. To explore one way of doing this, consult this post on Medium.

2. To enable any environment variables that you add, restart any open consoles.

3. To use an environment variable as a token, use the dart pub token add command:

   $ dart pub token add <hosted-url> --env-var <TOKEN_VAR>

   This command reads the token stored in $TOKEN_VAR then uses it to authenticate with the hosted-url hosting the desired package. It should print the following response to the terminal.

   $ dart pub token add https://other-package-repo.com/ --env-var TOKEN_VAR
   Requests to "https://other-package-repo.com/" will now be authenticated using the secret token stored in the environment variable "TOKEN_VAR".

Most CI environments can inject tokens into an environment variable. To learn how, consult documentation for GitHub Actions or GitLab as examples.

To see a list of all active credentials, use the dart pub token list command:

$ dart pub token list
You have secret tokens for 2 package repositories:
https://some-package-repo.com/my-org/my-repo
https://other-package-repo.com/

To remove a single token, use the dart pub token remove command:

$ dart pub token remove https://other-package-repo.com
Removed secret token for package repository: https://other-package-repo.com

To remove all tokens, use the preceding command with the remove --all option:

$ dart pub token remove --all
pub-tokens.json is deleted.
Removed 1 secret tokens.