Authentication

The registry requires authentication for publishing and yanking modules. Browsing, searching, and downloading are public.

Each registry instance runs in one of two authentication modes:

| Mode | Use case | How users register |
| --- | --- | --- |
| local_password | Self-hosted / private registries | Web registration form at /register |
| github_oauth | Public registry (registry.duumbi.dev) | “Sign in with GitHub” on the web UI |

The auth mode is set by the registry operator via the AUTH_MODE environment variable. As a user, you don’t need to configure this — the CLI auto-detects the mode.

On a GitHub OAuth registry:

  1. Visit registry.duumbi.dev and click Sign in
  2. Authorize the DUUMBI app on GitHub
  3. You’re logged in — your GitHub username becomes your registry username

On a local password registry:

  1. Visit your registry’s /register page
  2. Choose a username and password (minimum 8 characters)
  3. Sign in at /login

Device code flow (GitHub OAuth registries)

The recommended flow for GitHub OAuth registries. No need to copy-paste tokens:

duumbi registry login duumbi

This opens your browser with a one-time code. Enter the code, authorize, and the CLI receives a token automatically.

Token login

Works with any registry. First, generate a token in the web UI (see below), then:

duumbi registry login myregistry --token duu_your_token_here

Credentials are stored in ~/.duumbi/credentials.toml.

Logout

duumbi registry logout myregistry

This removes the stored token from ~/.duumbi/credentials.toml.

Managing tokens

Tokens are managed in the web UI at /settings/tokens (you must be signed in).

  1. Navigate to Settings > API Tokens (or go directly to /settings/tokens)
  2. Enter a descriptive name (e.g., ci-deploy, laptop)
  3. Click Generate token
  4. Copy the token immediately — it is shown only once

Tokens use the duu_ prefix for easy identification. They are SHA-256 hashed in the database, so the raw value cannot be retrieved after creation.

On the tokens page, click Revoke next to the token you want to disable. This takes effect immediately — any CLI sessions using that token will fail on the next request.

How token authentication works

When the CLI makes an authenticated request (publish, yank), it sends the token as a Bearer header:

Authorization: Bearer duu_your_token_here

The registry hashes the incoming token with SHA-256 and looks it up in the database. This means:

  • Tokens are never stored in plain text on the server
  • Token validation is a constant-time hash comparison
  • Each token is scoped to a single user
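The validation path described above, as an added illustration that is not the registry's own code: a duu_-prefixed token is issued, only its SHA-256 digest is kept, the Bearer header is parsed, the digest is compared in constant time, and a revoked record is rejected on the next request. The in-memory TOKEN_TABLE and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TOKEN_PREFIX = "duu_"

# Constructed stand-in for the registry's token table:
# SHA-256 hex digest -> record. The raw token is never stored.
TOKEN_TABLE: Dict[str, dict] = {}


def hash_token(raw: str) -> str:
    """SHA-256 the raw token; this digest is the only form the server keeps."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def issue_token(user: str, name: str) -> str:
    """Create a duu_-prefixed token for one user; return the raw value once."""
    raw = TOKEN_PREFIX + secrets.token_urlsafe(32)
    TOKEN_TABLE[hash_token(raw)] = {"user": user, "name": name, "revoked": False}
    return raw


def revoke_token(digest: str) -> None:
    """Mark a token revoked; the next request using it fails immediately."""
    TOKEN_TABLE[digest]["revoked"] = True


def authenticate(authorization_header: Optional[str]) -> Optional[str]:
    """Return the username bound to a valid Bearer token, or None to reject."""
    if not authorization_header:
        return None
    scheme, _, raw = authorization_header.partition(" ")
    raw = raw.strip()
    if scheme != "Bearer" or not raw.startswith(TOKEN_PREFIX):
        return None
    digest = hash_token(raw)
    # Compare digests with hmac.compare_digest so response timing does not
    # reveal how many leading bytes of a guessed digest matched.
    for stored_digest, record in TOKEN_TABLE.items():
        if hmac.compare_digest(stored_digest, digest):
            return None if record["revoked"] else record["user"]
    return None
```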