2 .\" Title: gitcredentials
3 .\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
4 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
7 .\" Source: Git 2.42.0.424.gceadf0f3cf
10 .TH "GITCREDENTIALS" "7" "2023\-10\-20" "Git 2\&.42\&.0\&.424\&.gceadf0" "Git Manual"
11 .\" -----------------------------------------------------------------
12 .\" * Define some portability stuff
13 .\" -----------------------------------------------------------------
14 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
15 .\" http://bugs.debian.org/507673
16 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
17 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
20 .\" -----------------------------------------------------------------
21 .\" * set default formatting
22 .\" -----------------------------------------------------------------
23 .\" disable hyphenation
25 .\" disable justification (adjust text to left margin only)
27 .\" -----------------------------------------------------------------
28 .\" * MAIN CONTENT STARTS HERE *
29 .\" -----------------------------------------------------------------
31 gitcredentials \- Providing usernames and passwords to Git
35 git config credential\&.https://example\&.com\&.username myusername
36 git config credential\&.helper "$helper $options"
41 Git will sometimes need credentials from the user in order to perform operations; for example, it may need to ask for a username and password in order to access a remote repository over HTTP\&. Some remotes accept a personal access token or OAuth access token as a password\&. This manual describes the mechanisms Git uses to request these credentials, as well as some features to avoid inputting these credentials repeatedly\&.
42 .SH "REQUESTING CREDENTIALS"
44 Without any credential helpers defined, Git will try the following strategies to ask the user for usernames and passwords:
56 environment variable is set, the program specified by the variable is invoked\&. A suitable prompt is provided to the program on the command line, and the user\(cqs input is read from its standard output\&.
69 configuration variable is set, its value is used as above\&.
82 environment variable is set, its value is used as above\&.
93 Otherwise, the user is prompted on the terminal\&.
95 .SH "AVOIDING REPETITION"
97 It can be cumbersome to input the same credentials over and over\&. Git provides two methods to reduce this annoyance:
107 Static configuration of usernames for a given authentication context\&.
118 Credential helpers to cache or store passwords, or to interact with a system password wallet or keychain\&.
121 The first is simple and appropriate if you do not have secure storage available for a password\&. It is generally configured by adding this to your config:
127 [credential "https://example\&.com"]
135 Credential helpers, on the other hand, are external programs from which Git can request both usernames and passwords; they typically interface with secure storage provided by the OS or other programs\&. Alternatively, a credential\-generating helper might generate credentials for certain servers via some API\&.
137 To use a helper, you must first select one to use\&. Git currently includes the following helpers:
141 Cache credentials in memory for a short period of time\&. See
142 \fBgit-credential-cache\fR(1)
148 Store credentials indefinitely on disk\&. See
149 \fBgit-credential-store\fR(1)
153 You may also have third\-party helpers installed; search for \fBcredential\-*\fR in the output of \fBgit help \-a\fR, and consult the documentation of individual helpers\&. Once you have selected a helper, you can tell Git to use it by putting its name into the credential\&.helper variable\&.
169 $ git help \-a | grep credential\-
186 Read its description\&.
192 $ git help credential\-foo
208 Tell Git to use it\&.
214 $ git config \-\-global credential\&.helper foo
221 .SS "Available helpers"
223 The community maintains a comprehensive list of Git credential helpers at \m[blue]\fBhttps://git\-scm\&.com/doc/credential\-helpers\fR\m[]\&.
226 An alternative to inputting passwords or personal access tokens is to use an OAuth credential helper\&. Initial authentication opens a browser window to the host\&. Subsequent authentication happens in the background\&. Many popular Git hosts support OAuth\&.
227 .SH "CREDENTIAL CONTEXTS"
229 Git considers each credential to have a context defined by a URL\&. This context is used to look up context\-specific configuration, and is passed to any helpers, which may use it as an index into secure storage\&.
231 For instance, imagine we are accessing \fBhttps://example\&.com/foo\&.git\fR\&. When Git looks into a config file to see if a section matches this context, it will consider the two a match if the context is a more\-specific subset of the pattern in the config file\&. For example, if you have this in your config file:
237 [credential "https://example\&.com"]
245 then we will match: both protocols are the same, both hosts are the same, and the "pattern" URL does not care about the path component at all\&. However, this context would not match:
251 [credential "https://kernel\&.org"]
259 because the hostnames differ\&. Nor would it match \fBfoo\&.example\&.com\fR; Git compares hostnames exactly, without considering whether two hosts are part of the same domain\&. Likewise, a config entry for \fBhttp://example\&.com\fR would not match: Git compares the protocols exactly\&. However, you may use wildcards in the domain name and other pattern matching techniques as with the \fBhttp\&.<URL>\&.*\fR options\&.
261 If the "pattern" URL does include a path component, then this too must match exactly: the context \fBhttps://example\&.com/bar/baz\&.git\fR will match a config entry for \fBhttps://example\&.com/bar/baz\&.git\fR (in addition to matching the config entry for \fBhttps://example\&.com\fR) but will not match a config entry for \fBhttps://example\&.com/bar\fR\&.
262 .SH "CONFIGURATION OPTIONS"
264 Options for a credential context can be configured either in \fBcredential\&.*\fR (which applies to all credentials), or \fBcredential\&.<URL>\&.*\fR, where <URL> matches the context as described above\&.
266 The following options are available in either location:
270 The name of an external credential helper, and any associated options\&. If the helper name is not an absolute path, then the string
271 \fBgit credential\-\fR
272 is prepended\&. The resulting string is executed by the shell (so, for example, setting this to
273 \fBfoo \-\-option=bar\fR
275 \fBgit credential\-foo \-\-option=bar\fR
276 via the shell\&. See the manual of specific helpers for examples of their use\&.
278 If there are multiple instances of the
279 \fBcredential\&.helper\fR
280 configuration variable, each helper will be tried in turn, and may provide a username, password, or nothing\&. Once Git has acquired both a username and a non\-expired password, no more helpers will be tried\&.
283 \fBcredential\&.helper\fR
284 is configured to the empty string, this resets the helper list to empty (so you may override a helper set by a lower\-priority config file by configuring the empty\-string helper, followed by whatever set of helpers you would like)\&.
289 A default username, if one is not provided in the URL\&.
294 By default, Git does not consider the "path" component of an http URL to be worth matching via external helpers\&. This means that a credential stored for
295 \fBhttps://example\&.com/foo\&.git\fR
296 will also be used for
297 \fBhttps://example\&.com/bar\&.git\fR\&. If you do want to distinguish these cases, set this option to
302 You can write your own custom helpers to interface with any system in which you keep credentials\&.
304 Credential helpers are programs executed by Git to fetch or save credentials from and to long\-term storage (where "long\-term" is simply longer than a single Git process; e\&.g\&., credentials may be stored in\-memory for a few minutes, or indefinitely on disk)\&.
306 Each helper is specified by a single string in the configuration variable \fBcredential\&.helper\fR (and others, see \fBgit-config\fR(1))\&. The string is transformed by Git into a command to be executed using these rules:
316 If the helper string begins with "!", it is considered a shell snippet, and everything after the "!" becomes the command\&.
327 Otherwise, if the helper string begins with an absolute path, the verbatim helper string becomes the command\&.
338 Otherwise, the string "git credential\-" is prepended to the helper string, and the result becomes the command\&.
341 The resulting command then has an "operation" argument appended to it (see below for details), and the result is executed by the shell\&.
343 Here are some example specifications:
349 # run "git credential\-foo"
353 # same as above, but pass an argument to the helper
355 helper = "foo \-\-bar=baz"
357 # the arguments are parsed by the shell, so use shell
358 # quoting if necessary
360 helper = "foo \-\-bar=\*(Aqwhitespace arg\*(Aq"
362 # you can also use an absolute path, which will not use the git wrapper
364 helper = "/path/to/my/helper \-\-with\-arguments"
366 # or you can specify your own shell snippet
367 [credential "https://example\&.com"]
369 helper = "!f() { test \e"$1\e" = get && echo \e"password=$(cat $HOME/\&.secret)\e"; }; f"
376 Generally speaking, rule (3) above is the simplest for users to specify\&. Authors of credential helpers should make an effort to assist their users by naming their program "git\-credential\-$NAME", and putting it in the \fB$PATH\fR or \fB$GIT_EXEC_PATH\fR during installation, which will allow a user to enable it with \fBgit config credential\&.helper $NAME\fR\&.
378 When a helper is executed, it will have one "operation" argument appended to its command line, which is one of:
382 Return a matching credential, if any exists\&.
387 Store the credential, if applicable to the helper\&.
392 Remove matching credentials, if any, from the helper\(cqs storage\&.
395 The details of the credential will be provided on the helper\(cqs stdin stream\&. The exact format is the same as the input/output format of the \fBgit credential\fR plumbing command (see the section \fBINPUT/OUTPUT FORMAT\fR in \fBgit-credential\fR(1) for a detailed specification)\&.
397 For a \fBget\fR operation, the helper should produce a list of attributes on stdout in the same format (see \fBgit-credential\fR(1) for common attributes)\&. A helper is free to produce a subset, or even no values at all if it has nothing useful to provide\&. Any provided attributes will overwrite those already known about by Git\(cqs credential subsystem\&. Unrecognised attributes are silently discarded\&.
399 While it is possible to override all attributes, well behaving helpers should refrain from doing so for any attribute other than username and password\&.
401 If a helper outputs a \fBquit\fR attribute with a value of \fBtrue\fR or \fB1\fR, no further helpers will be consulted, nor will the user be prompted (if no credential has been provided, the operation will then fail)\&.
403 Similarly, no more helpers will be consulted once both username and password had been provided\&.
405 For a \fBstore\fR or \fBerase\fR operation, the helper\(cqs output is ignored\&.
407 If a helper fails to perform the requested operation or needs to notify the user of a potential issue, it may write to stderr\&.
409 If it does not support the requested operation (e\&.g\&., a read\-only store or generator), it should silently ignore the request\&.
411 If a helper receives any other operation, it should silently ignore the request\&. This leaves room for future operations to be added (older helpers will just ignore the new requests)\&.
414 Part of the \fBgit\fR(1) suite