KASETTO

Authentication

Auth tokens for private GitHub, GitLab, Bitbucket, Codeberg, and Gitea.

Kasetto can pull skills and MCP configs from private repositories. No login command or credentials file needed — just set an environment variable and it works.

Supported Git Hosts

HostExample URL
GitHubhttps://github.com/org/repo
GitHub Enterprisehttps://ghe.example.com/org/repo
GitLabhttps://gitlab.com/group/project
GitLab self-hostedhttps://gitlab.example.com/group/subgroup/project
Bitbucket Cloudhttps://bitbucket.org/workspace/repo
Codeberghttps://codeberg.org/owner/repo
Giteahttps://gitea.com/owner/repo
Forgejohttps://forgejo.org/owner/repo

Host Detection Rules

Kasetto identifies the git host from the URL hostname:

  • GitLab - gitlab.com, any subdomain of gitlab.com (e.g., sub.gitlab.com), or any hostname starting with gitlab. (e.g., gitlab.example.com).
  • Bitbucket - bitbucket.org or www.bitbucket.org.
  • Codeberg / Gitea / Forgejo - codeberg.org, gitea.com, forgejo.org (and their www. variants).
  • GitHub - github.com and any other hostname not matching the rules above.

Any unrecognized hostname with an owner/repo path (2 segments) is treated as GitHub Enterprise. This means ghe.example.com/acme/skills works automatically with GITHUB_TOKEN. Unrecognized hostnames with 3+ path segments (e.g., git.example.com/group/sub/repo) are treated as GitLab-style.

Self-hosted Gitea or Forgejo instances (e.g., gitea.mycompany.com) are not auto-detected. They will be treated as GitHub Enterprise. If your self-hosted instance uses the GitHub-compatible API layout this may still work, but the GITEA_TOKEN variable will not be applied. Use GITHUB_TOKEN instead, or open an issue if you need explicit support for a custom Gitea domain.

Environment Variables

GitHub

VariableDescription
GITHUB_TOKENPersonal access token or fine-grained token
GH_TOKENFallback if GITHUB_TOKEN is not set

Works for github.com and GitHub Enterprise Server alike.

export GITHUB_TOKEN=ghp_...
kst sync --config kasetto.yaml

GitLab

VariableDescription
GITLAB_TOKENPersonal or project access token
CI_JOB_TOKENFallback - automatically set in GitLab CI/CD pipelines

Works for gitlab.com and any self-hosted instance whose hostname starts with gitlab..

export GITLAB_TOKEN=glpat-...
kst sync --config kasetto.yaml

Bitbucket Cloud

Bitbucket has two options:

Method 1 - API token:

VariableDescription
BITBUCKET_EMAILAccount email address
BITBUCKET_TOKENAtlassian API token

Method 2 - App password:

VariableDescription
BITBUCKET_USERNAMEBitbucket username
BITBUCKET_APP_PASSWORDApp password (create at Bitbucket Settings > App passwords)

Method 1 is tried first; if those variables aren't set, Method 2 is used.

Codeberg / Gitea / Forgejo

VariableDescription
GITEA_TOKENPersonal access token
CODEBERG_TOKENFallback if GITEA_TOKEN is not set
FORGEJO_TOKENFallback if neither of the above is set

All three are checked in order — the first one found is used for any Gitea-family host.

Remote Configs

Authentication also applies when you fetch a config via --config <url>. The token is chosen based on the URL hostname, using the same detection rules above.

export GITHUB_TOKEN=ghp_...
kst sync --config https://github.com/org/private-repo/blob/main/kasetto.yaml

If the URL points to a private resource and no matching token is set, Kasetto reports an HTTP error with a hint about which variable to set.

Previous

Supported Agents

Next

Writing Skills

On this page