KASETTO

Authentication

Auth tokens for private GitHub, GitLab, Bitbucket, Codeberg, and Gitea.

Kasetto can pull skills, commands, instructions, and MCP configs from private repositories. No login command or credentials file needed — just set an environment variable and it works.

Supported Git Hosts

HostExample URL
GitHubhttps://github.com/org/repo
GitHub Enterprisehttps://ghe.example.com/org/repo
GitLabhttps://gitlab.com/group/project
GitLab self-hostedhttps://gitlab.example.com/group/subgroup/project
Bitbucket Cloudhttps://bitbucket.org/workspace/repo
Codeberghttps://codeberg.org/owner/repo
Giteahttps://gitea.com/owner/repo
Forgejohttps://forgejo.org/owner/repo

Host Detection Instructions

Kasetto identifies the git host from the URL hostname:

  • GitLab - gitlab.com, any subdomain of gitlab.com (e.g., sub.gitlab.com), or any hostname starting with gitlab. (e.g., gitlab.example.com).
  • Bitbucket - bitbucket.org or www.bitbucket.org.
  • Codeberg / Gitea / Forgejo - codeberg.org, gitea.com, forgejo.org (and their www. variants).
  • GitHub - github.com and any other hostname not matching the instructions above.

Any unrecognized hostname with an owner/repo path (2 segments) is treated as GitHub Enterprise. This means ghe.example.com/acme/skills works automatically with GITHUB_TOKEN. Unrecognized hostnames with 3+ path segments (e.g., git.example.com/group/sub/repo) are treated as GitLab-style.

Self-hosted Gitea or Forgejo instances (e.g., gitea.mycompany.com) are not auto-detected. They will be treated as GitHub Enterprise. If your self-hosted instance uses the GitHub-compatible API layout this may still work, but the GITEA_TOKEN variable will not be applied. Use GITHUB_TOKEN instead, or open an issue if you need explicit support for a custom Gitea domain.

Environment Variables

GitHub

VariableDescription
GITHUB_TOKENPersonal access token or fine-grained token
GH_TOKENFallback if GITHUB_TOKEN is not set

Works for github.com and GitHub Enterprise Server alike.

export GITHUB_TOKEN=ghp_...
kst sync --config kasetto.yaml

GitLab

VariableDescription
GITLAB_TOKENPersonal or project access token
CI_JOB_TOKENFallback - automatically set in GitLab CI/CD pipelines

Works for gitlab.com and any self-hosted instance whose hostname starts with gitlab..

export GITLAB_TOKEN=glpat-...
kst sync --config kasetto.yaml

Bitbucket Cloud

Bitbucket has two options:

Method 1 - API token:

VariableDescription
BITBUCKET_EMAILAccount email address
BITBUCKET_TOKENAtlassian API token

Method 2 - App password:

VariableDescription
BITBUCKET_USERNAMEBitbucket username
BITBUCKET_APP_PASSWORDApp password (create at Bitbucket Settings > App passwords)

Method 1 is tried first; if those variables aren't set, Method 2 is used.

Codeberg / Gitea / Forgejo

VariableDescription
GITEA_TOKENPersonal access token
CODEBERG_TOKENFallback if GITEA_TOKEN is not set
FORGEJO_TOKENFallback if neither of the above is set

All three are checked in order — the first one found is used for any Gitea-family host.

Remote Configs

Authentication also applies when you fetch a config via --config <url>. The token is chosen based on the URL hostname, using the same detection instructions above.

export GITHUB_TOKEN=ghp_...
kst sync --config https://github.com/org/private-repo/blob/main/kasetto.yaml

If the URL points to a private resource and no matching token is set, Kasetto reports an HTTP error with a hint about which variable to set.

Previous

Supported Agents

Next

Writing Skills

On this page