Lab 5: Restricting Access with Authenticated Repositories

By the end of this lab, you will be able to:

  • Create a date-based source for CRAN in Package Manager
  • Configure an authenticated repository that requires a token to access
  • Generate a repos:read token scoped to that repository
  • Configure an R user to install packages from the authenticated repository
NoteBefore You Begin

This lab puts into practice the concepts covered in Restricting Access with Authenticated Repositories. If you have not read it yet, review it first so the steps below make sense.

TipRequired Reading

Create a Date-based Source and an Authenticated Repository

A date-based CRAN source, also called a snapshot source, pins a repository to the state of CRAN on a specific date. Every user installing from that source gets the same package versions, regardless of when they install. This is a way to ensure reproducibility without relying on any other tools.

In this lab the snapshot source is also the example used to demonstrate authentication, but the two concepts are independent: any repository can be authenticated, and any repository can be based on a snapshot. Combining them provides a way for a specific team to have a reproducible, access-controlled set of packages.

First, create a CRAN date-based source called authenticated-cran-2026-05-01. Then create an authenticated repository based on that source. Run the following commands:

Terminal
# Create source from desired date:
sudo rspm create source --name=authenticated-cran-2026-05-01 --type=cran-snapshot --snapshot=2026-05-01

# Create the repository that will serve this source, and make it authenticated:
sudo rspm create repo --name=cran-snapshot --description='Access CRAN packages' --authenticated=true
sudo rspm subscribe --repo=cran-snapshot --source=authenticated-cran-2026-05-01

Generate an Access Token

Generate a token for that repository that allows repos:read, and save it to a persistent, secure location (such as a password manager or a text file on your local computer):

Terminal
sudo rspm create token --scope=repos:read --repos=cran-snapshot \
  --description="Allows read access for the authenticated-cran-2026-05-01 repo" --user="repo-reader"

Configure an R User to Use the Repository

Use the token you generated to log in to the Package Manager user interface. You should see the cran-snapshot repository in the dropdown of the repositories you can install from. Then click on the “Setup” button, and follow the instructions to configure access to this authenticated repository. You will:

  1. Create a .netrc file in your home directory
  2. Make sure that ~/.netrc has the appropriate permissions so that it is only readable by you
  3. Edit the ~/.Rprofile file to (1) configure your instance of Package Manager as the repository; (2) include the code provided in the Setup instructions to ensure that curl is used to download packages and that it uses the .netrc file for authentication.

The .netrc file should look like this:

~/.netrc
machine <your-package-manager-url>
login __token__
password <your-token>

Note that the url for machine is the bare URL for your Package Manager instance (do not include the protocol), login is literally __token__, and the password is the token you generated.

The .Rprofile should look like this, make sure to replace <your-package-manager-url> with the URL for your Package Manager instance (and to use the same URL in the .netrc file, for this lab we recommend using the URL ending in instruqt.io found in the bottom right corner of the lab, and not the one ending in instruqt.com):

~/.Rprofile
# Configure the authenticated repository as the default CRAN repository
options(repos = c(CRAN = "<your-package-manager-url>/cran-snapshot/latest"))

# Use curl with a netrc file for authenticated repo access
options(download.file.method = "curl")

options(download.file.extra = paste(
  "--netrc",
  # Follow redirects, show errors, and display the HTTP status and URL
  '-fsSL -w "%{stderr}curl: HTTP %{http_code} %{url_effective}\n"',
  # Configure the R user agent header to install Linux binary packages
  sprintf('--header "User-Agent: R (%s)"', paste(getRversion(), R.version["platform"], R.version["arch"], R.version["os"]))
))
TipUse your own Package Manager URL

Once you have configured an authenticated repository, you can use the token you generated to log in to the Package Manager user interface. In the UI, click on “Sign in” and paste your token in the text box. You should see the cran-snapshot repository in the dropdown of the repositories you can install from. Once selected, you can click on the “Setup” button to see the instructions for configuring your R user to install from this authenticated repository.

Verify Your Work

Launch R (remember that R installed in /opt/R/<x.y.z>/bin), check that the new authenticated repository is listed, and install a package, checking the install logs to make sure that it comes from the authenticated repository:

R Console
# Check that the new authenticated repository is listed
getOption("repos")

# Install a package, check the logs to make sure that it comes from the authenticated repository
install.packages("remotes")
  • Authenticated repositories restrict access so that only callers presenting a valid token can install. This is how you scope a repository to a specific team or instance on a shared Package Manager.
  • Access is granted with tokens scoped to a repository and a permission; a repos:read token allows installing from that repository and nothing more. Treat tokens as secrets and store them securely.
  • Consuming an authenticated repository from R requires three coordinated pieces: a .netrc file holding the credentials, an .Rprofile that adds the repository and downloads via curl, and the repository URL.
  • A date-based (snapshot) source pins a repository to CRAN’s state on a chosen date, giving every user the same package versions for reproducibility. Authentication and snapshots are independent but can be combined to give a team a reproducible, access-controlled set of packages.