`access-tokens` is underspecified

The documentation for access-tokens is quite underspecified. I posted here, not help, since I don’t even know if I need help. I’m left with so many questions that I can’t even assess if this feature is interesting to me or not.

Question 1: what kind of requests does it apply to?

Nix makes a lot of different kinds of requests.

1a) substitutions from cache. Can access-tokens replace netrc-file?
1b) flake inputs?
1c) eval-time fetchers (fetchTarball, fetchGit, fetchTree)
1d) build-time fetchers e.g. nixpkgs fetchers like pkgs.fetchurl

Question 2: how exactly is the access token attached to requests?

2a) what header is used?
2b) can the header be changed?
2c) is the token always a Bearer token? Can that be changed?
2d) Is the behavior destination dependent? Can I use this with arbitrary sources?

Question 3: how does this interact with the daemon?

3a) can un-trusted users provide access-tokens config?

Flake related API calls

No

Yes

fetchTree, and only that

No, we aren’t there yet.

Bearer token

The Auth one.

Nope, it’s based on HTTP standards.

Yes and no

The token will be injected as soon as an eval time request to the domain of the key is done. AFAIU there is no special treatment for different domains.

Not at all, as it’s an eval only thing

Yes, and I’d recommend to not have this as a global setting

3 Likes