Private github repo inputs with access tokens - how exactly?

I’m having a terrible time figuring out a working system for private repo flake inputs.


It’s unclear which url format I’m supposed to use. The documentation mentions only a very weird:

  Example ~/code/flake.nix: = {
    type = "gitlab";
    host = "";
    owner = "mycompany";
    repo = "pro";


Some people posting on forums seem to use the git+ssh:// format instead.

Second of all, I’m getting very mixed results w.r.t. where I’m supposed to put the access-token github=pat_... string.

/etc/nix/nix.conf? Doesn’t seem to work at all. ~/.config/nix/nix.conf? Also doesn’t seem to work. ~/.local/share/nix/trusted-settings.json kind of sometimes seems to work.

Is it supposed to work with flakes at all? Is putting it into nixConfig = { access-tokens = [ "" ]; }; at the top level of a flake supposed to work?

Third, is it supposed to be github= or ? Does it depend on the type of input url format I’m using?

On top of it, it seems to me that nix does something really messed up w.r.t. cache invalidation on recursive inputs. If I have flake F, that has a private input A, that refers to a private input B, then even after fixing A to refer to B using ssh+git://git@..., and then changing F to use that new version of A, building F attempts to fetch B using the old url format, ignoring the new format in the new version of A. It seems that the url of B is cached based on B’s revision, ignoring the actual url A uses.

I would appreciate someone actually using access-token spelling out something known to work and confirming all the little doubts I have.

Edit: So as usual, only after asking for help on a public forum and then struggling a little bit more, I figured out that the link format that works reliably is only:

url = "github:owner/repo/rev";

kind. With that discovery, everything kind of fell into the right place, though I’m still not entirely sure about the details of how things work.

The access token setting in flake for this looks like:

  nixConfig = {
    extra-substituters = [ "" ];
    extra-trusted-public-keys = [ "" ];
    access-tokens = [

and this is going to ask the user to use &/or persist or not, and store it under ~/.local/share/nix/trusted-settings.json.
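
A read-only check for the nix.conf locations mentioned in the post, as an added example (not part of the original post and not Nix project code). It parses `access-tokens` lines in the whitespace-separated `host=token` form shown in the Nix manual, then flags keys that are not host names and files readable by other users. The function names, messages and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_nix_conf(path):
    """Return (host, finding) pairs for access-tokens entries in one nix.conf-style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()       # drop comments
            name, sep, value = line.partition("=")
            if not sep or name.strip() != "access-tokens":
                continue
            for entry in value.split():               # host=token pairs
                host, sep2, token = entry.partition("=")
                if not sep2 or not token:
                    # never echo the entry itself: it may be a bare token
                    findings.append(("<redacted>", "not in host=token form"))
                elif "." not in host:
                    findings.append((host, "key is not a host name such as github.com"))
                elif exposed:
                    findings.append((host, "token readable by group/others (mode %o)" % mode))
                else:
                    findings.append((host, "ok"))
    return findings

def demo():
    """Audit two constructed files; the token values are fake placeholders."""
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "etc-nix.conf")      # stands in for /etc/nix/nix.conf
        private = os.path.join(d, "user-nix.conf")    # stands in for ~/.config/nix/nix.conf
        with open(shared, "w") as fh:
            fh.write("experimental-features = nix-command flakes\n"
                     "access-tokens = github.com=ghp_CONSTRUCTED github=ghp_CONSTRUCTED\n")
        with open(private, "w") as fh:
            fh.write("# per-user config\naccess-tokens = github.com=ghp_CONSTRUCTED\n")
        os.chmod(shared, 0o644)
        os.chmod(private, 0o600)
        return audit_nix_conf(shared), audit_nix_conf(private)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The findings list only the host key, never the token value, so the output is safe to paste into a forum post or ticket.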