Skip to main content

Running Private Packages with GitHub Login

Kurtosis CLI supports the ability to run private packages hosted on GitHub via kurtosis github login. This guide assumes that you have Kurtosis installed and a package hosted on GitHub that is private.


GitHub Login is not yet supported over Kubernetes backend. Please create an issue to request this feature!

1. Authorize Kurtosis CLI OAuth Application

Using Kurtosis CLI, run:

kurtosis github login

The following prompt should be displayed. After copying the one time code, press enter.


A GitHub screen should pop up in your browser instructing you to enter the one-time code you just copied in your terminal.


After entering the code, GitHub will prompt you to authorize Kurtosis CLI. Kurtosis CLI requests repo access to repositories for the ability to read and pull from private repositories.

OAuth Token Scopes

While repo gives Kurtosis read and write access to private repositories, Kurtosis only performs read operations. GitHub does not support a repo:read OAuth scope, but an alternative is to use a fine-grained personal access token to restrict Kurtosis CLI read/write and repository permissions. This token can be passed to Kurtosis CLI via the kurtosis engine start --github-auth-token=<> flag.

Private Packages within GitHub Orgs

If the private package you'd like to develop on lives in a GitHub org, the organization must also authorize Kurtosis CLI. To have an organization you are a part of authorize Kurtosis CLI, click the Request button next to the organization name on the authorization page, then notify your org admins to accept the request via email.

Once you have authorized Kurtosis CLI, you'll be redirected to a success page.


Now, navigate back to your terminal. Your Kurtosis engine will automatically restart for GitHub auth to take effect.


OAuth Token storage

Behind the scenes, authorizing Kurtosis CLI means GitHub will generate an OAuth token that Kurtosis CLI can use to perform GitHub operations on your behalf. Following GitHub CLI, we attempt to securely store this token in system credential storage. If system credential store is unavailable, we store it in a plain text file in your Kurtosis config directory at kurtosis config path.

Run a Private Package

Now, run a private package! Get the locator of the private package you have access to that you'd like to run that. For this example, we'll assume there's a private package at

kurtosis run

Now, the package should run! Additionally, any locators (e.g. in upload_files or import_module) that refer to resources in private GitHub repositories you have access to, are also authorized.