From db6ed512e4aee58b4cffd1abfcd35853a8e11bc9 Mon Sep 17 00:00:00 2001
From: Enrico Bolzonello <enribolzonello@gmail.com>
Date: Thu, 26 Mar 2026 16:27:35 +0100
Subject: [PATCH 1/2] test(auth): add tests showing token rejected behavior for
 alt registries

---
 tests/testsuite/registry_auth.rs | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tests/testsuite/registry_auth.rs b/tests/testsuite/registry_auth.rs
index ed02b381c79..6961fca1aeb 100644
--- a/tests/testsuite/registry_auth.rs
+++ b/tests/testsuite/registry_auth.rs
@@ -448,6 +448,36 @@ Caused by:
         .run();
 }
 
+#[cargo_test]
+fn incorrect_token_bearer_scheme() {
+    let _registry = RegistryBuilder::new()
+        .alternative()
+        .auth_required()
+        .no_configure_token()
+        .http_index()
+        .build();
+
+    let p = make_project();
+    cargo(&p, "build")
+        .env("CARGO_REGISTRIES_ALTERNATIVE_TOKEN", "Bearer incorrect")
+        .with_status(101)
+        .with_stderr_data(str![[r#"
+[UPDATING] `alternative` index
+[ERROR] failed to get `bar` as a dependency of package `foo v0.0.1 ([ROOT]/foo)`
+
+Caused by:
+  token rejected for `alternative`, please run `cargo login --registry alternative`
+  or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+
+Caused by:
+  failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
+  body:
+  Unauthorized message from server.
+
+"#]])
+        .run();
+}
+
 #[cargo_test]
 fn anonymous_alt_registry() {
     // An alternative registry that requires auth, but is not in the config.

From 487983c96c44963cd51ef3adda165abbe1a4aa44 Mon Sep 17 00:00:00 2001
From: Enrico Bolzonello <enribolzonello@gmail.com>
Date: Thu, 26 Mar 2026 16:40:20 +0100
Subject: [PATCH 2/2] fix(auth); add auth scheme hint to token rejected error
 for alt registries

---
 src/cargo/util/auth/mod.rs            | 16 ++++++++++++++++
 tests/testsuite/credential_process.rs |  3 ++-
 tests/testsuite/registry_auth.rs      | 10 ++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/src/cargo/util/auth/mod.rs b/src/cargo/util/auth/mod.rs
index fc8179d8d8b..76e2d78afd7 100644
--- a/src/cargo/util/auth/mod.rs
+++ b/src/cargo/util/auth/mod.rs
@@ -400,6 +400,8 @@ pub struct AuthorizationError {
     reason: AuthorizationErrorReason,
     /// Should `cargo login` and the `_TOKEN` env var be included when displaying this error?
     supports_cargo_token_credential_provider: bool,
+    /// Whether the cached token appears to lack an authentication scheme (no space found).
+    token_lacks_scheme: Option<bool>,
 }
 
 impl AuthorizationError {
@@ -416,12 +418,17 @@ impl AuthorizationError {
             credential_provider(gctx, &sid, false, false)?
                 .iter()
                 .any(|p| p.first().map(String::as_str) == Some("cargo:token"));
+        let cache = gctx.credential_cache();
+        let token_lacks_scheme = cache
+            .get(sid.canonical_url())
+            .map(|entry| !entry.token_value.as_deref().expose().contains(' '));
         Ok(AuthorizationError {
             sid,
             default_registry: gctx.default_registry()?,
             login_url,
             reason,
             supports_cargo_token_credential_provider,
+            token_lacks_scheme,
         })
     }
 }
@@ -461,6 +468,15 @@ impl fmt::Display for AuthorizationError {
                     "\nYou may need to log in using this registry's credential provider"
                 )?;
             }
+
+            if self.reason == AuthorizationErrorReason::TokenRejected {
+                if self.token_lacks_scheme == Some(true) {
+                    write!(
+                        f,
+                        "\nnote: the token does not include an authentication scheme"
+                    )?;
+                }
+            }
             Ok(())
         } else if self.reason == AuthorizationErrorReason::TokenMissing {
             write!(
diff --git a/tests/testsuite/credential_process.rs b/tests/testsuite/credential_process.rs
index f86e349fcb3..0918330c284 100644
--- a/tests/testsuite/credential_process.rs
+++ b/tests/testsuite/credential_process.rs
@@ -104,6 +104,7 @@ fn credential_provider_auth_failure() {
 [UPDATING] `alternative` index
 [ERROR] token rejected for `alternative`
 You may need to log in using this registry's credential provider
+[NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from [..]
@@ -629,7 +630,7 @@ fn basic_provider() {
             eprintln!("CARGO={:?}", std::env::var("CARGO").ok());
             eprintln!("CARGO_REGISTRY_NAME_OPT={:?}", std::env::var("CARGO_REGISTRY_NAME_OPT").ok());
             eprintln!("CARGO_REGISTRY_INDEX_URL={:?}", std::env::var("CARGO_REGISTRY_INDEX_URL").ok());
-            print!("sekrit"); 
+            print!("sekrit");
         }"#)
         .build();
     cred_proj.cargo("build").run();
diff --git a/tests/testsuite/registry_auth.rs b/tests/testsuite/registry_auth.rs
index 6961fca1aeb..6954c72b0d7 100644
--- a/tests/testsuite/registry_auth.rs
+++ b/tests/testsuite/registry_auth.rs
@@ -231,6 +231,7 @@ Caused by:
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -272,6 +273,7 @@ Caused by:
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -316,6 +318,7 @@ Caused by:
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -410,6 +413,7 @@ Caused by:
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN
+  [NOTE] the token does not include an authentication scheme
 
 Caused by:
   failed to get successful HTTP response from `http://127.0.0.1:[..]/index/config.json`, got 401
@@ -465,6 +469,12 @@ fn incorrect_token_bearer_scheme() {
 [UPDATING] `alternative` index
 [ERROR] failed to get `bar` as a dependency of package `foo v0.0.1 ([ROOT]/foo)`
 
+Caused by:
+  failed to load source for dependency `bar`
+
+Caused by:
+  unable to update registry `alternative`
+
 Caused by:
   token rejected for `alternative`, please run `cargo login --registry alternative`
   or use environment variable CARGO_REGISTRIES_ALTERNATIVE_TOKEN