[FEATURE] Support GITHUB_TOKEN / GIT_ASKPASS for plugin marketplace git operations

Resolved 💬 3 comments Opened Apr 17, 2026 by liamd-rokt Closed Apr 20, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

claude plugin marketplace add cannot clone private GitHub
repositories in environments that rely on external credential
helpers (e.g., GIT_ASKPASS, GITHUB_TOKEN, GH_TOKEN).

The CLI spawns its own git clone subprocess, but does not pass
through standard git authentication environment variables. This
means that even though git clone works correctly in the user's
terminal (via credential helpers), the same operation fails when
triggered by claude plugin marketplace add.

Reproduction

In an environment where git HTTPS authentication is provided via
GIT_ASKPASS:

This works — git respects GIT_ASKPASS
git clone https://github.com/my-org/my-private-marketplace.git
✓ Cloning into 'my-private-marketplace'...

This fails — claude CLI does not pass GIT_ASKPASS to its git
subprocess
claude plugin marketplace add
https://github.com/my-org/my-private-marketplace
✘ HTTPS authentication failed. Please ensure your credential
helper is configured

Setting GITHUB_TOKEN also doesn't work
GITHUB_TOKEN=ghp_xxx claude plugin marketplace add
https://github.com/my-org/my-private-marketplace
✘ HTTPS authentication failed.

Workaround

Pre-clone the repo manually, then point the marketplace at the
local path:

git clone https://github.com/my-org/my-private-marketplace.git \
~/.claude/plugins/marketplaces/my-marketplace

claude plugin marketplace add
~/.claude/plugins/marketplaces/my-marketplace
claude plugin install my-plugin

This works but requires additional scripting and means claude
plugin marketplace update won't be able to pull new changes (same
auth issue).

Embedding token in URL — security concern

Embedding a token directly in the URL does work:

claude plugin marketplace add "https://x-access-token:${TOKEN}@gi
thub.com/my-org/my-marketplace"

However, the CLI stores the full token in plaintext in
~/.claude/settings.json:

```{
"extraKnownMarketplaces": {
"my-marketplace": {
"source": {
"source": "git",
"url": "https://x-access-token:ghp_XXXX@github.com/my-org
/my-marketplace.git"
}
}
}
}

         
  This is a security risk — tokens persisted on disk can be leaked 
  via backups, dotfile syncing, or compromised environments.       
                                                                   
  
  ---     

### Proposed Solution                                  
                                                                   
  Support standard git authentication mechanisms in the CLI's git  
  operations:                                                      
                                                                   
  1. Inherit GIT_ASKPASS — pass through the existing GIT_ASKPASS   
  environment variable to the git subprocess. This is how many     
  CI/CD systems and remote development environments (Coder, Gitpod,
   Codespaces) provide credentials.                                
  2. Read GITHUB_TOKEN / GH_TOKEN — use these environment variables
   to authenticate HTTPS clones, consistent with how gh CLI and    
  GitHub Actions work.                                             
  3. Inherit git credential helpers — respect the user's configured
   credential.helper in their git config.                          
  4. If token-in-URL is supported, don't persist it — redact       
  credentials from the stored URL in settings.json and re-resolve  
  them at clone/update time from environment variables.            

### Alternative Solutions

_No response_

### Priority

Medium - Would be very helpful

### Feature Category

CLI commands and flags

### Use Case Example                                              

  This is particularly important for:                              
                                                                   
  - Remote development environments (Coder, Gitpod, Codespaces)    
  where auth is provided via credential helpers, not SSH keys or gh
   auth login                                                      
  - CI/CD pipelines where tokens are injected as environment       
  variables                                                        
  - Organizations distributing private plugin marketplaces to their
   teams — the marketplace add + install should work with the same 
  auth the user already has for git 

### Additional Context

  Environment                                                      
                                                                   
  - Claude Code CLI v2.1.112                                       
  - Linux (Alpine-based container)                                 
  - Git authentication provided via GIT_ASKPASS credential helper  
                                                                   

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗