initial draft of rfc for crates.io username

[carols10cents]

For crates.io team feedback!

Updated rendered as of 2026-04-06

[Turbo87]

thanks for your work @carols10cents! :)

[jtgeibel]

Just a few general comment from me:

• We should allow for an id:1234 form that would be tied to the primary key of the users table. This would provide a stable identifier that always points to the same user even if they rename their account.
• We should document what we consider to be a valid username. Based on on the current GitHub rules, I'm thinking:
  • Only allow alphanumeric characters [a-zA-Z0-9] and hyphens -.
  • Hyphens must not appear at the start or end of the name, and cannot show up as consecutive characters.
  • Cap the length to something reasonable (GH is capped at 39 characters).
  • Additionally, maybe we should require at least 1 non-numeric character, to avoid potential confusion with id numbers. (Though if GH doesn't already deny this we might have some existing usernames that would break this rule.)
• We should document that usernames are case-insensitive, such that username, UserName, etc. are considered equivalent. Like we do with crate names we would probably store the original casing and apply a distinct constraint to a normalized version of the column.

(I've largely inferred the GitHub username rules from what is documented in their enterprise SAML documentation regarding username normalization.)

[eth3lbert]

I think it would be less confusing/surprising to users if we used a consistent registration process for all users. What I've seen on most other services is a flow that looks more like this:

• user clicks on "login with XXX" button
• server checks if a corresponding account on XXX is known
  • if yes: login successful
• server shows the user a "register your account" page with a username field that is prefilled with the username from XXX
• the username fields checks for collisions with existing usernames on the server and only lets the user register once they've chosen a free username

it would probably also make sense to have the user confirm their email address in the same registration form. I could also imagine that the registration form then triggers a email verification and only after verification activates the account, but I guess that is somewhat orthogonal and not directly related to this RFC :)

Yeah, this is exactly the flow I had in mind too. I’m also not a fan of syncing usernames automatically, much like Tobi mentioned earlier. There might be significantly more work required once we support multiple login methods, such as handling a user who logs in with GitHub first and then tries other methods later. However, I think the first step is helping users understand that their crates.io username might not map 1:1 to their GitHub handle or other future providers. Other than that, Tobi has already covered most of the points I noticed at first glance.

Regarding the warning icon or text, I’m wondering if we should also display it in the owners' section of the crate page sidebar?

[LawnGnome]

I haven't had a chance to dig into the reference section in depth yet, but here are some high level thoughts, as promised.

I think I'm with @Turbo87 that we're going to need some sort of prefixed alias type thing for this to be viable from a user experience perspective (so github:LawnGnome as a valid identifier). As I mentioned below, I'm not sure if we then also need some sort of fully qualified user name like crates.io:LawnGnome as a requirement, but it's probably ultimately going to be needed at least as an optional thing for ambiguous situations.

Overall, though, I think this aligns well with my own thoughts, and my concerns are mostly around the edges. Feels like we're on the right track. Thanks for writing this up!

[carols10cents]

• Only allow alphanumeric characters [a-zA-Z0-9] and hyphens -.

No underscore?

Actually, I think I just figured it out-- we have github usernames with underscores in them in users.gh_login now, but I think GitHub does enterprise integration by adding _[enterprise name] to the end of the github username, so regular non-enterprise github accounts aren't allowed to have underscores.

But I think we need to allow them so that all current usernames are valid, and I think we're going to want to do the same (important but annoying) hyphen/underscore normalization for uniqueness that we use for crate names.

[carols10cents]

• Additionally, maybe we should require at least 1 non-numeric character, to avoid potential confusion with id numbers. (Though if GH doesn't already deny this we might have some existing usernames that would break this rule.)

Yeah just checked and GitHub allows all-numeric usernames. Ex: https://github.com/1141265442

So I think we'll have to allow that too.

[carols10cents]

Regarding the warning icon or text, I’m wondering if we should also display it in the owners' section of the crate page sidebar?

Yup, I have that already around line 55, bolded here:

When you visit a user's page at https://crates.io/users/example_username, see a user account
listed as an owner of a crate in the crate's sidebar, or run cargo owner add example_username
and the account's crates.io username differs from the GitHub username associated with the account,
you will see a warning icon similar to ⚠️

Do you have any suggestions on how to make this clearer?

[carols10cents]

• We should allow for an id:1234 form that would be tied to the primary key of the users table. This would provide a stable identifier that always points to the same user even if they rename their account.

I've added this as an unresolved question. On one hand, I'm not sure that this is needed; on the other hand, this is something we could add today independently of this RFC, if we wanted.

[carols10cents]

Ok I think I've resolved all the comments! I tried to make changes in topical commits so that wouldn't be terrible to review just what changed commit-by-commit, but I'm also interested in how the RFC reads overall. Here's an updated rendered link.

[Turbo87]

only made it to the "Rationale and alternatives" section before I ran out of time, but it's looking great so far. only got a few small comments :)

[Turbo87]

do we really want to add support for other services to this API? in my mind these prefixes were only meant for the disambiguation that is currently needed because people assume GitHub/crates.io username match up, but I'm not sure we need to support e.g. gitlab:foo

[carols10cents]

To me, it's a safety+convenience thing. If someone knows the gitlab username of the person they'd like to add, and they want to be really confident they're adding the right person without having to first go verify that their crates.io username does or does not match, this gives them a convenient way to be confident.

[jtgeibel]

No underscore?

Thanks for double checking against the database (on this and that all-numeric usernames already exist too). My understanding was that GH didn't allow underscores because usernames must be valid DNS hostnames. Presumably, enterprise accounts don't get a subdomain under github.io.

Regarding an id:1234 form:

I've added this as an unresolved question. On one hand, I'm not sure that this is needed; on the other hand, this is something we could add today independently of this RFC, if we wanted.

Thanks for adding that. I agree this could be done independently. I was thinking it would be useful as a stable identifier for cargo owner commands, but at the same time adding/removing an owner is a one-off command and probably isn't hard-coded into scripts very often.

[carols10cents]

Ok, I'm feeling like this is in good enough shape to open as a real RFC maybe immediately after our meeting this week - please register any objections before then!

Updated rendered link

[joshtriplett]

• Only allow alphanumeric characters [a-zA-Z0-9] and hyphens -.

No underscore?

Actually, I think I just figured it out-- we have github usernames with underscores in them in users.gh_login now, but I think GitHub does enterprise integration by adding _[enterprise name] to the end of the github username, so regular non-enterprise github accounts aren't allowed to have underscores.

But I think we need to allow them so that all current usernames are valid, and I think we're going to want to do the same (important but annoying) hyphen/underscore normalization for uniqueness that we use for crate names.

Ah, just found this comment after I reviewed the RFC.

Would be helpful to have this rationale included. But I'm also wondering if we could handle this another way, and avoid needing the underscore/hyphen normalization code.

[carols10cents]

Would be helpful to have this rationale included. But I'm also wondering if we could handle this another way, and avoid needing the underscore/hyphen normalization code.

I can add that... Do you have any ideas on how to handle this another way? I can't think of anything that wouldn't cause disruption for existing usernames :(

[carols10cents]

This is now a real RFC! If you've gotten here somehow, please go comment on rust-lang/rfcs#3946 instead :) Archiving this repo!