Wrap the token around the repository, not the account
Wrangler now handles Artifacts namespaces and repositories, plus the metadata that sits around them. You can list namespaces, read namespace metadata, create repositories, list repositories, read repository metadata, and delete repositories from the CLI. The operational point is plain enough: the repository is now the unit that matters, not a broad account bucket with a loose token hanging off it.
That keeps Git access narrower. A repo-scoped token is issued for one repository only, so the token does not need to carry reach across every Artifacts repo in the account. If the token leaks, the blast radius stays close to the repo it was meant for. That is the boundary worth keeping.
Namespace and repository metadata matter here because they give you a way to check what exists before you hand out access. A quick wrangler artifacts namespaces list tells you what namespaces are present. wrangler artifacts namespaces get and wrangler artifacts repos get let you inspect the target before issuing anything. That is the dull part of the job, which is usually the part that stops the awkward call later.
Issue and test repo-scoped access without broadening Git reach
The CLI command that matters most is wrangler artifacts repos issue-token. It issues a repo-scoped token for Git access, tied to the repository you name. Use that token only where repository-level access is needed, not as a convenient stand-in for general Artifacts administration.
The practical sequence is narrow:
- confirm the namespace exists
- confirm the repository exists
- issue a repo-scoped token for that repository
- test Git access against that repo only
That testing step matters because it catches overreach early. If the token works against more than one repository, the boundary has already gone wrong. If it fails on the intended repo, the mistake is usually in the repository target, not in the principle of repo scoping. Either way, you want the failure before someone starts cloning things in anger.
The admin commands in Wrangler also make lifecycle control more direct. wrangler artifacts repos create and wrangler artifacts repos delete sit beside wrangler artifacts repos list and wrangler artifacts repos get, so the same tool can create the repository, inspect it, and remove it again when access should end. That is a clean place to revoke use by deleting the repository or replacing the token, rather than leaving old access tokens to drift around like forgotten SSH keys in a drawer.




