
.netrc File Builder

Build a ~/.netrc file (curl, ftp, git credential) with multiple 'machine HOST' entries (login, password, optional account) and a single 'default' fallback. Rejects passwords with '#' or whitespace (which break parsers) and reminds you to chmod 600.

Add entries (one per line) in the format host login password [account] or default login password.

About ~/.netrc

The ~/.netrc file is read by curl, ftp and git (via a credential helper) for automatic authentication. curl's parser does not support spaces or # inside tokens (this tool rejects those characters). After generating the file, run chmod 600 ~/.netrc; otherwise the tools refuse to use it.

What the .netrc file does

The .netrc file is a 1970s convention for storing login credentials so command-line tools can authenticate non-interactively. It lives at ~/.netrc (or %USERPROFILE%\_netrc on Windows), must be readable only by its owner (chmod 600), and is consumed by curl (--netrc, --netrc-file), wget, the legacy ftp client, git (via credential helpers), Python's urllib and Java's URLConnection. It is plain text — that is both the appeal and the security risk.

File format

Entries are blank-line separated. Each entry has a machine line (or the special default fallback), a login, a password and optionally an account token. Tokens cannot contain spaces or #:

machine ftp.example.com
  login alice
  password s3cret
  account billing

machine github.com
  login alice
  password ghp_xxxxxxxxxxxxxxxxxxxx

default
  login anonymous
  password user@example.com

The default stanza is the fallback for any host not explicitly listed. The deprecated macdef directive was used to define FTP macros and is best avoided.

Security trade-offs and modern alternatives

The file is plain text. Anyone who reads it reads your passwords — including a misconfigured backup, a shared dotfiles repository, a stolen laptop. Stronger alternatives are OS-level keystores: macOS Keychain, GNOME Keyring / KWallet on Linux, Windows Credential Manager. The gh CLI uses the keyring instead of .netrc. For team and server use, HashiCorp Vault, AWS Secrets Manager, Doppler and 1Password CLI are the modern path. In CI, GitHub Actions and GitLab CI inject secrets as environment variables — Docker has dedicated secrets mounts. Use .netrc for personal, short-lived tokens; rotate them often.

Best practices

  • chmod 600 ~/.netrc immediately after creation — curl refuses to read it otherwise.
  • Never commit the file to git or any dotfiles repository.
  • Use short-lived personal access tokens, not long-term passwords.
  • Rotate tokens periodically — quarterly for low-risk, monthly for production credentials.
  • Encrypt the home volume (FileVault, LUKS) so a stolen disk does not reveal the file.
  • Use a separate --netrc-file /path/to/custom.netrc per project when contexts diverge.
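
The format rules and the chmod 600 practice above, as an added example (not this tool's own code): it rejects tokens containing '#' or whitespace, allows one default stanza and writes it last, and creates the file owner-only from the start rather than tightening it afterwards. The function names, the tuple input shape and the sample hosts and credentials are assumptions made for illustration.

```python
import netrc
import os
import stat

FORBIDDEN = set("# \t\r\n")  # characters the page says break .netrc parsers

def build_netrc(entries):
    """entries: (host, login, password[, account]) tuples; host 'default' is the fallback."""
    machines, default = [], None
    for host, login, password, *rest in entries:
        fields = {"login": login, "password": password}
        if rest and rest[0]:
            fields["account"] = rest[0]
        for key, value in {"machine": host, **fields}.items():
            if not value or FORBIDDEN & set(value):
                raise ValueError(f"{host}: {key} is empty or contains '#' or whitespace")
        body = "".join(f"  {k} {v}\n" for k, v in fields.items())
        if host == "default":
            if default is not None:
                raise ValueError("only one 'default' entry is allowed")
            default = "default\n" + body
        else:
            machines.append(f"machine {host}\n" + body)
    # 'default' matches every host, so it is written after all machine entries
    return "\n".join(machines + ([default] if default else []))

def write_private(path, text):
    """Create the file as 0600 from the start instead of chmod-ing it afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # the mode above is ignored if the file already existed
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)

def is_owner_only(path):
    """True when neither group nor others have any permission bit set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

if __name__ == "__main__":
    import tempfile
    # Constructed sample entries; hosts, logins and passwords are placeholders
    sample = [("default", "anonymous", "guest"),
              ("ftp.example.com", "alice", "s3cret", "billing"),
              ("git.example.com", "alice", "tok_PLACEHOLDER")]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "custom.netrc")
        write_private(path, build_netrc(sample))
        print(open(path).read(), "owner-only:", is_owner_only(path))
        print(netrc.netrc(path).authenticators("ftp.example.com"))
```

Parsing the result back with Python's standard netrc module, as the demo does, is a quick round-trip check that the generated stanzas are read the way they were written.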

FAQ

Should I check .netrc into git? No, never. Add .netrc to .gitignore globally (git config --global core.excludesfile ~/.gitignore_global) so you cannot leak it by mistake.

Is .netrc still used in 2026? Yes, in legacy curl, wget and FTP workflows, and as a quick way to script against private APIs from the shell. New software prefers OS keychains and OIDC tokens.

Why must I run chmod 600? curl, ftp and most libraries refuse to read a file with group or world permissions, precisely to prevent leaking credentials by accident.

Is any data sent to a server? No. The file is composed in your browser and written to the output block — nothing is uploaded.
