The binary-caches.json format

The binary-caches.json file configures the agent to use a binary cache.

A binary-caches.json with a single pushable cache looks like:

{ "mycache": (1)
    { "kind": "CachixCache" (2)
    , "publicKeys": ... (3)
    , ...
1 The name of the (Cachix) cache; for example the mycache part from
2 A kind field to distinguish between cache types.
3 Further details about the cache.

Top-level dictionary

The top-level object represents a dictionary from cache names to objects with the cache’s details and secrets.

Multiple caches can be specified this way. Currently the cache name in the dictionary is also used directly as the Cachix cache name.

{ "mycache": ...
, "some-other-cache": ...


This is currently the only supported cache kind.

The name for a cache is taken from the key in the top-level dictionary, such as mycache in the example.

The details of a cachix cache can be specified with the following fields:


A field of type string with the value CachixCache.


An optional field of type string.

Omit this field entirely when configuring a publicly readable Cachix cache.

This is a secret token to authenticate the agent to A personal token can be retrieved from the the Getting started instructions, step 3. If you have set up the cachix CLI, it is also present in ~/.config/cachix/cachix.dhall. will provide tokens with restricted authorization in the near future.

When present, its value starts with eyJ.


A list of strings.

These are required to verify the integrity of cached store paths and to accept them into the Nix store. They are the public counterpart to the signingKeys.

You may look up the public keys by going to <cache-name>

A public key looks like


A list of strings.

This is a cache-specific secret key to sign store paths.

You can find it in ~/.config/cachix/cachix.dhall or your key backup after following the setup instructions on

The keys are in Base64 format.

Currently only a single signing key is supported.