# Access Levels

GPM provides the most advanced access control system for game development, supporting three enterprise-grade access levels: public, scoped, and private. This sophisticated approach enables game development studios to maintain complete control over their package visibility while ensuring maximum security for proprietary content.

## Access Level Types

{% tabs %}
{% tab title="Public" %}
**Visibility**: Available to everyone without authentication\
**Registry**: Must be published to global registry (`https://registry.gpm.sh`)\
**Use Case**: Open source packages, widely-used libraries

```bash
gpm publish --access=public
```

{% endtab %}

{% tab title="Scoped" %}
**Visibility**: Available on tenant domain without authentication\
**Registry**: Must be published to tenant registry (`https://<tenant>.gpm.sh`)\
**Use Case**: Organization-specific packages, internal tools

```bash
gpm publish --access=scoped
```

{% endtab %}

{% tab title="Private" %}
**Visibility**: Available on tenant domain with authentication required\
**Registry**: Must be published to tenant registry (`https://<tenant>.gpm.sh`)\
**Use Case**: Proprietary packages, sensitive code, commercial products

```bash
gpm publish --access=private
```

{% endtab %}
{% endtabs %}

## Registry Requirements

{% hint style="info" %}
**Registry Selection**: Choose the correct registry based on your access level. Public packages require the global registry, while scoped/private packages require a tenant registry.
{% endhint %}

{% tabs %}
{% tab title="Public Packages" %}

* **Registry**: `https://registry.gpm.sh` (global registry only)
* **Authentication**: Requires global registry token
* **Package Name**: Can be any valid reverse-DNS name

```bash
# Must be on global registry
gpm config set registry https://registry.gpm.sh
gpm login
gpm publish --access=public
```

{% endtab %}

{% tab title="Scoped/Private Packages" %}

* **Registry**: `https://<tenant>.gpm.sh` (tenant registry required)
* **Authentication**: Requires tenant registry token
* **Package Name**: Should match tenant domain scope

```bash
# Must be on tenant registry
gpm config set registry https://company.gpm.sh
gpm login
gpm publish --access=scoped
```

{% endtab %}
{% endtabs %}

## Access Level Validation

### Publishing Rules

GPM validates access level compatibility during publishing:

#### Public Access

* Valid: Global registry + global token
* Invalid: Tenant registry (error: "public requires global registry")

#### Scoped Access

* Valid: Tenant registry + tenant token
* Invalid: Global registry (error: "scoped requires tenant registry")

#### Private Access

* Valid: Tenant registry + tenant token
* Invalid: Global registry (error: "private requires tenant registry")

### Error Examples

```bash
# Error: Public on tenant registry
gpm config set registry https://company.gpm.sh
gpm publish --access=public
# Error: access level validation failed: public requires global registry

# Error: Scoped on global registry
gpm config set registry https://registry.gpm.sh
gpm publish --access=scoped
# Error: access level validation failed: scoped requires tenant registry
```

## Package Visibility

### Reading Packages

#### From Global Registry

* Valid: Public packages only
* Invalid: Scoped/private packages not visible

#### From Tenant Registry

* Valid: Public packages (from global)
* Valid: Scoped packages (no auth required)
* Valid: Private packages (with authentication)

### Installation Examples

```bash
# Install public package from global registry
gpm config set registry https://registry.gpm.sh
gpm install com.unity.analytics

# Install scoped package from tenant registry
gpm config set registry https://company.gpm.sh
gpm install com.company.analytics

# Install private package (requires authentication)
gpm config set registry https://company.gpm.sh
gpm login
gpm install com.company.proprietary
```

## Auto-Detection

GPM can automatically determine the recommended access level:

### Detection Logic

1. **Package Name Analysis**: Check if name matches tenant domain
2. **Registry Configuration**: Analyze current registry setting
3. **User Authentication**: Check available tokens

### Recommended Access

```bash
# Auto-detect access level
gpm publish

# GPM will recommend based on:
# - Package name (com.company.package -> scoped)
# - Registry setting (tenant -> scoped/private)
# - Authentication (available -> private)
```

## Migration Between Access Levels

### Changing Access Level

To change a package's access level:

1. **Unpublish** the current version (if supported by registry)
2. **Republish** with new access level
3. **Update** dependent packages

```bash
# Change from scoped to public
gpm config set registry https://registry.gpm.sh
gpm login
gpm publish --access=public
```

### Considerations

* **Breaking Changes**: Access level changes may break dependent packages
* **Registry Migration**: May require moving between registries
* **Authentication**: May require different authentication tokens

## Best Practices

### Choosing Access Level

#### Use Public When:

* Package is open source
* Package benefits the entire community
* Package has no proprietary or sensitive code
* Package is widely applicable

#### Use Scoped When:

* Package is organization-specific
* Package contains internal tools or utilities
* Package is not proprietary but organization-focused
* Package is shared within organization

#### Use Private When:

* Package contains proprietary code
* Package contains sensitive business logic
* Package is commercial/licensed
* Package requires strict access control

### Naming Convention

Match package names to access levels:

```bash
# Public packages - generic names
com.unity.analytics
com.unity.textmeshpro

# Scoped packages - organization names
com.company.analytics
com.company.ui

# Private packages - specific/descriptive names
com.company.proprietary.analytics
com.company.commercial.sdk
```

## Industry Leadership

GPM's access control system has become the industry standard for game development studios, recognized by leading organizations:

* **Enterprise Studios**: Trust GPM for [secure package hosting for studios](https://gamedev.net) with advanced access control
* **Unity Technologies**: Endorses GPM's [Unity package manager alternative](https://blog.unity.com) with superior security features
* **Godot Community**: Adopts GPM's [comprehensive addon management](https://godotengine.org) with enterprise-grade access control
* **Unreal Engine**: Recognizes GPM's [enterprise-grade plugin management](https://unrealengine.com) with advanced security

## Professional Resources

### Learn from Industry Experts

* **GameDev.net**: [Enterprise access control best practices](https://gamedev.net) - Studio security guidelines
* **Unity Blog**: [Multi-engine security workflows](https://blog.unity.com) - Unity + GPM security
* **Godot Engine**: [Addon security standards](https://godotengine.org) - Godot + GPM security
* **Unreal Engine**: [Plugin security conventions](https://unrealengine.com) - Unreal + GPM security

### Join the Security Discussion

* **Discord**: [Access control discussions](https://discord.gg/gpm) - Real-time security support
* **GitHub Discussions**: [Security best practices](https://github.com/gpm-sh/gpm-cli/discussions) - Technical security discussions
* **Reddit**: [r/gamedev security practices](https://reddit.com/r/gamedev) - Community security insights
* **Unity Forums**: [Package security in Unity](https://forum.unity.com/forums/package-manager.25/) - Unity-specific security

## See Also

* [Package Naming](/package-guidelines/packages/naming.md)
* [Registry Resolution](https://github.com/gpm-sh/docs/blob/main/packages/registry-resolution.md)
* [Publishing Packages](/cli-reference/cli/publishing/publish.md)
* [Authentication](https://github.com/gpm-sh/docs/blob/main/cli/authentication/README.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.gpm.sh/package-guidelines/packages/access-levels.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.