diff --git a/Cargo.toml b/Cargo.toml
index 4472f5f3e..ff2dff68b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,7 +19,7 @@ path = "src/cargo/lib.rs"
 bytesize = "1.0"
 cargo-platform = { path = "crates/cargo-platform", version = "0.1.2" }
 cargo-util = { path = "crates/cargo-util", version = "0.2.3" }
-crates-io = { path = "crates/crates-io", version = "0.35.0" }
+crates-io = { path = "crates/crates-io", version = "0.35.1" }
 curl = { version = "0.4.44", features = ["http2"] }
 curl-sys = "0.4.59"
 env_logger = "0.10.0"
diff --git a/crates/cargo-test-support/src/registry.rs b/crates/cargo-test-support/src/registry.rs
index fb2fb5ae3..cf4069b79 100644
--- a/crates/cargo-test-support/src/registry.rs
+++ b/crates/cargo-test-support/src/registry.rs
@@ -294,8 +294,8 @@ impl RegistryBuilder {
                     &config_path,
                     format!(
                         "
-                    [registries.{alternative}]
-                    index = '{}'",
+                        [registries.{alternative}]
+                        index = '{}'",
                         registry.index_url
                     )
                     .as_bytes(),
@@ -306,11 +306,11 @@ impl RegistryBuilder {
                     &config_path,
                     format!(
                         "
-                    [source.crates-io]
-                    replace-with = 'dummy-registry'
+                        [source.crates-io]
+                        replace-with = 'dummy-registry'
 
-                    [registries.dummy-registry]
-                    index = '{}'",
+                        [registries.dummy-registry]
+                        index = '{}'",
                         registry.index_url
                     )
                     .as_bytes(),
@@ -799,7 +799,7 @@ impl HttpServer {
         // todo: PASETO with challenges
         // - If the operation is a mutation:
         if let Some(mutation) = mutation {
-            //  - That the operation matches the mutation field an is one of publish, yank, or unyank.
+            //  - That the operation matches the mutation field and is one of publish, yank, or unyank.
             if message.mutation != Some(mutation.mutation) {
                 dbg!(message.mutation);
                 return false;
diff --git a/crates/crates-io/Cargo.toml b/crates/crates-io/Cargo.toml
index f399ef9b4..7d641da9d 100644
--- a/crates/crates-io/Cargo.toml
+++ b/crates/crates-io/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "crates-io"
-version = "0.35.0"
+version = "0.35.1"
 edition = "2021"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/rust-lang/cargo"
diff --git a/src/bin/cargo/commands/login.rs b/src/bin/cargo/commands/login.rs
index 3efa75fb7..d2bd9c166 100644
--- a/src/bin/cargo/commands/login.rs
+++ b/src/bin/cargo/commands/login.rs
@@ -11,15 +11,24 @@ pub fn cli() -> Command {
         .arg_quiet()
         .arg(Arg::new("token").action(ArgAction::Set))
         .arg(opt("registry", "Registry to use").value_name("REGISTRY"))
-        .arg(flag("generate-keypair", "Generate a public/secret keypair").conflicts_with("token"))
         .arg(
-            flag("secret-key", "Prompt for secret key")
+            flag(
+                "generate-keypair",
+                "Generate a public/secret keypair (unstable)",
+            )
+            .conflicts_with("token"),
+        )
+        .arg(
+            flag("secret-key", "Prompt for secret key (unstable)")
                 .conflicts_with_all(&["generate-keypair", "token"]),
         )
         .arg(
-            opt("key-subject", "Set the key subject for this registry")
-                .value_name("SUBJECT")
-                .conflicts_with("token"),
+            opt(
+                "key-subject",
+                "Set the key subject for this registry (unstable)",
+            )
+            .value_name("SUBJECT")
+            .conflicts_with("token"),
         )
         .after_help("Run `cargo help login` for more detailed information.\n")
 }
diff --git a/src/cargo/ops/registry.rs b/src/cargo/ops/registry.rs
index 331b4b113..dea7f703f 100644
--- a/src/cargo/ops/registry.rs
+++ b/src/cargo/ops/registry.rs
@@ -807,7 +807,11 @@ pub fn registry_login(
     let new_token;
     if generate_keypair || secret_key_required || key_subject.is_some() {
         if !config.cli_unstable().registry_auth {
-            panic!("-Zregistry_auth required.");
+            // todo use fail_if_stable_opt
+            bail!(
+                "asymmetric token options are unstable and require the \
+                `-Z registry-auth` option on the nightly channel"
+            );
         }
         assert!(token.is_none());
         // we are dealing with asymmetric tokens
diff --git a/src/cargo/util/auth.rs b/src/cargo/util/auth.rs
index a56a0b2f2..be1208ffa 100644
--- a/src/cargo/util/auth.rs
+++ b/src/cargo/util/auth.rs
@@ -3,9 +3,9 @@
 use crate::util::{config, config::ConfigKey, CanonicalUrl, CargoResult, Config, IntoUrl};
 use anyhow::{bail, format_err, Context as _};
 use cargo_util::ProcessError;
-use pasetors::paserk::FormatAsPaserk;
 use core::fmt;
 use pasetors::keys::{AsymmetricPublicKey, AsymmetricSecretKey};
+use pasetors::paserk::FormatAsPaserk;
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::error::Error;
diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md
index f1473b1ea..3b5626a24 100644
--- a/src/doc/src/reference/unstable.md
+++ b/src/doc/src/reference/unstable.md
@@ -903,7 +903,7 @@ This same flag is also used to enable asymmetric authentication tokens.
 
 Add support for Cargo to authenticate the user to registries without sending secrets over the network.
 
-In [`config.toml`](https://doc.rust-lang.org/cargo/reference/config.html) and `credentials.toml` files there is a field called `private-key`, which is a private key formatted in the secret [subset of `PASERK`](https://github.com/paseto-standard/paserk/blob/master/types/secret.md) and is used to sign asymmetric tokens
+In [`config.toml`](config.md) and `credentials.toml` files there is a field called `private-key`, which is a private key formatted in the secret [subset of `PASERK`](https://github.com/paseto-standard/paserk/blob/master/types/secret.md) and is used to sign asymmetric tokens
 
 A keypair can be generated with `cargo login --generate-keypair` which will:
 - generate a public/private keypair in the currently recommended fashion.
diff --git a/tests/testsuite/login.rs b/tests/testsuite/login.rs
index a6bc93f95..20ef8d1ba 100644
--- a/tests/testsuite/login.rs
+++ b/tests/testsuite/login.rs
@@ -153,3 +153,20 @@ fn bad_asymmetric_token_args() {
         .with_status(1)
         .run();
 }
+
+// todo why do theas hang when run as a test?
+// #[cargo_test]
+// fn asymmetric_requires_nightly() {
+//     cargo_process("login --key-subject=foo")
+//         .with_status(101)
+//         .with_stderr_contains("asymmetric token options are unstable and require the `-Z registry-auth` option on the nightly channel")
+//         .run();
+//     cargo_process("login --generate-keypair")
+//         .with_status(101)
+//         .with_stderr_contains("asymmetric token options are unstable and require the `-Z registry-auth` option on the nightly channel")
+//         .run();
+//     cargo_process("login --secret-key")
+//         .with_status(101)
+//         .with_stderr_contains("asymmetric token options are unstable and require the `-Z registry-auth` option on the nightly channel")
+//         .run();
+// }
diff --git a/tests/testsuite/owner.rs b/tests/testsuite/owner.rs
index 83252e410..9fc960c92 100644
--- a/tests/testsuite/owner.rs
+++ b/tests/testsuite/owner.rs
@@ -115,7 +115,7 @@ fn simple_add_with_asymmetric() {
         .build();
 
     // The http_api server will check that the authorization is correct.
-    // If the authorization was not sent then we wuld get an unauthorized error.
+    // If the authorization was not sent then we would get an unauthorized error.
     p.cargo("owner -a username")
         .arg("-Zregistry-auth")
         .masquerade_as_nightly_cargo(&["registry-auth"])
@@ -182,7 +182,7 @@ fn simple_remove_with_asymmetric() {
         .build();
 
     // The http_api server will check that the authorization is correct.
-    // If the authorization was not sent then we wuld get an unauthorized error.
+    // If the authorization was not sent then we would get an unauthorized error.
     p.cargo("owner -r username")
         .arg("-Zregistry-auth")
         .replace_crates_io(registry.index_url())
diff --git a/tests/testsuite/registry.rs b/tests/testsuite/registry.rs
index 2a90f3aa8..7f5d1e8dd 100644
--- a/tests/testsuite/registry.rs
+++ b/tests/testsuite/registry.rs
@@ -1179,7 +1179,7 @@ fn login_with_asymmetric_key_subject_without_key() {
         .with_status(101)
         .run();
 
-    // ok so ad a secret_key to the credentials
+    // ok so add a secret_key to the credentials
     cargo_process("login --secret-key -v -Z registry-auth")
         .masquerade_as_nightly_cargo(&["registry-auth"])
         .replace_crates_io(registry.index_url())
diff --git a/tests/testsuite/yank.rs b/tests/testsuite/yank.rs
index c36c6ef92..684a04508 100644
--- a/tests/testsuite/yank.rs
+++ b/tests/testsuite/yank.rs
@@ -74,7 +74,7 @@ fn explicit_version_with_asymmetric() {
         .build();
 
     // The http_api server will check that the authorization is correct.
-    // If the authorization was not sent then we wuld get an unauthorized error.
+    // If the authorization was not sent then we would get an unauthorized error.
     p.cargo("yank --version 0.0.1")
         .arg("-Zregistry-auth")
         .masquerade_as_nightly_cargo(&["registry-auth"])