Hey Brett,

I think it would also be nice to have a "password command" option wherein a command would be run every time it needs the token. For instance:

token_cmd='pass pkgctltoken'

That way there isn't a token hanging around in the environment.

That is exactly the idea behind the environment variable, the MR[0] with the manpage entry and prompt regarding the token just wasn't merged yet.
You can create an alias for pkgctl like the following in your bash- or zshrc, just note the quoting:

$ alias pkgctl='DEVTOOLS_GITLAB_TOKEN="$(command to obtain token)" pkgctl'

So the command is evaluated each time when pkgctl is invoked on the shell and the token does not hang around in the environment :)
If you want to, you can also have a look at this configuration in my dotfiles[1].

cheers,
gromit

[0] https://gitlab.archlinux.org/archlinux/devtools/-/merge_requests/144/diffs#2af9d23df78ef3e268721604c5f8d3fd15a52a13_0_24
[1] https://github.com/christian-heusel/dotfiles/blob/b591506816f8034d67479dfa63431dab4fa156e5/roles/shell-configuration/templates/zshrc.j2#L97
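
The quoting note in the reply above, shown as an added example that is not part of the original message or of devtools: the same alias body stored with single quotes fetches the token on each run, while double quotes fetch it once at definition time and bake it into the alias text. `get_token`, `fake_pkgctl`, `LAZY_ALIAS` and `EAGER_ALIAS` are constructed stand-ins, and `eval` stands in for alias expansion.

```shell
#!/bin/sh
# Constructed stand-ins (assumptions, not devtools code):
#   get_token          plays "command to obtain token" and logs every run
#   $WORK/fake_pkgctl  plays pkgctl: a child process reporting the token it sees
unset DEVTOOLS_GITLAB_TOKEN
WORK=$(mktemp -d)
CALLS="$WORK/calls"
: > "$CALLS"
cat > "$WORK/fake_pkgctl" <<'EOF'
printf '%s' "${DEVTOOLS_GITLAB_TOKEN:-unset}"
EOF

get_token() {
    echo call >> "$CALLS"
    printf 'token-%s' "$(wc -l < "$CALLS" | tr -d ' ')"
}

# Number of times the token command has run so far.
token_calls() { wc -l < "$CALLS" | tr -d ' '; }

# Single quotes: $(...) is stored literally and runs on every invocation.
LAZY_ALIAS='DEVTOOLS_GITLAB_TOKEN="$(get_token)" sh "$WORK/fake_pkgctl"'

# Double quotes: $(...) runs once, right here, and the token is baked into
# the alias text (where `alias` would print it for the whole session).
EAGER_ALIAS="DEVTOOLS_GITLAB_TOKEN=\"$(get_token)\" sh \"\$WORK/fake_pkgctl\""

# eval stands in for alias expansion, which non-interactive shells may disable.
run_lazy()  { eval "$LAZY_ALIAS"; }
run_eager() { eval "$EAGER_ALIAS"; }

printf 'lazy:  %s\neager: %s\n' "$LAZY_ALIAS" "$EAGER_ALIAS"
```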