Skip to content
Latchkey

Renovate hostRules 401 for a private registry in CI

Renovate authenticates to private registries through hostRules. A 401 means no valid token was sent for that host: either there is no hostRules entry, the matchHost does not match the feed, or the referenced secret resolved to empty.

What this error means

Renovate logs a 401 or 403 for a private registry host during dependency lookup or lockfile update, and packages from that feed are never updated.

Renovate
WARN: Received a 401 (Unauthorized) response
  hostType: npm
  host: pkgs.internal.example.com

Common causes

No hostRules entry for the registry host

Without a hostRules rule matching the host, Renovate sends unauthenticated requests and the feed returns 401.

matchHost mismatch or an empty token

A matchHost that does not match the actual host, or a secret that resolved to empty, leaves the request unauthenticated.

How to fix it

Add a matching hostRules entry

  1. Set matchHost to the exact registry host.
  2. Set hostType to the ecosystem (npm, pypi, docker, maven).
  3. Provide the token from an encrypted value or environment secret.
renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "hostRules": [
    {
      "matchHost": "pkgs.internal.example.com",
      "hostType": "npm",
      "token": "{{ secrets.NPM_INTERNAL_TOKEN }}"
    }
  ]
}

Verify scope for a persistent 403

A 403 authenticates but lacks access. Confirm the token belongs to a principal permitted to read that feed or package.

How to prevent it

  • Keep a hostRules entry for each private registry host.
  • Match matchHost exactly and set the correct hostType.
  • Store tokens as encrypted secrets, never in plaintext config.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →