npm E401 / E403 Private Registry Auth in CI - Fix Registry Authentication
E401 (unauthorized) and E403 (forbidden) from a private registry mean your request was rejected for lack of valid credentials or access. This is a configuration failure, not a transient blip.
What this error means
npm install fails fetching a private or scoped package with code E401 or E403. The same request fails every time because the token is missing, expired, or lacks read access to that package.
npm
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be
invalid.
npm ERR! 401 Unauthorized - GET https://registry.acme.internal/@acme%2fuiCommon causes
No auth token configured in CI
The .npmrc in CI has no _authToken for the private registry, so requests are unauthenticated.
The token is expired or lacks access
A revoked, expired, or under-scoped token is rejected for the package you are pulling.
How to fix it
Configure a valid token from a secret
- Store the token in a CI secret.
- Write it into .npmrc for the private registry before install.
Terminal
echo "//registry.acme.internal/:_authToken=${NPM_TOKEN}" >> .npmrcPass the secret through the workflow env
- Reference the secret in the step env.
- Confirm the token has read access to the scope.
Workflow
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}How to prevent it
- Provision a non-expiring or rotated CI token with the right scope access, inject it via secrets, and never commit it. Retrying will not fix a bad token; only correcting the credential does.
Related guides
npm E401 / ENEEDAUTH - Fix Registry Auth and .npmrc Token in CIFix npm E401 "Incorrect or missing auth token" and ENEEDAUTH in CI - a private registry rejecting the request…
npm "403 Forbidden" on Install - Fix Blocked Registry Reads in CIFix npm "E403 403 Forbidden" while installing in CI - a registry or proxy refusing a read your token is not a…
npm .npmrc Auth Token in CI - Configure Registry Credentials SafelyConfigure the npm .npmrc auth token in CI so private installs authenticate, injecting the token from a secret…