Skip to content
Latchkey

npm E401 / E403 Private Registry Auth in CI - Fix Registry Authentication

E401 (unauthorized) and E403 (forbidden) from a private registry mean your request was rejected for lack of valid credentials or access. This is a configuration failure, not a transient blip.

What this error means

npm install fails fetching a private or scoped package with code E401 or E403. The same request fails every time because the token is missing, expired, or lacks read access to that package.

npm
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be
invalid.
npm ERR! 401 Unauthorized - GET https://registry.acme.internal/@acme%2fui

Common causes

No auth token configured in CI

The .npmrc in CI has no _authToken for the private registry, so requests are unauthenticated.

The token is expired or lacks access

A revoked, expired, or under-scoped token is rejected for the package you are pulling.

How to fix it

Configure a valid token from a secret

  1. Store the token in a CI secret.
  2. Write it into .npmrc for the private registry before install.
Terminal
echo "//registry.acme.internal/:_authToken=${NPM_TOKEN}" >> .npmrc

Pass the secret through the workflow env

  1. Reference the secret in the step env.
  2. Confirm the token has read access to the scope.
Workflow
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

How to prevent it

  • Provision a non-expiring or rotated CI token with the right scope access, inject it via secrets, and never commit it. Retrying will not fix a bad token; only correcting the credential does.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →