npm "403 Forbidden" on Install - Fix Blocked Registry Reads in CI
A 403 on install (not publish) means the registry authenticated the request but refused the read. The token is valid, but policy - a blocked package, an entitlement, or a proxy rule - forbids fetching it.
What this error means
npm install/npm ci fails with E403 403 Forbidden - GET for a package, even though authentication succeeds for other packages. It is a permission/policy refusal, not a missing package (404) or bad auth (401).
npm error code E403
npm error 403 Forbidden - GET https://registry.internal/@acme%2fpkg
npm error Package "@acme/pkg" is blocked by policy / not entitled for this token.Common causes
The token lacks entitlement to read the package
On a private/proxy registry, a token may authenticate but not be entitled to a particular scope or package, so reads return 403.
A proxy or security policy blocks the package
A pull-through proxy with an allowlist/denylist (or a vulnerability policy) can forbid specific packages or versions with a 403.
How to fix it
Use a token entitled for the scope
Authenticate with a token that has read access to the package’s scope on the right registry.
npm config get registry
# ensure the scope maps to the entitled registry and token:
cat .npmrc
# @acme:registry=https://registry.internal
# //registry.internal/:_authToken=${NPM_TOKEN}Check proxy/policy rules
- Confirm the package/version is allowed by the proxy’s policy.
- Verify the token’s entitlements cover the scope being read.
- If a vulnerability policy blocks a version, pin to an allowed one.
How to prevent it
- Grant CI tokens read entitlement for every scope they install.
- Keep proxy allowlists in sync with your dependency set.
- Pin to versions your security policy permits.