Skip to content
Latchkey

npm "403 Forbidden" on Install - Fix Blocked Registry Reads in CI

A 403 on install (not publish) means the registry authenticated the request but refused the read. The token is valid, but policy - a blocked package, an entitlement, or a proxy rule - forbids fetching it.

What this error means

npm install/npm ci fails with E403 403 Forbidden - GET for a package, even though authentication succeeds for other packages. It is a permission/policy refusal, not a missing package (404) or bad auth (401).

npm output
npm error code E403
npm error 403 Forbidden - GET https://registry.internal/@acme%2fpkg
npm error Package "@acme/pkg" is blocked by policy / not entitled for this token.

Common causes

The token lacks entitlement to read the package

On a private/proxy registry, a token may authenticate but not be entitled to a particular scope or package, so reads return 403.

A proxy or security policy blocks the package

A pull-through proxy with an allowlist/denylist (or a vulnerability policy) can forbid specific packages or versions with a 403.

How to fix it

Use a token entitled for the scope

Authenticate with a token that has read access to the package’s scope on the right registry.

Terminal
npm config get registry
# ensure the scope maps to the entitled registry and token:
cat .npmrc
# @acme:registry=https://registry.internal
# //registry.internal/:_authToken=${NPM_TOKEN}

Check proxy/policy rules

  1. Confirm the package/version is allowed by the proxy’s policy.
  2. Verify the token’s entitlements cover the scope being read.
  3. If a vulnerability policy blocks a version, pin to an allowed one.

How to prevent it

  • Grant CI tokens read entitlement for every scope they install.
  • Keep proxy allowlists in sync with your dependency set.
  • Pin to versions your security policy permits.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →