Skip to content
Latchkey

Artifactory npm "401 Unauthorized" (.npmrc _auth) in CI

npm sent a request to the Artifactory-backed registry with no valid credential. The registry line resolves, but the .npmrc has no _auth/_authToken, or the token is expired.

What this error means

An npm install or npm publish against the Artifactory registry fails with "npm error code E401" and "Unable to authenticate, need: Basic realm". Public installs may still work.

npm
npm error code E401
npm error 401 Unauthorized - GET https://acme.jfrog.io/artifactory/api/npm/npm-virtual/lodash
npm error Unable to authenticate, need: Basic realm="Artifactory Realm"

Common causes

The .npmrc has no auth token for the registry

The registry line points at Artifactory, but there is no matching //host/artifactory/api/npm/repo/:_authToken line, so npm requests anonymously.

A stale or expired token in .npmrc

The token was written once and never refreshed; once expired, every authenticated npm call returns 401.

How to fix it

Generate .npmrc with jf npm-config

  1. Configure the npm repositories for the jf CLI so it writes a correct .npmrc.
  2. Run npm through jf so auth is injected from JF_ACCESS_TOKEN.
  3. Avoid committing tokens; let CI generate the .npmrc at runtime.
Terminal
jf npm-config --repo-resolve npm-virtual --repo-deploy npm-local
jf npm install

Write the auth line explicitly from a secret

If not using jf for npm, set the scoped auth token line from a CI secret.

.npmrc
registry=https://acme.jfrog.io/artifactory/api/npm/npm-virtual/
//acme.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${NPM_TOKEN}

How to prevent it

  • Generate .npmrc at CI time from a secret, never commit the token.
  • Prefer jf npm-config so the CLI manages resolve and deploy repos.
  • Rotate the npm token and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →