Artifactory npm "401 Unauthorized" (.npmrc _auth) in CI
npm sent a request to the Artifactory-backed registry with no valid credential. The registry line resolves, but the .npmrc has no _auth/_authToken, or the token is expired.
What this error means
An npm install or npm publish against the Artifactory registry fails with "npm error code E401" and "Unable to authenticate, need: Basic realm". Public installs may still work.
npm error code E401
npm error 401 Unauthorized - GET https://acme.jfrog.io/artifactory/api/npm/npm-virtual/lodash
npm error Unable to authenticate, need: Basic realm="Artifactory Realm"Common causes
The .npmrc has no auth token for the registry
The registry line points at Artifactory, but there is no matching //host/artifactory/api/npm/repo/:_authToken line, so npm requests anonymously.
A stale or expired token in .npmrc
The token was written once and never refreshed; once expired, every authenticated npm call returns 401.
How to fix it
Generate .npmrc with jf npm-config
- Configure the npm repositories for the jf CLI so it writes a correct
.npmrc. - Run npm through jf so auth is injected from JF_ACCESS_TOKEN.
- Avoid committing tokens; let CI generate the
.npmrcat runtime.
jf npm-config --repo-resolve npm-virtual --repo-deploy npm-local
jf npm installWrite the auth line explicitly from a secret
If not using jf for npm, set the scoped auth token line from a CI secret.
registry=https://acme.jfrog.io/artifactory/api/npm/npm-virtual/
//acme.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${NPM_TOKEN}How to prevent it
- Generate
.npmrcat CI time from a secret, never commit the token. - Prefer
jf npm-configso the CLI manages resolve and deploy repos. - Rotate the npm token and update the secret in one place.