Artifactory npm "401 Unauthorized" (.npmrc _auth) in CI
npm reached the Artifactory virtual npm repository but Artifactory rejected the request with 401. The registry is up; the .npmrc credential (_auth, _authToken, or the base64 _password) is missing, stale, or was written literally instead of from a secret.
What this error means
npm install or npm publish stops with "npm error code E401" and "npm error 401 Unauthorized - GET https://<host>/artifactory/api/npm/<repo>/<pkg>". Public packages proxied through the same repo also fail.
npm error code E401
npm error 401 Unauthorized - GET https://mycompany.jfrog.io/artifactory/api/npm/npm-virtual/lodash - Bad credentialsCommon causes
The auth token was never written into .npmrc
The step relies on a .npmrc that references ${NPM_AUTH_TOKEN} but the secret was not exported, so npm sends an anonymous request.
A stale or wrong base64 _auth string
Artifactory _auth is base64 of user:password (or an API key). A rotated password or a mangled encoding yields a token Artifactory no longer accepts.
How to fix it
Generate the .npmrc from Artifactory and inject the token
- In Artifactory, use "Set Me Up" on the npm repo to get the exact registry and
_auth/_authTokenlines. - Store the token as a CI secret and reference it in
.npmrc. - Confirm npm reads that
.npmrc(project root orNPM_CONFIG_USERCONFIG).
//mycompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${NPM_AUTH_TOKEN}
registry=https://mycompany.jfrog.io/artifactory/api/npm/npm-virtual/Verify the credential out of band
Curl the registry with the same token to prove it is the credential, not npm config.
curl -H "Authorization: Bearer $NPM_AUTH_TOKEN" \
https://mycompany.jfrog.io/artifactory/api/npm/npm-virtual/lodashHow to prevent it
- Keep Artifactory tokens in CI secrets and reference them by variable in
.npmrc. - Regenerate the
.npmrcfrom "Set Me Up" after any credential rotation. - Never commit a literal
_authstring to the repository.