Nexus npm "npm ERR! 401 Unauthorized" on publish in CI
npm sent no valid credential to the Nexus npm registry, so Nexus returned 401. Nexus expects a base64 user:password in _auth (or an npm token) scoped to the hosted npm repository URL.
What this error means
npm publish or npm install against the Nexus registry fails with "npm ERR! code E401" and "npm ERR! 401 Unauthorized - PUT https://nexus.example.com/repository/npm-hosted/...".
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT
https://nexus.example.com/repository/npm-hosted/@acme%2fapp - UnauthorizedCommon causes
No auth token in .npmrc for the registry
The CI .npmrc points at the Nexus registry but has no _auth or //host/repository/npm-hosted/:_authToken, so npm publishes anonymously and gets 401.
Wrong auth encoding for a Nexus npm repo
Nexus npm expects base64 of username:password in _auth; a plaintext password or a token for a different repo will not authenticate.
How to fix it
Write a credentialed .npmrc from secrets
- Base64-encode the Nexus
username:passwordinto an_authvalue. - Write .npmrc in CI with the registry URL and
_authfrom secrets. - Publish so npm sends the Authorization header.
registry=https://nexus.example.com/repository/npm-hosted/
_auth=${NEXUS_NPM_AUTH_B64}
always-auth=true
email=ci@example.comGenerate the base64 auth in the pipeline
Compute _auth from CI secrets so the password is never committed.
echo -n "$NEXUS_USERNAME:$NEXUS_PASSWORD" | base64How to prevent it
- Keep NEXUS_USERNAME/NEXUS_PASSWORD in CI secrets and derive _auth at runtime.
- Set
always-auth=trueso reads and writes both authenticate. - Publish to the hosted npm repo URL, not a group/proxy.