Skip to main content

npm Security

If Anonymous Access is enabled, any anonymous user has read access to the repositories and repository groups. If disabled or write access is required for publishing a package, the user needs to authenticate to the repository manager. There are two methods to authenticate npm with your repository manager; you should only use one at a time.

Authentication Using Realm and Login

This authentication method requires thenpm Bearer Token Realm. Simply add the realm to the active realms in the Realms section of the Security menu from the Administration menu to activate it as documented in Realms.

Once the realm is activated, a npm CLI user can establish the authentication to a repository with the npm adduser ( npm login is an equivalent alias ) command.

Note that due to breaking changes to authentication introduced in npm version 9, you must include --auth-type=legacy in the command as illustrated below.

npm adduser --auth-type=legacy --registry=http://localhost:8081/repository/npm-internal/

Provide your repository manager username and password as well as an email address when prompted. Upon successful completion, a line for authentication of this combination is automatically added to your .npmrc configuration file for the specific repository.

Despite its name, the npm adduser command does not actually create a user account inside Nexus Repository. It merely associates a token with an existing user account and allows the CLI to store that token for re-use.

Authentication Using Basic Auth

In some instances you cannot use the realm and login method, for example if you have a username which includes capital letters (disallowed by npm login). In these you can still use npm by configuring it to use basic auth with your repository manager. This authentication method involves editing the .npmrc configuration file adding an encoded username and password as well as configuring authentication to always occur. It is considered the less flexible of the methods supported.

The _auth variable has to be generated by base64-encoding the string of username:password. You can create this encoded string with the command line call to openssl e.g. for the admin user using password admin123:

echo -n 'admin:admin123' | openssl base64

Other tools for the encoding are uuencode or, for Windows users, certutil. To use certutil on Windows you need to put the credentials to be encoded into a file:



Ensure your file does not have extra whitespace or a trailing line separator as either of these will negatively impact the resultant output.

Then run:

c:\certutil /encode in.txt out.txt 

After this the base64 encoded credentials can be found in between the begin and end certificate lines in the output file:



Whatever tool you use to generate the encoded username and password string can be tested by encoding the string admin:admin123 , which should result in YWRtaW46YWRtaW4xMjM= . Another example is jane:testpassword123 which should result in amFuZTp0ZXN0cGFzc3dvcmQxMjM=.

Once you have encoded credentials they can be added to the .npmrc file, along with your author email and enabled authentication (below your already entered registry configuration). For example, for admin/admin123:

Proxying and Authenticating in Package Manager Clients

In order to configure a package manager client, you will first need to retrieve your user token from Nexus Repository.

Retrieve the base64 encoded string from your user token by taking the following steps:

1. After logging in, navigate to your Account and select the User Token option.

2. Select Access user token.

3. Provide your password to authenticate.

4. Scroll to the field called "Use the following for a base64 representation of "user:password"

5. Select Copy to Clipboard.

Then, follow the instructions for your package manager client below using your base64 value wherever you see "base64token" in the examples.


1. Configure the registry using a line like the following example:

npm config set registry="https://nexus.example/repository/repository-name/"

2. Configure authentication using a line like the following example:

npm config set _auth="base64token"

3. Check the current configuration using the following:

npm config ls


1. Configure the registry using a line like the following example:

yarn config set registry "https://nexus.example/repository/repository-name"

2. Configure authentication using code like the following example:

npm config set always-auth=true
npm config set _auth="base64token"

3. Check the current configuration using the following:

yarn config list