Integrate JFrog Artifactory with Lovable by storing your Artifactory base URL and API token in Cloud Secrets, then creating a Supabase Edge Function that calls Artifactory's REST API to fetch npm package metadata or download artifacts. This turns Artifactory into a private npm registry your Lovable app can query at runtime for dependency info, version lists, or internal package downloads.
Using Artifactory as a private package registry with Lovable
JFrog Artifactory is the package management backbone of thousands of enterprise development teams. It stores private npm packages, proxies public registries like npmjs.com, and provides an auditable, access-controlled store for every artifact your team produces. For Lovable app developers who need to query internal package versions, display dependency metadata, or serve download links for internal tools, Artifactory's REST API is the access layer.
Because Artifactory sits behind authentication, you cannot call it directly from a browser without exposing your API token. Lovable's Edge Function pattern solves this: your Artifactory credentials live in Cloud Secrets (encrypted, inaccessible from the frontend), and the Edge Function mediates every request. The Lovable app can then display package version lists, check if a specific version exists, or generate time-limited download URLs — all without the user ever seeing your Artifactory credentials.
This integration differs from RapidAPI in intent: RapidAPI helps you discover and consume third-party public APIs, while Artifactory manages packages and binaries your own team produces or curates. The integration patterns are similar (Edge Function proxy with a secret API key), but Artifactory calls tend to be internal tooling scenarios rather than end-user-facing features.
Integration method
Artifactory's REST API requires an authentication header (either Bearer token or Basic auth) on every request, so calls must be proxied through a Lovable Edge Function rather than made from the browser. You store your Artifactory base URL and API token in Cloud Secrets, create a Supabase Edge Function that queries the Artifactory REST API for package metadata or artifact downloads, and your Lovable frontend calls that Edge Function. This keeps your credentials invisible to end users and resolves any CORS restrictions on the Artifactory server.
Prerequisites
- A JFrog Artifactory instance — either JFrog Cloud (cloud.jfrog.com) or a self-hosted server accessible from the internet
- An Artifactory user account with read access to the repository you want to query
- An Artifactory API token (generated in User Settings → API Key or Identity Tokens)
- The base URL of your Artifactory instance (e.g., https://yourcompany.jfrog.io/artifactory)
- A Lovable project with Lovable Cloud enabled and the Cloud tab accessible
Step-by-step guide
Generate an Artifactory API token
Generate an Artifactory API token
Log in to your Artifactory instance and navigate to your user profile by clicking your username in the top-right corner, then selecting 'Edit Profile' or 'User Settings'. In the Authentication Settings section, you will see either an 'API Key' field or an 'Identity Tokens' section depending on your Artifactory version. For Artifactory 7.x and JFrog Cloud, use Identity Tokens: click 'Generate Token', give it a descriptive name like 'lovable-integration', select an expiry period appropriate for your use case, and click 'Generate'. Copy the token immediately — Artifactory will not show it again after you close the dialog. For older Artifactory versions, click 'Generate API Key' in the Authentication Settings section and copy the displayed key. Note your Artifactory base URL from the browser address bar — it typically follows the pattern https://yourcompany.jfrog.io/artifactory for cloud instances or https://artifactory.yourcompany.com/artifactory for self-hosted. You will need both the token and the base URL in the next step. Also identify the repository key (short name) of the npm repository you want to query — find it on the Artifactory home page under 'Repositories'.
Pro tip: Create a dedicated service account in Artifactory with read-only permissions for the repositories your Lovable app needs, rather than using your personal account's token.
Expected result: You have an Artifactory API token copied to your clipboard and know your instance's base URL and repository key.
Store Artifactory credentials in Cloud Secrets
Store Artifactory credentials in Cloud Secrets
In your Lovable project, click the '+' icon next to the preview to open side panels, then select the Cloud tab. Scroll to the Secrets section and add two secrets. First, click 'Add Secret', set the Name to ARTIFACTORY_BASE_URL, and paste your full Artifactory base URL (e.g., https://yourcompany.jfrog.io/artifactory) as the Value — include the trailing /artifactory path segment but no trailing slash. Click 'Save'. Then click 'Add Secret' again, set the Name to ARTIFACTORY_TOKEN, and paste the API token or identity token you generated. Click 'Save'. Both secrets are now encrypted and stored in Lovable's red zone, accessible only from Edge Functions via Deno.env.get(). Never include these values in Lovable chat prompts, frontend components, or any file that is committed to your GitHub repository. Lovable's security layer blocks approximately 1,200 hardcoded credentials per day — storing credentials in secrets is both the secure and the operationally correct approach, as it allows you to rotate tokens without changing any code.
Pro tip: If you rotate your Artifactory token (good practice every 90 days), just update the ARTIFACTORY_TOKEN secret in Cloud — no code changes needed.
Expected result: ARTIFACTORY_BASE_URL and ARTIFACTORY_TOKEN both appear in the Cloud tab Secrets panel with masked values.
Create an Artifactory npm metadata Edge Function
Create an Artifactory npm metadata Edge Function
Prompt Lovable to create an Edge Function that calls the Artifactory REST API. For npm package metadata, the Artifactory API endpoint follows the pattern GET /api/npm/{repo-key}/{package-name} which returns version lists, dist-tags, and metadata in the standard npm registry format. Your Edge Function should accept a package name as a query parameter, construct the Artifactory URL from the secret base URL, call the API with the Bearer token authentication header, and return the relevant fields. Include CORS headers so your Lovable React frontend can call the function from the browser. Add error handling for 401 Unauthorized (token expired or missing), 404 Not Found (package does not exist in the repo), and network errors. The function should also handle the case where ARTIFACTORY_BASE_URL or ARTIFACTORY_TOKEN secrets are not configured and return a descriptive 500 error rather than crashing silently.
Create a Supabase Edge Function at supabase/functions/artifactory-npm/index.ts. It should accept query parameters: 'package' (npm package name) and 'repo' (Artifactory repository key, default to 'npm-local'). Read ARTIFACTORY_BASE_URL and ARTIFACTORY_TOKEN from Deno.env. Call GET {ARTIFACTORY_BASE_URL}/api/npm/{repo}/{package} with Authorization: Bearer {ARTIFACTORY_TOKEN}. Return the package name, latest version, all available versions array, and last modified date. Handle 401 by returning 'Invalid Artifactory token', 404 by returning 'Package not found', and include CORS headers.
Paste this in Lovable chat
1// supabase/functions/artifactory-npm/index.ts2import { serve } from "https://deno.land/std@0.168.0/http/server.ts";34const corsHeaders = {5 "Access-Control-Allow-Origin": "*",6 "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",7};89serve(async (req) => {10 if (req.method === "OPTIONS") {11 return new Response("ok", { headers: corsHeaders });12 }1314 try {15 const url = new URL(req.url);16 const packageName = url.searchParams.get("package");17 const repo = url.searchParams.get("repo") ?? "npm-local";1819 if (!packageName) {20 return new Response(21 JSON.stringify({ error: "package parameter is required" }),22 { status: 400, headers: { ...corsHeaders, "Content-Type": "application/json" } }23 );24 }2526 const baseUrl = Deno.env.get("ARTIFACTORY_BASE_URL");27 const token = Deno.env.get("ARTIFACTORY_TOKEN");2829 if (!baseUrl || !token) {30 return new Response(31 JSON.stringify({ error: "Artifactory secrets not configured" }),32 { status: 500, headers: { ...corsHeaders, "Content-Type": "application/json" } }33 );34 }3536 const artifactoryUrl = `${baseUrl}/api/npm/${repo}/${encodeURIComponent(packageName)}`;3738 const response = await fetch(artifactoryUrl, {39 headers: {40 "Authorization": `Bearer ${token}`,41 "Accept": "application/json",42 },43 });4445 if (response.status === 401) {46 return new Response(47 JSON.stringify({ error: "Invalid Artifactory token — check ARTIFACTORY_TOKEN secret" }),48 { status: 401, headers: { ...corsHeaders, "Content-Type": "application/json" } }49 );50 }5152 if (response.status === 404) {53 return new Response(54 JSON.stringify({ error: `Package '${packageName}' not found in repository '${repo}'` }),55 { status: 404, headers: { ...corsHeaders, "Content-Type": "application/json" } }56 );57 }5859 if (!response.ok) {60 return new Response(61 JSON.stringify({ error: `Artifactory error: ${response.status}` }),62 { status: response.status, headers: { ...corsHeaders, "Content-Type": "application/json" } }63 );64 }6566 const data = await response.json();67 const versions = data.versions ? Object.keys(data.versions) : [];68 const latest = data["dist-tags"]?.latest ?? versions[versions.length - 1] ?? null;6970 return new Response(71 JSON.stringify({72 name: data.name,73 latest,74 versions,75 description: data.description ?? "",76 modified: data.time?.modified ?? null,77 }),78 { headers: { ...corsHeaders, "Content-Type": "application/json" } }79 );80 } catch (error) {81 return new Response(82 JSON.stringify({ error: error.message }),83 { status: 500, headers: { ...corsHeaders, "Content-Type": "application/json" } }84 );85 }86});Pro tip: Artifactory's npm API endpoint follows the standard npm registry protocol, so the response shape matches what you would get from registry.npmjs.org — the versions object keys are version strings.
Expected result: Lovable deploys the Edge Function. Visiting the function URL with a ?package=your-package-name parameter returns JSON with version metadata.
Query artifact storage info for non-npm artifacts
Query artifact storage info for non-npm artifacts
If you need to query generic artifact metadata (Docker images, Maven JARs, raw binaries) rather than npm packages, use Artifactory's storage API instead. The storage API endpoint GET /api/storage/{repo-key}/{path/to/artifact} returns file info including size, checksums, download URI, and last modified timestamp. For listing the contents of a directory, the same endpoint returns a children array when the path is a folder. This is useful for building release browser UIs where users can see all artifacts in a given directory and get download information. Adjust the Edge Function from Step 3 to accept a path parameter instead of a package name, and call the storage API endpoint. The authentication mechanism (Bearer token header) is identical across all Artifactory REST API endpoints, so only the URL path changes. If you need to actually serve file downloads (not just metadata), your Edge Function can fetch the artifact bytes using the downloadUri from the storage API response and stream them back as a binary response with appropriate Content-Disposition headers.
Update the Artifactory Edge Function to also handle a /storage path. When the request includes a 'path' parameter instead of 'package', call GET {ARTIFACTORY_BASE_URL}/api/storage/{repo}/{path} and return the name, size, download_uri, checksums, and last_modified fields from the response.
Paste this in Lovable chat
Pro tip: The Artifactory storage API returns a children array for directories and a downloadUri string for individual files — check which one you receive to determine whether to render a folder browser or a file download button.
Expected result: The Edge Function handles both npm metadata and generic storage queries, returning appropriate data structures for each.
Build the package browser UI in Lovable
Build the package browser UI in Lovable
With the Edge Function deployed and tested, describe the UI you want to Lovable in a chat prompt. For a developer portal use case, you might want a search input, a package name autocomplete, a version list table, and a copy-to-clipboard button for the install command. For a release browser, a file tree with folder navigation and download buttons is more appropriate. Lovable will generate the React component that calls your Edge Function with the appropriate parameters. Make sure to specify how you want loading states, empty states (no results found), and error states displayed. If your Artifactory instance requires a specific repository key that users should not need to know about, hardcode it as the default in your Edge Function or pass it as a static prop from your component — do not expose internal repository names in your UI unless they are meaningful to users.
Add an npm package lookup panel to the developer tools page. It should have a text input for a package name and a Search button. On submit, call the Edge Function at /functions/v1/artifactory-npm?package={name}&repo=npm-local. Show the package name, latest version, and a scrollable list of all versions in a card. For each version, show a copy button that copies 'npm install {package}@{version}' to the clipboard. Show a spinner while loading and an inline error if the package is not found.
Paste this in Lovable chat
Pro tip: If your Artifactory npm repository proxies the public npm registry in addition to private packages, add a note in the UI to indicate which packages are private versus proxied from npmjs.com.
Expected result: The package browser UI is functional in your deployed Lovable app, returning real package metadata from your Artifactory instance.
Common use cases
Display available versions of an internal npm package
Build an internal developer portal in Lovable that lists all published versions of your company's private npm packages stored in Artifactory. The Edge Function queries the Artifactory npm API for a given package name and returns the version list, publish dates, and latest tag for display in your portal's UI.
Create an Edge Function at supabase/functions/artifactory-versions/index.ts that accepts a package name query parameter, calls the Artifactory npm metadata endpoint at ${ARTIFACTORY_BASE_URL}/api/npm/{repo-key}/{package-name} using an Authorization header with my ARTIFACTORY_TOKEN from Cloud Secrets, and returns the list of available versions as JSON. Then add a search input and results list to the developer portal page that calls this function.
Copy this prompt to try it in Lovable
Check if a specific artifact version exists before triggering a deploy
In a release management tool built on Lovable, validate that a specific artifact version exists in Artifactory before allowing a deployment to proceed. The Edge Function calls the Artifactory artifact info endpoint, returns a boolean indicating whether the artifact exists, and your UI shows a green check or red warning accordingly.
Add an artifact validation step to the deploy form. Before enabling the Deploy button, call an Edge Function that queries Artifactory for the artifact at the path the user entered. Use the Artifactory storage API endpoint GET /api/storage/{repo-key}/{path} with ARTIFACTORY_BASE_URL and ARTIFACTORY_TOKEN from Cloud Secrets. Return whether the artifact exists and its size. Show a success badge or error message next to the path input.
Copy this prompt to try it in Lovable
Serve download links for internal binary releases
Build an internal release distribution page in Lovable where team members can browse and download versioned binary releases stored in Artifactory. The Edge Function generates authenticated download URLs or proxies the file download, so users only need to be authenticated to your Lovable app — not to Artifactory directly.
Create a release download page that lists files from the Artifactory repository at ARTIFACTORY_BASE_URL/repo/releases/ using a GET /api/storage call. Show the file name, size, and last modified date in a table. Add a Download button for each file that calls another Edge Function which fetches the artifact bytes using my ARTIFACTORY_TOKEN and streams them back as a file download response.
Copy this prompt to try it in Lovable
Troubleshooting
Edge Function returns 401 Unauthorized from Artifactory
Cause: The ARTIFACTORY_TOKEN secret is incorrect, expired, or the user associated with the token does not have read access to the repository.
Solution: Log into Artifactory and navigate to User Settings to verify your token is still valid or generate a new one. Check that the token has read permissions for the repository you are querying. Update the ARTIFACTORY_TOKEN secret in Cloud → Secrets with the new token value.
Artifactory returns 404 for a package you know exists
Cause: The repository key in your API call does not match the actual repository name in Artifactory, or the package path is using incorrect URL encoding.
Solution: Log into Artifactory and find the exact repository key on the Repositories page — it is case-sensitive and may differ from the repository display name. For npm scoped packages (e.g., @company/package), ensure the package name is URL-encoded: @company%2Fpackage.
1const artifactoryUrl = `${baseUrl}/api/npm/${repo}/${encodeURIComponent(packageName)}`;Cannot connect to self-hosted Artifactory — connection refused or timeout
Cause: Your self-hosted Artifactory server is behind a firewall or VPN and is not accessible from Lovable's Edge Function runtime (Deno Deploy infrastructure).
Solution: Supabase Edge Functions run on Deno Deploy's global edge network and must be able to reach your Artifactory server over a public internet connection. If your Artifactory is on a private network, you will need to either whitelist Supabase's IP ranges or use JFrog Cloud instead of self-hosted.
Edge Function returns 'Artifactory secrets not configured' even after adding secrets
Cause: The secret names in Cloud Secrets do not exactly match the strings used in Deno.env.get() calls — Deno environment variable names are case-sensitive.
Solution: Open Cloud tab → Secrets and confirm the names are exactly ARTIFACTORY_BASE_URL and ARTIFACTORY_TOKEN (all caps, underscores, no spaces). In your Edge Function code, verify the Deno.env.get() calls use the exact same strings.
1const baseUrl = Deno.env.get("ARTIFACTORY_BASE_URL");2const token = Deno.env.get("ARTIFACTORY_TOKEN");Best practices
- Use a dedicated Artifactory service account with read-only permissions for your Lovable integration rather than a personal account token — this limits the blast radius if the token is ever compromised.
- Rotate your Artifactory API token every 90 days and update the ARTIFACTORY_TOKEN secret in Cloud to match — no code changes are required.
- Never store the Artifactory base URL or token in frontend code, environment variable files, or Lovable chat prompts.
- Cache frequently requested package metadata in your Supabase database to reduce calls to Artifactory and improve response times for end users.
- Scope your Edge Function to specific repository keys your app legitimately needs — do not build a generic proxy that accepts arbitrary repository names from the frontend, as this could expose unintended repositories.
- Log Artifactory API errors in Cloud → Logs and set up Supabase alerts for repeated 401 or 403 responses, which may indicate a compromised or expired token.
- For production use, use JFrog's Identity Tokens with short expiry windows rather than long-lived API keys.
- Test your Edge Function against both existing and non-existing package names before building the UI, so you know exactly what error shapes to handle in your React components.
Alternatives
RapidAPI is an API marketplace for discovering and consuming third-party public APIs, while Artifactory manages private packages and binaries your own team produces.
Docker Hub and registries handle container images, while Artifactory manages a broader range of artifact types including npm, Maven, Docker, and generic binaries in one place.
GitLab Package Registry offers built-in npm and Docker registry capabilities directly in your GitLab project, which may be simpler if your team already uses GitLab for source control.
Frequently asked questions
Does Lovable support Artifactory as an npm registry for building the app itself?
No. Lovable manages its own build environment and you cannot configure its npm registry to point to your Artifactory instance during the build process. The integration described here is for runtime API calls — your Lovable app calls Artifactory's REST API at runtime to display package metadata or serve downloads. For using private packages during development, clone your Lovable project to GitHub and configure npm locally.
Can I use Basic Auth instead of a Bearer token for Artifactory?
Yes. Artifactory supports Basic Auth using your username and encrypted password. In your Edge Function, replace the Bearer token header with Authorization: Basic {base64(username:encryptedPassword)}. Store the base64-encoded credential string as a single secret in Cloud Secrets. However, JFrog recommends using API tokens or Identity Tokens over Basic Auth for programmatic access.
Can my Lovable app download actual artifact files through this integration?
Yes, but with a size caveat. Supabase Edge Functions have a 2MB response body limit. For small artifacts (CLI tools, config files, JSON data), your Edge Function can fetch the artifact bytes from Artifactory and stream them back as a file download. For large binaries, a better pattern is to return the Artifactory download URI from your Edge Function and redirect the browser to it — this requires your Artifactory instance to be publicly accessible or to generate a time-limited signed URL.
What Artifactory REST API version should I use?
Use the Artifactory REST API v1 (the standard /api/ prefix) for most operations — it covers npm metadata, storage info, file search, and downloads. JFrog also offers an Artifactory REST API v2 for newer JFrog Platform features. The code examples in this guide use v1 which is available on all Artifactory versions from 6.x onward.
Can RapidDev help configure a custom Artifactory integration for a more complex use case?
Yes. For complex scenarios such as streaming large binary downloads, implementing Artifactory webhook receivers in Lovable, or building a full release management portal, RapidDev's team can help design and implement the Edge Function architecture and Supabase data model.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation