To use JFrog Artifactory with Replit, configure your Replit project to use Artifactory as a custom npm or pip registry by storing Artifactory deploy tokens in Replit Secrets (lock icon 🔒) and adding .npmrc or pip.conf configuration files that point to your Artifactory instance. This workflow lets you install private packages from Artifactory and publish build artifacts back to your registry during Replit-based development.
JFrog Artifactory as a Private Registry for Replit Projects
JFrog Artifactory is the standard artifact repository in enterprise software development. Organizations use Artifactory to host private npm packages, internal Python libraries, approved dependency mirrors, and build artifacts. When a Replit developer needs to install a private package from their company's Artifactory instance — whether working on an internal tool, contributing to a corporate project, or consuming an enterprise SDK — they need to configure Replit to authenticate with Artifactory and point the package manager at the correct repository URL.
The Artifactory integration with Replit is a configuration workflow rather than an API integration. It involves three components: the Artifactory instance URL (your company's JFrog Cloud or self-hosted Artifactory), a deploy token or API key for authentication, and configuration files (.npmrc for Node.js, pip.conf for Python) that tell the package manager where to find packages. These configuration files reference secrets stored in Replit Secrets so that credentials are never hardcoded in source-controlled files.
For npm projects in Replit, you configure a virtual repository URL in .npmrc with token-based authentication. When you run npm install in the Replit Shell, npm fetches packages from Artifactory rather than registry.npmjs.org. Artifactory can proxy the public npm registry while adding your private packages — so you do not need to manage separate sources for public and private packages. The same pattern applies to Python pip, Maven (Java), and other package ecosystems supported by Artifactory.
Integration method
JFrog Artifactory integrates with Replit by configuring Replit as an Artifactory client — pointing npm or pip at your Artifactory virtual repository URL instead of the public registry. Deploy tokens stored in Replit Secrets authenticate package downloads and uploads. This lets Replit Repls consume private packages from Artifactory and publish artifacts to Artifactory as part of a CI/CD workflow.
Prerequisites
- A Replit account with a Node.js or Python Repl ready
- Access to a JFrog Artifactory instance (cloud.jfrog.com or self-hosted) with at least one npm or PyPI repository configured
- An Artifactory user account or service account with permission to read from (and optionally write to) the target repository
- A deploy token or API key generated from Artifactory (Settings → User Management → Access Tokens)
Step-by-step guide
Generate an Artifactory Deploy Token
Artifactory uses token-based authentication for programmatic access. You need to generate a deploy token (also called an access token) that your Replit project will use when installing or publishing packages.
Log into your Artifactory instance. Navigate to Administration → User Management → Access Tokens (in JFrog Platform, this may be under your username → Edit Profile → Generate API Key or Identity and Access → Access Tokens). Create a new token with the following settings:
- Token type: Access Token (not reference token)
- Username: your Artifactory username or a service account name
- Scope: Applied permissions for the specific repositories you need to access. For read-only package installation, select 'Read' on the target virtual repository. For publishing, add 'Write' permission.
- Expiry: Set an appropriate expiry. For development tokens that rotate with the project, 1 year is common. For CI/CD, consider shorter-lived tokens.
Copy the generated token immediately — it is shown only once. Also note your Artifactory instance URL (e.g., https://yourcompany.jfrog.io) and the repository names you will use (e.g., npm-virtual for npm packages, pypi-virtual for Python packages). The full registry URL for npm is typically https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/.
Pro tip: Create a dedicated service account (not a personal account) for Replit-to-Artifactory authentication. Service accounts can have minimal scoped permissions and their tokens can be rotated without affecting personal credentials.
Expected result: You have an Artifactory deploy token copied to your clipboard. You know your Artifactory instance URL and the repository names for npm or PyPI packages.
Store Artifactory Credentials in Replit Secrets
Click the lock icon (🔒) in the Replit sidebar to open the Secrets pane. Add the following secrets for your Artifactory integration:
- ARTIFACTORY_URL: your Artifactory instance base URL, e.g., https://yourcompany.jfrog.io
- ARTIFACTORY_TOKEN: the deploy token you generated in Step 1
- ARTIFACTORY_NPM_REGISTRY: the full npm registry URL, e.g., https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
- ARTIFACTORY_PYPI_INDEX: the pip index URL, e.g., https://yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple
These secrets are accessed in configuration files and scripts using shell-style environment variable substitution. You will reference them in the .npmrc and pip.conf files in the next steps. Replit exposes Secrets as environment variables in the Shell and in running processes, so configuration files that use ${ARTIFACTORY_TOKEN} syntax will have the value substituted at runtime.
```python
# Check that Artifactory secrets are configured
import os

required = ['ARTIFACTORY_URL', 'ARTIFACTORY_TOKEN']
for key in required:
    val = os.environ.get(key)
    if not val:
        print(f'MISSING: {key} — add it in Replit Secrets (lock icon 🔒)')
    else:
        # Report presence and length only; never echo a secret's value to the console
        print(f'OK: {key} is set ({len(val)} characters)')
```
Pro tip: Replit Secrets are available as environment variables in the Shell tab, making them accessible in .npmrc configuration files that support ${ENV_VAR} substitution.
Expected result: All Artifactory secrets appear in the Replit Secrets panel. The verification script confirms each variable is present.
Configure npm to Use Artifactory as Registry
Create a .npmrc file in the root of your Replit project to configure npm to use Artifactory as the package registry. This file tells npm where to find packages and how to authenticate. The .npmrc file supports environment variable substitution using the ${VARIABLE_NAME} syntax, which is how you reference your Artifactory credentials without hardcoding them.
There are two registry patterns: scoped registry (for specific package scopes like @your-company/*) and global registry override (replacing the default npm registry entirely with Artifactory). Use scoped for corporate packages alongside public packages; use global override if Artifactory is a proxy that includes all public packages.
After creating .npmrc, test it by running npm install in the Replit Shell. If authentication succeeds, packages will be fetched from Artifactory. If you see 401 errors, verify ARTIFACTORY_TOKEN is set correctly in Secrets.
Note: .npmrc should be committed to your repository if it uses environment variable references (${ARTIFACTORY_TOKEN}) — the secrets themselves are never in the file, only the references. If for any reason you use a plaintext token in .npmrc (not recommended), add .npmrc to .gitignore.
```ini
# .npmrc — Configure npm to use Artifactory registry in Replit
# For scoped packages only (@your-company/* scope)
@your-company:registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
//yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${ARTIFACTORY_TOKEN}

# OR: Global registry override (replace all npm with Artifactory)
# registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
# //yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${ARTIFACTORY_TOKEN}

# For publishing packages back to Artifactory, set publishConfig.registry
# in package.json (it is a package.json field, not an .npmrc key) to:
# https://yourcompany.jfrog.io/artifactory/api/npm/npm-local/

# Optional: set email and always-auth for strict environments
# email=your-service-account@yourcompany.com
# always-auth=true
```
Pro tip: The registry hostname in the _authToken line (//yourcompany.jfrog.io/...) must exactly match the registry URL above it. A mismatch causes npm to skip authentication and you will get 401 errors on private packages.
Expected result: Running npm install @your-company/internal-package in the Replit Shell fetches the package from Artifactory rather than the public npm registry. No 401 authentication errors appear.
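A check for the matching rule in the tip above, as an added example that is not part of the original guide: it parses a .npmrc, applies the page's rule that every registry needs an _authToken key with the same host and path, and flags tokens written literally instead of as ${VAR} references. The function names, the sample files and the literal token value are constructed for illustration.

```python
import os
import re

# Constructed sample .npmrc contents; the hostnames are the guide's placeholders.
GOOD = """\
@your-company:registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
//yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${ARTIFACTORY_TOKEN}
"""
BAD = """\
registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
//yourcompany.jfrog.io/artifactory/api/npm/npm-local/:_authToken=constructed-literal-token
"""

ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
AUTH_SUFFIX = ":_authToken"


def _norm(url_or_key):
    """Reduce 'https://host/path' or '//host/path/' to 'host/path/'."""
    s = re.sub(r"^(https?:)?//", "", url_or_key.strip())
    return s if s.endswith("/") else s + "/"


def check_npmrc(text, env):
    """Return a list of findings for one .npmrc; an empty list means it passed."""
    registries, tokens, findings = {}, set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue  # blank line, comment, or not a key=value setting
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "registry" or key.endswith(":registry"):
            registries[_norm(value)] = n
        elif key.endswith(AUTH_SUFFIX):
            tokens.add(_norm(key[: -len(AUTH_SUFFIX)]))
            if not ENV_REF.match(value):
                findings.append(f"line {n}: literal token in file, use a ${{VAR}} reference")
            elif value[2:-1] not in env:
                findings.append(f"line {n}: {value} is not set in the environment")
    # The guide's rule: the _authToken key must match the registry host and path exactly.
    for reg, n in registries.items():
        if reg not in tokens:
            findings.append(f"line {n}: no _authToken entry matches {reg}")
    return findings


if __name__ == "__main__":
    path = ".npmrc"
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for finding in check_npmrc(fh.read(), os.environ) or ["OK"]:
                print(finding)
```

Run it in the Replit Shell before committing .npmrc; it reports line numbers only and never prints a token value.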
Configure pip to Use Artifactory as PyPI Index
For Python Replit projects, configure pip to use Artifactory as the package index. Create a pip.conf file (or set pip configuration via environment variables) that points to your Artifactory PyPI virtual repository.
The simplest approach in Replit is to set the PIP_INDEX_URL environment variable in your .replit configuration file or shell startup, pointing to your Artifactory PyPI URL with credentials embedded. Alternatively, create a pip.conf file in the project root.
Artifactory's PyPI repository URL includes your credentials using the format: https://username:token@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/. However, embedding credentials in URLs is less secure than using .netrc or pip's --extra-index-url with environment variables. The recommended approach for Replit is to use the PIP_EXTRA_INDEX_URL or PIP_INDEX_URL environment variable with credentials, referencing your Replit Secret via the standard ${ARTIFACTORY_TOKEN} pattern in the .replit file's environment section.
After configuration, test with pip install your-private-package in the Replit Shell. pip should fetch the package from Artifactory's PyPI repository.
```ini
# pip.conf — Configure pip to use Artifactory PyPI in Replit
# Place this file at the project root or at ~/.config/pip/pip.conf

[global]
# Replace the default PyPI with Artifactory virtual repo (which proxies public PyPI)
index-url = https://yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/

# trusted-host is not authentication: it makes pip accept this host without a
# valid HTTPS certificate. Enable it only for an instance that lacks one.
# trusted-host = yourcompany.jfrog.io

# For token auth, the credentials go in the index URL:
# index-url = https://<username>:<token>@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/
# pip does not expand ${VAR} inside pip.conf, so prefer the environment form below.

# --- Alternative: set via environment in .replit ---
# Set in Shell or .replit env section:
# PIP_INDEX_URL=https://username:${ARTIFACTORY_TOKEN}@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/

# --- Install a private package: ---
# pip install your-internal-library
# pip install -r requirements.txt (all packages fetched from Artifactory)
```
Pro tip: For Replit Python projects, setting PIP_INDEX_URL as a Replit Secret (with credentials embedded in the URL) is cleaner than a pip.conf file because it works automatically for pip commands in the Shell without any additional configuration.
Expected result: Running pip install your-private-package in the Replit Shell fetches the package from your Artifactory PyPI repository. Requirements.txt installation also uses Artifactory.
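One way to apply the environment-variable approach described above, as an added example that is not part of the original guide: it builds PIP_INDEX_URL at run time from the Replit Secrets, percent-encodes the credentials, passes the URL only to the pip child process, and masks credentials in captured output. ARTIFACTORY_USER is a hypothetical secret name, and the sample values are constructed.

```python
import os
import re
import subprocess
import sys
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample values; host and repository are the guide's placeholders.
SAMPLE_ENV = {
    "ARTIFACTORY_PYPI_INDEX": "https://yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple",
    "ARTIFACTORY_USER": "svc-replit@yourcompany.com",  # hypothetical secret name
    "ARTIFACTORY_TOKEN": "constructed/token+value=",
}

# Matches the 'user:password@' part of an http(s) URL anywhere in a string.
_CRED = re.compile(r"(https?://)[^/\s:@]+:[^/\s@]+@")


def build_pip_index_url(env):
    """Compose the authenticated index URL that pip reads from PIP_INDEX_URL."""
    parts = urlsplit(env["ARTIFACTORY_PYPI_INDEX"])
    if parts.scheme != "https":
        raise ValueError("index URL must use https so the token is not sent in clear text")
    if parts.username or parts.password:
        raise ValueError("ARTIFACTORY_PYPI_INDEX must not already contain credentials")
    # Percent-encode both fields: a raw '@', ':' or '/' would change how the URL parses.
    user = quote(env["ARTIFACTORY_USER"], safe="")
    token = quote(env["ARTIFACTORY_TOKEN"], safe="")
    netloc = f"{user}:{token}@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def redact(text):
    """Mask user:password in every URL inside text before it is logged."""
    return _CRED.sub(r"\1***:***@", text)


def pip_install(packages, env=os.environ):
    """Run pip with the index URL set only in the child process environment."""
    child_env = dict(os.environ, PIP_INDEX_URL=build_pip_index_url(env))
    proc = subprocess.run(
        [sys.executable, "-m", "pip", "install", *packages],
        env=child_env, capture_output=True, text=True,
    )
    return proc.returncode, redact(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Shows only the redacted form of the URL built from the constructed sample.
    print(redact(build_pip_index_url(SAMPLE_ENV)))
```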
Common use cases
Install Private npm Packages from Artifactory
Configure Replit to install corporate npm packages hosted in Artifactory. Your Replit project uses @your-company/internal-sdk, which is not on public npm but is available in your Artifactory npm repository. With .npmrc configured, npm install works seamlessly from the Replit Shell.
Prompt to try in Replit: Set up a Replit Node.js project that installs private npm packages from our company's Artifactory registry. Configure .npmrc to use the Artifactory URL and authenticate with a deploy token stored in Replit Secrets.
Publish Build Artifacts to Artifactory
Use Replit as a development environment where you build and publish versioned packages to Artifactory. After running tests and building the package in Replit Shell, npm publish pushes the artifact to Artifactory where it becomes available to other teams and CI pipelines.
Prompt to try in Replit: Configure a Replit project to publish an npm package to our Artifactory npm registry. Set up the .npmrc with publish registry pointing to Artifactory and authenticate using a deploy token from Replit Secrets.
Python Project with Private PyPI Packages
Set up a Replit Python project that installs private Python libraries from an Artifactory PyPI repository. Configure pip to use your Artifactory virtual PyPI repository as the index URL so that pip install fetches both public packages and private internal libraries from one source.
Prompt to try in Replit: Configure a Replit Python project to install packages from our Artifactory PyPI repository using a pip.conf that authenticates with a deploy token stored in Replit Secrets.
Troubleshooting
npm install returns 401 Unauthorized for packages from Artifactory
Cause: The ARTIFACTORY_TOKEN secret is not being read by .npmrc, the token has expired, or the _authToken registry host in .npmrc does not exactly match the registry URL.
Solution: Verify ARTIFACTORY_TOKEN is set in Replit Secrets. In the .npmrc, ensure the authentication host line (//yourcompany.jfrog.io/...) exactly matches the hostname and path of the registry URL. Try running npm config list in the Replit Shell to see the active npm configuration and check for any configuration issues.
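```bash
# Test Artifactory authentication directly from Replit Shell
# Prints only the HTTP status code (200 = request accepted, 401 = token rejected);
# -v is avoided because it echoes the Authorization header, token included.
curl -s -o /dev/null -w '%{http_code}\n' \
  -H "Authorization: Bearer ${ARTIFACTORY_TOKEN}" \
  https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
```
pip install returns HTTP 403 or packages are not found in Artifactory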
Cause: The Artifactory token does not have read permissions on the target PyPI repository, or the repository name in the index URL is incorrect.
Solution: In Artifactory, verify the deploy token has read permissions on the PyPI virtual repository. Check the repository name by navigating to Artifactory → Repositories and confirming the exact name. Virtual repositories proxy local and remote repos — ensure the virtual repo includes both the remote (public PyPI mirror) and any local repos with private packages.
Environment variable ${ARTIFACTORY_TOKEN} is not substituted in .npmrc
Cause: npm's .npmrc supports ${VAR} substitution, but only if the variable is set in the current environment. Replit Secrets are available as environment variables, but if the Repl was not restarted after adding a new secret, the variable may not be in scope.
Solution: After adding new secrets in the Replit Secrets panel, stop and restart the Repl to reload environment variables. You can verify by opening the Replit Shell and running echo $ARTIFACTORY_TOKEN to confirm the value is accessible.
npm publish fails with 403 Forbidden when trying to publish to Artifactory
Cause: The deploy token has read-only permissions, or the publishConfig in package.json or .npmrc points to the wrong repository (virtual repositories in Artifactory are typically read-only — publish to local repos, not virtual repos).
Solution: For publishing, configure publishConfig to point to your Artifactory local repository (not virtual). In .npmrc, add a separate entry for the local repo: //yourcompany.jfrog.io/artifactory/api/npm/npm-local/:_authToken=${ARTIFACTORY_TOKEN}. Ensure the token has Deploy permissions on the local repo.
package.json: set publishConfig for the Artifactory local repo:
```json
{
  "publishConfig": {
    "registry": "https://yourcompany.jfrog.io/artifactory/api/npm/npm-local/"
  }
}
```
Best practices
- Store ARTIFACTORY_TOKEN and ARTIFACTORY_URL in Replit Secrets (lock icon 🔒) — never hardcode credentials in .npmrc, pip.conf, or source files
- Use ${ARTIFACTORY_TOKEN} environment variable substitution in .npmrc rather than embedding the token as a plaintext value
- Create a dedicated service account in Artifactory for Replit access with only the minimum repository permissions needed (read for installation, deploy for publishing)
- Use virtual repositories in Artifactory that proxy public registries — this way your Replit project can install both public and private packages from one endpoint
- Set token expiry to a reasonable timeframe and update ARTIFACTORY_TOKEN in Replit Secrets before the token expires to avoid broken builds
- Commit .npmrc and pip.conf to version control since they contain only environment variable references, not actual secrets
- Pin package versions in package.json and requirements.txt — Artifactory caches specific versions, and version ranges can resolve differently when Artifactory's cache is stale
Alternatives
Jenkins is the CI/CD pipeline that typically triggers Artifactory artifact uploads after builds, while Artifactory is the storage layer — the two are complementary rather than competing.
Travis CI can publish artifacts to Artifactory as part of cloud-hosted CI pipelines, offering simpler configuration than Jenkins for open-source or smaller projects.
GitLab includes a built-in Package Registry for npm, PyPI, Maven, and other formats that may replace Artifactory for teams already using GitLab for source control and CI/CD.
Frequently asked questions
How do I configure Replit to use JFrog Artifactory as an npm registry?
Create a .npmrc file in your Replit project root with the Artifactory registry URL and an authentication token reference. Store your deploy token in Replit Secrets as ARTIFACTORY_TOKEN, then reference it in .npmrc as _authToken=${ARTIFACTORY_TOKEN}. When you run npm install in the Replit Shell, packages are fetched from Artifactory.
How do I securely store Artifactory credentials in Replit?
Click the lock icon (🔒) in the Replit sidebar to open the Secrets panel. Add ARTIFACTORY_TOKEN with your Artifactory deploy token value. Reference it in configuration files as ${ARTIFACTORY_TOKEN} — npm and many other tools support this environment variable substitution syntax in their config files.
Can I publish packages from Replit to Artifactory?
Yes. Configure .npmrc with publishConfig pointing to your Artifactory local repository (not virtual), and ensure your deploy token has Deploy permissions on that repository. Run npm publish from the Replit Shell to push the package. For Python, use twine (pip install twine) with --repository-url pointing to your Artifactory PyPI local repo.
Does using Artifactory as a registry slow down package installation in Replit?
If Artifactory is a virtual repository that proxies the public registry and caches packages, installation speed is similar to or faster than direct npm/PyPI access after the first download. Artifactory's cache means subsequent installs of the same package version skip the internet fetch. Latency depends on your Artifactory instance location relative to Replit's server region.
What is the difference between a virtual, local, and remote repository in Artifactory?
Remote repositories proxy external package registries (like npm or PyPI) and cache downloaded packages. Local repositories store packages you publish yourself (private packages). Virtual repositories are aggregations of multiple local and remote repos — you point your package manager at a virtual repo to get access to both public and private packages from one URL.