# How to Integrate Replit with JFrog Artifactory

- Tool: Replit
- Difficulty: Intermediate
- Time required: 20 minutes
- Last updated: March 2026

## TL;DR

To use JFrog Artifactory with Replit, configure your Replit project to use Artifactory as a custom npm or pip registry by storing Artifactory deploy tokens in Replit Secrets (lock icon 🔒) and adding .npmrc or pip.conf configuration files that point to your Artifactory instance. This workflow lets you install private packages from Artifactory and publish build artifacts back to your registry during Replit-based development.

## JFrog Artifactory as a Private Registry for Replit Projects

JFrog Artifactory is the standard artifact repository in enterprise software development. Organizations use Artifactory to host private npm packages, internal Python libraries, approved dependency mirrors, and build artifacts. When a Replit developer needs to install a private package from their company's Artifactory instance — whether working on an internal tool, contributing to a corporate project, or consuming an enterprise SDK — they need to configure Replit to authenticate with Artifactory and point the package manager at the correct repository URL.

The Artifactory integration with Replit is a configuration workflow rather than an API integration. It involves three components: the Artifactory instance URL (your company's JFrog Cloud or self-hosted Artifactory), a deploy token or API key for authentication, and configuration files (.npmrc for Node.js, pip.conf for Python) that tell the package manager where to find packages. These configuration files reference secrets stored in Replit Secrets so that credentials are never hardcoded in source-controlled files.

For npm projects in Replit, you configure a virtual repository URL in .npmrc with token-based authentication. When you run npm install in the Replit Shell, npm fetches packages from Artifactory rather than registry.npmjs.org. Artifactory can proxy the public npm registry while adding your private packages — so you do not need to manage separate sources for public and private packages. The same pattern applies to Python pip, Maven (Java), and other package ecosystems supported by Artifactory.

## Before you start

- A Replit account with a Node.js or Python Repl ready
- Access to a JFrog Artifactory instance (cloud.jfrog.com or self-hosted) with at least one npm or PyPI repository configured
- An Artifactory user account or service account with permission to read from (and optionally write to) the target repository
- A deploy token or API key generated from Artifactory (Settings → User Management → Access Tokens)

## Step-by-step guide

### 1. Generate an Artifactory Deploy Token

Artifactory uses token-based authentication for programmatic access. You need to generate a deploy token (also called an access token) that your Replit project will use when installing or publishing packages.

Log into your Artifactory instance. Navigate to Administration → User Management → Access Tokens (in JFrog Platform, this may be under your username → Edit Profile → Generate API Key or Identity and Access → Access Tokens).

Create a new token with the following settings:
- Token type: Access Token (not reference token)
- Username: your Artifactory username or a service account name
- Scope: Applied permissions for the specific repositories you need to access. For read-only package installation, select 'Read' on the target virtual repository. For publishing, add 'Write' permission.
- Expiry: Set an appropriate expiry. For development tokens that rotate with the project, 1 year is common. For CI/CD, consider shorter-lived tokens.

Copy the generated token immediately — it is shown only once.

Also note your Artifactory instance URL (e.g., https://yourcompany.jfrog.io) and the repository names you will use (e.g., npm-virtual for npm packages, pypi-virtual for Python packages). The full registry URL for npm is typically https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/.

**Expected result:** You have an Artifactory deploy token copied to your clipboard. You know your Artifactory instance URL and the repository names for npm or PyPI packages.

### 2. Store Artifactory Credentials in Replit Secrets

Click the lock icon (🔒) in the Replit sidebar to open the Secrets pane. Add the following secrets for your Artifactory integration:

ARTIFACTORY_URL: your Artifactory instance base URL, e.g., https://yourcompany.jfrog.io.

ARTIFACTORY_TOKEN: the deploy token you generated in Step 1.

ARTIFACTORY_NPM_REGISTRY: the full npm registry URL, e.g., https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/.

ARTIFACTORY_PYPI_INDEX: the pip index URL, e.g., https://yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple.

These secrets are accessed in configuration files and scripts using shell-style environment variable substitution. You will reference them in the .npmrc and pip.conf files in the next steps. Replit exposes Secrets as environment variables in the Shell and in running processes, so configuration files that use ${ARTIFACTORY_TOKEN} syntax will have the value substituted at runtime.

```
# Check that Artifactory secrets are configured
import os

required = ['ARTIFACTORY_URL', 'ARTIFACTORY_TOKEN']
for key in required:
    val = os.environ.get(key)
    if not val:
        print(f'MISSING: {key} — add it in Replit Secrets (lock icon 🔒)')
    else:
        print(f'OK: {key} = {val[:30]}...')
```

**Expected result:** All Artifactory secrets appear in the Replit Secrets panel. The verification script confirms each variable is present.

### 3. Configure npm to Use Artifactory as Registry

Create a .npmrc file in the root of your Replit project to configure npm to use Artifactory as the package registry. This file tells npm where to find packages and how to authenticate.

The .npmrc file supports environment variable substitution using the ${VARIABLE_NAME} syntax, which is how you reference your Artifactory credentials without hardcoding them.

There are two registration patterns: scoped registry (for specific package scopes like @your-company/*) and global registry override (replacing the default npm registry entirely with Artifactory). Use scoped for corporate packages alongside public packages; use global override if Artifactory is a proxy that includes all public packages.

After creating .npmrc, test it by running npm install in the Replit Shell. If authentication succeeds, packages will be fetched from Artifactory. If you see 401 errors, verify ARTIFACTORY_TOKEN is set correctly in Secrets.

Note: .npmrc should be committed to your repository if it uses environment variable references (${ARTIFACTORY_TOKEN}) — the secrets themselves are never in the file, only the references. If for any reason you use a plaintext token in .npmrc (not recommended), add .npmrc to .gitignore.

```
# .npmrc — Configure npm to use Artifactory registry in Replit
# For scoped packages only (@your-company/* scope)
@your-company:registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
//yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${ARTIFACTORY_TOKEN}

# OR: Global registry override (replace all npm with Artifactory)
# registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/
# //yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/:_authToken=${ARTIFACTORY_TOKEN}

# For publishing packages back to Artifactory
# publishConfig:
#   registry=https://yourcompany.jfrog.io/artifactory/api/npm/npm-local/

# Optional: set email and always-auth for strict environments
# email=your-service-account@yourcompany.com
# always-auth=true
```

**Expected result:** Running npm install @your-company/internal-package in the Replit Shell fetches the package from Artifactory rather than the public npm registry. No 401 authentication errors appear.

### 4. Configure pip to Use Artifactory as PyPI Index

For Python Replit projects, configure pip to use Artifactory as the package index. Create a pip.conf file (or set pip configuration via environment variables) that points to your Artifactory PyPI virtual repository.

The simplest approach in Replit is to set the PIP_INDEX_URL environment variable in your .replit configuration file or shell startup, pointing to your Artifactory PyPI URL with credentials embedded. Alternatively, create a pip.conf file in the project root.

Artifactory's PyPI repository URL includes your credentials using the format: https://username:token@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/. However, embedding credentials in URLs is less secure than using .netrc or pip's --extra-index-url with environment variables.

The recommended approach for Replit is to use the PIP_EXTRA_INDEX_URL or PIP_INDEX_URL environment variable with credentials, referencing your Replit Secret via the standard ${ARTIFACTORY_TOKEN} pattern in the .replit file's environment section.

After configuration, test with pip install your-private-package in the Replit Shell. pip should fetch the package from Artifactory's PyPI repository.

```
# pip.conf — Configure pip to use Artifactory PyPI in Replit
# Place this file at the project root or at ~/.config/pip/pip.conf

[global]
# Replace the default PyPI with Artifactory virtual repo (which proxies public PyPI)
index-url = https://yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/

# Authentication via trusted host (use _authToken in the URL for token auth)
# For token auth, embed in URL:
# index-url = https://<username>:${ARTIFACTORY_TOKEN}@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/

trusted-host = yourcompany.jfrog.io

# --- Alternative: set via environment in .replit ---
# Set in Shell or .replit env section:
# PIP_INDEX_URL=https://username:${ARTIFACTORY_TOKEN}@yourcompany.jfrog.io/artifactory/api/pypi/pypi-virtual/simple/

# --- Install a private package: ---
# pip install your-internal-library
# pip install -r requirements.txt  (all packages fetched from Artifactory)
```

**Expected result:** Running pip install your-private-package in the Replit Shell fetches the package from your Artifactory PyPI repository. Requirements.txt installation also uses Artifactory.

## Best practices

- Store ARTIFACTORY_TOKEN and ARTIFACTORY_URL in Replit Secrets (lock icon 🔒) — never hardcode credentials in .npmrc, pip.conf, or source files
- Use ${ARTIFACTORY_TOKEN} environment variable substitution in .npmrc rather than embedding the token as a plaintext value
- Create a dedicated service account in Artifactory for Replit access with only the minimum repository permissions needed (read for installation, deploy for publishing)
- Use virtual repositories in Artifactory that proxy public registries — this way your Replit project can install both public and private packages from one endpoint
- Set token expiry to a reasonable timeframe and update ARTIFACTORY_TOKEN in Replit Secrets before the token expires to avoid broken builds
- Commit .npmrc and pip.conf to version control since they contain only environment variable references, not actual secrets
- Pin package versions in package.json and requirements.txt — Artifactory caches specific versions, and version ranges can resolve differently when Artifactory's cache is stale

## Use cases

### Install Private npm Packages from Artifactory

Configure Replit to install corporate npm packages hosted in Artifactory. Your Replit project uses @your-company/internal-sdk, which is not on public npm but is available in your Artifactory npm repository. With .npmrc configured, npm install works seamlessly from the Replit Shell.

Prompt example:

```
Set up a Replit Node.js project that installs private npm packages from our company's Artifactory registry. Configure .npmrc to use the Artifactory URL and authenticate with a deploy token stored in Replit Secrets.
```

### Publish Build Artifacts to Artifactory

Use Replit as a development environment where you build and publish versioned packages to Artifactory. After running tests and building the package in Replit Shell, npm publish pushes the artifact to Artifactory where it becomes available to other teams and CI pipelines.

Prompt example:

```
Configure a Replit project to publish an npm package to our Artifactory npm registry. Set up the .npmrc with publish registry pointing to Artifactory and authenticate using a deploy token from Replit Secrets.
```

### Python Project with Private PyPI Packages

Set up a Replit Python project that installs private Python libraries from an Artifactory PyPI repository. Configure pip to use your Artifactory virtual PyPI repository as the index URL so that pip install fetches both public packages and private internal libraries from one source.

Prompt example:

```
Configure a Replit Python project to install packages from our Artifactory PyPI repository using a pip.conf that authenticates with a deploy token stored in Replit Secrets.
```

## Troubleshooting

### npm install returns 401 Unauthorized for packages from Artifactory

Cause: The ARTIFACTORY_TOKEN secret is not being read by .npmrc, the token has expired, or the _authToken registry host in .npmrc does not exactly match the registry URL.

Solution: Verify ARTIFACTORY_TOKEN is set in Replit Secrets. In the .npmrc, ensure the authentication host line (//yourcompany.jfrog.io/...) exactly matches the hostname and path of the registry URL. Try running npm config list in the Replit Shell to see the active npm configuration and check for any configuration issues.

```
# Test Artifactory authentication directly from Replit Shell
curl -H "Authorization: Bearer ${ARTIFACTORY_TOKEN}" \
  https://yourcompany.jfrog.io/artifactory/api/npm/npm-virtual/ \
  -v 2>&1 | grep -E '< HTTP|401|200'
```

### pip install returns HTTP 403 or packages are not found in Artifactory

Cause: The Artifactory token does not have read permissions on the target PyPI repository, or the repository name in the index URL is incorrect.

Solution: In Artifactory, verify the deploy token has read permissions on the PyPI virtual repository. Check the repository name by navigating to Artifactory → Repositories and confirming the exact name. Virtual repositories proxy local and remote repos — ensure the virtual repo includes both the remote (public PyPI mirror) and any local repos with private packages.

### Environment variable ${ARTIFACTORY_TOKEN} is not substituted in .npmrc

Cause: npm's .npmrc supports ${VAR} substitution, but only if the variable is set in the current environment. Replit Secrets are available as environment variables, but if the Repl was not restarted after adding a new secret, the variable may not be in scope.

Solution: After adding new secrets in the Replit Secrets panel, stop and restart the Repl to reload environment variables. You can verify by opening the Replit Shell and running echo $ARTIFACTORY_TOKEN to confirm the value is accessible.

### npm publish fails with 403 Forbidden when trying to publish to Artifactory

Cause: The deploy token has read-only permissions, or the publishConfig in package.json or .npmrc points to the wrong repository (virtual repositories in Artifactory are typically read-only — publish to local repos, not virtual repos).

Solution: For publishing, configure publishConfig to point to your Artifactory local repository (not virtual). In .npmrc, add a separate entry for the local repo: //yourcompany.jfrog.io/artifactory/api/npm/npm-local/:_authToken=${ARTIFACTORY_TOKEN}. Ensure the token has Deploy permissions on the local repo.

```
// package.json — set publishConfig for Artifactory local repo
{
  "publishConfig": {
    "registry": "https://yourcompany.jfrog.io/artifactory/api/npm/npm-local/"
  }
}
```

## Frequently asked questions

### How do I configure Replit to use JFrog Artifactory as an npm registry?

Create a .npmrc file in your Replit project root with the Artifactory registry URL and an authentication token reference. Store your deploy token in Replit Secrets as ARTIFACTORY_TOKEN, then reference it in .npmrc as _authToken=${ARTIFACTORY_TOKEN}. When you run npm install in the Replit Shell, packages are fetched from Artifactory.

### How do I securely store Artifactory credentials in Replit?

Click the lock icon (🔒) in the Replit sidebar to open the Secrets panel. Add ARTIFACTORY_TOKEN with your Artifactory deploy token value. Reference it in configuration files as ${ARTIFACTORY_TOKEN} — npm and many other tools support this environment variable substitution syntax in their config files.

### Can I publish packages from Replit to Artifactory?

Yes. Configure .npmrc with publishConfig pointing to your Artifactory local repository (not virtual), and ensure your deploy token has Deploy permissions on that repository. Run npm publish from the Replit Shell to push the package. For Python, use twine (pip install twine) with --repository-url pointing to your Artifactory PyPI local repo.

### Does using Artifactory as a registry slow down package installation in Replit?

If Artifactory is a virtual repository that proxies the public registry and caches packages, installation speed is similar to or faster than direct npm/PyPI access after the first download. Artifactory's cache means subsequent installs of the same package version skip the internet fetch. Latency depends on your Artifactory instance location relative to Replit's server region.

### What is the difference between a virtual, local, and remote repository in Artifactory?

Remote repositories proxy external package registries (like npm or PyPI) and cache downloaded packages. Local repositories store packages you publish yourself (private packages). Virtual repositories are aggregations of multiple local and remote repos — you point your package manager at a virtual repo to get access to both public and private packages from one URL.

---

Source: https://www.rapidevelopers.com/replit-integration/jfrog-artifactory
© RapidDev — https://www.rapidevelopers.com/replit-integration/jfrog-artifactory
