Skip to main content


The authentication is tied to the auth plugin you are using. The package restrictions are also handled by the Package Access.

The client authentication is handled by the npm client itself. Once you log in to the application:

npm adduser --registry http://localhost:4873

A token is generated in the npm configuration file hosted in your user home folder. For more information about .npmrc read the official documentation.

cat .npmrc

Anonymní publikování

verdaccio allows you to enable anonymous publish. To achieve that you will need to correctly set up your packages access.


access: $anonymous
publish: $anonymous
proxy: npmjs

As is described on issue #212 until npm@5.3.0 and all minor releases won't allow you publish without a token.

Principy skupin

The meaning of $all and $anonymous

As you know Verdaccio uses htpasswd by default. That plugin does not implement the methods allow_access, allow_publish and allow_unpublish. Thus, Verdaccio will handle that in the following way:

  • Pokud nejste přihlášení (jste anonymní), $all a $anonymous znamenají to samé.
  • If you are logged in, $anonymous won't be part of your groups and $all will match any logged user. A new group $authenticated will be added to your group list.

Nastavení $all bude odpovídat všem uživatelům, přihlášeným i nepřihlášeným.

The previous behavior only applies to the default authentication plugin. If you are using a custom plugin and such plugin implements allow_access, allow_publish or allow_unpublish, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.


  • logged: $all, $authenticated, + skupiny přidané doplňkem
  • anonymous (odhlášený): $all a $anonymous.

Default htpasswd

In order to simplify the setup, verdaccio uses a plugin based on htpasswd. Since version v3.0.x the verdaccio-htpasswd plugin is used by default.

file: ./htpasswd
# Maximum amount of users allowed to register, defaults to "+inf".
# You can set this to -1 to disable registration.
#max_users: 1000
fileřetězecAno./htpasswdvšechnysoubor, který obsahuje šifrované přihlašovací údaje
max_usersčísloNe1000všechnynastavit limit uživatelů

In case to decide do not allow user to login, you can set max_users: -1.