Try JFrog
Guides
Contact SupportTry JFrog
Start typing to search…
  1. Integrations
  2. JFrog CLI
  3. CLI Configuration

Enterprise Configuration

Configuration Directory Structure

The default configuration directory is ~/.jfrog/. You can change it with the JFROG_CLI_HOME_DIR environment variable. Inside this directory you find:

  • config — Server configurations and credentials (JSON format)
  • Cached data for plugins and dependencies
  • Transfer state data for transfer-files operations

Note: Do not edit the config file manually when using jf config commands. Manual edits may cause corruption or encryption mismatches.

Configuration File Structure

The ~/.jfrog/config file stores server entries. Each entry has a unique ID and contains URL, authentication method, and optional TLS settings. The format is JSON or a compatible structure.

Configuration Encryption

Set JFROG_CLI_ENCRYPTION_KEY to encrypt stored passwords and tokens. The key must be set before adding a configuration and each time you run commands that use it.

Warning: If you set JFROG_CLI_ENCRYPTION_KEY when adding a configuration, you must set the same key every time you use that configuration. If you lose the encryption key, the stored credentials cannot be recovered — you must remove the configuration with jf config rm and re-add it.

You can also use file-based encryption. See Configuring the CLI for details on both encryption methods.

Multi-Server Support

You can add multiple servers with different IDs. Use jf config use <server-id> to switch the active server. The JFROG_CLI_SERVER_ID environment variable overrides the active server for a single command or session.

# Add multiple servers
jf c add dev-server --url=https://dev.jfrog.io --access-token=... --interactive=false
jf c add prod-server --url=https://prod.jfrog.io --access-token=... --interactive=false

# Switch active server
jf c use prod-server

# Override per-command
jf rt ping --server-id=dev-server

CI/CD Configuration

In CI/CD pipelines, use non-interactive mode:

  • Set CI=true to disable interactive prompts
  • Add servers with --interactive=false and --url plus --access-token or --password
  • Use JFROG_URL and JFROG_ACCESS_TOKEN environment variables as the source of truth
  • Add cleanup steps: jf config rm <server-id> --quiet to avoid credential leakage

Boundary Conditions and Limits

ParameterConstraintNotes
Server IDMust not be delete, use, show, or clearThese are reserved words used by the CLI internally
Server ID charactersAlphanumeric, hyphens, and underscores recommendedAvoid spaces, dots, and special characters to prevent shell escaping issues
URL formatMust include protocol (https:// or http://)Omitting the protocol causes connection failures. Always use https:// for production
URL trailing slashOptionalThe CLI handles both https://acme.jfrog.io and https://acme.jfrog.io/
Access tokenJWT format (starts with eyJ)Tokens are typically 500-2000 characters. No length limit enforced by CLI
Password with special charsMust be quoted in shellUse --password-stdin or --access-token-stdin to avoid shell interpretation issues
CSV file for users-createHeaders must be: username,password,emailNo BOM (Byte Order Mark). UTF-8 encoding. Unix line endings recommended
Config encryption keyAny stringIf set, must be identical across all sessions using the encrypted config
--build-nameRequired with --build-numberBoth must be present or both absent. Partial specification causes an error
Wildcard patterns* matches any sequence, ? matches single characterUsed in --include-repos, --exclude-repos, --exclusions flags

Version Compatibility

CLI VersionMinimum ArtifactoryNotes
v2.x (current)7.xCurrent version
jf login7.64.0+Browser-based login requires this minimum
--reference token7.38.10+Reference tokens require this minimum
Transfer commands7.x (both source and target)data-transfer plugin must match server version

Stored server configurations are forward-compatible: configs created with older CLI versions work with newer versions. The reverse is not guaranteed — avoid downgrading the CLI after adding configurations.

Enterprise Considerations

Proxy Configuration

If your organization uses a forward proxy for outbound internet access, set these environment variables before running JFrog CLI commands:

export HTTP_PROXY=http://proxy.example.com:8080
export HTTPS_PROXY=http://proxy.example.com:8080
export NO_PROXY=localhost,127.0.0.1,.internal.example.com

The CLI respects standard Go HTTP proxy environment variables. For transfer-files operations, you can also use the --proxy-key flag to route traffic through Artifactory's built-in proxy configuration.

TLS and Certificates

For environments with self-signed certificates or custom CA roots:

  • Option 1: Add the CA certificate to your system trust store (recommended for production)
  • Option 2: Use --insecure-tls on jf config add to skip verification (testing only)
  • Option 3: Use --client-cert-path and --client-cert-key-path for mutual TLS (mTLS) authentication

See also Authentication — RSA Keys and Client Certificates for detailed mTLS and SSH key setup.

Air-Gapped Environments

In environments without internet access:

  1. Download the JFrog CLI binary on a connected machine and copy it to the air-gapped environment
  2. Use jf config add with the internal Artifactory URL
  3. Set JFROG_CLI_PLUGINS_SERVER and JFROG_CLI_PLUGINS_REPO to resolve plugins from an internal Artifactory repository
  4. Set JFROG_CLI_RELEASES_REPO to <server-id>/<repo-name> for Maven/Gradle dependency resolution from an internal source

SSO / External Authentication

JFrog CLI supports Single Sign-On (SSO) through:

  • Browser login: jf login opens a browser that supports your SSO provider (SAML, OAuth)
  • OIDC token exchange: jf eot exchanges tokens from GitHub Actions, Azure DevOps, or other OIDC providers
  • Access tokens: Generate SSO-authenticated tokens through the UI, then use them with --access-token

Updated 7 days ago

What’s Next

For a hands-on walkthrough, follow the Manage Server Configurations tutorial.