Configure Artifactory for PTC
Configure JFrog Artifactory remote repositories, anonymous access, and the package-reroute endpoint for Package Traffic Controller (PTC).
JFrog Artifactory Configuration
This section covers the JFrog Artifactory side of PTC setup: create remote repositories, ensure Curation is enabled, register each package type with Package Reroute through the REST API (which auto-enrolls the repository in Curation by default), configure anonymous access, and verify the redirect endpoint. Complete this before security edge redirect rules are activated; see Deployment Sequence.
Important — PTC
repo_keymust be a remote repository: The Package Rerouterepo_keymust point to a remote repository. Virtual repositories are not supported as the PTCrepo_key.
Complete the following procedures in order (after Prerequisites):
- Step 1: Create a Remote Repository
- Step 2: Ensure JFrog Curation Is Enabled
- Step 3: Register Repositories with Package Reroute (Mandatory)
- Step 4: Configure Anonymous Access
- Step 5: Verify the Redirect Endpoint
Repository Architecture
PTC requires the following repository structure:
- Remote Repository: Proxies and caches packages from the upstream public registry, and is the only supported
repo_keytarget for Package Reroute. JFrog Curation policies apply at this layer when Curation is enabled for that remote. The remote must allow anonymous Read and Deploy/Cache (per package type) so it can serve and cache packages from the upstream registry without end-user credentials. See Step 4: Configure Anonymous Access; scope permissions to that remote only.
The Package Reroute repo_key must point to a remote repository. Virtual repositories are not supported as the repo_key target—they prevent JFrog from tracking consumption accurately and from configuring Curation automatically on the upstream-facing repository.
Step 1: Create a Remote Repository
The steps below use npm and registry.npmjs.org as a worked example. For each other package type you support, create a remote repository of the matching package type with that ecosystem’s public registry URL, then map each type in the Package Reroute Config API the same way.
To create a remote repository for PTC:
- Navigate to Administration > Repositories > Remote.
- Click New Remote Repository.
- Package Type: Select
npm. - Repository Key: Enter a descriptive name, for example
npm-remote-registry. - URL:
https://registry.npmjs.org - Click Create.
The remote repository is created and ready to map in the Package Reroute Config API.
Step 2: Ensure JFrog Curation Is Enabled
Make sure JFrog Curation is enabled in your Artifactory instance before calling the Package Reroute API in Step 3. The API auto-enrolls the target remote repository in Curation when linked_curation is true (the default), so you do not need to connect individual repositories to Curation manually.
To skip Curation enrollment for a specific repository, send linked_curation: false in the Step 3 request body.
For how to enable and configure Curation, see Configure JFrog Curation.
Step 3: Register Repositories with Package Reroute (Mandatory)
This step is mandatory. After the remote repository exists and Curation is enabled (see Step 2), map each package type you enable to that remote repository’s repo_key using the Update Registry Configuration API. PTC does not work until this step completes—the Router /artifactory/api/package-reroute path needs a configured remote repository for each registry type. The API validates that the repository exists and is a remote repository before accepting the configuration, and (by default) auto-enrolls it in Curation.
The repo_key must reference a remote repository. Virtual repositories are not supported.
Supported type values for GA are npm, pypi, docker, huggingfaceml, gems (RubyGems), and cargo (Rust). Repeat the call for every ecosystem you roll out.
To register npm with Package Reroute:
- Use the remote repository key from Step 1 (for example
npm-remote-registry) as therepo_key. - Call
PUT /artifactory/api/package-reroute/config/npmwith that key in the request body. - Confirm the response returns HTTP 200 and the same
repo_key. - Optionally call Get Registry Configuration or Get Full Configuration to verify the mapping.
curl -X PUT "https://<YOUR_ARTIFACTORY_URL>/artifactory/api/package-reroute/config/npm" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"repo_key": "npm-remote-registry"}'Where:
<YOUR_ARTIFACTORY_URL>: Your JFrog Platform hostname (for exampleacme.jfrog.io)<token>: Admin JWT or use Basic authentication per Package Reroute Config APIrepo_key: The remote repository key from Step 1
Package Reroute is configured for npm. Repeat PUT /artifactory/api/package-reroute/config/{type} for each additional package type (for example pypi, docker, huggingfaceml, gems, cargo) before you enable security edge redirect rules for those ecosystems.
By default (linked_curation: true), a successful call also auto-enrolls the target remote repository in Curation. Send linked_curation: false in the request body to register the repository for reroute without enrolling it in Curation.
Error responses
The Update Registry Configuration API returns the following errors when the request cannot be applied:
| Status | Meaning | What to do |
|---|---|---|
400 | Unsupported package type, missing/invalid repo_key, or the referenced remote repository does not exist. | Confirm the package type is supported and that repo_key points to an existing remote repository (not a virtual repository). |
407 | Proxy Authentication Required before the package-reroute flow can proceed. | Ensure the request is authenticated with the proxy. Also see Step 5: Verify the Redirect Endpoint. |
422 | Curation cannot be enabled for the target repository: either Curation is not enabled in Artifactory, or the package type is not supported by Curation. Only returned when linked_curation is true (the default). | Enable Curation in Artifactory (see Step 2) or send linked_curation: false to skip Curation enrollment. |
503 | Failed to enable Curation for the repo_key. Only returned when linked_curation is true (the default). | Retry, or send linked_curation: false to skip Curation enrollment, then enable Curation in Artifactory (see Step 2). |
Step 4: Configure Anonymous Access
PTC currently operates with anonymous access. Redirected requests arrive without end-user Artifactory credentials, so the anonymous principal must be allowed to complete installs through the remote repository you set as repo_key in Package Reroute.
To configure anonymous access for PTC:
- Navigate to Administration > Security > Settings.
- Enable Allow Anonymous Access (platform setting).
- Assign permissions to the anonymous user on the remote repository configured as
repo_keyin Package Reroute. Grant Read plus Deploy/Cache (and any other actions required for that package type) so Artifactory can proxy and cache from the public registry on behalf of anonymous clients. - Use permission targets limited to that remote (for example
npm-remote-registry), not broad anonymous access across the whole instance. - Verify: From a context with no Artifactory token, exercise the same URL path clients use after redirect (the remote repository’s API URL for your package type) and confirm install or metadata fetch succeeds.
Anonymous users can complete installs through the configured remote repo_key.
Recommendation: Keep anonymous permission targets scoped to the specific remote repository used by PTC, rather than opening anonymous access on unrelated repos.
For more details on configuring anonymous access in JFrog Artifactory, see:
- Allow Anonymous Access
- Anonymous Users — Includes how to restrict anonymous access to API-only use and block anonymous users from accessing the Artifactory UI
Restrict Anonymous PTC Traffic to SASE Provider Egress
Optional, JFrog Cloud (SaaS) only. Restrict the anonymous access required by PTC (see Step 4 above) so that only requests routed through your SASE provider's public egress ranges can reach Artifactory. The same pattern applies to every supported SASE provider — the only thing that changes per vendor is which IP/CIDR ranges you allowlist.
The MyJFrog portal IP/CIDR allowlist is a JFrog Cloud control and does not apply to self-hosted Artifactory deployments. On self-hosted, use your own firewall, reverse proxy, WAF, or network policy to limit which source IPs can reach Artifactory's HTTPS endpoint. See Configure cloud security for cloud security options and the current UI locations.
Adding your SASE provider's public egress ranges to the allowlist:
- Limits inbound traffic to allowlisted source addresses, per MyJFrog rules.
- Blocks direct anonymous access from arbitrary networks when combined with your IP policy.
- Reduces exposure from enabling anonymous repository access for the redirect flow.
To add your SASE provider's egress ranges to the MyJFrog allowlist:
- Get the canonical egress IP/CIDR list from your SASE provider:
- Zscaler: see Zscaler Cloud Enforcement Node Ranges (CenR). Use the page that matches your tenant's cloud (
zscalerthree.net,zscalertwo.net, and so on). - Netskope: see NewEdge IP Ranges for Allowlisting.
- Any other supported SASE: use your provider's published egress IP-range reference.
- Zscaler: see Zscaler Cloud Enforcement Node Ranges (CenR). Use the page that matches your tenant's cloud (
- Log in to my.jfrog.com.
- Open the Security area for your JFrog Cloud subscription and locate the IP/CIDR allowlist control.
- Add your SASE provider's egress ranges in CIDR notation (for example,
100.101.128.0/17). - Save or apply the change.
Tab names and menu paths can change between portal releases. Use Configure cloud security as the source of truth.
Step 5: Verify the Redirect Endpoint
The /artifactory/api/package-reroute entry point on the JFrog Router is where security edge-redirected client traffic lands. It is product-defined and not customer-configurable. You can validate it before redirect rules are enabled by calling Artifactory directly with the same query shape your security edge will append (url= original registry URL, percent-encoded).
To verify the package-reroute redirect endpoint:
Build https://<hostname>/artifactory/api/package-reroute?url=<percent-encoded-upstream-url> using your Artifactory hostname. Percent-encode the value of url (for https://registry.npmjs.org/express use https%3A%2F%2Fregistry.npmjs.org%2Fexpress). Example (fictional tenant acme.jfrog.io):
curl -v "https://<YOUR_ARTIFACTORY_URL>/artifactory/api/package-reroute?url=https%3A%2F%2Fregistry.npmjs.org%2Fexpress"Where:
<YOUR_ARTIFACTORY_URL>: Your JFrog Platform hostname (for exampleacme.jfrog.io)
Use your own hostname. The Router path is /artifactory/api/package-reroute. If an encoded url fails in your shell, try single-quoting the full URL or passing --data-urlencode via curl -G.
Expected: HTTP 302 or 307 with a Location header pointing to an Artifactory URL (typically under /artifactory/api/npm/<your-remote>/... for the express package, not still on registry.npmjs.org). Do not use curl -L if you only want to inspect the first hop.
If the response is not 302/307, see Verify the Redirect Endpoint troubleshooting for the common causes (401/403, 407, 404, very long url= values).
For details on how to find and interpret PTC reroute lines in Artifactory's system logs, see Package Reroute Logs for PTC.
Frequently Asked Questions
This section provides answers to frequently asked questions about configuring JFrog Artifactory for Package Traffic Controller (PTC).
FAQs
Q: Is the Package Reroute API call mandatory for PTC?
A: Yes. You must call PUT /artifactory/api/package-reroute/config/{type} for each package type you enable before redirect rules intercept traffic. See Step 3: Register repositories with Package Reroute (mandatory).
Q: Can the Package Reroute repo_key point to a virtual repository?
repo_key point to a virtual repository?A: No. The repo_key must reference a remote repository. Virtual repositories are not supported. See Repository Architecture.
Q: Why does PTC require anonymous access on Artifactory?
A: Redirected requests arrive without end-user Artifactory credentials. The anonymous principal must have Read and Deploy/Cache on the remote repository configured as repo_key. See Step 4: Configure Anonymous Access.
Q: What HTTP response should I expect from /artifactory/api/package-reroute?
/artifactory/api/package-reroute?A: A successful test returns HTTP 302 or 307 with a Location header pointing at your Artifactory remote repository path—not the public registry hostname. See Step 5: Verify the Redirect Endpoint.
