Package Traffic Controller (PTC)
Route public package traffic through Artifactory via your security edge for JFrog Curation policy enforcement and audit.
JFrog Package Traffic Controller (PTC) intercepts public package traffic at the network layer and routes it through Artifactory, so JFrog Curation policies and audit logging apply to every intercepted install without changing how developers work. PTC integrates with your existing security edge, the same tool already inspecting outbound traffic, to redirect matching package requests to Artifactory's /package-reroute endpoint.
New to PTC? Start with PTC Quick Start for a concise end-to-end walkthrough, then use the linked topics for detailed configuration and troubleshooting.
Once the security edge client, the trust store, and redirect policies are in place, every process on that workstation is governed the same way, whether the install originates from a human developer or an AI coding agent. The technical entry point is the package-reroute service (Router path /package-reroute, REST API under /artifactory/api/package-reroute/).
Important — PTC requires a remote repository: The Package Reroute repo_key must point to a remote repository. Virtual repositories are not supported as the PTC repo_key. This keeps PTC configuration aligned to the upstream-facing repository used for consumption tracking and Curation behavior.
Supported Security Edges
PTC integrates with your existing security edge (SASE) to intercept package traffic and redirect it to Artifactory. Pick the vendor your organization already uses and follow that vendor's guide. This is not an additional configuration step.
- Zscaler Internet Access (ZIA) — see Configure Zscaler ZIA
- Netskope — see Configure Netskope
- Cloudflare Gateway — see Configure Cloudflare Gateway
For the shared registry hostname reference used by all SASE providers, see Public Registry Hostnames. For deployment order, see Deployment Sequence.
Supported Package Types (GA)
The following ecosystems are supported for PTC. For detailed client guidance, see Configuration by Package Type.
- npm — supported clients: npm, pnpm, and yarn
- Python (PyPI) — supported clients: pip, pipenv, Poetry (version 1.7.0 or later), and uv. See Configuring Artifactory to Support Poetry for PTC for the Poetry version constraint.
- Docker — Container images and trust configuration. JFrog-validated engines, CLIs, and tools are listed under Docker, Hugging Face, and Other Types.
- Hugging Face — see Docker, Hugging Face, and Other Types
- RubyGems — supported clients: gem, Bundler. See RubyGems Configuration.
- Cargo (Rust) — supported clients: cargo. See Cargo (Rust) Configuration.
Supported Workstation Operating Systems
- Windows
- macOS
- Linux
Install scripts, certificate placement, and environment variables are maintained in the scripts/ README.
How It Works
sequenceDiagram
participant Dev as DeveloperMachine
participant SASE as SASE
participant AF as JFrog_Artifactory
participant Repo as NPM_Repository
participant Cur as CurationEngine
participant Pub as PublicRegistry
Dev->>SASE: npm install GET registry.npmjs.org/package
SASE->>SASE: SSL Inspection and URL Match
SASE-->>Dev: HTTP 307 Redirect to Artifactory
Dev->>AF: Follow redirect to /package-reroute
AF-->>Dev: Redirect to NPM Repository
Dev->>Repo: Request package
Repo->>Cur: Check curation policies
alt Package Approved
Cur-->>Repo: Approved
Repo->>Pub: Fetch package
Pub-->>Repo: Return package
Repo-->>Dev: Package delivered
else Package Blocked
Cur-->>Dev: Policy violation error
end
The sequence diagram shows the path when JFrog Curation is enabled on the remote that resolves the package. If Curation is not enabled, the curation policy check and approve/block branch do not occur.
A typical redirect format:
<YOUR_ARTIFACTORY_URL>/package-reroute?url=https%3A%2F%2Fregistry.npmjs.org%2Fexpress
The url value is percent-encoded in real redirects and in curl tests. See Step 5: Verify the Redirect Endpoint.
For end-to-end setup, see Configure Artifactory for PTC and your SASE provider's guide (see Supported Security Edges). For deployment-scope choices (organization-wide vs scoped to specific groups), see Scoped Versus Unscoped Deployment.
Document Map
| Topic | Page |
|---|---|
| PTC Quick Start (end-to-end walkthrough) | PTC Quick Start |
| Deployment Sequence and Gradual Rollout | Deployment and Rollout |
| Prerequisites | Review PTC Prerequisites |
| Workstation Configuration | Configure Workstation for PTC |
| JFrog Artifactory Configuration | Configure Artifactory for PTC |
| Zscaler ZIA Configuration Guide | Configure Zscaler ZIA |
| Netskope Configuration Guide | Configure Netskope |
| Configuration API | Package Reroute Config API |
| Configuration by Package Type | Configuration by Package Type |
| Package Reroute Logs | Package Reroute Logs for PTC |
| Known Limitations and Troubleshooting | Limitations and Troubleshooting |
Frequently Asked Questions
This section provides answers to frequently asked questions about Package Traffic Controller (PTC).
FAQs
Q: What is JFrog Package Traffic Controller (PTC)?
A: PTC integrates your existing SASE provider with JFrog Artifactory to intercept outbound public registry traffic and route it through Artifactory before packages reach developers. JFrog Curation policies and audit logging can apply to that traffic without changing package manager commands. See Supported Security Edges for the current vendor list.
Q: What do I need before deploying PTC?
A: You need JFrog Artifactory with Package Reroute configured, a SASE client on workstations, trust for the SASE CA per package client, and SASE redirect rules in the order described in Deployment and Rollout. See Prerequisites for the full checklist.
Q: Does PTC work with private or scoped npm packages?
A: The anonymous SASE redirect path is intended for public packages from public registries. For private or scoped packages that require client credentials, point the package manager at your Artifactory virtual URL with tokens instead of relying on redirect alone. See Anonymous Access Only for the full constraint and workarounds.
Q: Why must redirect rules exclude POST requests?
A: Commands such as npm audit send POST to registry hosts. Redirecting POST causes those commands to fail. Configure your SASE provider's redirect rules to allow only GET and HEAD for registry traffic. See your SASE provider's guide in Supported Security Edges for the per-vendor steps.
Q: Can I roll out PTC to a pilot group first?
A: Yes. Use your SASE group controls on the inspection and redirect rules, and phase package ecosystems one at a time. JFrog recommends this approach. See Gradual Rollout Recommendation.
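The redirect format under How It Works and the GET/HEAD-only rule from the FAQ, modeled together as an added Python example (not JFrog's or any SASE vendor's code). The Artifactory base URL, the pypi.org host entry, and all function names are assumptions made for illustration; the real host list is in Public Registry Hostnames.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumed values: a placeholder Artifactory base URL and a sample host list.
# Only registry.npmjs.org appears on this page.
ARTIFACTORY_URL = "https://artifactory.example.com"
REGISTRY_HOSTS = {"registry.npmjs.org", "pypi.org"}
REDIRECT_METHODS = {"GET", "HEAD"}  # POST (for example npm audit) passes through


def reroute_url(original_url, base=ARTIFACTORY_URL):
    """Build the /package-reroute URL with the original URL percent-encoded."""
    # safe='' also encodes ':' '/' '?' '&', so the upstream URL stays one value.
    return f"{base}/package-reroute?url={quote(original_url, safe='')}"


def edge_decision(method, url):
    """Model the edge rule: (307, Location), or (None, None) for pass-through."""
    host = (urlsplit(url).hostname or "").lower()
    if method.upper() in REDIRECT_METHODS and host in REGISTRY_HOSTS:
        return 307, reroute_url(url)
    return None, None


def original_from_reroute(location):
    """Recover and validate the upstream URL from a reroute Location value.

    Hypothetical helper for reviewing redirects or log entries: it rejects
    anything that is not a single https URL on an expected registry host.
    """
    parts = urlsplit(location)
    if parts.path != "/package-reroute":
        raise ValueError("not a package-reroute URL")
    values = parse_qs(parts.query).get("url", [])
    if len(values) != 1:
        raise ValueError("expected exactly one url parameter")
    upstream = urlsplit(values[0])
    host = (upstream.hostname or "").lower()
    if upstream.scheme != "https" or host not in REGISTRY_HOSTS:
        raise ValueError("url parameter is not an expected public registry")
    return values[0]


if __name__ == "__main__":
    # Constructed sample requests.
    print(edge_decision("GET", "https://registry.npmjs.org/express"))
    print(edge_decision("POST", "https://registry.npmjs.org/-/npm/v1/security/audits"))
```
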
