Package Traffic Controller (PTC)

Route public package traffic through Artifactory via your security edge for JFrog Curation policy enforcement and audit.

JFrog Package Traffic Controller (PTC) intercepts public package traffic at the network layer and routes it through Artifactory, so JFrog Curation policies and audit logging apply to every intercepted install without changing how developers work. PTC integrates with your existing security edge, the same tool already inspecting outbound traffic, to redirect matching package requests to Artifactory's /package-reroute endpoint.

New to PTC? Start with PTC Quick Start for a concise end-to-end walkthrough, then use the linked topics for detailed configuration and troubleshooting.

Once the security edge client, the trust store, and redirect policies are in place, every process on that workstation is governed the same way, whether the install originates from a human developer or an AI coding agent. The technical entry point is the package-reroute service (Router path /package-reroute, REST API under /artifactory/api/package-reroute/).

Important — PTC requires a remote repository: The Package Reroute repo_key must point to a remote repository. Virtual repositories are not supported as the PTC repo_key. This keeps PTC configuration aligned to the upstream-facing repository used for consumption tracking and Curation behavior.

Supported Security Edges

PTC integrates with your existing security edge (SASE) to intercept package traffic and redirect it to Artifactory. Pick the vendor your organization already uses and follow that vendor's guide. This is not an additional configuration step.

For the shared registry hostname reference used by all SASE providers, see Public Registry Hostnames. For deployment order, see Deployment Sequence.

Supported Package Types (GA)

The following ecosystems are supported for PTC. For detailed client guidance, see Configuration by Package Type.

Supported Workstation Operating Systems

  • Windows
  • macOS
  • Linux

Install scripts, certificate placement, and environment variables are maintained in the scripts/ README.


How It Works

sequenceDiagram
    participant Dev as DeveloperMachine
    participant SASE as SASE
    participant AF as JFrog_Artifactory
    participant Repo as NPM_Repository
    participant Cur as CurationEngine
    participant Pub as PublicRegistry

    Dev->>SASE: npm install GET registry.npmjs.org/package
    SASE->>SASE: SSL Inspection and URL Match
    SASE-->>Dev: HTTP 307 Redirect to Artifactory
    Dev->>AF: Follow redirect to /package-reroute
    AF-->>Dev: Redirect to NPM Repository
    Dev->>Repo: Request package
    Repo->>Cur: Check curation policies
    alt Package Approved
        Cur-->>Repo: Approved
        Repo->>Pub: Fetch package
        Pub-->>Repo: Return package
        Repo-->>Dev: Package delivered
    else Package Blocked
        Cur-->>Dev: Policy violation error
    end

The sequence diagram shows the path when JFrog Curation is enabled on the remote that resolves the package. If Curation is not enabled, the curation policy check and approve/block branch do not occur.

A typical redirect format:

<YOUR_ARTIFACTORY_URL>/package-reroute?url=https%3A%2F%2Fregistry.npmjs.org%2Fexpress

The url value is percent-encoded in real redirects and in curl tests. See Step 5: Verify the Redirect Endpoint.

For end-to-end setup, see Configure Artifactory for PTC and your SASE provider's guide (see Supported Security Edges). For deployment-scope choices (organization-wide vs scoped to specific groups), see Scoped Versus Unscoped Deployment.



Document Map

| Topic | Page |
|---|---|
| PTC Quick Start (end-to-end walkthrough) | PTC Quick Start |
| Deployment Sequence and Gradual Rollout | Deployment and Rollout |
| Prerequisites | Review PTC Prerequisites |
| Workstation Configuration | Configure Workstation for PTC |
| JFrog Artifactory Configuration | Configure Artifactory for PTC |
| Zscaler ZIA Configuration Guide | Configure Zscaler ZIA |
| Netskope Configuration Guide | Configure Netskope |
| Configuration API | Package Reroute Config API |
| Configuration by Package Type | Configuration by Package Type |
| Package Reroute Logs | Package Reroute Logs for PTC |
| Known Limitations and Troubleshooting | Limitations and Troubleshooting |

Frequently Asked Questions

This section provides answers to frequently asked questions about Package Traffic Controller (PTC).

Q: What is JFrog Package Traffic Controller (PTC)?

A: PTC integrates your existing SASE provider with JFrog Artifactory to intercept outbound public registry traffic and route it through Artifactory before packages reach developers. JFrog Curation policies and audit logging can apply to that traffic without changing package manager commands. See Supported Security Edges for the current vendor list.

Q: What do I need before deploying PTC?

A: You need JFrog Artifactory with Package Reroute configured, a SASE client on workstations, trust for the SASE CA per package client, and SASE redirect rules in the order described in Deployment and Rollout. See Prerequisites for the full checklist.

Q: Does PTC work with private or scoped npm packages?

A: The anonymous SASE redirect path is intended for public packages from public registries. For private or scoped packages that require client credentials, point the package manager at your Artifactory virtual URL with tokens instead of relying on redirect alone. See Anonymous Access Only for the full constraint and workarounds.

Q: Why must redirect rules exclude POST requests?

A: Commands such as npm audit send POST to registry hosts. Redirecting POST causes those commands to fail. Configure your SASE provider's redirect rules to allow only GET and HEAD for registry traffic. See your SASE provider's guide in Supported Security Edges for the per-vendor steps.
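The redirect format under How It Works and the GET/HEAD rule in the answer above can be checked together against observed edge responses. This is an added example, not JFrog code: `artifactory.example.com` stands in for <YOUR_ARTIFACTORY_URL>, the function names are hypothetical, the registry host set is limited to the host shown on this page, and the sample observations are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

ARTIFACTORY = "https://artifactory.example.com"  # assumption: stands in for <YOUR_ARTIFACTORY_URL>
REGISTRY_HOSTS = {"registry.npmjs.org"}          # assumption: only the host shown on this page
REDIRECTS = {301, 302, 303, 307, 308}            # the page's diagram shows 307

def reroute_location(request_url):
    """Build the Location value in the page's format, with url percent-encoded."""
    return ARTIFACTORY + "/package-reroute?url=" + quote(request_url, safe="")

def audit_redirect(method, request_url, status, location=None):
    """Return findings for one observed edge response; an empty list means OK."""
    if urlsplit(request_url).hostname not in REGISTRY_HOSTS:
        return []  # not registry traffic, outside the redirect rules
    redirected = status in REDIRECTS and bool(location)
    if method.upper() not in ("GET", "HEAD"):
        return ["non-GET/HEAD request was redirected"] if redirected else []
    if not redirected:
        return ["registry GET/HEAD was not redirected to Artifactory"]
    findings = []
    loc, base = urlsplit(location), urlsplit(ARTIFACTORY)
    if (loc.scheme, loc.netloc) != (base.scheme, base.netloc):
        findings.append("redirect target is not the expected Artifactory host")
    if loc.path != base.path.rstrip("/") + "/package-reroute":
        findings.append("redirect path is not /package-reroute")
    target = parse_qs(loc.query).get("url", [None])[0]
    if target is None:
        findings.append("url parameter is missing")
    elif target != request_url:
        findings.append("url parameter does not match the original request")
    elif "://" in loc.query:
        findings.append("url parameter is not percent-encoded")
    return findings

# Constructed sample observations (not captured traffic).
NPM = "https://registry.npmjs.org/express"
AUDIT = "https://registry.npmjs.org/-/npm/v1/security/advisories/bulk"
SAMPLES = [
    ("GET", NPM, 307, reroute_location(NPM)),              # correct redirect
    ("POST", AUDIT, 307, reroute_location(AUDIT)),         # POST must not be redirected
    ("GET", NPM, 307, ARTIFACTORY + "/package-reroute?url=" + NPM),  # url not encoded
    ("HEAD", NPM, 200, None),                              # rule did not match
]

if __name__ == "__main__":
    for method, url, status, location in SAMPLES:
        print(method, url, status, audit_redirect(method, url, status, location) or "OK")
```
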

Q: Can I roll out PTC to a pilot group first?

A: Yes. Use your SASE group controls on the inspection and redirect rules, and phase package ecosystems one at a time. JFrog recommends this approach. See Gradual Rollout Recommendation.
