Fixing - E401 NPM Errors

Working with private NPM registries can encounter error codes such as E401 NPM error. We go over a few ways to fix this!

Jan 3, 2023 | Read time 8 minutes

πŸ”” Table of contents

Introduction

A recent issue that I have come across is using NPM install for private registries. In this instance, I have a few NPM packages stored in Azure DevOps.

The error that came up when I run npm install is that the following can come up E401 NPM error.

The cause for this E401 NPM error is usually due to a recent password reset on your private NPM repository or your current credentials and access tokens have expired!

It looks something like the following error log:

  
npm ERR! code E401
npm ERR! Incorrect or missing password.
npm ERR! If you were trying to login, change your password, create an
npm ERR! authentication token or enable two-factor authentication then
npm ERR! that means you likely typed your password in incorrectly.
npm ERR! Please try again, or recover your password at:
npm ERR!     https://www.npmjs.com/forgot
npm ERR!
npm ERR! If you were doing some other operation then your saved credentials are
npm ERR! probably out of date. To correct this please try logging in again with:
npm ERR!     npm login

This just means that you are not authorised to access the private registry that the NPM package lives under. Variants of the same error depending on the version of NPM you used can include:

  • Npm install E401 Incorrect or missing password
  • Npm unable to authenticate, need: Basic realm

Fix 1 - Update the .npmrc file

NPM gets its config settings from the command line, environment variables, and npmrc files.

Now with .npmrc files they can contain user credentials and registry information. They can be per project, under each user (~/.npmrc or C:\Users\<username>\.npmrc) or globally - /etc/npmrc

So we get the E401 NPM error would mean that something is wrong with our auth config, so the first thing to check is the ./npmrc file.

Check all locations for the .npmrc file and make sure that we are using the correct registry and not using any stale access tokens.

The format should look something like the following:

//<repo_url>:_authToken=<token>

//<repo_url>:always-auth=true

The E401 error comes up when the Access Token have expired or become stale.

Tip: Also double check the registry location

In your .npmrc file just double check that you are pointing to the correct repo URL.

It should look something like this: registry=https:<company-registry-url>

Fix 2 - Add the user to your NPM private registry

This could be the most obvious one - make sure that the user actually have access to that private repository.

Open up your terminal and run npm whoami. If the previous command returns unauthenticated, run the following adduser command:

  

>> npm adduser  (then enter your name and complex password and your email)

>> npm whoami   (return your registered name)

Fix 3 - Using Azure DevOps Private Repository

If you are using Azure DevOps to host your private NPM packages - eg Azure Artifacts, we can use the azure specific tools to manage our credentials and resolve the code E401 npm ERR! Unable to authenticate errors!

To reauthenticate, make sure to install vsts-npm-auth. Then open up your terminal and run the command:

vsts-npm-auth -config .npmrc -F

Keep in mind the usage of -F flag to force it!

If that does not work, we can reset or update the vsts-npm-auth credentials:

  • Uninstall vsts-npm-auth.

npm uninstall -g vsts-npm-auth

  • Clear your npm cache.

npm cache clean --force

  • Delete your .npmrc file - can be under C:\Users\<username>\.npmrc or the root of your project folder

  • Reinstall vsts-npm-auth.

npm install -g vsts-npm-auth --registry https://registry.npmjs.com --always-auth false

Note: Setting up vsts-npm-auth

If you have not already done so, you can setup vsts-npm-auth by running the command:

npm install -g vsts-npm-auth

And then in your project folder, locate the package.json file and update the scripts like the below JSON:

  

"scripts": {
    "refreshVSToken" : "vsts-npm-auth -config ".\.npmrc\" -TargetConfig "$HOME\.npmrc\""
}

Fix 4 - Working with GitHub private packages

If you are working with GitHub private packages, firstly grab a Private Access Token from GitHub.

Note: Private Access Tokens in GitHub

For information to grab the access token, visit here: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

Keep in mind that using Access Tokens is the classic way to authenticate. It is recommended to use the GitHub CLI or Git Credential Manager moving forward!

Now that you have your Access Token, open up your .npmrc file (this can be located under your project root or C:\Users\<username>\.npmrc location)

Create a new ~/.npmrc file if one doesn’t exist and add the following line:

//npm.pkg.github.com/:_authToken=TOKEN

Tip: Check Token encodings

I have had some cases where generating the new private access token still does not work. This could mean that the token generated needs to be Base64 encoded!

For example @ needs to be converted to %40. Just copy your token and find a website/ tool that can encode that for you!

An alternative to messing around with the .npmrc file is to use the CLI (GitHub CLI or Git Credential Manager) to log into NPM, just use the npm login command. Make sure to replace USERNAME with your GitHub username, TOKEN with your personal access token (classic), and PUBLIC-EMAIL-ADDRESS with your email address.

  

$ npm login --scope=@OWNER --registry=https://npm.pkg.github.com

Username: USERNAME
Password: TOKEN
Email: PUBLIC-EMAIL-ADDRESS

More information can be found here:

https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry

Fix 5 - Clear everything away!

If the above suggestions is not working, we have the last option to blow everything away and start fresh. We can following the below actions:

  • Run NPM clear cache and use the --force flag

npm cache clean --force

  • Delete the package-lock.json file. Keep in mind deleting package-lock.json has its own challenges - it could work well with 1 level of dependencies, but with dependencies thats more than 2 levels deep it could get messy. package-lock.json is there for stability and consider carefully before deleting this!

  • Delete all instances found of the .npmrc file. The .npmrc file can be located under user settings (C:\Users\<username>\.npmrc), project root directory (/path/to/my/project/.npmrc), global directory (/etc/npmrc) and the NPM install directory (path/to/npm/npmrc)

After deleting all the above, we can run:

npm logout

(Optional if you are using GitHub pakages)

  

npm login --scope=@OWNER --registry=https://npm.pkg.github.com`

And finally:

npm install

Summary

In this post, I went over a few options to fix the NPM error of E401 error that comes up when doing a npm install.

We see this error when dealing with private NPM package registries since they require authentication/ auhorization.

The cause of this error is usually due to changing passwords or the current credentials expired (access tokens).

To resolve this E401 error, we can try to clear out or reset our .npmrc file (which contains the registry feed and credentials)

If we are using GitHub packages to store our private NPM packages, we can just use the npm login command.

Additionally, when our private repo is hosted on Azure Artifacts (Azure DevOps), we can use vsts-npm-auth tool to manage credentials!

πŸ‘‹ About the Author

G'day! I am Huy a software engineer based in Australia. I have been creating design-centered software for the last 10 years both professionally and as a passion.

My aim to share what I have learnt with you! (and to help me remember πŸ˜…)

Follow along on Twitter , GitHub and YouTube

πŸ‘‰ See Also πŸ‘ˆ