version v7.2.
For up-to-date documentation, see the
latest version.
Secrets, Tokens and Credentials in Artifactory
4 minute read
This document lists all secrets, tokens and credentials that can be configured and managed by an administrator user in JFrog Artifactory.
List of credentials
| Credentials type | Usage | Official documentation link | Comment |
|---|---|---|---|
| Tokens | |||
| Access Token | JWT issued for API auth | Access Tokens | |
| Identity Scoped Token | User‑generated, limited‑permission scoped token | Understanding identity tokens | |
| Admin Scoped Token | Used for elevated administrative capabilities | Create admin scoped token | |
| Project Admin Token | Used to perform project‑level administrative actions | Create project admin token | |
| User Scoped Token | Tied to a specific user, allowing actions based on that user’s existing permissions | Create user scoped token | |
| Group Scoped Token | Group specific token, allowing actions based on groups permissions | Create group scoped token | |
| Keys | |||
| SSH Keys | Git LFS Integration/Git Workflows | Manage SSH Keys | |
| Other | |||
| Username/password | User Authentication | Security configuration | |
| Multi-factor authentication (MFA) | Higher level of security when accessing JFrog Artifactory | Multi-factor Authentication | |
| mTLS | Mutual TLS authentication via reverse proxy | mTLS | |
| API Keys | REST API authentication | API Key | Deprecated |
Not mentioned in the table: all scoped tokens can have a reference token created. It is a shorter 64 character string that references the actual token.
Credential Configuration Parameters
This section lists all parameters available for credential configuration. Each parameter can be set by an administrator through the Administration Module UI or defined in a configuration file.
Software Factory recommends implementing SAML-based authentication for Single Sign-On (SSO).
Using native users and groups should be avoided.
| Credentials type | Parameters | Configuration location | Admin panel configuration | Default configuration | Recommendation | Official documentation link |
|---|---|---|---|---|---|---|
| Login/password | Password Expiration Policy | Only in UI | Administration Modulel > Security > General > Password Expiration Policy | Disabled | 90 days | Password Expiration Policy |
| Password complexity | $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml | Not possible | Default values | Recommended values | Password Complexity | |
| Remember Me cookie | artifactory.security.disableRememberMe in $JFROG_HOME/artifactory/var/etc/artifactory.system.properties | Not possible | Enabled | Disabled | Remember Me cookie | |
| Access Tokens | Default Token Expiration | token.default-expiry in $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml | Admin Panel > Security > General > Token expiration | 31536000 seconds (1 year) | 7776000 seconds (90 days) | Token expiration |
| Max Token Expiration | token.max-expiry in $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml | Not possible | 0 (non-expiring) | 7776000 seconds (90 days) | Token expiration | |
| Revocable expiry threshold | $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml | Not possible | 21600 seconds (6 hours) | 21600 seconds (6 hours) | Revocable expiry threshold | |
| Persistency threshold | $JFROG_HOME/artifactory/var/etc/access/access.config.latest.yml | Not possible | 10800 seconds (3 hours) | 10800 seconds (3 hours) | Persistency Threshold | |
| API Keys | Deprecated | Disable API Keys |
API Key Recommendation
API Key has been EOL in Q4 2024. It is recommended to disable its usage and start using reference tokens.
To disable API Key: as admin, go to Administration Module > Security > General and check> the Disable API Key Usage option.
Default password complexity settings
Default configuration for password complexity for Artifactory when using native user authentication (not recommended).
password-policy: # users' password policy
uppercase: 0 # minimum number of uppercase letters that the password must contain
lowercase: 0 # minimum number of lowercase letters that the password must contain
special-char: 0 # minimum number of special char that the password must contain.
# Special chars list between double quotes " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
digit: 0 # minimum number of digits that the password must contain
length: 4 # minimum length of the password
cannot-match-username: true # If true, the password cannot be changed to match the username (case-insensitive)
not-match-old: true # should Access allow setting a new password to the same one currently set for the user
Recommended password-policy settings
Recommended password complexity configuration for Artifactory when using native user authentication (not recommended).
password-policy: # users' password policy
uppercase: 1 # minimum number of uppercase letters that the password must contain
lowercase: 1 # minimum number of lowercase letters that the password must contain
special-char: 1 # minimum number of special char that the password must contain. Special chars list
# between double quotes " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
digit: 1 # minimum number of digits that the password must contain
length: 12 # minimum length of the password
cannot-match-username: true # If true, the password cannot be changed to match the username (case-insensitive)
not-match-old: true # should Access allow setting a new password to the same one currently set for the user