version v7.2.
For up-to-date documentation, see the
latest version.
Secrets, Tokens and Credentials in Artifactory
4 minute read
This document lists all secrets, tokens and credentials that can be configured and managed by a non-administrator user in JFrog Artifactory.
For each item, a concise explanation of its usage and a link to the official documentation are provided.
Quick Selection Guide
Choose the appropriate credential type based on your needs:
| Your Need | Recommended Credential |
|---|---|
| Tokens | |
| Personal authentication with your permissions | Identity Token |
| Access scoped to a group | Group-scoped Token |
| Access scoped to a project role | Project Role Token |
| Administrative access | Admin Token |
| Keys | |
| SSH-based access (JFrog CLI, Git LFS, SCP) | SSH Keys |
| Other methods | |
| Mutual TLS authentication via reverse proxy | Client Certificates (mTLS) |
| Direct login to web UI | Username and Password |
Access Tokens
Description
Access tokens are full JSON Web Tokens (JWT) that can be used for authentication with Artifactory. These tokens are typically longer (700+ characters) and contain embedded claims and permissions.
Access tokens come in different types based on their scope, which determines what permissions the token has and how it authenticates.
Reference Token
A Reference Token is a short, opaque string (typically 64 characters, starting with “cm”) that acts as an alias or pointer to an actual Access Token (JWT). Reference Tokens were introduced by JFrog to address the length limitations and compatibility issues of full JWT access tokens (which can be 700+ characters).
graph LR
RT[Reference Token]
AT[Access Token JWT<br/>Full token ~700+ chars]
IT[Identity Token<br/>User-scoped]
GT[Group-scoped Token]
PT[Project Role Token]
AT2[Admin Token]
RT -.->|points to| AT
AT --> IT
AT --> GT
AT --> PT
AT --> AT2The Reference Token inherits the same permissions and scope as its underlying Access Token.
Reference Tokens support all authentication methods:
- Bearer token:
Authorization: Bearer <reference_token> X-JFrog-Art-Apiheader:X-JFrog-Art-Api: <reference_token>- Basic authentication:
curl -u username:<reference_token>
Usage:
- Authenticate with Artifactory REST API
- Use with package managers (Maven, Gradle, npm, Docker, etc.)
- Replace API Keys in CI/CD pipelines
- Compatible with all authentication methods (unlike full JWT tokens)
Reference Tokens are more flexible than full JWT Access Tokens because they work with all authentication methods.
Identity Token
A User-Scoped Access Token, called Identity Token, is based on a specific user’s permissions and provides the same level of access as that user account.
To obtain a reference token using the REST API, use the Create Token endpoint by setting the
include_reference_token parameter to true.
Or via the User Profile:
- User menu (top right) > Edit Profile > Generate Identity Token
- Parameters:
- Description (optional)
- Expiration time
Others Scoped Access Token
Using the REST API, you can create Access Tokens and associated reference tokens with the following scopes:
- User (aka Identity Token )
- Group
- Project role
- Admin
Common Parameters
When creating access tokens via REST API, common parameters include:
scope: Permissions scope (e.g.,member-of-groups:groupname,admin, etc.)expires_in: Token expiration time in seconds (default: 3600)refreshable: Whether the token can be refreshedinclude_reference_token: Generate a Reference Token in addition to the full token
Official Documentation
API Keys (Deprecated)
Description
User-specific API keys that were historically used for authentication with REST API and package managers.
instead of API Keys
API Keys are being replaced by tokens because:
- Identity Tokens provide the same functionality with better security
- Access Tokens offer more flexibility with scopes and permissions
- Tokens support expiration policies
- Tokens can be scoped to specific services or groups
Official Documentation
SSH Keys
Description
RSA public and private key pairs for SSH-based authentication with Artifactory. Supported from Artifactory version 4.4.
Inherits all permissions of the user who uploaded the public key. SSH authentication provides the same access level as the user’s account.
SSH authentication is supported with:
- JFrog CLI for direct Artifactory operations
- Git LFS repositories
- SCP/SFTP file transfers
To upload a public key to Artifactory: User menu (top right) > Edit Profile > SSH Keys section.
Official Documentation
Client Certificates (mTLS)
Description
From Artifactory release 7.38.4, you can authenticate users using a client certificate (mTLS). To do so will require a reverse proxy and some setup on the front reverse proxy (nginx).
To authenticate with the proxy using a client certificate, either configure your certificate once
using the jf c add command or use the --client-cert-path and --client-cert-key-path command
options with each command.
Authentication using client certificates (mTLS) is not supported by commands which integrate with package managers.
Official Documentation
Username and Password
While still supported, using tokens is strongly recommended over username/password.
Description
Traditional username and password authentication for Artifactory.
Usage:
- Direct login to Artifactory web UI
- REST API authentication (with Basic auth)
- Package manager authentication
When JFrog CLI is configured with username and password:
- It automatically generates a short-lived access token (1 hour validity)
- The CLI automatically refreshes the token before it expires
- This provides enhanced security over storing passwords