The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Secrets, Tokens and Credentials in Artifactory

This document lists all secrets, tokens and credentials that can be configured and managed by a non-administrator user in JFrog Artifactory.

For each item, a concise explanation of its usage and a link to the official documentation are provided.

Quick Selection Guide

Choose the appropriate credential type based on your needs:

Your NeedRecommended Credential
Tokens
Personal authentication with your permissionsIdentity Token
Access scoped to a groupGroup-scoped Token
Access scoped to a project roleProject Role Token
Administrative accessAdmin Token
Keys
SSH-based access (JFrog CLI, Git LFS, SCP)SSH Keys
Other methods
Mutual TLS authentication via reverse proxyClient Certificates (mTLS)
Direct login to web UIUsername and Password

Access Tokens

Description

Access tokens are full JSON Web Tokens (JWT) that can be used for authentication with Artifactory. These tokens are typically longer (700+ characters) and contain embedded claims and permissions.

Access tokens come in different types based on their scope, which determines what permissions the token has and how it authenticates.

Reference Token

A Reference Token is a short, opaque string (typically 64 characters, starting with “cm”) that acts as an alias or pointer to an actual Access Token (JWT). Reference Tokens were introduced by JFrog to address the length limitations and compatibility issues of full JWT access tokens (which can be 700+ characters).

Software Factory Recommendations
Prefer usage of Artifactory reference tokens for authentication whenever possible instead of other authentication methods
graph LR
    RT[Reference Token]
    AT[Access Token JWT<br/>Full token ~700+ chars]
    IT[Identity Token<br/>User-scoped]
    GT[Group-scoped Token]
    PT[Project Role Token]
    AT2[Admin Token]

    RT -.->|points to| AT
    AT --> IT
    AT --> GT
    AT --> PT
    AT --> AT2

The Reference Token inherits the same permissions and scope as its underlying Access Token.

Reference Tokens support all authentication methods:

  • Bearer token: Authorization: Bearer <reference_token>
  • X-JFrog-Art-Api header: X-JFrog-Art-Api: <reference_token>
  • Basic authentication: curl -u username:<reference_token>

Usage:

  • Authenticate with Artifactory REST API
  • Use with package managers (Maven, Gradle, npm, Docker, etc.)
  • Replace API Keys in CI/CD pipelines
  • Compatible with all authentication methods (unlike full JWT tokens)
Note

Reference Tokens are more flexible than full JWT Access Tokens because they work with all authentication methods.

Identity Token

A User-Scoped Access Token, called Identity Token, is based on a specific user’s permissions and provides the same level of access as that user account.

To obtain a reference token using the REST API, use the Create Token endpoint by setting the include_reference_token parameter to true.

Or via the User Profile:

  • User menu (top right) > Edit Profile > Generate Identity Token
  • Parameters:
    • Description (optional)
    • Expiration time

Others Scoped Access Token

Using the REST API, you can create Access Tokens and associated reference tokens with the following scopes:

Common Parameters

When creating access tokens via REST API, common parameters include:

  • scope: Permissions scope (e.g., member-of-groups:groupname, admin, etc.)
  • expires_in: Token expiration time in seconds (default: 3600)
  • refreshable: Whether the token can be refreshed
  • include_reference_token: Generate a Reference Token in addition to the full token

Official Documentation

API Keys (Deprecated)

Description

User-specific API keys that were historically used for authentication with REST API and package managers.

JFrog is phasing out API Keys in favor of Identity Tokens and Access Tokens.

instead of API Keys

API Keys are being replaced by tokens because:

  • Identity Tokens provide the same functionality with better security
  • Access Tokens offer more flexibility with scopes and permissions
  • Tokens support expiration policies
  • Tokens can be scoped to specific services or groups

Official Documentation

SSH Keys

Description

RSA public and private key pairs for SSH-based authentication with Artifactory. Supported from Artifactory version 4.4.

Inherits all permissions of the user who uploaded the public key. SSH authentication provides the same access level as the user’s account.

SSH authentication is supported with:

  • JFrog CLI for direct Artifactory operations
  • Git LFS repositories
  • SCP/SFTP file transfers

To upload a public key to Artifactory: User menu (top right) > Edit Profile > SSH Keys section.

Official Documentation

Client Certificates (mTLS)

Description

From Artifactory release 7.38.4, you can authenticate users using a client certificate (mTLS). To do so will require a reverse proxy and some setup on the front reverse proxy (nginx).

To authenticate with the proxy using a client certificate, either configure your certificate once using the jf c add command or use the --client-cert-path and --client-cert-key-path command options with each command.

Note

Authentication using client certificates (mTLS) is not supported by commands which integrate with package managers.

Official Documentation

Username and Password

Warning

While still supported, using tokens is strongly recommended over username/password.

Description

Traditional username and password authentication for Artifactory.

Usage:

  • Direct login to Artifactory web UI
  • REST API authentication (with Basic auth)
  • Package manager authentication
Note

When JFrog CLI is configured with username and password:

  • It automatically generates a short-lived access token (1 hour validity)
  • The CLI automatically refreshes the token before it expires
  • This provides enhanced security over storing passwords