Private npm registry authentication now supported

n8n's community node installer now accepts an auth token via environment variable, enabling secure installs from private npm registries without manual .npmrc configuration.
n8n's community node installer had an authentication gap. When npm CLI commands were used, auth tokens placed in ~/.npmrc worked fine. But when the installer started using direct HTTP requests for version and integrity checks, those requests bypassed the .npmrc tokens entirely — breaking private registry access silently.
The fix: a new environment variable N8N_COMMUNITY_PACKAGES_AUTH_TOKEN that gets passed to every npm operation, whether CLI or HTTP. The token flows through package downloads, version checks, and integrity verification. For npm CLI commands, it's injected as a registry-specific auth argument. For HTTP requests, it becomes a Bearer token in the Authorization header.
Security was considered: auth tokens are redacted from all logs and error messages before output, so leaked logs won't expose credentials. Tokens only appear as ***** in debugging output.
This matters for enterprises and OEM partners publishing custom nodes to private registries. The alternative — loading nodes from the filesystem — lacks remote API management and distributed upgrades across worker instances. Now teams can set one environment variable and get full authentication support for their private community package pipelines.
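The token handling described above (a registry-scoped argument for npm CLI calls, a Bearer header for direct HTTP checks, redaction before anything is logged), sketched as an added example that is not n8n's code. The function names, the registry URL and the token value are hypothetical, and the CLI argument form assumes npm's standard `//host/path/:_authToken` config key.

```javascript
// Added illustration; function names are hypothetical, not n8n internals.
// The token is a constructed sample value, not a real credential.
const SAMPLE_TOKEN = 'npm_CONSTRUCTED_sample_token_0001';

// npm scopes credentials to one registry through the config key
// "//<host>/<path>/:_authToken", so the token is never offered to other hosts.
function npmAuthArg(registryUrl, token) {
  const { host, pathname } = new URL(registryUrl);
  const path = pathname.endsWith('/') ? pathname : `${pathname}/`;
  return `--//${host}${path}:_authToken=${token}`;
}

// Direct HTTP calls (version and integrity checks) never read ~/.npmrc,
// so the token has to be attached to each request explicitly.
function registryRequestHeaders(token) {
  const headers = { Accept: 'application/json' };
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Replace every occurrence of the token (raw or URL-encoded) with *****.
function redact(text, token) {
  if (!token) return String(text);
  return [token, encodeURIComponent(token)].reduce(
    (out, secret) => out.split(secret).join('*****'),
    String(text),
  );
}

// Rebuild an error so neither its message nor its stack carries the token.
function sanitizeError(err, token) {
  const clean = new Error(redact(err.message, token));
  clean.stack = redact(err.stack ?? '', token);
  return clean;
}

// Constructed failure: an npm command line that embeds the auth argument.
function demo() {
  const arg = npmAuthArg('https://registry.example.com/npm', SAMPLE_TOKEN);
  const failure = new Error(`Command failed: npm install n8n-nodes-demo ${arg}`);
  return sanitizeError(failure, SAMPLE_TOKEN).message;
}
```

Redacting at the point where errors are constructed, rather than only in the logger, keeps the token out of stack traces and API error responses as well.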
View Original GitHub Description
Summary
Adds an env config N8N_COMMUNITY_PACKAGES_AUTH_TOKEN to install community nodes from authenticated npm registry accounts. Usage in combination with N8N_COMMUNITY_PACKAGES_REGISTRY enables enterprises and OEM partners to build secure custom node publishing pipelines.
- n8n used to support npm registry authentication by placing a /home/node/.npmrc file with an auth token
- The community node installer service used to rely fully on npm CLI commands so each action could pick up auth
- Some time ago n8n developers introduced npm HTTP requests for certain actions, like version/update checks
- Naturally these requests did not pick up the auth token, so the strategy broke the .npmrc workaround
- I decided to not build in support for .npmrc because env var configurations are much easier to do
This PR is critical for an OEM partner launch. Compared to our alternative "load nodes from filesystem" strategy, our community package installer supports remote API management and node upgrades without restart that are distributed across main and worker instances.
Related Linear tickets, Github issues, and Community forum posts
Review / Merge checklist
- I have seen this code, I have run this code, and I take responsibility for this code.
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)