Publishing npm package to package registry using CI - Error 403

I have a private test project which I want to publish to a project package registry. This is my setup:


{
  "name": "@<my-group>/<my-project>",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "repository": {
    "type": "git",
    "url": "git+<my-group>/<my-project>.git"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "bugs": {
    "url": "<my-group>/<my-project>/issues"
  },
  "homepage": "<my-group>/<my-project>#readme"
}


image: node:latest

stages:
  - deploy

deploy:
  stage: deploy
  script:
    - echo "@<my-group>:registry=https://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/">.npmrc
    - echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">>.npmrc
    - npm publish




When I git commit my project, the pipeline job fails with the following output:

npm notice package: @<my-group>/<my-project>@1.0.0
npm notice === Tarball Contents === 
npm notice 8B   
npm notice 20B  index.js    
npm notice 612B package.json
npm notice === Tarball Details === 
npm notice name:          @<my-group>/<my-project>                     
npm notice version:       1.0.0                                   
npm notice filename:      <my-group>-<my-project>-1.0.0.tgz            
npm notice package size:  475 B                                   
npm notice unpacked size: 640 B                                   
npm notice shasum:        7b3db...
npm notice integrity:     sha512-xDv0dl9A86...
npm notice total files:   3                                       
npm notice 
npm notice Publishing to<my-project-id>/packages/npm/ with tag latest and default access
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT<my-project-id>/packages/npm/@<my-group>%2f<my-project> - insufficient_scope
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

NOTE: I have replaced the actual group name, project name and project id with <my-group>, <my-project>, and <my-project-id> in the code sections above. I have followed GitLab’s official documentation on setting this up (see npm packages in the Package Registry | GitLab) and believe that I can safely rule out the following:

  • I have made sure that Package registry is enabled in the project setup
  • I followed naming convention as described in the documentation
  • I am using a CI_JOB_TOKEN which should always be valid and should have appropriate permissions.
  • I made sure that there is no other package with the same name or version within the given scope.
  • I have made sure that the scoped package’s URL includes a trailing slash (see gitlab-ci.yml above)
  • I have confirmed the path of the <my-group> namespace querying (just to make sure that the root namespace is correct)
  • I have used npm init --scope=@<my-group> --yes for initialization

The url of the repository is indeed:<my-group>/<my-project>/

Any help on getting this to work would be much appreciated.

After changing from a job token ${CI_JOB_TOKEN} to a deploy token ${CI_DEPLOY_PASSWORD}, I was able to publish to the registry.

It worked for me with a CI_JOB_TOKEN

Thanks for sharing. It’s the same for me for public repos. My issue was with a private repo.
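
The client-side checks listed in the question (trailing slash on the scoped registry URL, an `_authToken` entry for exactly that registry path) can be run in the job before `npm publish`, so that a remaining 403 points at the token's permissions rather than at `.npmrc`. The script below is an added example, not part of the original thread or of GitLab's documentation; the function names `write_npmrc` and `check_npmrc` and their return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write and lint the .npmrc for a GitLab project-level npm registry.
# Function names and return codes are hypothetical, chosen for this example.

# write_npmrc FILE SCOPE HOST PROJECT_ID TOKEN
write_npmrc() {
    url="//$3/api/v4/projects/$4/packages/npm/"
    (
        umask 077   # the file holds a credential: readable by the job user only
        printf '%s:registry=https:%s\n' "$2" "$url" > "$1"
        printf '%s:_authToken=%s\n' "$url" "$5" >> "$1"
    )
}

# check_npmrc FILE SCOPE
# 0 = consistent
# 1 = no registry line for SCOPE
# 2 = registry URL has no trailing slash
# 3 = no _authToken entry for exactly that registry path
# 4 = entry present but token empty (CI variable not defined in this job)
check_npmrc() {
    reg=$(sed -n "s|^$2:registry=||p" "$1" | head -n 1)
    [ -n "$reg" ] || return 1
    case $reg in
        */) ;;
        *) return 2 ;;
    esac
    # npm looks up credentials by the registry URL without its protocol.
    key="//${reg#*://}:_authToken="
    line=$(awk -v k="$key" 'index($0, k) == 1 { print; exit }' "$1")
    [ -n "$line" ] || return 3
    [ -n "${line#"$key"}" ] || return 4
    return 0
}

# In the CI job, with the variables used in the thread:
#   write_npmrc .npmrc "@<my-group>" "$CI_SERVER_HOST" "$CI_PROJECT_ID" "$CI_DEPLOY_PASSWORD"
#   check_npmrc .npmrc "@<my-group>" && npm publish
```

A return code of 0 followed by `insufficient_scope` from the server means the file is well-formed and the token itself lacks rights on the target project.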