Authentication

Package Manager supports multiple authentication methods to control access to repositories and administrative features. Choose the authentication method that best fits your organization’s infrastructure and security requirements.

Authenticated Repositories

Enhanced, Advanced

Package Manager supports creating repositories that require authentication to access. This feature allows you to restrict access to specific repositories, ensuring that only users with valid credentials can download packages.

How Authenticated Repositories Work

When a repository is configured to require authentication, Package Manager uses Basic HTTP authentication to control access. Users must provide a valid token when accessing the repository through tools like R or pip.

The token can be obtained in several ways:

  • Manual API tokens: Long-lived tokens created directly in Package Manager
  • SSO-based tokens: Short-lived tokens automatically obtained through your organization’s single sign-on system
  • Federated tokens: Tokens exchanged from external systems like GitHub Actions

Regardless of how the token is obtained, the authentication process is seamless for end users once their tools are properly configured.

For detailed instructions on setting up authenticated repositories, refer to the guides for each authentication method below.

Token Authentication

Enhanced, Advanced

API tokens provide programmatic access and are used to authenticate to repositories that require authentication. This is the default authentication method and works well for most scenarios. API tokens are used to:

  • (Advanced) Authenticate with the server when using the Package Manager CLI remotely.
  • (Enhanced, Advanced) Authenticate users for repositories that require authentication.

See the API token documentation for more information.

Configure Token Authentication →

  • Create and manage API tokens with specific scopes
  • Control access to authenticated repositories
  • Integrate with CI/CD systems and automated workflows

OpenID Connect Authentication (Single Sign-on)

Advanced

Integrate with your organization’s identity provider using OpenID Connect for single sign-on (SSO) and centralized user management.

OpenID Connect with Identity Federation

Advanced

Configure Package Manager to validate OIDC tokens from external systems for API access, enabling scenarios like GitHub Actions workflows and cross-system integrations.

Configure OpenID Connect with Identity Federation →

  • GitHub Actions integration
  • CI/CD pipeline authentication
  • Service account access from external systems

Choosing an Authentication Method

| Method | Best For | Key Benefits |
| --- | --- | --- |
| Token Authentication | API access, automated systems, simple setups | Easy to configure, fine-grained scope control, works with any client |
| OpenID Connect Authentication | Organizations with existing identity providers, SSO requirements | Centralized user management, single sign-on, group-based access control |
| Identity Federation | Cross-system integration, external service authentication | Accept tokens from multiple providers, GitHub Actions support, service account access |

Note

You can use multiple authentication methods simultaneously. For example, you might use OpenID Connect for user authentication while also accepting tokens from GitHub Actions via identity federation.

Next Steps

  1. For new deployments: Start with Token Authentication to get Package Manager running quickly
  2. For enterprise deployments: Consider OpenID Connect Authentication for better user management
  3. For CI/CD integration: Set up OpenID Connect with Identity Federation to allow automated systems to access Package Manager

For detailed configuration options, see the Authentication Configuration Reference.
