DE EN
Packages & Feeds Using NuGet & npm Packages

Using NuGet & npm Packages

FlawDesk Packages is the private package registry at packages.flawdesk.de. It speaks the standard NuGet (V3) and npm protocols — so you keep using dotnet, nuget and npm as usual, just pointed at your FlawDesk registry.

Every tenant has its own slug. In the examples it appears as the placeholder {slug} — replace it with your own.

ℹ️ NuGet and npm share the same backend and the same access keys. One key pair is enough for both protocols.

Access keys

Manage keys under Project → Settings → FlawDesk Packages. There are two types:

  • Read key (flwpkg_r…) — for installing and restoring, i.e. read-only access.
  • Push key (flwpkg_p…) — for publishing, i.e. write access.
⚠️ Treat the push key like a password. It must not end up in a Git repository or in shipped software.

Username and password

Wherever credentials are requested — the Visual Studio credential dialog, a nuget.config, an .npmrc — the same scheme applies:

  • Username = your slug, i.e. the technical identifier of your workspace. For workspace "XantoSoft" that's xantosoft. You also see it right in the feed URL: packages.flawdesk.de/xantosoft/v3/… — that path segment is the slug.
  • Password = your read key for installing/restoring, or your push key for publishing.
⚠️ The username is not flawdesk and not your FlawDesk login. The feed server checks username == slug — if the username doesn't match the slug in the path you get a 401, even with the correct key.

A workspace has exactly one slug and one key pair; all projects within it share the same feed and the same username.

Projects set up by FlawDesk

When a project is connected through the Code Connector, FlawDesk configures the feed for you — you don't write the nuget.config (or .npmrc) yourself. On activating FlawDesk Packages, or during provisioning, FlawDesk commits a nuget.config to the repository that does not contain the read key in plain text but pulls it from an environment variable instead:

<add key="Username" value="{slug}" />
<add key="ClearTextPassword" value="%FLAWDESK_NUGET_KEY%" />

The placeholder %FLAWDESK_NUGET_KEY% is resolved from the environment at restore time. No key ends up in Git history, and the same feed works locally, in CI and on the server.

Where the key comes from

  • GitHub Actions — FlawDesk sets the repository secret FLAWDESK_NUGET_KEY automatically during provisioning. The Windows build workflow wires it in as a job environment variable; nothing more to do.
  • Server builds via the connector (flawdesk_code_dotnet) — the key is injected into the build environment automatically from the activated tenant. No manual step here either.
  • Your local dev machine — here, and only here, you hand over the key once yourself. The recommended way is below.

So the %FLAWDESK_NUGET_KEY% placeholder is primarily meant for CI and the server — neither has an interactive credential store, so both pull the key from the environment variable. On your desktop you do not need the variable; the Windows Credential Manager covers it more simply.

Set up your local machine (one-time, recommended)

On the first dotnet restore, or when opening the solution, Visual Studio prompts for credentials for packages.flawdesk.de. Enter:

  • Username: your slug (e.g. xantosoft)
  • Password: your read key (flwpkg_r…, found under Project → Settings → FlawDesk Packages → Show)
  • tick "Save password" → OK

This stores the login in the Windows Credential Manager, where it persists and works independently of environment variables. Enter it once, never again.

ℹ️ The Credential Manager applies per Windows user for all projects against packages.flawdesk.de — you enter the credentials once per machine, not per repository.

If you'd rather use the environment variable

For dotnet on the command line or headless scenarios you can also set the key as an environment variable — then the %FLAWDESK_NUGET_KEY% placeholder from the nuget.config resolves locally too:

[Environment]::SetEnvironmentVariable('FLAWDESK_NUGET_KEY','flwpkg_r…','User')
⚠️ On Windows it is not enough to just restart Visual Studio afterwards. GUI apps inherit their environment block from explorer.exe, which holds the stale state. For the variable to reach VS you must sign out and back in (or restart explorer.exe) — only then do newly started GUI processes see the new value. This is exactly why the Credential Manager route above is the more reliable one for VS.

You only need the manual route below (key directly in nuget.config) for projects not managed by the connector, or when you want to configure the feed globally in your user profile.

NuGet

Configure the feed source

Your feed's service index:

https://packages.flawdesk.de/{slug}/v3/index.json

Add it to your nuget.config (next to the project or globally in your user profile). On restore, NuGet authenticates via Basic auth — the username must be exactly your slug, the password is your read key:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="flawdesk" value="https://packages.flawdesk.de/{slug}/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <flawdesk>
      <add key="Username" value="{slug}" />
      <add key="ClearTextPassword" value="YOUR_READ_KEY" />
    </flawdesk>
  </packageSourceCredentials>
</configuration>

Then work as usual:

dotnet restore
dotnet add package MyPackage

Publish a package

Publish with the push key as the API key:

dotnet nuget push MyPackage.1.0.0.nupkg --source https://packages.flawdesk.de/{slug}/v3/index.json --api-key YOUR_PUSH_KEY
ℹ️ Versions are immutable. An already-published version cannot be overwritten — bump the version number for every push.

npm

Configure the registry

Add the scope mapping and the token to your .npmrc (in the project or globally in your user profile). For a scoped package under @{slug}:

@{slug}:registry=https://packages.flawdesk.de/{slug}/npm/
//packages.flawdesk.de/{slug}/npm/:_authToken=YOUR_KEY
ℹ️ The line starting with // is not a comment but npm syntax — it binds the auth token to this specific registry.

For _authToken, use the read key to install and the push key to publish.

npm install @{slug}/my-package

Publish a package

With the push key configured:

npm publish

Troubleshooting

  • 401 Unauthorized — key missing, wrong or revoked, or the username doesn't match the slug (most common slip: flawdesk entered instead of xantosoft — the username must be the slug, see "Username and password"). For projects set up by FlawDesk the FLAWDESK_NUGET_KEY environment variable may also be missing, so the placeholder in nuget.config resolves to an empty password — on the desktop this is easiest to fix via the credential dialog (see "Set up your local machine").
  • 403 Forbidden — the key type does not match the operation: a read key on a write endpoint, or vice versa. Push needs the push key, restore and install need the read key.
  • 409 Conflict (NuGet) — the version already exists in the feed. Bump the version number.