npm Registry API

Public REST API and CouchDB-based registry for the npm JavaScript package ecosystem. Provides package metadata lookup, version history, download statistics, search, and package manifest access. Also supports publishing packages and managing user/org scopes via authenticated endpoints. The download counts API tracks package popularity over time.

Evaluated Mar 06, 2026 (version evaluated: current)
Category: Developer Tools. Tags: npm, package-registry, javascript, nodejs, packages, semver, couchdb, registry, downloads
⚙ Agent Friendliness: 53/100 (Can an agent use this?)
🔒 Security: 83/100 (Is it safe for agents?)
⚡ Reliability: 75/100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 72
Error Messages: 72
Auth Simplicity: 80
Rate Limits: 60

🔒 Security

TLS Enforcement: 100
Auth Strength: 82
Scope Granularity: 80
Dep. Hygiene: 70
Secret Handling: 78

Granular access tokens with IP allow-lists and per-package scope limit the blast radius of a leaked credential. 2FA enforcement for publish operations on high-impact packages is supported. The public registry has a history of supply chain incidents (typosquatting, account takeovers), so consumers should verify every downloaded tarball against the `dist.integrity` field (an SRI string, sha512 for anything published in recent years) recorded in the package metadata, and pin those hashes in a lockfile rather than trusting the tarball URL alone. npm audit queries a separate advisory endpoint backed by the GitHub Advisory Database; it does not read vulnerability data from the package metadata documents.

⚡ Reliability

Uptime/SLA: 78
Version Stability: 75
Breaking Changes: 72
Error Recovery: 75

Best When

You need to programmatically look up package metadata, versions, or download statistics for JavaScript/Node.js packages, especially for dependency analysis, security scanning, or developer tooling.

Avoid When

You need to host private packages, require guaranteed SLAs on the registry, or are building against the full CouchDB replication API which is no longer publicly supported.

Use Cases

  • Fetching package metadata (description, versions, dependencies, license, maintainers) for dependency analysis tools
  • Building security audit pipelines that enumerate transitive dependencies and check for known vulnerabilities
  • Tracking download trends for packages to measure adoption or compare alternatives
  • Automating package publication and tagging workflows in CI/CD pipelines via npm publish API
  • Building registry mirrors, caching proxies, or private registry federations on top of the public registry

Not For

  • High-frequency automated queries at scale without caching — the registry has rate limits and bans abusive crawlers
  • Private package hosting for proprietary code (use GitHub Packages, Verdaccio, or Artifactory instead)
  • Non-JavaScript ecosystems — use PyPI, crates.io, or Maven Central for other language packages

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: api_key, token, legacy_password
OAuth: No. Scopes: Yes.

Read-only registry queries (package metadata, download counts) need no authentication. Publishing, deprecating, and team management require an npm access token, sent as `Authorization: Bearer <token>`. Classic tokens come in three types: read-only, automation (can publish without a 2FA code, intended for CI), and publish (prompts for a TOTP code when the account's 2FA setting covers writes). Granular access tokens, introduced in December 2022, can be limited to specific packages, scopes or orgs, restricted to an IP CIDR allow-list, and given an expiry date, which makes them the right choice for CI pipelines.

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

Reading public package data and download stats is free. Private packages require a paid plan. The registry publishes no explicit rate limit for reads, but aggressive scraping results in IP bans. For large-scale download analysis, use the bulk point endpoint (`api.npmjs.org/downloads/point/<period>/name1,name2,...`, up to 128 unscoped names per request) and cache package metadata documents locally instead of re-fetching them; the CouchDB replication API is no longer a supported route for bulk access (see Avoid When).

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • The `dist-tags` field in package metadata (e.g., `latest`) is the authoritative resolved version for `npm install package` — agents that parse the full versions list and sort semantically may get a different result than what npm actually installs if the maintainer has set a non-latest dist-tag
  • Package name uniqueness is case-insensitive and new names must be lowercase, so `Express` and `express` cannot both be published; the canonical package is `express`. A few legacy packages created before the lowercase rule keep mixed-case names (`JSONStream` is one), so normalize to lowercase before lookups unless you are deliberately targeting such a legacy name
  • The download counts API (api.npmjs.org/downloads) is a separate service from registry.npmjs.org and uses a different base URL; agents that try to fetch download stats from the registry URL will get 404s
  • Scoped package names (@scope/name) need the slash encoded in API paths: npm itself requests `/@scope%2Fname`, and encoding the `@` as well (`%40scope%2Fname`) is accepted; forgetting the encoding returns 404 even for packages that exist
  • The `time` field in package metadata contains publish timestamps for every version, but it also carries `created` and `modified` keys (and an `unpublished` object for unpublished packages), so not every key is a version. Timestamps are ISO 8601 with milliseconds; JSON parsers that coerce dates may lose the sub-second precision, so keep them as strings if exact ordering matters
  • npm's registry has eventually consistent mirrors — immediately after publishing, some CDN edge nodes may return a 404 for the new version for up to 30 seconds; build retry logic into publish verification steps


Scores are editorial opinions as of 2026-03-06.
