Concepts
Understanding a few key concepts will help you get the most out of nproxy.
The invisible proxy
nproxy is designed to be invisible to developers. Once configured, it intercepts package registry requests transparently. Developers do not need to change their workflow, learn new tools, or think about security -- it just works.
When a package version is blocked, nproxy strips it from the metadata and your package manager resolves to the latest safe version. There is no error dialog, no approval workflow, and no context switch. The developer gets a slightly older version and moves on.
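The metadata rewrite described above, as an added example that is not nproxy's own code: a blocked version is removed from an npm packument, the dist-tags that pointed at it are moved to the highest remaining version, and the client never sees the blocked entry. The sample packument is constructed for the example; the semver comparison ignores pre-release suffixes, and dropping a dist-tag when no version remains is this example's choice for that edge case.

```javascript
// Added example (not nproxy's code): strip blocked versions from an npm
// packument so the package manager silently resolves to the newest
// remaining version.

// Numeric comparison of "MAJOR.MINOR.PATCH" strings. Pre-release suffixes
// are ignored here (assumption that suits the constructed sample below).
function compareSemver(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns a new packument without the blocked versions. Any dist-tag that
// pointed at a blocked version is moved to the highest remaining version;
// if nothing remains the tag is dropped so the install fails to resolve
// (this example's choice for the "no safe version" edge case).
function filterPackument(packument, blockedVersions) {
  const blocked = new Set(blockedVersions);
  const versions = {};
  for (const [v, meta] of Object.entries(packument.versions)) {
    if (!blocked.has(v)) versions[v] = meta;
  }
  const remaining = Object.keys(versions).sort(compareSemver);
  const highest = remaining.length ? remaining[remaining.length - 1] : null;

  const distTags = {};
  for (const [tag, v] of Object.entries(packument['dist-tags'] || {})) {
    if (!blocked.has(v)) distTags[tag] = v;
    else if (highest !== null) distTags[tag] = highest;
  }

  // The "time" map also lists every version; strip blocked ones there too
  // so the client sees no trace of them.
  const time = {};
  for (const [key, value] of Object.entries(packument.time || {})) {
    if (!blocked.has(key)) time[key] = value;
  }

  return { ...packument, versions, 'dist-tags': distTags, time };
}

// Constructed sample packument (not a real package).
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.1.0', stable: '2.0.9' },
  versions: {
    '2.0.9': { version: '2.0.9' },
    '2.0.10': { version: '2.0.10' },
    '2.1.0': { version: '2.1.0' },
  },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    '2.0.9': '2024-01-01T00:00:00.000Z',
    '2.0.10': '2024-02-01T00:00:00.000Z',
    '2.1.0': '2024-03-01T00:00:00.000Z',
    modified: '2024-03-01T00:00:00.000Z',
  },
};

// Block the newest version: "latest" falls back to 2.0.10, not 2.0.9,
// because the comparison is numeric rather than lexical.
console.log(JSON.stringify(filterPackument(SAMPLE_PACKUMENT, ['2.1.0']), null, 2));
```

Note the numeric comparison: a plain string sort would rank 2.0.9 above 2.0.10 and quietly downgrade clients further than necessary.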
Defense in depth
No single security rule catches everything. nproxy uses multiple detection strategies layered together:
- Known-bad detection (malware) -- Catches identified threats using threat intelligence
- Version-specific vulnerability detection (vulnerability) -- Blocks individual package versions with known CVEs from OSV.dev
- Temporal analysis (first seen) -- Quarantines brand-new packages until the community has time to vet them
- Behavioral analysis (publisher change) -- Flags when a package's publisher identity changes unexpectedly
- Structural analysis (unexpected deps, install scripts) -- Detects risky patterns in package metadata
- Holistic scoring (package score) -- Provides a composite risk assessment
Each layer catches attacks that the others miss. Together, they cover the full spectrum of supply chain threats.
Organizations and tenants
All nproxy configuration is scoped to an organization. When you create an org, you choose a slug (e.g. acme) that becomes your registry URL: https://acme.nproxy.app/.
Configuration changes (rules, auth settings, rate limits) take effect immediately — no deploy or restart needed.
Authentication
nproxy supports two types of bearer tokens, nproxy tokens and npm tokens:
nproxy tokens are generated in the dashboard. Each token:
- Starts with the nproxy_ prefix
- Is stored as a SHA-256 hash (the plaintext is shown only once at creation time)
- Has configurable scopes (proxy, publish, cicd)
- Can optionally have an expiration date
- Inherits the organization's security rules
npm tokens are obtained via npm login and forwarded to the upstream npm registry. They enable npm write operations (publish, deprecate, star, owner) through the proxy. nproxy strips nproxy_ tokens before forwarding to upstream since npm would not accept them.
Token validation adds minimal latency to each request.
Code signing
nproxy provides Ed25519 code signing with a configurable enforcement spectrum (off / warn / internal / all). Internal packages are signed automatically at publish time. Public packages can be co-signed (attested) as they pass through the proxy. Org-level signing keys are generated in the dashboard or CLI and the private key never leaves the Durable Object. Available on all plans.
Fail-open design
nproxy is designed to fail open. If a threat intelligence service is unreachable, rules that depend on it (malware, score) skip rather than block all packages. Similarly, if the OSV.dev service is unreachable, the vulnerability rule skips. The goal is to never block legitimate work due to an infrastructure issue.
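The layered rules from the "Defense in depth" section and the fail-open behaviour described here, as one added example that is not nproxy's own code: each rule runs independently against a package version, a rule whose backend throws is recorded as skipped rather than blocking, and the verdict is the union of the rules that did block. The rule names follow the docs; the logic inside each rule, the shape of the threat-intel and OSV clients, and the sample package metadata are this example's assumptions.

```javascript
// Added example (not nproxy's code): independent rules evaluated against one
// package version, failing open when a rule's data source is unreachable.

const DAY_MS = 24 * 60 * 60 * 1000;

// Each rule returns 'block' or 'allow'. Rules backed by an external service
// throw when that service is down; the engine turns the throw into a skip.
// Client shapes (ctx.intel, ctx.osv) are assumptions of this example.
const RULES = {
  malware: (pkg, ctx) =>
    ctx.intel.isMalicious(pkg.name, pkg.version) ? 'block' : 'allow',
  score: (pkg, ctx) =>
    ctx.intel.score(pkg.name, pkg.version) < ctx.minScore ? 'block' : 'allow',
  vulnerability: (pkg, ctx) =>
    ctx.osv.findVulns(pkg.name, pkg.version).length > 0 ? 'block' : 'allow',
  firstSeen: (pkg, ctx) =>
    ctx.now - Date.parse(pkg.publishedAt) < ctx.quarantineDays * DAY_MS ? 'block' : 'allow',
  publisherChange: (pkg) =>
    pkg.previousPublisher && pkg.publisher !== pkg.previousPublisher ? 'block' : 'allow',
  installScripts: (pkg) =>
    ['preinstall', 'install', 'postinstall'].some((s) => pkg.scripts && s in pkg.scripts)
      ? 'block'
      : 'allow',
};

// Run every rule; collect blocks and skips separately so an outage is
// visible in the result without turning into a blanket block.
function evaluate(pkg, ctx) {
  const results = {};
  for (const [name, rule] of Object.entries(RULES)) {
    try {
      results[name] = rule(pkg, ctx);
    } catch (err) {
      // Fail open: this rule contributes nothing; the others still run.
      results[name] = `skip: ${err.message}`;
    }
  }
  const names = Object.keys(results);
  const blockedBy = names.filter((n) => results[n] === 'block');
  const skipped = names.filter((n) => results[n].startsWith('skip'));
  return { verdict: blockedBy.length > 0 ? 'block' : 'allow', blockedBy, skipped, results };
}

// Constructed clients: one healthy, one with threat intel unreachable.
const HEALTHY = {
  intel: { isMalicious: () => false, score: () => 85 },
  osv: { findVulns: () => [] },
};
const INTEL_DOWN = {
  intel: {
    isMalicious: () => { throw new Error('threat intel unreachable'); },
    score: () => { throw new Error('threat intel unreachable'); },
  },
  osv: HEALTHY.osv,
};

// Constructed package metadata and evaluation context.
const SAMPLE_PKG = {
  name: 'example-lib',
  version: '1.4.0',
  publishedAt: '2024-01-01T00:00:00Z',
  publisher: 'alice',
  previousPublisher: 'alice',
  scripts: {},
};
const NOW = Date.parse('2024-03-01T00:00:00Z');
const BASE_CTX = { now: NOW, quarantineDays: 7, minScore: 50 };

// Stand-alone run: the same package with intel up and with intel down.
console.log(evaluate(SAMPLE_PKG, { ...BASE_CTX, ...HEALTHY }));
console.log(evaluate(SAMPLE_PKG, { ...BASE_CTX, ...INTEL_DOWN }));
```

The `skipped` list is worth surfacing in logs or metrics: fail-open keeps developers unblocked, but an outage that silently disables the malware and score rules for hours should still be noticed by whoever runs the proxy.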
Further reading
- Architecture — How the proxy works at a high level
- Git SHA Installs — Pin dependencies to exact git commits