Attempt to access published Maven package resusts in Unauthorized error

[blackears]

Select Topic Area

Question

Body

I recently went through the process of creating and publishing a Maven package for an old Java project using Github. I had thought that once I published the project that this would be enough, but a user is saying that they're getting an unauthorized error when they try to include it in their Gradle build:

blackears/svgSalamander#111

I came across an old thread from 2020 that said that Github was not allowing Maven packages to be publicly referenced, but was wondering if anything had changed? Is there a way to allow unauthenticated public users to access my package?

[gpl-gowthamchand]

Hey @blackears,

I get what you’re running into. Even if your Maven package is public, GitHub Packages often requires some form of authentication, which is why users might see unauthorized errors. Usually, they need a personal access token (PAT) with the read:packages scope.

Make sure your package is set to public in the repository settings, and check that users have the correct repository URL in their pom.xml. For public packages, authentication might not always be needed, but if it still prompts for it, a PAT is the safest way to go.

If users are still having trouble, sharing the exact error message can help pinpoint what’s going wrong.

[blackears]

What do you do to make a package public? Does that just mean the repo is public? Or is there something special I need to add to the pom.xml file?

[gpl-gowthamchand]

Making the repository public is the main step- there isn’t anything extra you need to add in your pom.xml. However, for GitHub Packages, even if the repo is public, Maven/Gradle clients often still expect authentication with a personal access token.

So in short:
Repo visibility -- controls who can see the code and package page.
Authentication -- still usually required when consuming the package, even if it’s public.

Unfortunately, GitHub doesn’t yet support fully anonymous access to Maven packages (without a token).

[eggduzao]

TL;DR

• GitHub Packages Maven registry are always authenticated.
• If you want true public consumption, publish to Maven Central.
• Otherwise, document token setup in your project's README.

If your goal is to let any Gradle/Maven user pull your library without credentials, Maven Central is the right solution.

---

When publishing Java artifacts to GitHub Packages, there are two important things to know up front:

1. GitHub Packages for Maven/Gradle is not public by default.
   Even if your repository is public, the Maven package registry still requires authentication. This is different from GitHub's container registry (ghcr.io), which can serve images publicly.

2. There is no "anonymous access" for Maven packages hosted on maven.pkg.github.com.
   Every consumer needs a GitHub account + a Personal Access Token (PAT) with at least read:packages permission.

---

What you can do

• Option 1 - Document authentication in your README

  Tell users to add their GitHub username + PAT in gradle.properties or settings.xml. For example (Gradle):

  # ~/.gradle/gradle.properties
  gpr.user=USERNAME
  gpr.key=YOUR_GITHUB_PAT

And in build.gradle:

repositories {
    maven {
        url = uri("https://maven.pkg.github.com/OWNER/REPO")
        credentials {
            username = project.findProperty("gpr.user") ?: System.getenv("USERNAME")
            password = project.findProperty("gpr.key") ?: System.getenv("TOKEN")
        }
    }
}

• Option 2 - Re-publish to Maven Central (Sonatype OSSRH)

If you want true public access (no tokens required), the standard practice in the Java ecosystem is to deploy to Maven Central.

- Pros: Anyone can consume without credentials.
- Cons: Initial setup involves validation + signing keys, but once it's done, it's the most sustainable distribution channel.

• Option 3 - GitHub Actions mirror

Some projects keep their "source of truth" on GitHub Packages but add a CI job that republishes to Maven Central. This way, casual users get easy access from Central while you keep GitHub Packages for internal/dev builds.

---

Why GitHub hasn't changed this

GitHub has been consistent since ~2020: authentication is required for maven.pkg.github.com. This is not a bug but a design decision. As of 2025, there's no supported way to make those packages world-readable.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬