| title | Overview of NuGet.org |
|---|---|
| description | Overview of NuGet.org |
| author | mikejo5000 |
| ms.author | mikejo |
| ms.date | 06/05/2019 |
| ms.topic | concept-article |
NuGet.org is a public host of NuGet packages that are employed by millions of .NET and .NET Core developers every day.
In its role as a public host, NuGet.org itself maintains the central repository of over 100,000 unique packages at nuget.org. NuGet.org is not the only possible host for packages. The NuGet technology also enables you to host packages privately in the cloud (such as on Azure DevOps), on a private network, or even on just your local file system. If you are interested in a different host or hosting option, see Hosting your own NuGet feeds.
NuGet.org, like any host for NuGet packages, serves as the point of connection between package creators and package consumers. Creators build useful NuGet packages and publish them. Consumers then search for useful and compatible packages on accessible hosts, downloading and including those packages in their projects. Once installed in a project, the packages' APIs are available to the rest of the project code.
To publish packages on NuGet.org, you first create an individual (user) account. This becomes your identity on NuGet.org.
NuGet.org also allows you to create an organization account. An organization account has one or more individual accounts as its members. Members can manage a set of packages while maintaining a single identity for ownership. Through your individual account, you can be a member of any number of organizations.
A package can belong to an organization account like it can belong to an individual account. Package consumers don't see any difference between an individual account or the organization account: both appear as package owners.
Once you have a NuGet package (.nupkg file) to publish, you publish it to NuGet.org using either the nuget.exe CLI or the dotnet.exe CLI, along with an API key acquired from NuGet.org.
When you publish a package, you include the API key value in the CLI command.
NuGet.org supports Trusted Publishing, which is a secure and streamlined way to publish NuGet packages.
When you publish packages, you can reserve and protect your identity by reserving ID prefixes. When installing a package, package consumers are provided with additional information indicating that the package they are consuming is not deceptive in its identifying properties.
To use NuGet.org as a package repository with NuGet clients, you should use the following V3 API endpoint:
https://api.nuget.org/v3/index.json
Older clients can still use the V2 protocol to reach NuGet.org. However, please note, NuGet clients 3.0 or later will have slower and less reliable service using the V2 protocol:
https://www.nuget.org/api/v2 (The V2 protocol is deprecated!)
nuget.org also provides a vulnerability-data-only endpoint:
https://data.nuget.org/v3/index.json
This service index only contains the VulnerabilityInfo resource and doesn't serve packages.
It's designed for use as an audit source in environments where access to api.nuget.org is blocked at the network level.
Because this endpoint doesn't provide package content, network administrators who block api.nuget.org to prevent package downloads might be willing to allow data.nuget.org if asked.