Is your feature request related to a problem? Please describe.
Organizations often expose selected Artifactory repositories or artifacts for anonymous/public download. While these artifacts are accessible through their direct repository URLs, JFrog CLI's jf rt dl command cannot download them anonymously because it performs an AQL query before initiating the download.
For example, the following command fails when attempting to download a publicly accessible artifact from a repository with anonymous access enabled:
jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"
Error:
403 Only non-anonymous users are allowed to access AQL queries
However, the same artifact can be downloaded successfully using its direct URL:
curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>
This indicates that:
- The artifact is publicly accessible.
- Anonymous download permissions are configured correctly.
- The failure occurs because JFrog CLI requires an AQL query before downloading the artifact.
As a result, users cannot leverage JFrog CLI for anonymous downloads even when the artifact itself is publicly available.
Describe the solution you'd like to see
Allow jf rt dl to download a known artifact path from a public repository without requiring AQL authentication.
Possible implementations:
When the download target is a fully qualified artifact path, bypass AQL and perform a direct download request.
Introduce an option such as:
jf rt dl --url=https://<artifactory-url>/artifactory --direct-download "<repository>/<path>/<artifact>"
Automatically fall back to a direct artifact download when AQL fails due to anonymous-access restrictions and the target path is explicitly specified.
This would allow users to benefit from JFrog CLI features while supporting repositories intentionally exposed for anonymous consumption.
Describe alternatives you've considered
- Configuring JFrog CLI with credentials (jf c add).
- Passing a username/password or access token with every invocation.
- Using a dedicated read-only service account.
- Downloading artifacts directly using curl or wget.
While these alternatives work, they either require credential management or bypass JFrog CLI completely. Since direct downloads already succeed anonymously, it would be beneficial if JFrog CLI could support the same use case natively.
Additional context
Environment
JFrog CLI Version: 2.109.0
Artifactory anonymous access: Enabled
Repository: Publicly accessible
Artifact path: Fully known
Reproduction
jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"
Result:
403 Only non-anonymous users are allowed to access AQL queries
At the same time:
curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>
downloads the artifact successfully.
The repository is intentionally configured for anonymous access, but JFrog CLI cannot consume it because it depends on AQL before downloading. Supporting direct downloads for explicitly specified artifact paths would close this gap, improve the user experience for public repository consumers, and allow JFrog CLI to be used consistently across both authenticated and anonymous download scenarios.
We also evaluated jf rt curl as a CLI-based alternative. However, jf rt curl only supports Artifactory REST API endpoints and does not accept direct artifact URLs, so it cannot be used to anonymously download public artifacts from repository paths.
Is your feature request related to a problem? Please describe.
Organizations often expose selected Artifactory repositories or artifacts for anonymous/public download. While these artifacts are accessible through their direct repository URLs, JFrog CLI's jf rt dl command cannot download them anonymously because it performs an AQL query before initiating the download.
For example, the following command fails when attempting to download a publicly accessible artifact from a repository with anonymous access enabled:
jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"Error:
403 Only non-anonymous users are allowed to access AQL queriesHowever, the same artifact can be downloaded successfully using its direct URL:
curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>This indicates that:
As a result, users cannot leverage JFrog CLI for anonymous downloads even when the artifact itself is publicly available.
Describe the solution you'd like to see
Allow jf rt dl to download a known artifact path from a public repository without requiring AQL authentication.
Possible implementations:
When the download target is a fully qualified artifact path, bypass AQL and perform a direct download request.
Introduce an option such as:
jf rt dl --url=https://<artifactory-url>/artifactory --direct-download "<repository>/<path>/<artifact>"Automatically fall back to a direct artifact download when AQL fails due to anonymous-access restrictions and the target path is explicitly specified.
This would allow users to benefit from JFrog CLI features while supporting repositories intentionally exposed for anonymous consumption.
Describe alternatives you've considered
While these alternatives work, they either require credential management or bypass JFrog CLI completely. Since direct downloads already succeed anonymously, it would be beneficial if JFrog CLI could support the same use case natively.
Additional context
Environment
JFrog CLI Version: 2.109.0
Artifactory anonymous access: Enabled
Repository: Publicly accessible
Artifact path: Fully known
Reproduction
jf rt dl --url=https://<artifactory-url>/artifactory "<repository>/<path>/<artifact>"Result:
403 Only non-anonymous users are allowed to access AQL queries
At the same time:
curl -O https://<artifactory-url>/artifactory/<repository>/<path>/<artifact>downloads the artifact successfully.
The repository is intentionally configured for anonymous access, but JFrog CLI cannot consume it because it depends on AQL before downloading. Supporting direct downloads for explicitly specified artifact paths would close this gap, improve the user experience for public repository consumers, and allow JFrog CLI to be used consistently across both authenticated and anonymous download scenarios.