---
title: "Private NuGet Feed - Secure, Hosted Package Management"
description: "Cloudsmith gives your .NET teams a fully managed private NuGet feed with security scanning, native signing, upstream proxying, and entitlement token auth. Start today."
canonical_url: "https://cloudsmith.com/product/formats/nuget-feed-old"
last_updated: "2026-05-06T18:12:23Z"
---
# Private NuGet Feed - Secure, Hosted Package Management

## Your private **NuGet** feed, fully managed on Cloudsmith

Cloudsmith gives your .NET teams a secure, highly available private NuGet feed with built-in security scanning, upstream proxying, and native signing support. Push and pull with standard tooling, enforce policies across every package, and stop depending on public registries for build reliability.

## Create Your Private NuGet Feed

Cloudsmith simplifies the storage and sharing of NuGet packages, with support for both public and private repositories. By leveraging NuGet's built-in tooling with Cloudsmith, you will reduce collaboration costs and boost package distribution speeds. Cloudsmith's NuGet repository support is also compatible with Chocolatey, which is our recommended tool for Windows package management.

Universal format support

## **One home for NuGet** and every other format your teams rely on.

- Use NuGet + 30 other formats
- Store NuGet packages alongside Docker containers and raw binaries
- Manage internal libraries and open-source dependencies from a single registry

## How we support **NuGet**

Cloudsmith gives .NET teams a fully managed private NuGet feed with the security controls, performance, and reliability that public registries cannot provide.

[Read our NuGet documentation](https://docs.cloudsmith.com/formats/nuget-feed)

### Full NuGet v3 feed support

Cloudsmith exposes a standards-compliant NuGet v3 feed endpoint. Configure it as a source in the NuGet CLI, .NET Core CLI, Visual Studio Package Manager, or Paket without any changes to your existing workflow.

### Native package signing

Cloudsmith natively signs all NuGet packages using an X.509 certificate so consumers can verify repository signatures directly in the NuGet CLI. Author signatures are countersigned automatically on upload.

### Vulnerability scanning

Every NuGet package uploaded to Cloudsmith is scanned for known vulnerabilities. Pair scanning with OPA Rego policies to quarantine or block packages that fail your security thresholds before they reach developers.

### Upstream proxying and caching

Proxy NuGet.org and other upstream feeds through Cloudsmith to eliminate single points of failure in your CI pipelines. Cached packages are served from Cloudsmith's global CDN for fast, reliable restores regardless of upstream availability.

### Entitlement token and API key auth

Secure private NuGet feeds with entitlement token authentication or HTTP Basic auth using API keys. Tokens scope access per repository, giving you fine-grained control over who can push or pull packages.

## Why teams choose Cloudsmith for **NuGet**

Relying on NuGet.org directly and managing private feeds ad hoc creates fragile pipelines, security blind spots, and governance gaps that grow with your team. Cloudsmith replaces that chaos with a single, controlled source of truth.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Builds break whenever NuGet.org is slow or unreachable. Every pipeline is a direct dependency on a public registry your team does not control. | Cloudsmith proxies and caches NuGet.org so your builds restore from a private, CDN-backed feed. Upstream downtime no longer blocks your CI pipelines. |

| Version conflicts and unreviewed packages slip into builds because there is no central policy enforcement. Teams publish directly to shared feeds with no promotion process. | OPA Rego policies enforce package standards across every repository. Promotion workflows move packages from dev to test to production with full auditability and no manual intervention. |

| Security scanning is manual or non-existent. A vulnerable dependency can reach production before anyone notices, and there is no quarantine mechanism to stop it. | Cloudsmith scans every uploaded NuGet package for known vulnerabilities and applies policy rules automatically. Packages that fail your thresholds are quarantined before they are available to developers. |

## Signs you're ready to switch to Cloudsmith for **NuGet**

Most teams hit the limits of self-hosted feeds or direct NuGet.org reliance as they scale. If any of these sound familiar, Cloudsmith is the upgrade your workflow needs.

[Book a demo with one of our experts](/book-a-demo)

### CI pipelines break on upstream outages

NuGet.org downtime or rate limiting halts your builds. Cloudsmith proxies and caches upstream feeds so your pipelines keep running regardless of public registry availability.

### No visibility into vulnerable dependencies

Packages land in builds without any security review. Cloudsmith scans every NuGet package on upload and gives you automated quarantine policies to stop vulnerable artifacts before they reach developers.

### Version chaos across projects

Different teams pin different versions of the same package, leading to conflicts and unreproducible builds. Cloudsmith centralises your NuGet feed so version governance is consistent across every project.

### Self-hosted feed infrastructure is a burden

Running your own NuGet server means managing uptime, storage, and patching. Cloudsmith is fully managed, so you get SLA-backed availability without any operational overhead.

### NuGet is just one of many formats you need to manage

Your teams ship Docker images, Python wheels, and raw binaries alongside .NET packages. Cloudsmith consolidates every format into a single registry so you stop juggling separate tools and access controls.

## Get started with **NuGet** on Cloudsmith

[Book a demo](/book-a-demo)

[View pricing](/pricing)

## Frequently asked questions

### Does Cloudsmith support the NuGet v3 feed protocol?

Yes. Cloudsmith exposes a fully compliant NuGet v3 feed endpoint that works with the NuGet CLI, .NET Core CLI, Visual Studio Package Manager, Paket, and any other tool that supports the standard NuGet v3 service index.

### Can I use Cloudsmith as a Chocolatey repository?

Yes. Cloudsmith NuGet feeds are fully compatible with Chocolatey. Chocolatey packages are an enhanced NuGet format, and from Chocolatey v2.0.0 onwards, NuGet v3 feeds are supported as sources.

### How do I authenticate to a private Cloudsmith NuGet feed?

Cloudsmith supports both entitlement token authentication and HTTP Basic authentication using your username and API key. Entitlement tokens can be scoped per repository, giving you fine-grained control over read and write access.

### Does Cloudsmith support NuGet package signing?

Yes. Cloudsmith natively signs all NuGet packages using an X.509 certificate issued by its own Certificate Authority. If a package already has an author signature, Cloudsmith countersigns it. Consumers can verify signatures using the NuGet CLI.

### Can I proxy and cache NuGet.org through Cloudsmith?

Yes. Cloudsmith's upstream proxying feature lets you configure NuGet.org or any other NuGet feed as an upstream source. Packages are cached on first request, protecting your builds from upstream downtime and rate limits.

### How does vulnerability scanning work for NuGet packages?

Every NuGet package uploaded to Cloudsmith is automatically scanned for known vulnerabilities. You can pair scanning results with OPA Rego policies to quarantine or reject packages that exceed your risk thresholds before they are available to developers.

### Can Cloudsmith work as a NuGet Symbol Server?

Yes. Each Cloudsmith repository can be configured as a NuGet Symbol Server in Visual Studio. It stores and serves PDB files and source files so developers can step through compiled library code during debugging.

### How do I migrate from a self-hosted NuGet server to Cloudsmith?

You can upload existing packages to Cloudsmith using the Cloudsmith CLI or the web app, then update your NuGet source configuration to point at your new Cloudsmith feed endpoint. Cloudsmith's contextual setup instructions include pre-configured copy-paste commands for each repository.

### Can I store NuGet packages alongside other formats in the same repository?

Yes. Cloudsmith repositories are multi-format, so you can store NuGet packages, Docker images, npm packages, and more in a single repository. This simplifies access control and lets teams centralise all their artifacts in one place.

### What is the maximum NuGet package size Cloudsmith supports?

When using the native NuGet CLI to publish, the per-package file limit is 200 MiB. When uploading via the Cloudsmith CLI, the limit increases to 5 GiB, which accommodates large symbol packages or packages with embedded binaries.
