Thank you for your help! I am hoping that this is enough to lock down nuget restores: API Keys for Pulling/Listing Packages Most clients will not send the API key for operations like listing or pulling packages. In this case, ProGet will issue an authentication challenge, and the client will respond by prompting for a username and password. In this case, you can supply api for the username, and your API key for the password. I'll test that.