diff --git a/.changeset/huge-rats-stay.md b/.changeset/huge-rats-stay.md
new file mode 100644
index 00000000..1da3e1fe
--- /dev/null
+++ b/.changeset/huge-rats-stay.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(scanner): sync config with pacote when config is present
diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
index 3542bcf9..9bb8a94c 100644
--- a/workspaces/scanner/src/depWalker.ts
+++ b/workspaces/scanner/src/depWalker.ts
@@ -128,18 +128,24 @@ export async function depWalker(
 const collectables = kCollectableTypes.map((type) => new DefaultCollectableSet(type));
+ const tokenStore = new RegistryTokenStore(npmRcConfig, NPM_TOKEN.token);
+
+ const npmProjectConfig = tokenStore.getConfig(registry);
+
 const pacoteProvider: PacoteProvider = { async extract(spec, dest, opts): Promise { await statsCollector.track( `pacote.extract ${spec}`, "tarball-scan",
- () => pacote.extract(spec, dest, opts)
+ () => pacote.extract(spec, dest, {
+ ...opts,
+ ...npmProjectConfig
+ })
 ); } }; const isRemoteScanning = typeof location === "undefined";
- const tokenStore = new RegistryTokenStore(npmRcConfig, NPM_TOKEN.token);
 await using tempDir = await TempDirectory.create();
@@ -164,10 +170,11 @@ export async function depWalker(
 registry, providers: { pacote: {
- manifest: (spec, opts) => statsCollector.track(`pacote.manifest ${spec}`, "tree-walk", () => pacote.manifest(spec, opts)),
+ manifest: (spec, opts) => statsCollector.track(`pacote.manifest ${spec}`, "tree-walk", () => pacote.manifest(spec,
+ { ...opts, ...npmProjectConfig })),
 packument: (spec, opts) => statsCollector.track(`pacote.packument ${spec}`, "tree-walk",
- () => pacote.packument(spec, opts))
+ () => pacote.packument(spec, { ...opts, ...npmProjectConfig }))
 } } });
diff --git a/workspaces/scanner/src/registry/RegistryTokenStore.ts b/workspaces/scanner/src/registry/RegistryTokenStore.ts
index f2accdaa..1f3723c9 100644
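Review bot: In depWalker.ts the `npmProjectConfig` object is spread after `opts` in the `pacote.extract` call, and again in the `manifest` and `packument` providers of the second hunk, so the store's entry silently overrides any same-named key a caller passed for that request. It is also resolved once, for `registry` only, and then attached to every spec fetched during the walk; whether dependencies served from another registry still get their own `.npmrc` credentials cannot be told from these hunks and is worth confirming. If per-call options are meant to take precedence, use `{ ...npmProjectConfig, ...opts }` in all three places. Since the object carries a registry token, a comment above `const npmProjectConfig` such as `// Registry credentials from .npmrc, forwarded to pacote; never log this object.` would help the next reader. The body of `depWalker` starts and ends outside both hunks.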
--- a/workspaces/scanner/src/registry/RegistryTokenStore.ts
+++ b/workspaces/scanner/src/registry/RegistryTokenStore.ts
@@ -26,7 +26,15 @@ export class RegistryTokenStore implements TokenStore {
 return token; }
+ getConfig(registry: string) {
+ return this.#config ? { [this.getKey(registry)]: this.get(registry) } : {};
+ }
+
 private getTokenKey(registry: string) {
- return `${registry.replace(/https:|http:/, "")}:_authToken`;
+ return `${this.getKey(registry)}:_authToken`;
+ }
+
+ private getKey(registry: string) {
+ return registry.replace(/https:|http:/, "");
 } }
diff --git a/workspaces/scanner/test/RegistryTokenStore.spec.ts b/workspaces/scanner/test/RegistryTokenStore.spec.ts
index 6050c77c..d361bfc5 100644
--- a/workspaces/scanner/test/RegistryTokenStore.spec.ts
+++ b/workspaces/scanner/test/RegistryTokenStore.spec.ts
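Review bot: In RegistryTokenStore.ts, `getConfig` keys the token by `this.getKey(registry)` (`//host/`) rather than by `getTokenKey` (`//host/:_authToken`), which is the `.npmrc` key form and, to my knowledge, the one pacote's registry client (npm-registry-fetch) reads credentials from; as written the value spread into the pacote options is probably never used as auth, so please verify against a private registry. It also calls `this.get(registry)`, which per the spec file falls back to the env token for a registry the config does not list and can return `undefined`, so the env token may end up bound to whatever registry is passed and the object may carry an `undefined` value. Consider `const token = this.get(registry);` followed by `return this.#config && token ? { [this.getTokenKey(registry)]: token } : {};`, with an explicit `Record<string, string>` return type and the `getConfig` expectations in the spec updated to the `:_authToken` key. The class body starts outside the hunk.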
@@ -48,22 +48,41 @@ always-auth=true
 await tempDir.clear(); });
- test("should store and retrieve tokens", async() => {
- const store = new RegistryTokenStore(config, undefined);
- assert.strictEqual(store.get("https://registry.npmjs.org/"), "public-token");
- assert.strictEqual(store.get("http://npm.nodescure.github.com/"), "private-token");
- assert.strictEqual(store.get("https://registry.npmjs.org/"), "public-token");
- assert.strictEqual(store.get("unknown"), undefined);
- });
+ describe("get", () => {
+ test("should store and retrieve tokens", () => {
+ const store = new RegistryTokenStore(config, undefined);
+ assert.strictEqual(store.get("https://registry.npmjs.org/"), "public-token");
+ assert.strictEqual(store.get("http://npm.nodescure.github.com/"), "private-token");
+ assert.strictEqual(store.get("https://registry.npmjs.org/"), "public-token");
+ assert.strictEqual(store.get("unknown"), undefined);
+ });
+
+ test("should default to token from env when there is one", () => {
+ const store = new RegistryTokenStore(config, "token-from-env");
+ assert.strictEqual(store.get("unknown"), "token-from-env");
+ assert.strictEqual(store.get("unknown"), "token-from-env");
+ });
- test("should default to token from env when there is one", () => {
- const store = new RegistryTokenStore(config, "token-from-env");
- assert.strictEqual(store.get("unknown"), "token-from-env");
- assert.strictEqual(store.get("unknown"), "token-from-env");
+ test("should always default to token from env when there is no config", () => {
+ const store = new RegistryTokenStore(undefined, "token-from-env");
+ assert.strictEqual(store.get("https://registry.npmjs.org/"), "token-from-env");
+ });
 });
- test("should always default to token from env when there is no config", () => {
- const store = new RegistryTokenStore(undefined, "token-from-env");
- assert.strictEqual(store.get("https://registry.npmjs.org/"), "token-from-env");
+ describe("getConfig", () => {
+ test("should get no config", () => {
+ const store = new RegistryTokenStore(undefined, "token-from-env");
+ assert.deepEqual(store.getConfig("https://registry.npmjs.org/"), {});
+ });
+
+ test("should get the right config by registry", () => {
+ const store = new RegistryTokenStore(config, "token-from-env");
+ assert.deepEqual(store.getConfig("https://registry.npmjs.org/"), {
+ "//registry.npmjs.org/": "public-token"
+ });
+ assert.deepEqual(store.getConfig("http://npm.nodescure.github.com/"), {
+ "//npm.nodescure.github.com/": "private-token"
+ });
+ });
 }); });
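Review bot: The `getConfig` tests never exercise a registry that is absent from the config, which is the case where `get` falls back to the env token, or to `undefined` as the `store.get("unknown")` assertion in the `get` block shows. Add a case calling `getConfig("unknown")` on `new RegistryTokenStore(config, "token-from-env")` and another on `new RegistryTokenStore(config, undefined)`, each with the intended result spelled out. That pins down whether an env token may be attached to an unlisted registry and whether a key with an `undefined` value may appear in the returned object. The enclosing `describe` block starts outside the hunk.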