Skip to content
Latchkey

How to Handle 2FA With Automation Tokens When Publishing

Interactive 2FA prompts break non-interactive CI, so use an automation token (which skips the OTP prompt) or OIDC-based publishing where the registry offers it.

When an account requires 2FA, an interactive publish asks for a one-time password that CI cannot supply. npm automation tokens are designed for this: they authorize publish without an OTP prompt. Prefer OIDC (provenance, trusted publishing) where available so no long-lived token is stored at all.

Steps

  • In npm settings, create an Automation access token (not a Publish token).
  • Store it as NPM_TOKEN and use it as NODE_AUTH_TOKEN.
  • Where the registry supports OIDC, prefer that over any stored token.

Workflow

.github/workflows/ci.yml
- uses: actions/setup-node@v4
  with:
    node-version: 20
    registry-url: 'https://registry.npmjs.org'
- run: npm publish --access public
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Gotchas

  • A non-automation token under 2FA fails with EOTP because CI cannot answer the OTP prompt.
  • Scope tokens to a single package where possible to limit exposure.
  • Rotate stored tokens on a schedule; OIDC removes that maintenance entirely.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →