How to Handle 2FA With Automation Tokens When Publishing
Interactive 2FA prompts break non-interactive CI, so use an automation token (which skips the OTP prompt) or OIDC-based publishing where the registry offers it.
When an account requires 2FA, an interactive publish asks for a one-time password that CI cannot supply. npm automation tokens are designed for this: they authorize publish without an OTP prompt. Prefer OIDC (provenance, trusted publishing) where available so no long-lived token is stored at all.
Steps
- In npm settings, create an Automation access token (not a Publish token).
- Store it as
NPM_TOKENand use it asNODE_AUTH_TOKEN. - Where the registry supports OIDC, prefer that over any stored token.
Workflow
.github/workflows/ci.yml
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'
- run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}Gotchas
- A non-automation token under 2FA fails with
EOTPbecause CI cannot answer the OTP prompt. - Scope tokens to a single package where possible to limit exposure.
- Rotate stored tokens on a schedule; OIDC removes that maintenance entirely.
Related guides
How to Publish an npm Package With ProvenancePublish an npm package with provenance by adding --provenance and id-token: write permission, letting the OID…
How to Publish to PyPI With Trusted Publishing (OIDC)Publish to PyPI from CI without a stored token using trusted publishing, where PyPI verifies the workflow OID…
How to Configure a Scoped Registry in .npmrc for PublishingRoute a scoped npm package to a specific registry in CI with an .npmrc that maps the scope and its auth token…