Skip to content
Latchkey

npm "403 Forbidden" on Publish - Fix Permission and Version Errors

A 403 on publish means the registry accepted your credentials but refused the action. The token is valid; it just is not allowed to publish this name/version.

What this error means

npm publish fails with 403 Forbidden - PUT. Reads work, so auth is fine - but the publish is rejected for a permission, name-ownership, or version-already-exists reason.

npm output
npm error code E403
npm error 403 Forbidden - PUT https://registry.npmjs.org/@acme%2fpkg
npm error 403 You cannot publish over the previously published versions: 1.4.2.

Common causes

The version already exists

npm registries are immutable - you cannot overwrite a published version. Re-running a release for an already-published version returns 403.

The token lacks publish rights or you do not own the name

A read-only token, or a name owned by another user/org, will be rejected even though authentication succeeded.

Missing publishConfig for a scoped/private package

A scoped package without the right publishConfig/access can be rejected, e.g. trying to publish public without the proper access flag.

How to fix it

Bump the version before publishing

Ensure the version is new; never attempt to overwrite.

Terminal
npm version patch        # or set a new version in package.json
npm publish --access public   # for a public scoped package

Check rights and ownership

  1. Use a token with publish (write) scope.
  2. Confirm you/your org own the package name.
  3. Set publishConfig.access for scoped packages as needed.

How to prevent it

  • Gate publish steps so they skip already-published versions.
  • Use a write-scoped token for release jobs only.
  • Set publishConfig once in package.json.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →