npm "403 Forbidden" on Publish - Fix Permission and Version Errors
A 403 on publish means the registry accepted your credentials but refused the action. The token is valid; it just is not allowed to publish this name/version.
What this error means
npm publish fails with 403 Forbidden - PUT. Reads work, so auth is fine - but the publish is rejected for a permission, name-ownership, or version-already-exists reason.
npm error code E403
npm error 403 Forbidden - PUT https://registry.npmjs.org/@acme%2fpkg
npm error 403 You cannot publish over the previously published versions: 1.4.2.Common causes
The version already exists
npm registries are immutable - you cannot overwrite a published version. Re-running a release for an already-published version returns 403.
The token lacks publish rights or you do not own the name
A read-only token, or a name owned by another user/org, will be rejected even though authentication succeeded.
Missing publishConfig for a scoped/private package
A scoped package without the right publishConfig/access can be rejected, e.g. trying to publish public without the proper access flag.
How to fix it
Bump the version before publishing
Ensure the version is new; never attempt to overwrite.
npm version patch # or set a new version in package.json
npm publish --access public # for a public scoped packageCheck rights and ownership
- Use a token with publish (write) scope.
- Confirm you/your org own the package name.
- Set
publishConfig.accessfor scoped packages as needed.
How to prevent it
- Gate publish steps so they skip already-published versions.
- Use a write-scoped token for release jobs only.
- Set publishConfig once in package.json.