npm 403 Forbidden on Publish in CI - Fix Publish Permission Errors
A 403 on npm publish means the registry accepted who you are but refused the action. The token may lack publish rights, the name may be taken, or the version may already exist.
What this error means
npm publish fails with 403 Forbidden. The token authenticated, but publishing is blocked because of access, an existing version, two-factor requirements, or a name owned by someone else.
npm
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@acme%2fui
npm ERR! You cannot publish over the previously published versions: 1.4.0.Common causes
The token lacks publish access
A read-only or under-scoped token cannot publish to the package or scope.
The version already exists or the name is taken
npm refuses to overwrite a published version, and you cannot publish a name owned by another account.
How to fix it
Use a publish-scoped token and bump the version
- Issue an automation token with publish rights to the scope.
- Bump the version so you are not republishing an existing one.
Terminal
npm version patch
npm publish --access publicHandle two-factor for publish
- Use an automation token that bypasses interactive 2FA in CI.
- Or supply the OTP via --otp when required.
How to prevent it
- Publish with a dedicated automation token scoped to the package, bump the version every release, and confirm name ownership. A 403 reflects permissions or state, so retrying the same publish will not help.
Related guides
npm "403 Forbidden" on Publish - Fix Permission and Version ErrorsFix npm "403 Forbidden" when publishing in CI - caused by no publish rights, a taken package name, or republi…
npm 403 on Scoped Publish - Fix publishConfig access in CIFix npm 403 when publishing a scoped package in CI - a scoped package defaulting to restricted access without…
npm E401 / E403 Private Registry Auth in CI - Fix Registry AuthenticationFix npm E401 and E403 authentication errors against a private registry in CI by configuring a valid auth toke…