Skip to content
Latchkey

npm 403 Forbidden on Publish in CI - Fix Publish Permission Errors

A 403 on npm publish means the registry accepted who you are but refused the action. The token may lack publish rights, the name may be taken, or the version may already exist.

What this error means

npm publish fails with 403 Forbidden. The token authenticated, but publishing is blocked because of access, an existing version, two-factor requirements, or a name owned by someone else.

npm
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@acme%2fui
npm ERR! You cannot publish over the previously published versions: 1.4.0.

Common causes

The token lacks publish access

A read-only or under-scoped token cannot publish to the package or scope.

The version already exists or the name is taken

npm refuses to overwrite a published version, and you cannot publish a name owned by another account.

How to fix it

Use a publish-scoped token and bump the version

  1. Issue an automation token with publish rights to the scope.
  2. Bump the version so you are not republishing an existing one.
Terminal
npm version patch
npm publish --access public

Handle two-factor for publish

  1. Use an automation token that bypasses interactive 2FA in CI.
  2. Or supply the OTP via --otp when required.

How to prevent it

  • Publish with a dedicated automation token scoped to the package, bump the version every release, and confirm name ownership. A 403 reflects permissions or state, so retrying the same publish will not help.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →