Skip to content
Latchkey

npm 403 on Scoped Publish - Fix publishConfig access in CI

Scoped packages publish as restricted by default. Without --access public (or publishConfig.access), or without a token allowed to publish that scope, the registry returns 403 even though auth succeeded.

What this error means

npm publish of a @scope/pkg fails with 403, while authenticated reads work. The token is valid; the publish is rejected because the package’s access is wrong for the plan, or the token cannot write to that scope/org.

npm output
npm error code E403
npm error 403 Forbidden - PUT https://registry.npmjs.org/@scope%2fpkg
npm error 403 You must sign up for private packages to publish this,
or set access to public.

Common causes

Scoped package defaults to restricted

Scoped packages are private by default. Publishing without declaring public access (and without a paid private plan) is forbidden.

Token lacks publish rights for the scope/org

A token without write access to the org/scope, or not a member with publish permission, is rejected at publish time.

How to fix it

Declare access and use a write token

Set access to public (for public scoped packages) and publish with a token that can write the scope.

Terminal / package.json
# one-off
npm publish --access public
# or persist it:
# package.json
"publishConfig": { "access": "public" }

Check scope/org membership and rights

  1. Confirm the token belongs to a user/org that can publish the scope.
  2. For private packages, ensure the account/plan permits private publishing.
  3. Gate the publish step so it does not retry an already-published version.

How to prevent it

  • Set publishConfig.access deliberately for scoped packages.
  • Use a least-privilege write token scoped to the org.
  • Confirm scope ownership before the first publish.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →