npm EOTP "This operation requires a one-time password" - Fix Publish in CI
If an account or package enforces two-factor auth for writes, npm demands a one-time password on publish. A CI job has no human to enter it, so the publish fails with EOTP unless you use an automation token.
What this error means
npm publish in CI fails with EOTP, asking for a one-time password. It works interactively on a developer machine (where 2FA can be entered) but cannot complete headless with a normal token.
npm error code EOTP
npm error This operation requires a one-time password from your
npm error authenticator. You can provide one with the --otp flag.Common causes
2FA is required for publish, but CI cannot prompt
The account/package enforces 2FA on writes. A headless job cannot supply an interactive OTP, so the publish is rejected.
A non-automation token is used in CI
A regular publish token still triggers the OTP requirement. Automation tokens are the ones designed to bypass the interactive 2FA prompt for CI.
How to fix it
Use an automation token
Generate a granular automation token (allowed to skip 2FA for writes) and use it in CI.
# .npmrc in CI
//registry.npmjs.org/:_authToken=${NPM_AUTOMATION_TOKEN}
npm publish --access publicKeep 2FA on, but right-token for CI
- Do not disable account 2FA to work around this - use an automation token instead.
- Confirm the token has publish rights for the package/scope.
- Gate the publish step so re-runs do not attempt an already-published version.
How to prevent it
- Publish from CI with an automation token, not an interactive one.
- Keep account 2FA enabled for security.
- Store the token as a CI secret with least privilege.