Authentication/token lifecycle
npm access token expiration 2 hours publish fails auth job start
Authentication succeeds at job start but publish fails roughly two hours later.
Agent Quick Fix
Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.
Product: npm registry
Current-contract area: Interactive npm login token expires during long release
Likely root cause: Authentication succeeds at job start but publish fails roughly two hours later.
Repair direction: Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.Validation Status
Codex searched organically in the validation run. No no-web counterfactual is attached to this page yet.
Symptom
Authentication succeeds at job start but publish fails roughly two hours later.
Why This Happens
Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.
Verification
Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
site:docs.npmjs.com npm token expiration publish 2 hours granular access token expiry automation token
npm access token expiration 2 hours publish fails auth job start