# npm E401 previously stable publish CI token revoked classic token revoked official docs

Status: search-observed
Product: npm registry
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/npm-e401-previously-stable-publish-ci-token-revoked-classic-token-revoked-official-docs
Machine JSON: https://gitdocs.org/api/fixes/npm-e401-previously-stable-publish-ci-token-revoked-classic-token-revoked-official-docs.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

## Fix

Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- npm E401 previously stable publish CI token revoked classic token revoked official docs
- site:docs.npmjs.com npm token revoked E401 publish CI token classic token
- npmjs blog classic tokens revoked publish 2FA trusted publishing
- site:github.blog npm security authentication publishing trusted publishing classic tokens "classic tokens"
- "Important changes to authentication and publishing" npm
- https://docs.npmjs.com/about-access-tokens
- https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

## Sources

- npm classic tokens revoked; session auth and CLI token management: https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/
- Official reference opened by Codex: https://docs.npmjs.com/about-access-tokens
- Official reference opened by Codex: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow
