npm organization require two-factor authentication automation tokens publish 2FA official docs

Validation Status

Codex searched organically in the validation run. No no-web counterfactual is attached to this page yet.

Symptom

A user-bound workflow loses publish access after org security policy changes.

Why This Happens

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

Verification

Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

Common Wrong Fixes

• Changing local code without checking the current external contract.
• Retrying the same install, build, or API call with no version/source change.
• Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm organization require two-factor authentication automation tokens publish 2FA official docs
site:docs.npmjs.com npm automation tokens 2FA publish organization require two-factor authentication
npm access tokens automation publish 2FA docs npmjs
https://docs.npmjs.com/creating-and-viewing-access-tokens
https://docs.npmjs.com/about-access-tokens/

Source Trail

• npm classic tokens revoked; session auth and CLI token management: https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/
• Official reference opened by Codex: https://docs.npmjs.com/creating-and-viewing-access-tokens
• Official reference opened by Codex: https://docs.npmjs.com/about-access-tokens/