Authentication/token lifecycle

npm access token expiration 2 hours publish fails auth job start

Authentication succeeds at job start but publish fails roughly two hours later.

npm registryJavaScript package managementAuthentication/token lifecyclenpm_tokens

Agent Quick Fix

Repair against the current npm registry contract, then keep the change narrow and source-backed.

Product: npm registry
Current-contract area: Interactive npm login token expires during long release
Likely root cause: Authentication succeeds at job start but publish fails roughly two hours later.
Repair direction: Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

Symptom

Authentication succeeds at job start but publish fails roughly two hours later.

Why This Happens

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

Common Wrong Fixes

Changing local code without checking the current external contract.
Retrying the same install, build, or API call with no version/source change.
Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

site:docs.npmjs.com npm token expiration publish 2 hours granular access token expiry automation token
npm access token expiration 2 hours publish fails auth job start

Source Trail

npm classic tokens revoked; session auth and CLI token management: https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/