Authentication/token lifecycle

npm E401 previously stable publish CI token revoked classic token revoked official docs

A previously stable release job starts returning E401 with no repository change.

npm registry, JavaScript package management, Authentication/token lifecycle, npm_tokens

Agent Quick Fix

Repair against the current npm registry contract, then keep the change narrow and source-backed.

Product: npm registry
Current-contract area: Classic npm token permanently revoked in publish CI
Likely root cause: A previously stable release job starts returning E401 with no repository change.
Repair direction: Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

Symptom

A previously stable release job starts returning E401 with no repository change.

Why This Happens

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.
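The following added example, which is not part of the original page or of npm's own tooling, separates the local causes of a 401 (a credential hard-coded in `.npmrc`, or a CI secret that was never injected) from the registry-side causes listed above. The function names, status labels and the sample file are assumptions made for illustration.

```javascript
// Added example: preflight audit of .npmrc auth entries before a publish job.
// Keys that carry registry credentials in .npmrc, scoped ("//host/:_authToken") or not.
const AUTH_KEY = /(^|:)(_authToken|_auth|_password)$/;
// npm expands ${NAME} in .npmrc values from the environment.
const ENV_REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;

function auditNpmrc(text, env) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return; // comment lines
    const eq = line.indexOf('=');
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (!AUTH_KEY.test(key)) return;
    const ref = ENV_REF.exec(value);
    let status;
    if (!ref) status = 'literal-secret';          // credential committed in the file
    else if (!env[ref[1]]) status = 'env-unset';  // CI never injected the secret
    else status = 'env-ok';                       // wiring is fine locally
    // Report location and sourcing only; never echo the credential value.
    findings.push({ line: i + 1, key, status, variable: ref ? ref[1] : null });
  });
  return findings;
}

// Collapse findings into the single most urgent local explanation (hypothetical labels).
function localCause(findings) {
  if (findings.length === 0) return 'no-auth-configured';
  if (findings.some((f) => f.status === 'literal-secret')) return 'hard-coded-token';
  if (findings.some((f) => f.status === 'env-unset')) return 'secret-not-injected';
  return 'local-ok-check-registry-side'; // revocation, expiry, scope: ask the registry
}

// Constructed sample input; the host and token string are made-up placeholders.
const SAMPLE = [
  '# constructed example .npmrc',
  '//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
  '//npm.example.internal/:_authToken=PLACEHOLDER-not-a-real-token',
  'registry=https://registry.npmjs.org/',
].join('\n');

// With an empty environment the sample reports the committed literal first.
console.log(localCause(auditNpmrc(SAMPLE, {})));
```

Only when the result is `local-ok-check-registry-side` is the 401 worth chasing on the registry side, for example with `npm whoami` run under the same credentials.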

Common Wrong Fixes

  • Changing local code without checking the current external contract.
  • Retrying the same install, build, or API call with no version/source change.
  • Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm E401 previously stable publish CI token revoked classic token revoked official docs
site:docs.npmjs.com npm token revoked E401 publish CI token classic token
npmjs blog classic tokens revoked publish 2FA trusted publishing
site:github.blog npm security authentication publishing trusted publishing classic tokens "classic tokens"
"Important changes to authentication and publishing" npm
https://docs.npmjs.com/about-access-tokens
https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

Source Trail