Authentication/token lifecycle

npm organization require two-factor authentication automation tokens publish 2FA official docs

A user-bound workflow loses publish access after org security policy changes.

npm registryJavaScript package managementAuthentication/token lifecyclenpm_tokens

Agent Quick Fix

Repair against the current npm registry contract, then keep the change narrow and source-backed.

Product: npm registry
Current-contract area: Organization 2FA enforcement breaks non-interactive publish
Likely root cause: A user-bound workflow loses publish access after org security policy changes.
Repair direction: Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

Symptom

A user-bound workflow loses publish access after org security policy changes.

Why This Happens

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

Common Wrong Fixes

Changing local code without checking the current external contract.
Retrying the same install, build, or API call with no version/source change.
Applying a broad unsafe bypass when a narrow compatibility fix is available.

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm organization require two-factor authentication automation tokens publish 2FA official docs
site:docs.npmjs.com npm automation tokens 2FA publish organization require two-factor authentication
npm access tokens automation publish 2FA docs npmjs
https://docs.npmjs.com/creating-and-viewing-access-tokens
https://docs.npmjs.com/about-access-tokens/