9

NPM gives the ability to create access tokens with the right to publish packages to the NPM registry, assuming that you've set the package settings to "Require two-factor authentication or automation tokens" in "Publishing access" (and so implicitly it requires 2FA to be enabled, I assume).

How do I use this token to publish? I've checked the output of npm publish -- it asks for an OTP code, either as a prompt or a flag, and before I enabled 2FA it asked me for my password again. Using a fixed token would be easier than having to pull up my authenticator app. I could disable 2FA, but getting the token working is preferable.

Chris Midgley
  • 1,452
  • 2
  • 18
  • 29

2 Answers2

2

For verdaccio or similar you can use this:

> npm config set registry http://verdaccio/npm/

# then create and update local .npmrc file:
> npm config set _authToken=%YOUR_ACCES_TOKEN%

# and publish pointing to your registry
> npm publish --registry http://verdaccio/npm/

For proget:

[~]$ npm config set registry http://proget/npm/private-npm

[~]$ npm config set always-auth true
[~]$ npm config set _auth {ENCODEDAPIKEY}
[~]$ npm config set email {email address}

# then as usual
[~]$npm publish --registry {YOUR_REGISTRY}

Instructions are here proget and here verdaccio

Zac
  • 730
  • 1
  • 12
  • 19
697
  • 321
  • 4
  • 16
2

The npm registry has 3 different kinds of token: Read-only, Automation, and Publish.

It sounds like you created a Publish token. You need to create an Automation token instead, since this is the only one that bypasses 2FA.

Nathan
  • 505
  • 2
  • 8
  • 1
    That was it. The other key bit of information is that you can't use the CLI to create these tokens: you have to use the GUI on the website. – Chris Midgley May 20 '23 at 19:14