npmjs.com

How to require two-factor authentication for package publishing and settings modification

As a package publisher, you can protect your packages by requiring everyone who has write access to a package to provide a one-time password, in addition to their login token, when they publish the package to the registry or modify package settings.

To publish or modify a package that has the two-factor authentication (2FA) setting enabled, a publisher must have 2FA enabled on their user account with "Authorization and Publishing" selected. For more information, see "How to use two-factor authentication".

Note: Currently, a package with 2FA enabled cannot be published from CI. For more secure CI publishing, enable 2FA on the npm account used for CI with "Authorization" only selected, then create a CIDR-restricted token for CI by following the steps in "Working with tokens".
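
The note above recommends a CIDR-restricted token for CI. As an added example (not part of the npm documentation), this Python script audits token records for publish-capable tokens that lack a CIDR restriction, allow an overly broad range, or do not cover the CI runner's address. It assumes the field names `key`, `readonly` and `cidr_whitelist` as emitted by `npm token list --json`; the sample records, the addresses and the /16 threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `npm token list --json` output
# (field names are assumed from that command; values are made up).
SAMPLE_TOKENS = json.dumps([
    {"key": "aaaa1111", "readonly": False, "cidr_whitelist": ["203.0.113.0/28"]},
    {"key": "bbbb2222", "readonly": False, "cidr_whitelist": None},
    {"key": "cccc3333", "readonly": False, "cidr_whitelist": ["0.0.0.0/0"]},
    {"key": "dddd4444", "readonly": True, "cidr_whitelist": None},
])

MIN_PREFIX = 16  # hypothetical policy: IPv4 ranges wider than /16 count as too broad


def audit_tokens(tokens_json, ci_ip):
    """Return {token key: [findings]} for publish-capable tokens."""
    ci_addr = ipaddress.ip_address(ci_ip)
    report = {}
    for tok in json.loads(tokens_json):
        if tok.get("readonly"):
            continue  # read-only tokens cannot publish
        findings = []
        ranges = tok.get("cidr_whitelist") or []
        if not ranges:
            findings.append("no CIDR restriction")
        nets = []
        for cidr in ranges:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"unparseable range {cidr!r}")
                continue
            nets.append(net)
            if net.prefixlen < MIN_PREFIX:
                findings.append(f"range {cidr} is too broad")
        # A token whose ranges exclude the CI runner will fail at publish time.
        if nets and not any(ci_addr in n for n in nets):
            findings.append(f"CI address {ci_ip} not covered")
        report[tok["key"]] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_tokens(SAMPLE_TOKENS, "203.0.113.5").items():
        print(key, "OK" if not findings else "; ".join(findings))
```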

Enabling two-factor authentication for package publishing

  1. Log in to https://www.npmjs.com/.
  2. Navigate to the package on which you want to require a second factor to publish or modify settings.
  3. Click Admin.
  4. Under "Package Access", select "Require Two Factor Authentication to publish or modify settings".
  5. Click Update Package Settings.

Disabling two-factor authentication for package publishing

  1. Log in to https://www.npmjs.com/.
  2. Navigate to the package on which you want to remove the requirement for a second factor to publish or modify settings.
  3. Click Admin.
  4. Under "Package Access", deselect "Require Two Factor Authentication to publish or modify settings".
  5. Click Update Package Settings.
