Skip to searchSkip to content
npm Docs
npmjs.comStatusSupport

Requiring 2FA for package publishing and settings modification

See DetailsTable of contents

To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package. For more information, see "Configuring two-factor authentication".

You may also choose to allow publishing with either two-factor authentication or with granular access tokens with bypass 2FA enabled. This lets you configure tokens in a CI/CD workflow, but requires two-factor authentication from interactive publishes.

For CI/CD workflows, consider using trusted publishing, which provides secure, token-free publishing that automatically enforces strong authentication without requiring manual token management.

Important notes about granular access tokens:

  • Bypass 2FA configuration is set at token creation
  • When bypass 2FA is disabled: The system will check account-level and package-level settings to determine if 2FA is required
  • When bypass 2FA is enabled: The token will bypass all 2FA requirements at all times, regardless of account-level or package-level 2FA settings
  • When Require two-factor authentication and disallow tokens is selected at the package level, granular access tokens cannot be used regardless of their bypass 2FA setting

Configuring two-factor authentication

  1. On the npm "Sign In" page, enter your account details and click Sign In. Screenshot of npm login dialog

  2. Navigate to the package on which you want to require a second factor to publish or modify settings.

  3. Click Settings.

    Screenshot showing the admin tab on a package page

  4. Under "Publishing access", select the requirements to publish a package.

    1. Dont require two-factor authentication
      With this option, a maintainer can publish a package or change the package settings whether they have two-factor authentication enabled or not. This is the least secure setting.

    2. Require two-factor authentication or granular access tokens
      With this option, maintainers must have two-factor authentication enabled for their account. If they publish a package interactively, using the npm publish command, they will be required to enter 2FA credentials when they perform the publish. However, maintainers may also create a granular access token with bypass 2FA enabled and use that to publish. A second factor is not required when using these specific token types, making them useful for continuous integration and continuous deployment workflows.

    3. Require two-factor authentication and disallow tokens
      With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting.

    Screenshot showing the require two-factor option for a package

  5. Click Update Package Settings.

Edit this page on GitHub
9 contributorskarenjligeneralmimonleobalterdependabot[bot]lukekarrysericmuttamonishcmb4mbooethomson
Last edited by karenjli on November 5, 2025

Table of contents