Add warning to 2FA bypass

karenjli · karenjli · commit 3171c06d3227 · 2025-11-04T15:19:41.000-05:00
diff --git a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx
@@ -61,7 +61,7 @@ You can create up to 1000 granular access tokens on your npm account. You can se
 
 When you give a token access to an organization, the token can only be used for managing organization settings and teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization.
 
-The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token.
+The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token. Do not set Bypass 2FA to true if a package or organization requires fully enforced 2FA. 
 
 [create-token]: creating-and-viewing-access-tokens
 [secure-token]: using-private-packages-in-a-ci-cd-workflow#securing-your-token
