2 changes: 1 addition & 1 deletion content/cli/v10/commands/npm-access.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ npm access list packages [<user>|<scope>|<scope:team>] [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=none|publish|automation [<package>]
npm access set mfa=publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
```
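
Review bot: dropping `none` from the `mfa=` synopsis documents the new registry policy, but it does not by itself stop the CLI from accepting `npm access set mfa=none`; if the CLI still parses that value and the registry now rejects it, one line saying what the user will see is more helpful than silently removing the option. Also check whether the `mfa` values are described again further down this page (only the synopsis is in the hunk) and update that text in the same change; the same applies to the identical synopsis hunks in the v9 and v11 files.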
12 changes: 12 additions & 0 deletions content/cli/v10/commands/npm-publish.mdx
Expand Up @@ -29,6 +29,16 @@ npm publish <package-spec>

Publishes a package to the registry so that it can be installed by name.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v10/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v10/configuring-npm/package-json)).

A `package` is interpreted the same way as other commands (like `npm install`) and can be:
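
Review bot: "Two-factor authentication (2FA) enabled on your account" in the new Note is ambiguous, because the 2FA page touched later in this PR distinguishes 2FA for "authorization and writes" from "authorization only"; state which mode satisfies the publishing requirement (the removal of the "Disabling 2FA for writes" section elsewhere in this PR suggests writes mode), otherwise a user with authorization-only 2FA will expect `npm publish` to succeed. A blank line between `**Important:** Publishing to npm requires either:` and the bullet list would also make the list render consistently across MDX renderers. The same Note is added verbatim to the v6, v7, v8, v9 and v11 publish pages, so apply the fix to each.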
Expand Down Expand Up @@ -111,6 +121,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu

If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.

**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible.

#### `workspace`

- Default:
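
Review bot: the new paragraph under `otp` mentions a "granular access token with bypass 2FA enabled" without linking to where such a token is created, while the other pages in this PR link `/creating-and-viewing-access-tokens`; add the same link here. It would also help to say that this is the one credential that removes the second factor for write actions, so it should be scoped to the packages the workflow publishes and given an expiration rather than created with the defaults. Style: this file uses the `<Note>` component for the block added higher up but a bold `**Note:**` prefix here; pick one. Same for the identical hunks in the v7, v8, v9 and v11 publish pages.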
2 changes: 1 addition & 1 deletion content/cli/v11/commands/npm-access.mdx
Expand Up @@ -42,7 +42,7 @@ npm access list packages [<user>|<scope>|<scope:team>] [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=none|publish|automation [<package>]
npm access set mfa=publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
```
12 changes: 12 additions & 0 deletions content/cli/v11/commands/npm-publish.mdx
Expand Up @@ -45,6 +45,16 @@ npm publish <package-spec>

Publishes a package to the registry so that it can be installed by name.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v11/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v11/configuring-npm/package-json)).

A `package` is interpreted the same way as other commands (like `npm install`) and can be:
Expand Down Expand Up @@ -129,6 +139,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu

If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.

**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible.

#### `workspace`

- Default:
2 changes: 1 addition & 1 deletion content/cli/v6/commands/npm-access.mdx
Expand Up @@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in

- grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package.

- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.

- ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)

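
Review bot: the extended `2fa-required / 2fa-not-required` bullet now contradicts itself: the first sentence still says the subcommands configure whether 2FA is required, the second says it is always required, and "by default" implies it can be turned off, which the third sentence then denies. Reword it to say the requirement is no longer configurable and that `2fa-not-required` has no effect (or what the registry returns when it is run), and drop "by default". The sentence about the web interface describes a website setting and belongs on the web-settings page rather than in a CLI subcommand description. The same text is appended in the v7, v8 and v9 access pages.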
10 changes: 10 additions & 0 deletions content/cli/v6/commands/npm-publish.mdx
Expand Up @@ -32,6 +32,16 @@ Sets tag 'latest' if no --tag specified

Publishes a package to the registry so that it can be installed by name. All files in the package directory are included if no local `.gitignore` or `.npmignore` file exists. If both files exist and a file is ignored by `.gitignore` but not by `.npmignore` then it will be included. See [`developers`](/cli/v6/using-npm/developers) for full details on what's included in the published package, as well as details on how the package is built.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v6/using-npm/scope) in the name (see [`package.json`](/cli/v6/configuring-npm/package-json)).

- `<folder>`: A folder containing a package.json file
2 changes: 1 addition & 1 deletion content/cli/v7/commands/npm-access.mdx
Expand Up @@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in

- grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package.

- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.

- ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)

12 changes: 12 additions & 0 deletions content/cli/v7/commands/npm-publish.mdx
Expand Up @@ -32,6 +32,16 @@ Sets tag 'latest' if no --tag specified

Publishes a package to the registry so that it can be installed by name.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v7/using-npm/scope) in the name (see [`package.json`](/cli/v7/configuring-npm/package-json)).

- `<folder>`: A folder containing a package.json file
Expand Down Expand Up @@ -116,6 +126,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu

If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.

**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible.

#### `workspace`

- Default:
3 changes: 1 addition & 2 deletions content/cli/v8/commands/npm-access.mdx
Expand Up @@ -43,8 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in

- grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package.

- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.

- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.
- ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)

- ls-collaborators (deprecated): Show all of the access privileges for a package. Will only show permissions for packages to which you have at least read access. If `<user>` is passed in, the list is filtered only to teams _that_ user happens to belong to.
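
Review bot: this hunk removes the blank line that separated the `2fa-required / 2fa-not-required` bullet from `ls-packages` (hence 1 addition and 2 deletions), while the v6, v7 and v9 versions of the same edit keep the spacing; restore the blank line so the list keeps the one-item-per-paragraph layout used by the rest of the page.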
12 changes: 12 additions & 0 deletions content/cli/v8/commands/npm-publish.mdx
Expand Up @@ -29,6 +29,16 @@ npm publish <package-spec>

Publishes a package to the registry so that it can be installed by name.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v8/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v8/configuring-npm/package-json)).

A `package` is interpreted the same way as other commands (like `npm install` and can be:
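
Review bot: the context line `A \`package\` is interpreted the same way as other commands (like \`npm install\` and can be:` at the end of this hunk is missing the closing parenthesis after `npm install` (the v10 and v11 pages read `(like \`npm install\`)`); this is pre-existing, but cheap to fix while the surrounding paragraph is being edited. The v9 publish page has the same typo.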
Expand Down Expand Up @@ -107,6 +117,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu

If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.

**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible.

#### `workspace`

- Default:
4 changes: 2 additions & 2 deletions content/cli/v9/commands/npm-access.mdx
Expand Up @@ -26,7 +26,7 @@ npm access list packages [<user>|<scope>|<scope:team> [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=none|publish|automation [<package>]
npm access set mfa=publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
```
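
Review bot: the context line `npm access list packages [<user>|<scope>|<scope:team> [<package>]` in this hunk is missing the closing `]` after `<scope:team>` (the v10 and v11 synopsis read `[<user>|<scope>|<scope:team>] [<package>]`); pre-existing, but since the synopsis block is being edited anyway, fix it in this change.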
Expand All @@ -43,7 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in

- grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package.

- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.

- ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)

12 changes: 12 additions & 0 deletions content/cli/v9/commands/npm-publish.mdx
Expand Up @@ -29,6 +29,16 @@ npm publish <package-spec>

Publishes a package to the registry so that it can be installed by name.

<Note>

**Important:** Publishing to npm requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A granular access token with bypass 2FA enabled (for CI/CD workflows)

For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).

</Note>

By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v9/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v9/configuring-npm/package-json)).

A `package` is interpreted the same way as other commands (like `npm install` and can be:
Expand Down Expand Up @@ -109,6 +119,8 @@ This is a one-time password from a two-factor authenticator. It's needed when pu

If not set, and a registry response fails with a challenge for a one-time password, npm will prompt on the command line for one.

**Note:** As an alternative to using 2FA with OTP, you can publish using a granular access token with bypass 2FA enabled. This is commonly used in CI/CD workflows where interactive authentication is not possible.

#### `workspace`

- Default:
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,16 @@ When you enable 2FA, you will be prompted for a second form of authentication be

</Note>

<Note variant="warning">

**Important:** Publishing packages to npm now requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A [granular access token with bypass 2FA enabled][granular-tokens] (for CI/CD workflows)

For more information, see "[Requiring 2FA for package publishing][pkg-2fa]."

</Note>

## Two-factor authentication on npm

Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.
Expand Down Expand Up @@ -63,6 +73,7 @@ If you enable 2FA for authorization only. We will request a second form of authe
[token-create]: https://docs.npmjs.com/cli/token
[token-revoke]: https://docs.npmjs.com/cli/token
[publish]: https://docs.npmjs.com/cli/publish
[granular-tokens]: /creating-and-viewing-access-tokens
[unpublish]: https://docs.npmjs.com/cli/unpublish
[deprecate]: https://docs.npmjs.com/cli/deprecate
[access]: https://docs.npmjs.com/cli/access
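
Review bot: the warning Note added higher in this file links `[pkg-2fa]`, but only the `[granular-tokens]` definition is added to the reference list here; unless `[pkg-2fa]` is already defined elsewhere in the file, the link will render as the literal text "[Requiring 2FA for package publishing][pkg-2fa]". Add `[pkg-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification` (the path the CLI pages in this PR use) next to the new `[granular-tokens]` line.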
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,16 @@ import shared from '~/shared.js'

You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn].

<Note variant="warning">

**Important:** Publishing packages to npm now requires either:
- Two-factor authentication (2FA) enabled on your account, OR
- A [granular access token with bypass 2FA enabled][creating-token] (for CI/CD workflows)

If you plan to publish packages, you must enable 2FA or use a bypass 2FA token.

</Note>

## Prerequisites

Before you enable 2FA on your npm user account, you must:
Expand Down Expand Up @@ -54,34 +64,6 @@ For more information on supported 2FA methods, see "[About two-factor authentica

8. Click **Go back to settings** after confirming that you have saved your codes.

### Disabling 2FA for writes

Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled.

<Note>

**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it.

</Note>

1. <>{shared['user-login'].text}</>

<>{shared['user-login'].image}</>

2. <>{shared['account-settings'].text}</>

<>{shared['account-settings'].image}</>

3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**.

<Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-modify.png" alt="Screenshot showing Modify 2FA button" />

4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section

5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences"

<Screenshot src="/getting-started/setting-up-your-npm-user-account/disable-2fa-button.png" alt="Screenshot showing a cleared check box to disable 2fa under Addition options" />

### Disabling 2FA

If you have 2FA enabled, you can remove it from your account settings page.
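
Review bot: removing the "Disabling 2FA for writes" section leaves behind what it referenced: the `[authorization-and-writes]` link definition (if nothing else in the file uses it) and the screenshots `/getting-started/setting-up-your-npm-user-account/2fa-modify.png` and `disable-2fa-button.png`, which become unreferenced assets unless the remaining "Disabling 2FA" steps use them. Check the link list at the bottom of the file and the image directory and clean them up in the same change. It is also worth keeping one sentence in the enabling steps saying that 2FA for write actions is now always on, since the Note that said it is enabled automatically disappears with this section.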
Expand Down Expand Up @@ -193,6 +175,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l
[can-i-use]: https://caniuse.com/#search=webauthn
[viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
[webauthn]: https://webauthn.guide/
[creating-token]: /creating-and-viewing-access-tokens
[u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
[windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
[touch-id]: https://support.apple.com/en-gb/HT204587
Original file line number Diff line number Diff line change
Expand Up @@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you
npm token commands let you:

- View tokens for easier tracking and management
- Create new legacy tokens (deprecated)
- Limit access according to IP address ranges (CIDR)
- Delete/revoke tokens

For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]".

## About legacy tokens (Deprecated)

<Note variant="danger">

**Warning:** Legacy access tokens were removed on November 5, 2025.

</Note>

Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`.

There are three different types of legacy tokens:

- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm.

Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]."

## About granular access tokens

Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can:
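
Review bot: deleting the whole "About legacy tokens (Deprecated)" section also deletes the only statement that legacy tokens were removed on November 5, 2025; a reader who still has an old token in `.npmrc` gets no explanation of why it stopped working, so keep one line (for example in the "npm token commands let you" intro) saying legacy tokens no longer exist and pointing to granular access tokens. Two follow-ups: the `[secure-token]` reference used in the removed paragraph is probably orphaned now, so drop its definition if nothing else uses it, and the remaining bullet "Limit access according to IP address ranges (CIDR)" now sits between viewing and revoking with no creation bullet left to attach it to; say explicitly that it applies to granular access tokens or remove it.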
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ You can [create](#creating-access-tokens) and [view](#viewing-access-tokens) acc
5. (Optional) Check the **Bypass two-factor authentication** checkbox if you want this token to bypass 2FA requirements for write actions.
- This setting is unchecked (false) by default
- By checking this box, the token will bypass 2FA for write actions even if 2FA is enabled at the account or package level
- **Note:** For publishing packages, you must have either 2FA enabled on your account OR use a token with bypass 2FA enabled.

6. In the **Expiration** field, enter a token expiration period. The date must be at least 1 day in the future.
