Publishing failed because i cannot get otp code when i wanna pubulish a npm package

[nangongying]

Select Topic Area

Question

Body

After enabling 2FA authentication for an npm account, an OTP one-time password is required for sending packages. However, npm cannot bind an authentication device, so it cannot obtain the OTP password and publish the npm package. If 2FA is not enabled, npm packages cannot be published

[fawwazmuhammadarifin99-cell]

npm does not send OTP via SMS or email when publishing a package. The OTP required during npm publish is a TOTP code generated by an authenticator application such as Google Authenticator, Authy, 1Password, Microsoft Authenticator, or a hardware security key using WebAuthn.

To publish with 2FA enabled, ensure you are logged in by running npm whoami. Then run npm publish and enter the OTP from your authenticator when prompted, or include it directly using npm publish --otp=123456.

If you never linked an authenticator or cannot access the OTP, go to npmjs.com, open Account, then Security, and enable 2FA. Scan the QR code using an authenticator app and make sure to save the recovery codes. After that, retry publishing using the OTP.

If you lost access to your 2FA device, sign in using one of the recovery codes and reset 2FA. If you no longer have the recovery codes, you must go through the npm account recovery process with npm support to reset 2FA.

For CI/CD publishing without entering an OTP every time, create an Automation Token on npmjs.com with publish permissions, store it as NPM_TOKEN, and configure your .npmrc file with //registry.npmjs.org/:_authToken=${NPM_TOKEN}.

[Whitestar14]

I had this exact same issue, but I managed to find a workaround with automation tokens. you just have to:

1. go to npmjs access tokens in profile
2. select granular access token, create one with "Read and Write" access to your specific package
3. when creating the token, check the box for "Bypass 2FA" (this is essential for this workaround)
4. If you logged in to npm cli, log out with npm logout and instead of logging back in, run this command to save the token directly to your configuration:
   npm config set //registry.npmjs.org/:_authToken=YOUR_TOKEN_HERE
5. verify it worked by running npm whoami and it should return your username without any errors. then you can go publish without any errors or otp problems.

Hope this helps! (●'◡'●)

[shaynethiessen]

Thank you!!!

[leobalter]

npm no longer supports new TOTP configurations. You should create a security instead for your 2FA. Doing so, publishing a package should function without issues.