The E402 'Payment Required' error occurs when trying to publish or install scoped packages without proper access configuration or when an npm organization's billing is unpaid. Scoped packages default to private and require either a paid npm subscription or explicit public access declaration.
npm's E402 error indicates that the registry (npmjs.org) has rejected your request with an HTTP 402 Payment Required status. This typically happens in two scenarios: (1) You're attempting to publish a scoped package (like @org/package-name) without declaring it as public, and scoped packages are private by default, requiring a paid npm organization subscription. (2) Your npm organization has an unpaid or expired billing account, preventing access to private packages. The HTTP 402 status code is a standard web error meaning the server requires payment to fulfill the request. In npm's case, this gates access to premium features like private packages and organizations.
If your scoped package should be public, the most direct fix is to include the --access flag when publishing:
npm publish --access=publicThis tells npm registry that despite the package being scoped, it should be publicly available.
To avoid needing the flag every time, configure your package.json to default to public:
{
"name": "@your-scope/package-name",
"version": "1.0.0",
"publishConfig": {
"access": "public"
}
}This ensures that all future publishes default to public access without requiring the CLI flag.
If you're installing private packages or have a legitimate need for private scope packages, verify your npm organization account has active billing:
1. Go to https://www.npmjs.com/settings/your-org/billing
2. Check that your subscription is active and payment method is valid
3. Update billing information if needed
4. Run npm install again after confirming billing is active
If you're attempting to install private packages in CI/CD, ensure your authentication token has the correct permissions:
npm whoami
# For CI/CD, set the token in .npmrc
echo "//registry.npmjs.org/:_authToken=YOUR_TOKEN_HERE" >> ~/.npmrcMake sure the token has read-write access for private packages, not just read-only access.
If you don't need to use a scoped package name and don't have an npm organization account, rename your package to remove the scope:
{
"name": "my-package-name",
"version": "1.0.0"
}Unscoped packages are public by default. Rename your package to reflect this change, and publish without the scope prefix.
Understanding npm's pricing model is crucial: Individual npm accounts with the default free tier can publish public, unscoped packages freely. However, scoped packages (@scope/name) default to private regardless of account type and require npm Teams (paid organization account) or a paid private package subscription. When using monorepos with tools like Lerna or Nx, ensure each scoped package in the publishConfig includes 'access: public' if those packages should be publicly available. For CI/CD environments installing private packages, use granular access tokens with read-only permissions when possible.
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error