npm requires a one-time password (OTP) from your 2FA authenticator to complete this operation. This error occurs when two-factor authentication is enabled on your npm account and you attempt write operations like npm publish without providing the OTP code.
This error occurs when two-factor authentication (2FA) is enabled on your npm account and you attempt write operations (like npm publish) without providing the OTP code. The operation cannot proceed until you supply the time-sensitive code from your authenticator app. EOTP stands for "Error One-Time Password". npm 2FA has two levels: 1. **Authorization only** - OTP required for login/account changes but not publishing 2. **Authorization and writes** - OTP required for all sensitive operations including publish The OTP code typically expires within 30 seconds, so you need to provide it quickly.
For immediate interactive use, append the --otp flag with your 6-digit code:
npm publish --otp=123456Replace 123456 with the current code from Google Authenticator, Authy, or your 2FA app. OTP codes expire in ~30 seconds, so complete the command quickly.
Set the OTP via environment variable to avoid typing it each time:
export NPM_CONFIG_OTP=123456
npm publishFor Windows PowerShell:
$env:NPM_CONFIG_OTP='123456'
npm publishThis is the recommended solution for automated publishing:
1. Log into https://www.npmjs.com/settings/~/tokens
2. Click 'Generate New Token'
3. Select 'Granular Access Token'
4. Grant 'write' or 'publish' permissions
5. Enable 'Bypass 2FA' checkbox
6. Store token as a secret in your CI/CD platform
Create .npmrc in your project:
//registry.npmjs.org/:_authToken=${NPM_TOKEN}Now npm publish will work without OTP prompts.
If you want to publish manually without OTP but keep 2FA for account security:
1. Go to https://www.npmjs.com/settings/~/security
2. Click 'Modify 2FA'
3. Navigate to 'Additional Options'
4. Uncheck 'Require two-factor authentication for write actions'
5. Click 'Update Preferences'
Note: This is less secure; prefer automation tokens instead.
Automation vs Granular Tokens: Automation tokens are being deprecated in favor of granular tokens with explicit "Bypass 2FA" capability. When creating new tokens, use granular tokens.
Trusted Publishing: For GitHub Actions or GitLab CI, use OIDC trusted publishing instead of long-lived tokens. This eliminates token rotation requirements and is the most secure approach.
Token Expiration: New write-capable granular tokens default to 7-day expiration (max 90 days). For CI/CD, use either trusted publishing or short-lived granular tokens with explicit 2FA bypass.
System Clock: OTP is time-sensitive. Ensure your system clock is synchronized (OTP is TOTP - Time-based One-Time Password).
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error