Authenticating your Npm CLI

Npm has recently been making a lot of changes around package publish security because of recent supply-chain attacks targeting Npm.

What does this mean for the lonely dev self-publishing packages from their local CLI?

In short, Npm's changes have been very annoying. While they've been ripping out auth functionality, they've failed to replace it with any ergonomic solutions. npm login, for example, simply doesn't work anymore. (Don't get me wrong, I'm all for them improving their security, but this sucks.)

Here's the only way I've figured out how to get my Npm CLI to authenticate itself so I can finally do my job again:

  1. Go to https://www.npmjs.com > your user > Access Tokens.
  2. Click "Generate New Token".
  3. Fill out the form.
    1. Make sure to check "Bypass two-factor authentication (2FA)". (I know, I don't like it either, but Npm has given us no other working solution.)
    2. Make sure to select "Read and write" under "Packages and scopes" permissions or you won't be able to use this token to publish anything.
  4. Click "Generate token".
  5. Add the following to your ~/.npmrc file:
    //registry.npmjs.org/:_authToken=PASTE_YOUR_TOKEN_HERE

Now you can publish again! Make sure not to run npm login again: it'll mess this up.
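
Step 5 leaves a token that bypasses 2FA and can publish sitting in plain text in ~/.npmrc, so it is worth writing it without exposing it in shell history and keeping the file readable by its owner only. The shell functions below are an added example, not part of the original post; the names set_npm_token and audit_npmrc are made up for it.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
LINE_PREFIX='//registry.npmjs.org/:_authToken='

# set_npm_token FILE
# Reads the token from stdin (so it never appears in argv or shell history),
# replaces any earlier registry.npmjs.org token line, keeps other settings,
# and leaves FILE readable by its owner only.
set_npm_token() {
    file=$1
    if [ -t 0 ]; then stty -echo; fi          # do not echo a typed token
    IFS= read -r token || true
    if [ -t 0 ]; then stty echo; fi
    [ -n "$token" ] || return 1
    old_umask=$(umask)
    umask 077                                  # temp file is created as 600
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then grep -vF -- "$LINE_PREFIX" "$file" || true; fi
        printf '%s%s\n' "$LINE_PREFIX" "$token"
    } > "$tmp"
    mv "$tmp" "$file"
    umask "$old_umask"
    chmod 600 "$file"
}

# audit_npmrc FILE
# Returns 0 if FILE holds the token line and is owner-only,
#         1 if group or others have any access, 2 if there is no token line.
audit_npmrc() {
    file=$1
    grep -qF -- "$LINE_PREFIX" "$file" 2>/dev/null || return 2
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00) return 0 ;;
        *)   echo "fix: chmod 600 $file (mode is $mode)" >&2; return 1 ;;
    esac
}

# Usage:
#   set_npm_token "$HOME/.npmrc"    # paste the token, press Enter
#   audit_npmrc "$HOME/.npmrc"
```

After the token is written, `npm whoami` confirms that the CLI is authenticated.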