[BUG] Publishing denied for 2FA reasons despite "Bypass 2FA" tokens #9268

@notgapriel

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

This appears to be unrelated to #8869 despite the name of the issue reflecting the problem presented here.

I am attempting to publish my first package. My account does not have 2FA set up, I do not own a physical device with which to set up 2FA and the browser website only allows physical keys to be used to set up 2FA. I have followed the token creation steps as laid out in the documentation. When I run npm token list --json I can see two tokens, both of which should allow the bypassing of 2FA in publishing:

[
  {
    "name": REDACTED,
    "description": REDACTED,
    "key": REDACTED,
    "token": REDACTED,
    "expiry": "2026-04-29T14:11:13.703Z",
    "cidr": [],
    "bypass_2fa": true,
    "revoked": null,
    "created": "2026-04-22T14:11:13.713Z",
    "updated": "2026-04-22T14:11:13.713Z",
    "accessed": null,
    "permissions": [
      {
        "name": "package",
        "action": "write"
      }
    ],
    "scopes": [
      {
        "name": null,
        "type": "package"
      }
    ]
  },
  {
    "name": REDACTED,
    "description": REDACTED,
    "key": REDACTED,
    "token": REDACTED,
    "expiry": "2026-07-21T13:34:42.483Z",
    "cidr": [],
    "bypass_2fa": true,
    "revoked": null,
    "created": "2026-04-22T13:34:42.536Z",
    "updated": "2026-04-22T13:34:42.536Z",
    "accessed": null,
    "permissions": [
      {
        "name": "package",
        "action": "write"
      }
    ],
    "scopes": [
      {
        "name": REDACTED,
        "type": "package"
      }
    ]
  }
]

Instead, when I run npm publish --access public, I get the following logs:

npm error code E403
npm error 403 403 Forbidden - PUT https://registry.npmjs.org/@<my NPM username>%2ftest - Two-factor authentication or granular access token with bypass 2fa enabled is required to publish packages.
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.

with my NPM username redacted here.

I will note that whilst the website gave me the tokens when I created them, I have not needed to paste them verbatim anywhere.

Expected Behavior

I would expect this process to publish the package, per https://docs.npmjs.com/creating-and-publishing-scoped-public-packages.

Steps To Reproduce

  1. In a new directory, npm init (npm init --scoped=@<your NPM username> can be used here but it does not appear to change anything).
  2. Specify the package name @<your NPM username>/test and set the version to 0.0.0 and choose defaults for other properties.
  3. Create a simple index.js file containing console.log("hello world");.
  4. npm login and use the browser to log your account in.
  5. If you do not already have one, create an access token in your NPM account that is scoped to your username. This should have "bypass 2FA" ticked.
  6. For good measure, if you do not already have one, create another access token that has no scoping. This also should have "bypass 2FA" ticked.
  7. Check that npm token list --json returns logs at least similar to what is presented in the "Current Behaviour" section of this report.
  8. npm publish --access public

Environment

  • npm: v11.12.1 (issue originally made for v10.9.3 but v11.12.1 has been tested as not working)
  • Node.js: v22.18.0
  • OS Name: Kubuntu Questing
  • System Model Name: PC
  • npm config: unchanged from defaults
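
A triage aid for the token listing above, added here as an example and not part of the original report or of npm's code: it audits `npm token list --json` style entries for the fields that decide whether a token could publish a given package. The sample tokens, the `@example-user` names and the scope-matching rule are assumptions made for illustration.

```javascript
// Constructed sample shaped like the `npm token list --json` output in the report.
// Names are placeholders; secret fields ("key", "token") are left out on purpose.
const sampleTokens = [
  { name: "unscoped-example", expiry: "2026-04-29T14:11:13.703Z", cidr: [],
    bypass_2fa: true, revoked: null,
    permissions: [{ name: "package", action: "write" }],
    scopes: [{ name: null, type: "package" }] },
  { name: "scoped-example", expiry: "2026-07-21T13:34:42.483Z", cidr: [],
    bypass_2fa: true, revoked: null,
    permissions: [{ name: "package", action: "write" }],
    scopes: [{ name: "@example-user", type: "package" }] },
  { name: "stale-example", expiry: "2026-01-01T00:00:00.000Z", cidr: [],
    bypass_2fa: false, revoked: null,
    permissions: [{ name: "package", action: "write" }],
    scopes: [{ name: null, type: "package" }] },
];

// Assumption: a scope entry with name null covers every package; otherwise the
// name is either the exact package name or an npm scope such as "@example-user".
function scopeCovers(scope, packageName) {
  if (scope.type !== "package") return false;
  return scope.name === null || scope.name === packageName ||
    packageName.startsWith(scope.name + "/");
}

// Returns the reasons a listed token could not be used to publish packageName.
function auditToken(token, packageName, now = new Date()) {
  const reasons = [];
  if (token.bypass_2fa !== true) reasons.push("bypass_2fa is not enabled");
  if (token.revoked) reasons.push("token is revoked");
  if (token.expiry && new Date(token.expiry) <= now) reasons.push("token has expired");
  const canWrite = (token.permissions || []).some(
    (p) => p.name === "package" && p.action === "write");
  if (!canWrite) reasons.push("no package write permission");
  if (!(token.scopes || []).some((s) => scopeCovers(s, packageName)))
    reasons.push("scopes do not cover " + packageName);
  // A CIDR allow-list does not fail the audit but restricts where the token works.
  const notes = (token.cidr || []).length ? ["restricted to CIDR " + token.cidr.join(", ")] : [];
  return { name: token.name, usable: reasons.length === 0, reasons, notes };
}

function auditTokens(tokens, packageName, now = new Date()) {
  return tokens.map((t) => auditToken(t, packageName, now));
}

// Fixed date so the output is reproducible.
for (const r of auditTokens(sampleTokens, "@example-user/test", new Date("2026-04-23T00:00:00Z")))
  console.log(r.name, r.usable ? "usable" : "not usable: " + r.reasons.join("; "));
```

Passing every check only validates the token's listed metadata; it does not show which credential the CLI sends with `npm publish`.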

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)