npm · shmam · Nov 14, 2025 · Nov 24, 2025 · Nov 24, 2025 · Nov 24, 2025
@@ -26,7 +26,7 @@ npm access list packages [<user>|<scope>|<scope:team>] [<package>]
 npm access list collaborators [<package> [<user>]]
 npm access get status [<package>]
 npm access set status=public|private [<package>]
-npm access set mfa=none|publish|automation [<package>]
+npm access set mfa=publish|automation [<package>]
 npm access grant <read-only|read-write> <scope:team> [<package>]
 npm access revoke <scope:team> [<package>]
 ```

@@ -29,6 +29,17 @@ npm publish <package-spec>
 
 Publishes a package to the registry so that it can be installed by name.
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v10/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v10/configuring-npm/package-json)).
 
 A `package` is interpreted the same way as other commands (like `npm install`) and can be:

@@ -42,7 +42,7 @@ npm access list packages [<user>|<scope>|<scope:team>] [<package>]
 npm access list collaborators [<package> [<user>]]
 npm access get status [<package>]
 npm access set status=public|private [<package>]
-npm access set mfa=none|publish|automation [<package>]
+npm access set mfa=publish|automation [<package>]
 npm access grant <read-only|read-write> <scope:team> [<package>]
 npm access revoke <scope:team> [<package>]
 ```

@@ -49,6 +49,17 @@ Publishes a package to the registry so that it can be installed by name.
 
 Publish the package in the current directory:
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 ```bash
 npm publish
 ```

@@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in
 
 - grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package.
 
-- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
+- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.
 
 - ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)
 

@@ -32,6 +32,17 @@ Sets tag 'latest' if no --tag specified
 
 Publishes a package to the registry so that it can be installed by name. All files in the package directory are included if no local `.gitignore` or `.npmignore` file exists. If both files exist and a file is ignored by `.gitignore` but not by `.npmignore` then it will be included. See [`developers`](/cli/v6/using-npm/developers) for full details on what's included in the published package, as well as details on how the package is built.
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v6/using-npm/scope) in the name (see [`package.json`](/cli/v6/configuring-npm/package-json)).
 
 - `<folder>`: A folder containing a package.json file

@@ -46,7 +46,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in
 
 - grant / revoke: Add or remove the ability of users and teams to have read-only or read-write access to a package.
 
-- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
+- 2fa-required / 2fa-not-required: Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.
 
 - ls-packages: Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)
 

@@ -32,6 +32,17 @@ Sets tag 'latest' if no --tag specified
 
 Publishes a package to the registry so that it can be installed by name.
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v7/using-npm/scope) in the name (see [`package.json`](/cli/v7/configuring-npm/package-json)).
 
 - `<folder>`: A folder containing a package.json file

@@ -43,8 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in
 
 - grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package.
 
-- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
-
+- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.
 - ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)
 
 - ls-collaborators (deprecated): Show all of the access privileges for a package. Will only show permissions for packages to which you have at least read access. If `<user>` is passed in, the list is filtered only to teams _that_ user happens to belong to.

@@ -29,6 +29,17 @@ npm publish <package-spec>
 
 Publishes a package to the registry so that it can be installed by name.
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v8/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v8/configuring-npm/package-json)).
 
 A `package` is interpreted the same way as other commands (like `npm install` and can be:

@@ -26,7 +26,7 @@ npm access list packages [<user>|<scope>|<scope:team> [<package>]
 npm access list collaborators [<package> [<user>]]
 npm access get status [<package>]
 npm access set status=public|private [<package>]
-npm access set mfa=none|publish|automation [<package>]
+npm access set mfa=publish|automation [<package>]
 npm access grant <read-only|read-write> <scope:team> [<package>]
 npm access revoke <scope:team> [<package>]
 ```
@@ -43,7 +43,7 @@ For all of the subcommands, `npm access` will perform actions on the packages in
 
 - grant / revoke (deprecated): Add or remove the ability of users and teams to have read-only or read-write access to a package.
 
-- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account.
+- 2fa-required / 2fa-not-required (deprecated): Configure whether a package requires that anyone publishing it have two-factor authentication enabled on their account. All packages now require either two-factor authentication or a granular access token with bypass 2FA enabled by default. The "Don't require two-factor authentication" option has been removed from the web interface.
 
 - ls-packages (deprecated): Show all of the packages a user or a team is able to access, along with the access level, except for read-only public packages (it won't print the whole registry listing)
 

@@ -29,6 +29,17 @@ npm publish <package-spec>
 
 Publishes a package to the registry so that it can be installed by name.
 
+<Note>
+
+**Important:** Publishing to npm requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A granular access token with bypass 2FA enabled (for CI/CD workflows)
+
+For more information, see the npm documentation on [requiring 2FA for package publishing](/requiring-2fa-for-package-publishing-and-settings-modification).
+
+</Note>
+
 By default npm will publish to the public registry. This can be overridden by specifying a different default registry or using a [`scope`](/cli/v9/using-npm/scope) in the name, combined with a scope-configured registry (see [`package.json`](/cli/v9/configuring-npm/package-json)).
 
 A `package` is interpreted the same way as other commands (like `npm install` and can be:

@@ -20,6 +20,17 @@ When you enable 2FA, you will be prompted for a second form of authentication be
 
 </Note>
 
+<Note variant="warning">
+
+**Important:** Publishing packages to npm now requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][granular-tokens] (for CI/CD workflows)
+
+For more information, see "[Requiring 2FA for package publishing][pkg-2fa]."
+
+</Note>
+
 ## Two-factor authentication on npm
 
 Two-factor authentication on npm can be enabled for authorization and writes, or authorization only.
@@ -63,6 +74,7 @@ If you enable 2FA for authorization only. We will request a second form of authe
 [token-create]: https://docs.npmjs.com/cli/token
 [token-revoke]: https://docs.npmjs.com/cli/token
 [publish]: https://docs.npmjs.com/cli/publish
+[granular-tokens]: /creating-and-viewing-access-tokens
 [unpublish]: https://docs.npmjs.com/cli/unpublish
 [deprecate]: https://docs.npmjs.com/cli/deprecate
 [access]: https://docs.npmjs.com/cli/access

@@ -6,6 +6,17 @@ import shared from '~/shared.js'
 
 You can enable two-factor authentication (2FA) on your npm user account to protect against unauthorized access to your account and packages using a [security-key][webauthn].
 
+<Note variant="warning">
+
+**Important:** Publishing packages to npm now requires either:
+
+- Two-factor authentication (2FA) enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][creating-token] (for CI/CD workflows)
+
+If you plan to publish packages, you must enable 2FA or use a bypass 2FA token.
+
+</Note>
+
 ## Prerequisites
 
 Before you enable 2FA on your npm user account, you must:
@@ -54,34 +65,6 @@ For more information on supported 2FA methods, see "[About two-factor authentica
 
 8. Click **Go back to settings** after confirming that you have saved your codes.
 
-### Disabling 2FA for writes
-
-Check the [Authorization and writes][authorization-and-writes] section for more information on different operations that requires 2FA when this mode is enabled.
-
-<Note>
-
-**Note**: As a recommended setting, 2FA for write operations are _automatically enabled_ when setting up 2FA. The following steps explain how to disable it.
-
-</Note>
-
-1. <>{shared['user-login'].text}</>
-
-   <>{shared['user-login'].image}</>
-
-2. <>{shared['account-settings'].text}</>
-
-   <>{shared['account-settings'].image}</>
-
-3. On the account settings page, under "Two-Factor Authentication", click **Modify 2FA**.
-
-   <Screenshot src="/getting-started/setting-up-your-npm-user-account/2fa-modify.png" alt="Screenshot showing Modify 2FA button" />
-
-4. From the "Manage Two-Factor Authentication" navigate to "Additional Options" section
-
-5. Clear the checkbox for "Require two-factor authentication for write actions" and click "Update Preferences"
-
-   <Screenshot src="/getting-started/setting-up-your-npm-user-account/disable-2fa-button.png" alt="Screenshot showing a cleared check box to disable 2fa under Addition options" />
-
 ### Disabling 2FA
 
 If you have 2FA enabled, you can remove it from your account settings page.
@@ -193,6 +176,7 @@ The Twitter or GitHub account is now linked to your npm account. To remove the l
 [can-i-use]: https://caniuse.com/#search=webauthn
 [viewing-and-regenerating-recovery-code]: /recovering-your-2fa-enabled-account#viewing-and-regenerating-recovery-code
 [webauthn]: https://webauthn.guide/
+[creating-token]: /creating-and-viewing-access-tokens
 [u2f]: https://en.wikipedia.org/wiki/Universal_2nd_Factor
 [windows-hello]: https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0
 [touch-id]: https://support.apple.com/en-gb/HT204587

@@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you
 npm token commands let you:
 
 - View tokens for easier tracking and management
-- Create new legacy tokens (deprecated)
 - Limit access according to IP address ranges (CIDR)
 - Delete/revoke tokens
 
 For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]".
 
-## About legacy tokens (Deprecated)
-
-<Note variant="danger">
-
-**Warning:** Legacy access tokens were removed on November 5, 2025.
-
-</Note>
-
-Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`.
-
-There are three different types of legacy tokens:
-
-- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
-- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not require 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead.
-- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm.
-
-Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]."
-
 ## About granular access tokens
 
 Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can:

@@ -45,7 +45,7 @@ For more information on creating granular access tokens, including CIDR-whitelis
 
 For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management.
 
-If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account.
+If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account.
 
 <Note>
 

@@ -12,6 +12,12 @@ Two-factor authentication (2FA) is an extra layer of security used when logging
 
 <Note>
 
+**Important:** Publishing packages to npm now requires authentication via either two-factor authentication enabled on your account, or a granular access token with bypass 2FA enabled. This requirement applies at the platform level for all packages by default, regardless of organization-level 2FA settings.
+
+</Note>
+
+<Note>
+
 **Note:**
 
 - When you require use of two-factor authentication for your organization, members who do not use 2FA will be removed from the organization and lose access to its packages. You can add them back to the organization if they enable two-factor authentication.

@@ -81,6 +81,17 @@ npm install my-package
 
 By default, scoped packages are published with private visibility.
 
+<Note>
+
+**Important:** Before you can publish, you must have either:
+
+- [Two-factor authentication (2FA)][config-2fa] enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][creating-token] (required for CI/CD workflows)
+
+For more information, see "[Requiring 2FA for package publishing][requiring-2fa]."
+
+</Note>
+
 1. On the command line, navigate to the root directory of your package.
 
    ```
@@ -109,3 +120,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p
 [cli-publish]: /cli/publish
 [reg-config]: configuring-your-registry-settings-as-an-npm-enterprise-user#using-npmrc-to-manage-multiple-profiles-for-different-registries
 [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
+[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
@@ -77,6 +77,17 @@ npm install /path/to/my-test-package
 
 By default, scoped packages are published with private visibility. To publish a scoped package with public visibility, use `npm publish --access public`.
 
+<Note>
+
+**Important:** Before you can publish, you must have either:
+
+- [Two-factor authentication (2FA)][config-2fa] enabled on your account, OR
+- A [granular access token with bypass 2FA enabled][creating-token] (required for CI/CD workflows)
+
+For more information, see "[Requiring 2FA for package publishing][requiring-2fa]."
+
+</Note>
+
 1. On the command line, navigate to the root directory of your package.
 
    ```
@@ -111,3 +122,6 @@ For more information on the `publish` command, see the [CLI documentation][cli-p
 [cli-publish]: /cli/publish
 [pii]: https://en.wikipedia.org/wiki/Personally_identifiable_information
 [provenance-how-to]: /generating-provenance-statements
+[config-2fa]: /configuring-two-factor-authentication
+[creating-token]: /creating-and-viewing-access-tokens
+[requiring-2fa]: /requiring-2fa-for-package-publishing-and-settings-modification
-Original file line number
+Diff line change
@@ Expand Up @@
     For publishing packages in continuous deployment environments, we strongly recommend using [trusted publishing](/trusted-publishers) when available, as it provides enhanced security without requiring token management.
-    If trusted publishing is not available for your CI/CD provider, you can create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish even if you have two-factor authentication enabled on your account.
+    If trusted publishing is not available for your CI/CD provider, you must create a [granular access token with bypass 2FA enabled][create-token] on the website. This will allow you to publish in your CI/CD workflows even if you have two-factor authentication enabled on your account.
     <Note>
@@ Expand Down @@