Fix it fast
Most likely: npm is using a registry or package scope that requires credentials, but the matching token is missing, expired, or attached to the wrong host.
1. Confirm this is your error
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.2. Check the cause
npm config get registry
npm config get @your-scope:registry
npm whoami
npm config list3. Apply the safe fix
# For interactive use, log in to the same registry npm is using.
npm login --registry=<registry-url>
npm whoami --registry=<registry-url>
# For CI, configure an auth token for the exact registry host in .npmrc or the CI environment.4. Verify it works
npm whoami --registry=<registry-url>
npm installDon't use unsafe shortcuts
- Do not commit npm tokens to the repository.
- Do not put a token under one registry host while the package scope points at another.
- Do not delete the lockfile or change package versions before fixing authentication.
What This Error Means
Read this as a precise clue about which part of the workflow broke first. Once you know the failing layer, the fix path gets much shorter.
How to Fix It
The fastest fixes here come from checking the immediate failing layer before you change anything unrelated. Make one correction at a time and re-test from the same environment.
Check which registry npm is using:npm config get registry
If the package is scoped, verify scope registry mapping in .npmrc (example: @your-scope:registry=...).
Confirm the registry identity:npm whoami (it should print a username for that registry).
Login again:npm logout then npm login (or set a token in .npmrc for the correct host).
If you are using a scope, confirm the scope registry mapping in .npmrc is correct.
If using GitHub Packages or a private registry, confirm the token has the correct scopes/permissions for that registry.
Retry with logs:npm --verbose (it shows which host returned 401/403).
Why It Happens
Usually this comes down to your .npmrc token is missing, expired, or scoped to the wrong registry host, you are installing a private package but you are not authenticated for that scope/registry, or the token is valid but lacks permission (forbidden) for the requested package or operation.
Verify the Fix
Run npm whoami and confirm it succeeds, and re-run the original command and confirm the registry no longer returns 401/403.
Manual authentication checks
Print effective config with npm config list -l (look for registry and auth entries), and check .npmrc precedence (project, user, global) to ensure you are editing the right file.
How npm uses registry credentials
npm sends requests to the configured registry using credentials from .npmrc. Registry hosts treat tokens differently (npmjs vs GitHub Packages vs private registries). A mismatched registry host/token pairing is a common cause of 401/403.
Prevent It From Coming Back
To prevent this, use dedicated tokens for CI and rotate them periodically, keep .npmrc registry routing explicit for scoped packages, and use a proxy/cache registry to reduce auth surprises between environments.
Docs and source code
github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/commands/logout.js
Open-source npm CLI code path where this error is raised. - GitHub
log.verbose('logout', `clearing user credentials for ${reg}`)
} else {
const msg = `not logged in to ${reg}, so can't log out!`
throw Object.assign(new Error(msg), { code: 'ENEEDAUTH' })
}
if (scope) {github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/commands/publish.js
Open-source npm CLI code path where this error is raised. - GitHub
if (dryRun) {
log.warn('', `${msg} (dry-run)`)
} else {
throw Object.assign(new Error(msg), { code: 'ENEEDAUTH' })
}
}