How do I prevent npm:EOTP in CI?

Use automation tokens for CI instead of personal tokens. Document org 2FA requirements so publish/install workflows are predictable.

How can I manually validate npm:EOTP?

Check current auth: `npm whoami`. Inspect `.npmrc` for token config and registry routing.

npm ERR! code EOTP

What This Error Means

npm requires a one-time password for this publish or settings change because two-factor authentication is enabled on the account.

Read this as a precise clue about which part of the workflow broke first. Once you know the failing layer, the fix path gets much shorter.

How to Fix It

The fastest fixes here come from checking the immediate failing layer before you change anything unrelated. Make one correction at a time and re-test from the same environment.

Check which registry npm is using:npm config get registry

If the package is scoped, verify scope registry mapping in .npmrc (example: @your-scope:registry=...).

If the command supports it, pass the OTP:npm <cmd> --otp=123456

For CI, use an automation token that is allowed for your org policy (or adjust the 2FA requirement for the operation).

Re-login if your token is stale:npm logout then npm login

Why It Happens

Usually this comes down to your account or the package requires 2FA for publish or restricted operations, or you are using a token that is not allowed for the requested 2FA policy.

Verify the Fix

Re-run the original command and confirm it completes without prompting for OTP again, and confirm the authenticated identity with npm whoami.

Manual authentication checks

Check current auth with npm whoami, and inspect .npmrc for token config and registry routing.

Examples

npm ERR! code EOTP
npm ERR! This operation requires a one-time password from your authenticator.

How npm uses registry credentials

npm uses registry tokens for authentication and enforces registry policy (including 2FA requirements). Some operations require an OTP in addition to a token.

Prevent It From Coming Back

To prevent this, use automation tokens for CI instead of personal tokens, and document org 2FA requirements so publish/install workflows are predictable.

Docs and source code

github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/utils/get-identity.js

This is a registry authentication call path. Auth errors like this code appear when the registry returns 401/403 for these endpoints. - GitHub


  // No username, but we have other credentials; fetch the username from registry
  if (creds.token || creds.certfile && creds.keyfile) {
    const registryData = await npmFetch.json('/-/whoami', { ...opts })
    if (typeof registryData?.username === 'string') {
      return registryData.username
    }