What This Error Means
npm requires a one-time password for this publish or settings change because two-factor authentication is enabled on the account.
How to Fix It
Check which registry npm is using:npm config get registry
If the package is scoped, verify scope registry mapping in .npmrc (example: @your-scope:registry=...).
If the command supports it, pass the OTP:npm <cmd> --otp=123456
For CI, use an automation token that is allowed for your org policy (or adjust the 2FA requirement for the operation).
Re-login if your token is stale:npm logout then npm login
Why It Happens
Your account or the package requires 2FA for publish or restricted operations.
You are using a token that is not allowed for the requested 2FA policy.
How to Verify
Re-run the original command and confirm it completes without prompting for OTP again.
Confirm the authenticated identity:npm whoami
Manual authentication checks
Check current auth:npm whoami
Inspect .npmrc for token config and registry routing.
Examples
npm ERR! code EOTP
npm ERR! This operation requires a one-time password from your authenticator.How npm uses registry credentials
npm uses registry tokens for authentication and enforces registry policy (including 2FA requirements).
Some operations require an OTP in addition to a token.
Prevention Tips
Use automation tokens for CI instead of personal tokens.
Document org 2FA requirements so publish/install workflows are predictable.
Where This Can Be Triggered
github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/utils/get-identity.js
This is a registry authentication call path. Auth errors like this code appear when the registry returns 401/403 for these endpoints. - GitHub
// No username, but we have other credentials; fetch the username from registry
if (creds.token || creds.certfile && creds.keyfile) {
const registryData = await npmFetch.json('/-/whoami', { ...opts })
if (typeof registryData?.username === 'string') {
return registryData.username
}