← knowledge.oriz.in

NPM publish via .env token (bypass 2FA)

service npmpublishsecretsreference

User confirmed 2026-06-21 there's a "bypass pass" in .env for publishes. Standard npm publish in this shell fails with HTTP 403 ("Two-factor authentication or granular access token with bypass 2fa enabled is required") because the npm account has web-2FA on.

Workflow:

NPM_TOKEN=$(grep -E '^NPM_TOKEN=' c:/D/oriz/.env | head -1 | sed 's/^NPM_TOKEN=//')
# Back up existing ~/.npmrc if any, write the temp one
[[ -f "$HOME/.npmrc" ]] && cp "$HOME/.npmrc" "$HOME/.npmrc.bak.$$"
echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > "$HOME/.npmrc"
trap 'mv "$HOME/.npmrc.bak.$$" "$HOME/.npmrc" 2>/dev/null || rm -f "$HOME/.npmrc"' EXIT
npm whoami    # should print chirag127
# ... npm publish ...

How to apply:

Reference script: scripts/stub-and-publish-22.sh is the working template.

Related: atomic-packages-lazy, no-card-on-file-prepaid-escape.