[docs]: bypass-2FA GATs blocked from account level operations starting august 2026#2006
Open
shmam wants to merge 2 commits into
Open
[docs]: bypass-2FA GATs blocked from account level operations starting august 2026#2006shmam wants to merge 2 commits into
shmam wants to merge 2 commits into
Conversation
Reflects the epic to remove account-identity capability from bypass-2FA Granular Access Tokens. Bypass 2FA still applies to publishing and other package write actions, but changes to email/password, 2FA configuration, recovery codes, token creation/escalation, and maintainer management now always require an interactive 2FA challenge. Refs github/npm#15355 Epic github/npm#15226 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 17ac1732-86bf-4b6f-a698-70850d2b7b27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Starting early August 2026, Granular Access Tokens with Bypass 2FA enabled will no longer be permitted to perform account-identity or account-governance actions. Bypass-2FA tokens remain valid for publishing (for now)
Account-identity actions clarified across the docs:
Files updated
content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx— added an "Account-identity actions require an interactive 2FA challenge" section and refined the Bypass 2FA description.content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx— clarified the Bypass 2FA checkbox scope during token creation and linked to the new section.content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx— narrowed the "bypass 2FA is enabled" bullet to package write actions and added a bullet for account-identity actions.content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx— noted in the callout that account-identity actions cannot be performed with a bypass-2FA token.Notes