Skip to content

[docs]: bypass-2FA GATs blocked from account level operations starting august 2026#2006

Open
shmam wants to merge 2 commits into
mainfrom
docs-bypass-2fa-gat-limits
Open

[docs]: bypass-2FA GATs blocked from account level operations starting august 2026#2006
shmam wants to merge 2 commits into
mainfrom
docs-bypass-2fa-gat-limits

Conversation

@shmam

@shmam shmam commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Starting early August 2026, Granular Access Tokens with Bypass 2FA enabled will no longer be permitted to perform account-identity or account-governance actions. Bypass-2FA tokens remain valid for publishing (for now)

Account-identity actions clarified across the docs:

  • Change email or password
  • Modify or disable 2FA configuration
  • View or generate recovery codes
  • Create, escalate, or manage access tokens
  • Add or remove maintainers / other package-governance changes

Files updated

  • content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx — added an "Account-identity actions require an interactive 2FA challenge" section and refined the Bypass 2FA description.
  • content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx — clarified the Bypass 2FA checkbox scope during token creation and linked to the new section.
  • content/packages-and-modules/securing-your-code/requiring-2fa-for-package-publishing-and-settings-modification.mdx — narrowed the "bypass 2FA is enabled" bullet to package write actions and added a bullet for account-identity actions.
  • content/getting-started/setting-up-your-npm-user-account/about-two-factor-authentication.mdx — noted in the callout that account-identity actions cannot be performed with a bypass-2FA token.

Notes

  • Wording aligns with the epic's "raise the floor, ease the path" framing and points users toward trusted publishing for CI/CD as a migration path.
  • No changes to nav or redirects were needed.

Reflects the epic to remove account-identity capability from bypass-2FA
Granular Access Tokens. Bypass 2FA still applies to publishing and other
package write actions, but changes to email/password, 2FA configuration,
recovery codes, token creation/escalation, and maintainer management
now always require an interactive 2FA challenge.

Refs github/npm#15355
Epic github/npm#15226

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 17ac1732-86bf-4b6f-a698-70850d2b7b27
@shmam
shmam requested review from a team and leobalter as code owners July 17, 2026 17:51
@shmam
shmam temporarily deployed to github-pages July 17, 2026 17:56 — with GitHub Actions Inactive
@shmam shmam changed the title Docs: bypass-2FA GATs cannot perform account-identity actions [docs]: bypass-2FA GATs blocked from account level operations starting august 2026 Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant