Fix: npm ERR! code E401 Unauthorized

Your npm credentials are invalid or expired.

Frequently documented in developer and vendor support forums.

• Your npm auth token in ~/.npmrc has expired. Tokens from npm login sessions or CI/CD pipelines expire or get rotated.
• You are trying to install a private or scoped package from a registry that requires authentication but you have not logged in.
• Your .npmrc file points to the wrong registry URL, or the _authToken line references a token that was revoked.
• A CI/CD environment (GitHub Actions, GitLab CI) is missing the NPM_TOKEN environment variable or it is set incorrectly.

• Not logged in to npm — run npm login to authenticate
• Auth token in .npmrc has expired or been revoked
• Wrong registry URL configured in .npmrc or project config
• Trying to install a private package without proper authentication

• npm ERR! code E403 — E403 means you are authenticated but do not have permission to publish or access the package. E401 means authentication itself failed.
• npm ERR! code E404 — E404 means the package does not exist on the registry. E401 means the package may exist but you cannot authenticate to access it.
• npm WARN deprecated — A deprecation warning during install. Not an authentication error — the package installs but is outdated.

• The npm registry is down or unreachable. E401 is specifically an authentication failure, not a network issue.
• Your package.json is broken or corrupt. The error is about credentials, not about your project configuration.
• You need to create a new npm account. Your existing account is fine — you just need to re-authenticate or refresh your token.

1. Run npm login to re-authenticate with the registry
2. Generate a new access token at npmjs.com and update .npmrc
3. Check .npmrc for correct registry URL and auth token format
4. For scoped packages, set the registry per scope: npm config set @scope:registry https://registry.example.com

Last reviewed: March 2026 How we review solutions

npm returns E401 when the registry server rejects your credentials with an HTTP 401 Unauthorized status. This happens during both read and write operations—pulling private packages, publishing, or even accessing org-scoped packages behind authentication. The npm CLI stores auth tokens in your user-level .npmrc file (usually ~/.npmrc), and these tokens can expire, be revoked, or simply never exist if you skipped npm login. The most common trigger is a stale or missing auth token for a private registry: corporate environments often run Verdaccio, Artifactory, or GitHub Packages, each requiring its own token. When teams onboard new members, the project .npmrc may include a registry URL but not the token (which should be in the user-level .npmrc or injected as an environment variable). Another frequent cause is publishing to the wrong registry—if you run npm publish without specifying the registry and your package is scoped, npm sends it to the default public registry where your private org credentials do not apply. CI/CD pipelines are particularly vulnerable because auth tokens must be explicitly injected as secrets and mapped to the correct environment variable name (NPM_TOKEN or npm_config_//registry:_authToken).

1. Run npm whoami to check if you are authenticated
2. Inspect ~/.npmrc for an auth token line matching the registry URL
3. Verify the token has not expired or been revoked in your registry dashboard
4. Check if the project .npmrc overrides the registry without providing a token
5. For CI: confirm the NPM_TOKEN secret is set and not empty in the pipeline config

Two-factor authentication required

If your npm account has 2FA enabled for publishing, npm login alone is not enough for publish operations. You must pass a one-time password with --otp=123456 when running npm publish, or use an automation token that bypasses 2FA for CI pipelines.

GitHub Packages with fine-grained PAT

GitHub personal access tokens (classic) need the read:packages scope for installs and write:packages for publishing. Fine-grained tokens need the specific repository permission. A token without the right scope returns 401 even though it is a valid GitHub token.

Token in wrong .npmrc file

npm reads .npmrc from three locations: project, user (~/.npmrc), and global. A token in the project .npmrc is often committed to git accidentally, while the user .npmrc is where tokens should live. If the project .npmrc sets the registry but the token is nowhere, you get E401.

How do I log in?

Run npm login and enter credentials.

Where are tokens stored?

In ~/.npmrc file.

What causes npm ERR! code E401 Unauthorized?

This error occurs when npm cannot authenticate with the package registry. The most common causes are an expired or missing auth token in your .npmrc file, not being logged in, or trying to access a private package without proper credentials.

How do I fix npm E401 with a private registry?

Set the registry for your scope: npm config set @yourscope:registry https://your-registry-url. Then authenticate with npm login --registry=https://your-registry-url. Verify your .npmrc contains the correct //your-registry-url/:_authToken=YOUR_TOKEN entry.

What is the difference between E401 and E403?

E401 means your identity could not be verified—you are not logged in or your token is invalid. E403 means your identity was verified but you lack permission for the requested action (e.g., publishing to a package you do not own).

How do I create an automation token for CI?

On npmjs.com, go to Access Tokens > Generate New Token > Automation. This token type bypasses 2FA requirements, making it safe for CI pipelines where interactive OTP entry is impossible.

Why does npm login work but npm install still gives E401?

This usually means the project .npmrc overrides the registry URL to a different server than the one you logged into. Check the project .npmrc for a registry= line and log in to that specific registry.

• Fix: -bash: systemctl: command not found
• Fix: sudo unable to resolve host ubuntu
• npm install – Official npm Docs
• package.json Reference – npm Docs