npm-access(1) npm-access(1)
NAME
npm-access - Set access level on published packages
Synopsis
npm access list packages [<user>|<scope>|<scope:team>] [<package>]
npm access list collaborators [<package> [<user>]]
npm access get status [<package>]
npm access set status=public|private [<package>]
npm access set mfa=none|publish|automation [<package>]
npm access grant <read-only|read-write> <scope:team> [<package>]
npm access revoke <scope:team> [<package>]
Note: This command is unaware of workspaces.
Description
Used to set access controls on private packages.
For all of the subcommands, npm access will perform actions on the
packages in the current working directory if no package name is passed
to the subcommand.
o grant / revoke: Add or remove the ability of users and teams to
have read-only or read-write access to a package.
Details
npm access always operates directly on the current registry,
configurable from the command line using --registry=<registry url>.
Unscoped packages are always public.
Scoped packages default to restricted, but you can either publish them
as public using npm publish --access=public, or set their access as
public using npm access set status=public after the initial publish.
You must have privileges to set the access of a package:
o You are an owner of an unscoped or scoped package.
o You are a member of the team that owns a scope.
o You have been given read-write privileges for a package, either as
a member of a team or directly as an owner.
If you have two-factor authentication enabled then you'll be prompted
to provide a second factor, or may use the --otp=... option to specify
it on the command line.
If your account is not paid, then attempts to publish scoped packages
will fail with an HTTP 402 status code (logically enough), unless you
use --access=public.
Management of teams and team memberships is done with the npm team
command.
Configuration
json
o Default: false
o Type: Boolean
Whether or not to output JSON data, rather than the normal output.
o In npm pkg set it enables parsing set values with JSON.parse()
before saving them to your package.json.
Not supported by all npm commands.
otp
o Default: null
o Type: null or String
This is a one-time password from a two-factor authenticator. It's
needed when publishing or changing package permissions with npm access.
If not set, and a registry response fails with a challenge for a one-
time password, npm will prompt on the command line for one.
registry
o Default: "https://registry.npmjs.org/"
o Type: URL
The base URL of the npm registry.
See Also
o libnpmaccess <https://npm.im/libnpmaccess>
o npm help team
o npm help publish
o npm help config
o npm help registry
NPM@11.6.2 October 2025 npm-access(1)
npm 11.6.2 - Generated Sun Oct 12 18:08:33 CDT 2025