npm-adduser

Create a new user in the specified registry and save credentials to .npmrc

$ npm adduser --registry [registry_url]

$ npm login --scope [@mycorp] --registry [https://registry.mycorp.com]

$ npm logout --scope [@mycorp]

$ npm init --scope [@foo] [[-y|--yes]]

npm adduser [--registry <url>] [--scope <scope>] [--auth-type <type>]

--registry <url>
    Specifies the URL of the npm registry to use for this operation. If not specified, npm uses the default registry configured in .npmrc or the public npm registry.

--scope <scope>
    Associates the user credentials with a specific scope. This is useful when you need to authenticate against a private registry for packages under a particular scope (e.g., @myscope:registry=https://private.registry.com).

--auth-type <type>
    Defines the authentication method. Possible values include always (sends basic auth on every request), web (opens a browser for login), and legacy (the default interactive prompt, using username/password). web is often used for two-factor authentication or SSO workflows.

The npm adduser command is used to either create a new user account on the configured npm registry or to log in an existing user. When executed, it interactively prompts the user for a username, password, and email address. These credentials are then used to authenticate with the registry. Once successfully logged in, npm stores an authentication token or credentials in the user's ~/.npmrc configuration file. This allows subsequent commands like npm publish to securely interact with the registry without requiring re-authentication.

It's a fundamental command for package maintainers and anyone needing to publish packages to npm or a private registry. The command is essentially an alias for npm login, which is often preferred for its clearer intent.

The command requires an active internet connection to communicate with the npm registry. While credentials are typically transmitted over HTTPS, the overall security depends on the registry's implementation. For automation, npm adduser is interactive and not easily scriptable without tools like expect.

For better security, consider using API tokens instead of username/password, and ensure your .npmrc file permissions are restrictive to prevent unauthorized access to stored credentials.

Upon successful authentication, npm adduser modifies the user's ~/.npmrc file (or a specified .npmrc if --userconfig is used). It typically adds an authentication token (e.g., //registry.npmjs.org/:_authToken="YOUR_TOKEN") or username/password entries for the specified registry. This token is then automatically included in headers for subsequent authenticated requests to that registry. Understanding this file is key for managing npm's behavior and credentials.

When using npm adduser, especially with the default interactive prompt, credentials are exchanged. For public npm, token-based authentication is preferred over username/password. Users should be aware that the .npmrc file stores these tokens. Protecting this file with appropriate file system permissions (e.g., chmod 600 ~/.npmrc) is critical to prevent unauthorized access to your npm account. Using environment variables for sensitive data (e.g., NPM_TOKEN) or credential helpers can further enhance security, especially in CI/CD environments.

npm adduser has been a core command since the early days of npm, providing the initial mechanism for users to authenticate and publish packages. Over time, its functionality has evolved to support various authentication methods, including the transition from simple username/password basic authentication to more secure token-based authentication.

The introduction of npm login as an alias aimed to clarify the command's primary purpose of logging in, rather than exclusively adding new users, as existing users also use it to authenticate. It remains crucial for the decentralized package ecosystem enabled by npm.

npm login(1), npm logout(1), npm config(1), npm publish(1), npm whoami(1)