
# Multi-User 2FA

{% hint style="warning" %}
Although this is documented, the implementation has not yet shipped.
{% endhint %}

When an open source project is large enough, it is common for multiple developers to have merge rights to master.  Combined with Semantic Release, this technically means multiple developers have the ability to trigger a release.  On CI there is traditionally only a single `NPM_TOKEN`, which means that either:

* The developers share a single npm account created specifically for that project.  An example of this is the `electron-bot` npm user.
* Or the developers use a single developer's account on CI.

The issue with the second option is that in order for other developers to be able to enter 2FA tokens into CFA, they would need the 2FA secret for that single developer's npm account.  This would be terrible for the security of that user's account and doesn't make a whole lot of sense.

To help with this use case, CFA supports the use of **multiple** npm tokens in your CI configuration and allows the user entering the 2FA token to choose which one they want to use.

### How to set this up?

Traditionally, Semantic Release uses a single environment variable, `NPM_TOKEN`, to provide the npm access token required to publish the package.  With CFA, instead of providing `NPM_TOKEN` you can provide a number of `NPM_TOKEN_{username}` variables, such as `NPM_TOKEN_marshallofsound` or `NPM_TOKEN_electronbot`, which CFA will read and let you choose from when asking for your 2FA token.

Please note that if you provide tokens in that format you should **not** provide the default `NPM_TOKEN` variable.
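
A preflight check for this naming convention that a CI job could run before publishing. This is an added example, not CFA's own code (the feature has not shipped); `inspectNpmTokens`, its return shape, and the sample environment are assumptions made for illustration.

```javascript
// Added example: validate the NPM_TOKEN_{username} convention described above.
// Hypothetical helper, not part of CFA or Semantic Release.
const PREFIX = 'NPM_TOKEN_';

function inspectNpmTokens(env) {
  const usernames = [];
  const problems = [];
  for (const [name, value] of Object.entries(env)) {
    // Plain NPM_TOKEN does not match the prefix (no trailing underscore).
    if (!name.startsWith(PREFIX)) continue;
    const username = name.slice(PREFIX.length);
    if (username === '') {
      problems.push(`${name} has no username suffix`);
    } else if (!value || value.trim() === '') {
      problems.push(`${name} is set but empty`);
    } else {
      usernames.push(username);
    }
  }
  // The page's rule: per-user tokens and the default NPM_TOKEN must not coexist.
  if (usernames.length > 0 && env.NPM_TOKEN !== undefined) {
    problems.push('NPM_TOKEN must not be set alongside NPM_TOKEN_{username} variables');
  }
  if (usernames.length === 0 && env.NPM_TOKEN === undefined) {
    problems.push('no npm token configured');
  }
  // Only variable names and usernames are returned; token values are never
  // copied out, so the result is safe to write to a CI log.
  return { usernames: usernames.sort(), problems };
}

// Constructed sample environment (values are placeholders, not real tokens).
// In a CI job you would pass process.env instead.
const SAMPLE_ENV = {
  NPM_TOKEN: 'placeholder-shared',
  NPM_TOKEN_marshallofsound: 'placeholder-a',
  NPM_TOKEN_electronbot: 'placeholder-b',
};

const report = inspectNpmTokens(SAMPLE_ENV);
console.log('selectable accounts:', report.usernames.join(', '));
for (const problem of report.problems) console.log('problem:', problem);
```
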

### What is the benefit of this system?

By putting multiple access tokens on CI you can let developers publish with their own access token and their own 2FA codes.  This means you don't have to share access to a single npm account or distribute your 2FA secret among all your maintainers.

### What does it look like?

*Screenshots coming soon*

