# Multi-User 2FA

{% hint style="warning" %}
Although this is documented, the implementation has not yet shipped.
{% endhint %}

When an open source project is large enough, it often has multiple developers with merge rights to master. Combined with Semantic Release, this technically means multiple developers have the ability to trigger a release. On CI there is traditionally only a single `NPM_TOKEN`, which means that either:

* The developers share a single npm account specific to that project. An example of this is the `electron-bot` npm user.
* Or the developers use a single developer's account on CI.

The issue with the second option is that, in order for other developers to be able to enter 2FA tokens into CFA, they would need the 2FA secret for that single developer's npm account. This would be terrible for the security of that user's account and doesn't make a whole lot of sense.

To help with this use case, CFA supports the use of **multiple** npm tokens in your CI configuration and allows the user entering the 2FA token to choose which one they want to use.

### How to set this up?

Traditionally, Semantic Release uses a single environment variable, `NPM_TOKEN`, to provide the npm access token required to publish the package. With CFA, instead of providing `NPM_TOKEN`, you can provide a number of `NPM_TOKEN_{username}` variables, such as `NPM_TOKEN_marshallofsound` or `NPM_TOKEN_electronbot`, which CFA will read and let you choose from when asking for your 2FA token.

Please note that if you provide tokens in that format you should **not** provide the default `NPM_TOKEN` variable.
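A pre-flight check a CI job could run before the release step to confirm the variables follow the convention above. This is an added example, not CFA's own code; the function name `auditNpmTokens`, the rejection of empty values and the sample environment are assumptions made for illustration.

```javascript
'use strict';

const PREFIX = 'NPM_TOKEN_';

// Inspect an environment object and report which per-user npm tokens are
// configured. Only usernames are returned; token values are never returned
// or logged, so the report is safe to print in CI output.
function auditNpmTokens(env) {
  const users = [];
  const problems = [];

  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PREFIX)) continue; // plain NPM_TOKEN does not match
    const username = name.slice(PREFIX.length);
    if (username === '') {
      problems.push(`${name} has no username suffix`);
    } else if (typeof value !== 'string' || value.trim() === '') {
      problems.push(`${name} is set but empty`);
    } else {
      users.push(username);
    }
  }

  // Per the note above: do not provide the default NPM_TOKEN together with
  // NPM_TOKEN_{username} variables.
  if (users.length > 0 && env.NPM_TOKEN !== undefined) {
    problems.push('NPM_TOKEN must not be set alongside NPM_TOKEN_{username} variables');
  }

  return { users: users.sort(), problems };
}

// Constructed sample environment (placeholder values, not real tokens).
const sampleEnv = {
  NPM_TOKEN_marshallofsound: 'placeholder-token-a',
  NPM_TOKEN_electronbot: 'placeholder-token-b',
  NPM_TOKEN: 'placeholder-shared-token',
  PATH: '/usr/bin',
};

const report = auditNpmTokens(sampleEnv);
console.log('users:', report.users.join(', '));
console.log('problems:', report.problems);
```

In a real job, pass `process.env` instead of `sampleEnv` and fail the build when `problems` is non-empty.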

### What is the benefit of this system?

By putting multiple access tokens on CI, you can let developers publish with their own access token and their own 2FA codes. This means you don't have to share access to a single npm account or distribute your 2FA secret among all your maintainers.

### What does it look like?

*Screenshots coming soon*
