Want to better protect your RubyGems.org account?
Your RubyGems.org account is important! Unauthorized access to your account can lead to irrevocable damage to your gem's reputation. We highly recommend that you enable MFA for both UI and API. When enabled, this will mean that you need to use MFA for signing into RubyGems.org and when running gem signin, push, owner --add, owner --remove and yank.
You may enable MFA using WebAuthn or by using one-time passwords (OTP).
Authentication levels
When you register a new device or enable MFA for the first time, we will enable MFA for both the UI and the API. If you go to the "Edit Settings" page again, in the "Multi-factor Authentication" section, you will see a dropdown menu with these options:
- UI and gem signin: UI operations and gem signin will require an OTP code.
- UI and API: UI operations, gem signin, push, owner --add and owner --remove will require an OTP code.
UI only was previously a valid MFA level. However, it has been removed, and only accounts that are currently at that level will still see it in the dropdown.
Note: If you are on the UI and gem signin authentication level, you can selectively enable MFA on specific API keys (see API key scopes). This is different from the UI and API level as MFA is enabled on all API keys by default and cannot be selectively enabled.
Steps to change your MFA level:
- Sign in and go to the edit settings page. If you have enabled MFA for your account, in the "Multi-factor Authentication" section, you will see a dropdown menu. Select your intended option, and click Update. [Screenshot: Multi-factor section on the edit settings page]
- You will be prompted to use your MFA device to authorize the MFA level change. [Screenshot: Multi-factor authentication prompt to update MFA level]
Using recovery codes to reconfigure previously enabled MFA
You might be in a situation where you no longer have access to your MFA device.
In this situation, you'll need your recovery codes to gain access to your RubyGems.org account. Each recovery code can only be used once, and you may need up to 2 recovery codes to set up MFA again on a new device for an account that previously had MFA enabled.
- To log in to your account, enter an unused recovery code as the OTP code when prompted.
- To reconfigure an authenticator app, you’ll need to use a recovery code to remove the current authenticator app. Then, you are able to enable and configure your authenticator app again. For security devices, you are able to associate a new security device to your account in the security devices section.