Requires npm version 5.5.1 or greater
Whenever you login to npm, a security token is generated. Tokens authenticate your account, and give you rights to publish and access your modules.
Because a token is simply a hexadecimal string, you can use the token in other tools, such as continuous integration testing environments, so that the tool can run with the access it needs to complete tasks. For example, Travis-CI provides an environment variable that you can assign to a token value. This gives Travis-CI the ability to run npm as your npm user, including the ability to install private packages to which you have access.
Read this chapter to learn how to manage security tokens.
Note: There are additional steps required if you wish to use tokens for testing and other special purposes. These steps are not in the scope of this chapter.
Token commands empower you to:
To view the tokens associated with your account, type:
npm token list
.
The following table explains the token list.
A token can be both read-only as well as CIDR-whitelisted.
If you have enabled two-factor authentication on your profile, you have implemented an additional layer of security.
Note: The token list shows a truncated version of the token. View the npmrc file if you need to see the full token.
npm token create [--read-only] [--cidr=list]
Before you create a new token, decide which type of token you want:
The default setting for new tokens is full-permission.
When a token is read-only, it cannot be used to make changes to a package. If a token is not explicitly set to read-only, it has full permissions, including publish and modification rights.
To create a new full permission token, type:
'npm token create'
If you have set up two-factor authentication, you will be prompted for your npm password, followed by an OTP. npm will display this table:
TIP: Save a screen shot of the token field, as this will be your only chance to view it.
Note that read-only defaults to false.
To create a new read-only token, type:
npm token create --read-only
If you have set up two-factor authentication, you will be prompted for an npm password, followed by an OTP. npm will display this table:
Note that read-only is set to true.
To limit the token so that it can only be used from specified ip addresses, you can create a CIDR-restricted token. CIDR is an acronym for Classless Inter-Domain Routing. The CIDR Wiki page will get you started.
Using a CIDR restriction makes it possible for you to force anyone or any system using the token to either physically or remotely be within the specified ip address range.
npm token create --[--cidr=list]
example.:
npm token create --cidr=192.0.2.0/24
If you have set up two-factor authentication, you will be prompted for an npm password, followed by an OTP. npm will display this table:
If you see a message like this one:
npm ERR! CIDR whitelist contains invalid CIDR entry: X.X.X.X./YY,Z.Z.. . .
(where the string returned is the one you entered) please ensure that the CIDR string is valid and in the appropriate format. Note: npm only supports IPv4 at this time.
To create a CIDR-restricted token that is also read-only, type:
npm token create --read-only --cidr=list
You can delete (revoke) a token, regardless of when it was created. This allows you to gain control of access you may wish to take back.
The command to delete a token is:
npm token delete
Here are the steps:
npm token list
npm will report 'Removed 1 token'
Type 'npm token list' to confirm that the token has been removed.
The following screen shot demonstrates these steps:
Note: All tokens shown in screen illustrations have been revoked.
Note: In certain cases, there may be a delay of up to an hour before a token is successfully revoked. npm is currently working to make revocation occur immediately in all cases.
Last modified February 13, 2023 Found a typo? Send a pull request!