Skip to content

NPM token rotation for node API client

Emmet edited this page Feb 20, 2026 · 9 revisions

notifications-node-client NPM token rotation

As of October 2025 npm now uses granular access tokens which expire every 90 days. As such we have decided it only makes sense to renew the token when required.

The token is stored in notifications-credentials at

notify-pass credentials/npm/auth-token

To log into the npm portal use the username in this entry (not the email address):

notify-pass credentials/npm/user

Authenticate using the password at:

notify-pass credentials/npm/password

Use the MFA code like this:

notify-pass show credentials/npm/2fa-key | python -c "import sys, pyotp; print(pyotp.TOTP(sys.stdin.read().strip()).now())" | pbcopy

Follow the instructions at the link below to renew the token and generate a new secret token which you will store in notifications-credentials. Use these options when asked:

Token name: notifycicd<month><year>
Description: cicd token
Choose to Bypass two-factor authentication
Allowed IP range: Add all the IP ranges specified in this file
Packages and scopes: All packages
Organizations: No access
Choose the maximum expiry time frame (90 days)

https://docs.npmjs.com/creating-and-viewing-access-tokens

Once you have the new secret token, create a new branch on notifications-credentials, update the token like this:

git checkout -b rotating-npm-token
notify-pass edit credentials/npm/auth-token

Raise a PR to the notifications-credentials repo to get the new token into the main branch.

After the PR has been merged, retry releasing the client using the api-clients node-client pipeline.

Clone this wiki locally