Skip to content

NPM token rotation for node API client

Emmet edited this page Jan 9, 2026 · 9 revisions

notifications-node-client NPM token rotation

As of October 2025 npm now uses granular access tokens which expire every 90 days. As such we have decided it only makes sense to renew the token when required.

The token is stored in notifications-credentials at

notify-pass credentials/npm/auth-token

To log into the npm portal use the username in this entry (not the email address):

notify-pass credentials/npm/user

Authenticate using the password at:

notify-pass credentials/npm/password

Use the MFA code like this:

notify-pass show credentials/npm/2fa-key | python -c "import sys, pyotp; print(pyotp.TOTP(sys.stdin.read().strip()).now())" | pbcopy

Follow the instructions here to renew the token:

https://docs.npmjs.com/creating-and-viewing-access-tokens

Clone this wiki locally