diff --git a/.github/scripts/publish-npm.sh b/.github/scripts/publish-npm.sh
index 847ce0bd0..4876fe7cb 100644
--- a/.github/scripts/publish-npm.sh
+++ b/.github/scripts/publish-npm.sh
@@ -39,7 +39,6 @@ do
     echo "🔑 Authenticated with GITHUB"
   elif [[ $REGISTRY == 'NPM' ]]; then
     npm config set @db-ui:registry https://registry.npmjs.org/
-    npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
     echo "🔑 Authenticated with NPM"
   else
     echo "Could not authenticate with $REGISTRY"
diff --git a/.github/workflows/03-publish-packages.yml b/.github/workflows/03-publish-packages.yml
index 941cb8bc9..1ab234e48 100644
--- a/.github/workflows/03-publish-packages.yml
+++ b/.github/workflows/03-publish-packages.yml
@@ -26,6 +26,7 @@ jobs:
     runs-on: ubuntu-24.04 # Use Ubuntu 24.04 explicitly
     permissions:
       id-token: write  # Required for OIDC
+      contents: read
     steps:
       - name: ⬇ Checkout repo
         uses: actions/checkout@v4
@@ -48,7 +49,6 @@ jobs:
           PRE_RELEASE: ${{ inputs.preRelease }}
           VALID_SEMVER_VERSION: ${{ inputs.version }}
           GITHUB_COMMITISH: ${{ github.event.release.target_commitish }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: ⬆ Upload Package Artifact db-ui-base
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d5112428..94a420cb4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,10 @@ on:
   release:
     types: [published]
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   init:
     uses: ./.github/workflows/00-init.yml