diff --git a/lib/index.js b/lib/index.js
index c58f1fc..93fbcad 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -367,9 +367,11 @@ class Config {
       if (!/^npm_config_/i.test(envKey) || envVal === '') {
         continue
       }
-      const key = envKey.slice('npm_config_'.length)
-        .replace(/(?!^)_/g, '-') // don't replace _ at the start of the key
-        .toLowerCase()
+      let key = envKey.slice('npm_config_'.length)
+      if (!key.startsWith('//')) { // don't normalize nerf-darted keys
+        key = key.replace(/(?!^)_/g, '-') // don't replace _ at the start of the key
+          .toLowerCase()
+      }
       conf[key] = envVal
     }
     this[_loadObject](conf, 'env', 'environment')
@@ -693,8 +695,6 @@ class Config {
       this.delete(`_password`, 'user')
       this.delete(`username`, 'user')
     }
-    this.delete(`${nerfed}:-authtoken`, 'user')
-    this.delete(`${nerfed}:_authtoken`, 'user')
     this.delete(`${nerfed}:_authToken`, 'user')
     this.delete(`${nerfed}:_auth`, 'user')
     this.delete(`${nerfed}:_password`, 'user')
@@ -734,8 +734,6 @@ class Config {
     // send auth if we have it, only to the URIs under the nerf dart.
     this.delete(`${nerfed}:always-auth`, 'user')
 
-    this.delete(`${nerfed}:-authtoken`, 'user')
-    this.delete(`${nerfed}:_authtoken`, 'user')
     this.delete(`${nerfed}:email`, 'user')
     if (certfile && keyfile) {
       this.set(`${nerfed}:certfile`, certfile, 'user')
@@ -783,8 +781,6 @@ class Config {
     }
 
     const tokenReg = this.get(`${nerfed}:_authToken`) ||
-      this.get(`${nerfed}:_authtoken`) ||
-      this.get(`${nerfed}:-authtoken`) ||
       nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
 
     if (tokenReg) {
diff --git a/tap-snapshots/test/index.js.test.cjs b/tap-snapshots/test/index.js.test.cjs
index 3b91b26..6680fd2 100644
--- a/tap-snapshots/test/index.js.test.cjs
+++ b/tap-snapshots/test/index.js.test.cjs
@@ -109,22 +109,6 @@ exports[`test/index.js TAP credentials management nerfed_authToken > other regis
 Object {}
 `
 
-exports[`test/index.js TAP credentials management nerfed_lcAuthToken > default registry 1`] = `
-Object {
-  "token": "0bad1de4",
-}
-`
-
-exports[`test/index.js TAP credentials management nerfed_lcAuthToken > default registry after set 1`] = `
-Object {
-  "token": "0bad1de4",
-}
-`
-
-exports[`test/index.js TAP credentials management nerfed_lcAuthToken > other registry 1`] = `
-Object {}
-`
-
 exports[`test/index.js TAP credentials management nerfed_mtls > default registry 1`] = `
 Object {
   "certfile": "/path/to/cert",
diff --git a/test/index.js b/test/index.js
index ddbc6c2..91f2318 100644
--- a/test/index.js
+++ b/test/index.js
@@ -394,6 +394,41 @@ loglevel = yolo
       'should return true once again now that values is retrieved from defaults')
   })
 
+  t.test('normalize config env keys', async t => {
+    const env = {
+      npm_config_bAr: 'bAr env',
+      NPM_CONFIG_FOO: 'FOO env',
+      'npm_config_//reg.example/UP_CASE/:username': 'ME',
+      'npm_config_//reg.example/UP_CASE/:_password': 'Shhhh!',
+      'NPM_CONFIG_//reg.example/UP_CASE/:_authToken': 'sEcReT',
+    }
+    const config = new Config({
+      npmPath: `${path}/npm`,
+      env,
+      argv,
+      cwd: `${path}/project`,
+
+      shorthands,
+      definitions,
+    })
+
+    await config.load()
+
+    t.strictSame({
+      bar: config.get('bar'),
+      foo: config.get('foo'),
+      '//reg.example/UP_CASE/:username': config.get('//reg.example/UP_CASE/:username'),
+      '//reg.example/UP_CASE/:_password': config.get('//reg.example/UP_CASE/:_password'),
+      '//reg.example/UP_CASE/:_authToken': config.get('//reg.example/UP_CASE/:_authToken'),
+    }, {
+      bar: 'bAr env',
+      foo: 'FOO env',
+      '//reg.example/UP_CASE/:username': 'ME',
+      '//reg.example/UP_CASE/:_password': 'Shhhh!',
+      '//reg.example/UP_CASE/:_authToken': 'sEcReT',
+    })
+  })
+
   t.test('do not double-load project/user config', async t => {
     const env = {
       npm_config_foo: 'from-env',
@@ -615,7 +650,6 @@ t.test('raise error if reading ca file error other than ENOENT', async t => {
 t.test('credentials management', async t => {
   const fixtures = {
     nerfed_authToken: { '.npmrc': '//registry.example/:_authToken = 0bad1de4' },
-    nerfed_lcAuthToken: { '.npmrc': '//registry.example/:_authtoken = 0bad1de4' },
     nerfed_userpass: {
       '.npmrc': `//registry.example/:username = hello
 //registry.example/:_password = ${Buffer.from('world').toString('base64')}