diff --git a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx index 561872712be..cd937a23cc5 100644 --- a/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx +++ b/content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx @@ -22,30 +22,11 @@ You can work with tokens from the web or the CLI, whichever is easiest. What you npm token commands let you: - View tokens for easier tracking and management -- Create new legacy tokens (deprecated) - Limit access according to IP address ranges (CIDR) - Delete/revoke tokens For more information on creating and viewing access tokens on the web and CLI, see "[Creating and viewing access tokens][create-token]". -## About legacy tokens (Deprecated) - - - -**Warning:** Legacy access tokens were removed on November 5, 2025. - - - -Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run `npm login`. - -There are three different types of legacy tokens: - -- **Read-only**: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Automation**: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using [granular access tokens](#about-granular-access-tokens) instead. -- **Publish**: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm. - -Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "[Securing your token][secure-token]." - ## About granular access tokens Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can: