From cb8d9e8bef4d24e69252b86a174806667ea31c04 Mon Sep 17 00:00:00 2001 From: Michael Smith Date: Wed, 26 Nov 2025 09:03:09 -0800 Subject: [PATCH 1/4] docs: updates the token create documentation --- docs/lib/content/commands/npm-token.md | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/docs/lib/content/commands/npm-token.md b/docs/lib/content/commands/npm-token.md index 9fc763b82ddf4..d6122ae67977d 100644 --- a/docs/lib/content/commands/npm-token.md +++ b/docs/lib/content/commands/npm-token.md 
@@ -26,14 +26,24 @@ Publish token npm_… with id e0cf92 created 2017-10-02 ``` -* `npm token create [--read-only] [--cidr=]`: - Create a new authentication token. - It can be `--read-only`, or accept a list of [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) ranges with which to limit use of this token. +* `npm token create --name= [--token-description=] [--packages=] [--packages-all] [--scopes=] [--orgs=] [--packages-and-scopes-permission=] [--orgs-permission=] [--expires=] [--cidr=] [--bypass-2fa] [--password=]`: + Create a new token. + You can customize the token with various options: + - `--name=`: Set the token name/description (required) + - `--token-description=`: Additional description text + - `--packages=`: Limit token access to specific packages + - `--packages-all`: Grant access to all packages + - `--scopes=`: Limit token access to specific scopes + - `--orgs=`: Limit token access to specific organizations + - `--packages-and-scopes-permission=`: Set permission level for packages and scopes + - `--orgs-permission=`: Set permission level for organizations + - `--expires=`: Set token expiration in days (default: 7, maximum: 90) + - `--cidr=`: Limit token use to specific [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) IP ranges + - `--bypass-2fa`: Allow token to bypass two-factor authentication (useful for automation) + - `--password=`: Provide password via command line (safer to be prompted) + This will prompt you for your password, and, if you have two-factor authentication enabled, an otp. - Currently, the cli cannot generate automation tokens. - Please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating automation tokens. - ``` Created publish token a73c9572-f1b9-8983-983d-ba3ac3cc913d ``` From 7b8885ac0f294d027c5df1848bca9b0c9ce878be Mon Sep 17 00:00:00 2001 
From: Gar Date: Wed, 26 Nov 2025 09:32:12 -0800 Subject: [PATCH 2/4] fixup: update description copy --- docs/lib/content/commands/npm-token.md | 57 ++++++++------------------ 1 file changed, 16 insertions(+), 41 deletions(-) diff --git a/docs/lib/content/commands/npm-token.md b/docs/lib/content/commands/npm-token.md index d6122ae67977d..e077534d3a8a9 100644 --- a/docs/lib/content/commands/npm-token.md +++ b/docs/lib/content/commands/npm-token.md 
@@ -12,47 +12,22 @@ description: Manage your authentication tokens This lets you list, create and revoke authentication tokens. -* `npm token list`: - Shows a table of all active authentication tokens. - You can request this as JSON with `--json` or tab-separated values with `--parseable`. - -``` -Read only token npm_1f… with id 7f3134 created 2017-10-21 - -Publish token npm_af… with id c03241 created 2017-10-02 -with IP Whitelist: 192.168.0.1/24 - -Publish token npm_… with id e0cf92 created 2017-10-02 - -``` - -* `npm token create --name= [--token-description=] [--packages=] [--packages-all] [--scopes=] [--orgs=] [--packages-and-scopes-permission=] [--orgs-permission=] [--expires=] [--cidr=] [--bypass-2fa] [--password=]`: - Create a new token. - You can customize the token with various options: - - `--name=`: Set the token name/description (required) - - `--token-description=`: Additional description text - - `--packages=`: Limit token access to specific packages - - `--packages-all`: Grant access to all packages - - `--scopes=`: Limit token access to specific scopes - - `--orgs=`: Limit token access to specific organizations - - `--packages-and-scopes-permission=`: Set permission level for packages and scopes - - `--orgs-permission=`: Set permission level for organizations - - `--expires=`: Set token expiration in days (default: 7, maximum: 90) - - `--cidr=`: Limit token use to specific [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) IP ranges - - `--bypass-2fa`: Allow token to bypass two-factor authentication (useful for automation) - - `--password=`: Provide password via command line (safer to be prompted) - - This will prompt you for your password, and, if you have two-factor authentication enabled, an otp. - -``` -Created publish token a73c9572-f1b9-8983-983d-ba3ac3cc913d -``` - -* `npm token revoke `: - Immediately removes an authentication token from the registry. - You will no longer be able to use it. 
- This can accept both complete tokens (such as those you get back from `npm token create`, and those found in your `.npmrc`), and ids as seen in the parseable or json output of `npm token list`. - This will NOT accept the truncated token found in the normal `npm token list` output. +#### Listing tokens + +When listing tokens, an abbreviated token will be displayed. For security purposes the full token is not displayed. + +#### Generating tokens + +When generating tokens, you will be prompted you for your password and, if you have two-factor authentication enabled, an otp. + +Currently, the npm registry doesn't allow the cli to generate automation tokens. This feature should be re-enabled soon. +For the time being, please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating automation tokens. + +#### Revoking tokens + +When revoking a token, you can use the full token (such as those you get back from `npm token create`, and those found in your `.npmrc`), or the truncated id. If the truncated id given is not distinct enough to differentiate between multiple existing tokens, you will need to use enough of the id to allow npm to distinguish between them. Full token ids can be found on the [npm website](https://www.npmjs.com), or in the `--parseable` or `--json` output of `npm token list`. This command will NOT accept the truncated token found in the normal `npm token list` output. + +A revoked token will immediately be removed from the registry and you will no longer be able to use it. ### Configuration From bf33f95100c8999a25bd547de33fa7aa411d7931 Mon Sep 17 00:00:00 2001 From: Gar Date: Wed, 26 Nov 2025 09:36:12 -0800 Subject: [PATCH 3/4] fixup: copy --- docs/lib/content/commands/npm-token.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/lib/content/commands/npm-token.md b/docs/lib/content/commands/npm-token.md index e077534d3a8a9..9f7d8c4c59644 100644 
--- a/docs/lib/content/commands/npm-token.md +++ b/docs/lib/content/commands/npm-token.md @@ -25,7 +25,7 @@ For the time being, please refer to the [docs website](https://docs.npmjs.com/cr #### Revoking tokens -When revoking a token, you can use the full token (such as those you get back from `npm token create`, and those found in your `.npmrc`), or the truncated id. If the truncated id given is not distinct enough to differentiate between multiple existing tokens, you will need to use enough of the id to allow npm to distinguish between them. Full token ids can be found on the [npm website](https://www.npmjs.com), or in the `--parseable` or `--json` output of `npm token list`. This command will NOT accept the truncated token found in the normal `npm token list` output. +When revoking a token, you can use the full token (e.g. what you get back from `npm token create`, or as can be found in an `.npmrc` file), or a truncated id. If the given truncated id is not distinct enough to differentiate between multiple existing tokens, you will need to use enough of the id to allow npm to distinguish between them. Full token ids can be found on the [npm website](https://www.npmjs.com), or in the `--parseable` or `--json` output of `npm token list`. This command will NOT accept the truncated token found in the normal `npm token list` output. A revoked token will immediately be removed from the registry and you will no longer be able to use it. From 6a21efb262d145d427d376d99196a0ffad3c4e20 Mon Sep 17 00:00:00 2001 From: Gar Date: Wed, 26 Nov 2025 09:59:12 -0800 Subject: [PATCH 4/4] fixup: copy --- docs/lib/content/commands/npm-token.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/lib/content/commands/npm-token.md b/docs/lib/content/commands/npm-token.md index 9f7d8c4c59644..fe451917fbd34 100644 --- a/docs/lib/content/commands/npm-token.md +++ b/docs/lib/content/commands/npm-token.md 
@@ -18,10 +18,11 @@ When listing tokens, an abbreviated token will be displayed. For security purpo #### Generating tokens +NOTE: Currently, the npm registry doesn't allow the cli to generate tokens. This feature should be re-enabled soon. + When generating tokens, you will be prompted you for your password and, if you have two-factor authentication enabled, an otp. -Currently, the npm registry doesn't allow the cli to generate automation tokens. This feature should be re-enabled soon. -For the time being, please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating automation tokens. +Please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating tokens for CI/CD. #### Revoking tokens
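Review bot: In [PATCH 1/4], the `--bypass-2fa` bullet describes the flag only as "useful for automation", and the `--password=` bullet only hints at the risk with "(safer to be prompted)". These are the two security-sensitive options in the list, so the text should state the trade-off. For `--password=`, say that a value passed on the command line can end up in shell history and process listings, which is why the prompt is preferred. For `--bypass-2fa`, point readers at the `--cidr=` and `--expires=` options in the same list as the way to limit such a token. Separately, `--name=` is described as "name/description" while `--token-description=` sits on the next line, so it is unclear which field holds what.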
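Review bot: In [PATCH 2/4], the added line under "Generating tokens" reads "you will be prompted you for your password"; drop the second "you" (the same line is carried as context in 4/4, so it is still present at the end of the series). The hunk also deletes the sample `npm token list` output and the per-flag bullets added in 1/4, so the "(safer to be prompted)" caution on `--password=` and the `--expires=` default of 7 days and maximum of 90 no longer appear in this part of the page. If the Configuration section that follows does not carry them, keep them here.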
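Review bot: In [PATCH 3/4], the rewritten "Revoking tokens" paragraph still says "a truncated id" is accepted, while its last sentence says the command will NOT accept "the truncated token found in the normal `npm token list` output", and the "Listing tokens" section calls the displayed value an "abbreviated token". That is three near-identical terms for two different things, and with the sample list output removed in 2/4 a reader cannot tell which value is which. Use one name for the token id and one for the token value throughout, and state once which of them `npm token revoke` accepts.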
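Review bot: In [PATCH 4/4], the new NOTE says the registry doesn't allow the cli to generate tokens, but the paragraph directly after it still describes what happens "When generating tokens", so the section contradicts itself. Put the alternative (the docs website link two lines further down) into the NOTE, and remove or qualify the prompt paragraph until the feature returns. "This feature should be re-enabled soon" has no date or tracking reference and will go stale. The wording also widens from "automation tokens" in the removed lines to all tokens, which is worth confirming as intended.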