About access tokens

Note: You must be using npm version 5.5.1 or greater to use access tokens.

An access token is an alternative to using your username and password for authenticating to npm when using the API or the npm command-line interface (CLI). An access token is a hexadecimal string that you can use to authenticate, and which gives you the right to install and/or publish your modules.

The npm CLI automatically generates an access token for you when you run npm login. You can also create an access token to give other tools (such as continuous integration testing environments) access to your npm packages. For example, GitHub Actions provides the ability to store secrets, like access tokens, that you can then use to authenticate. When your workflow runs, it will be able to complete npm tasks as you, including installing private packages you can access.

You can work with tokens from the web or the CLI, whichever is easiest. What you do in each environment will be reflected in the other environment.

npm token commands let you:

  • View tokens for easier tracking and management
  • Create new tokens, specifying read-only or full-permission
  • Limit access according to IP address ranges (CIDR)
  • Delete/revoke tokens

For more information on creating and viewing access tokens on the web and CLI, see "Creating and viewing access tokens".