Using private packages in a CI/CD workflow
See Details
Table of contents
You can use access tokens to test private npm packages with continuous integration (CI) systems, or deploy them using continuous deployment (CD) systems.
Recommended: Use trusted publishing for package publishing
For publishing packages from CI/CD workflows, we recommend using trusted publishing instead of access tokens. Trusted publishing uses OpenID Connect (OIDC) to provide secure publishing that eliminates the security risks associated with long-lived tokens.
Trusted publishing is supported for:
- GitHub Actions (GitHub-hosted runners)
- GitLab CI/CD (GitLab.com shared runners)
If you use a different CI/CD provider, or if you need to install private packages (not publish), you can use access tokens as described below.
Create a new access token
Create a new access token that will be used only to access npm packages from a CI/CD server.
Continuous integration
When generating an access token for use in a continuous integration environment, we recommend using a granular access token with limited access to provide greater security.
For most CI workflows that only install dependencies and run tests, a read-only granular access token is sufficient and most secure.
Note: If your CI workflow requires write operations (such as publishing test packages), you may need a granular access token with read and write permissions and bypass 2FA enabled to prevent automated workflows from being blocked by 2FA prompts. However, we strongly recommend using read-only tokens whenever possible and reserving bypass 2FA for deployment workflows only.
Warning: Legacy access tokens are removed as of November 2025.
For more information on creating granular access tokens, including CIDR-whitelisted tokens, see "Creating and viewing access tokens".
Continuous deployment
For publishing packages in continuous deployment environments, we strongly recommend using trusted publishing when available, as it provides enhanced security without requiring token management.
If trusted publishing is not available for your CI/CD provider, you can create a granular access token with bypass 2FA enabled on the website. This will allow you to publish even if you have two-factor authentication enabled on your account.
Security considerations for bypass 2FA:
- Only enable bypass 2FA when necessary for automated publishing workflows
- Use restrictive permissions and short expiration dates
- Consider IP address restrictions and regular token rotation
- Use trusted publishing instead of bypass 2FA tokens whenever possible
Interactive workflows
If your workflow produces a package, but you publish it manually after validation, then you will want to create a granular access token with read and write permissions. See "Creating and viewing access tokens" for instructions.
CIDR whitelists
For increased security, you may use a CIDR-whitelisted granular access token that can only be used from a certain IP address range. You can configure IP address restrictions when creating your granular access token on the website.
For more information, see "Creating and viewing access tokens".
Set the token as an environment variable on the CI/CD server
Set your token as an environment variable, or a secret, in your CI/CD server.
For example, in GitHub Actions, you would add your token as a secret. Then you can make the secret available to workflows.
If you named the secret NPM_TOKEN, then you would want to create an environment variable named NPM_TOKEN from that secret.
steps:- run: |npm install- env:NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
Consult your CI/CD server's documentation for more details.
Create and check in a project-specific .npmrc file
Use a project-specific .npmrc file with a variable for your token to securely authenticate your CI/CD server with npm.
-
In the root directory of your project, create a custom
.npmrcfile with the following contents://registry.npmjs.org/:_authToken=${NPM_TOKEN}Note: that you are specifying a literal value of
${NPM_TOKEN}. The npm cli will replace this value with the contents of theNPM_TOKENenvironment variable. Do not put a token in this file. -
Check in the
.npmrcfile.
Securing your token
Your token may have permission to read private packages, publish new packages on your behalf, or change user or package settings. Protect your token.
Do not add your token to version control or store it insecurely. Store it in a password manager, your cloud provider's secure storage, or your CI/CD provider's secure storage.
When possible, use granular access tokens with the minimum permissions necessary, and set short expiration dates for your tokens. For more information, see "About access tokens."
