You can create and view access tokens from the website and command line interface (CLI).
In the upper right corner of the page, click your profile picture, then click Access Tokens.
Click Generate New Token.
(Optional) Name your token
Select the type of access token:
Read-only: a read-only token can only be used to download packages from the registry. It will have permission to read any private package that you have access to. This is recommended for automation and workflows where you are installing packages, but not publishing new ones.
Automation: an automation token can download packages and publish new ones, but if you have two-factor authentication (2FA) configured on your account, it will not be enforced. You can use an automation token in continuous integration workflows and other automation systems to publish a package even when you cannot enter a one-time passcode. This is recommended for automation workflows where you are publishing new packages.
Publish: a publish token can perform any action on your behalf, including downloading packages, publishing packages, and changing user settings or package settings. If you have two-factor authentication configured on your account, you will be required to enter a one-time passcode when using a publish token. This is recommended for interactive workflows.
Click Generate Token.
Copy the token from the top of page.
You can create tokens with read-only permissions or read and publish permissions with the CLI; you cannot currently create automation tokens.
In addition, you can specify that the token is only valid for a specific IPv4 address range, using CIDR notation. The token will only be valid when used from the specified IP addresses.
npm token create
for a read and publish tokennpm token create --read-only
for a read-only tokennpm token create --cidr=[list]
for a CIDR-restricted read and publish token. For example, npm token create --cidr=192.0.2.0/24
npm token create --read-only --cidr=[list]
for a CIDR-restricted read-only tokenIf the CIDR string you enter is invalid or in an inappropriate format, you will get an error similar to the one below:
npm ERR! CIDR whitelist contains invalid CIDR entry: X.X.X.X./YY,Z.Z.. . .
Make sure you are using a valid IPv4 range and try creating the token again.
Note: Full tokens are never displayed, only the first and last four characters will be shown. You can only view a full token immediately after creation.
To view all tokens associated with your account, in the upper right corner of the page, click your profile picture, then click Access Tokens.
To view all tokens associated with your account, on the command line, run the following command:
npm token list