NPM token rotation for node API client - alphagov/notifications-manuals GitHub Wiki
As of October 2025 npm now uses granular access tokens which expire every 90 days. As such we have decided it only makes sense to renew the token when required.
The token is stored in notifications-credentials at
notify-pass credentials/npm/auth-token
To log into the npm portal use the username in this entry (not the email address):
notify-pass credentials/npm/user
Authenticate using the password at:
notify-pass credentials/npm/password
Use the MFA code like this:
notify-pass show credentials/npm/2fa-key | python -c "import sys, pyotp; print(pyotp.TOTP(sys.stdin.read().strip()).now())" | pbcopy
Follow the instructions at the link below to renew the token and generate a new secret token which you will store in notifications-credentials. Use these options when asked:
Token name: notifycicd<month><year>
Description: cicd token
Choose to Bypass two-factor authentication
Allowed IP range: Add all the IP ranges specified in this file
Packages and scopes: All packages
Organizations: No access
Choose the maximum expiry time frame (90 days)
https://docs.npmjs.com/creating-and-viewing-access-tokens
Once you have the new secret token, create a new branch on notifications-credentials, update the token like this:
git checkout -b rotating-npm-token
notify-pass edit credentials/npm/auth-token
Raise a PR to the notifications-credentials repo to get the new token into the main branch.
After the PR has been merged, retry releasing the client using the api-clients node-client pipeline.