# npm granular access token maximum lifetime 2025 automation token expires 90 days

Status: search-observed
Product: npm registry
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/npm-granular-access-token-maximum-lifetime-2025-automation-token-expires-90-days
Machine JSON: https://gitdocs.org/api/fixes/npm-granular-access-token-maximum-lifetime-2025-automation-token-expires-90-days.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

## Fix

The verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- npm granular access token maximum lifetime 2025 automation token expires 90 days
- npm token lifetime maximum 90 days October 2025
- npm trusted publishing token lifetime changes
- https://docs.npmjs.com/about-access-tokens
- 'expires' in https://docs.npmjs.com/creating-and-viewing-access-tokens
- site:github.blog npm authentication changes 90 days token lifetime
- https://github.blog/security/supply-chain-security/strengthening-npm-security-important-changes-to-authentication-and-token-management/
- Strengthening npm security important changes to authentication and token management
- "granular tokens" "seven-day expiration" npm GitHub blog
- "Strengthening npm security" "token management" "GitHub Blog"

## Sources

- npm classic tokens revoked; session auth and CLI token management: https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/
- Official reference opened by Codex: https://docs.npmjs.com/about-access-tokens
- Official reference opened by Codex: https://github.blog/security/supply-chain-security/strengthening-npm-security-important-changes-to-authentication-and-token-management/
