Authentication/token lifecycle

npm granular access token maximum lifetime 2025 automation token expires 90 days

A provisioning script cannot create the formerly long-lived granular token requested by policy.


Agent Quick Fix

Repair against the current npm registry contract, then keep the change narrow and source-backed.

Product: npm registry
Current-contract area: Long-lived automation token violates new maximum lifetime
Likely root cause: A provisioning script cannot create the formerly long-lived granular token requested by policy.
Repair direction: Verifier validates the new authentication flow, token class, and claims rather than accepting a hard-coded secret. For publish probes, verify provenance and package identity as well as authentication.

Symptom

A provisioning script cannot create the formerly long-lived granular token requested by policy.

Why This Happens

Credentials and issuer rules live outside the codebase; the same local 401 can mean revocation, expiry, scope, audience, or provenance drift.

Common Wrong Fixes

  • Changing local code without checking the current external contract.
  • Retrying the same install, build, or API call with no version/source change.
  • Applying a broad unsafe bypass when a narrow compatibility fix is available.
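One narrow fix for the provisioning script described under Symptom is to check the requested lifetime before calling the registry, and to audit existing tokens the same way. This is an added example, not npm's code or code from the original page. The 90-day maximum is an assumption taken from this page's search terms, and the policy and inventory record shapes are hypothetical.

```javascript
// Added example, not npm's code. MAX_LIFETIME_DAYS is an assumption taken from
// the 90-day figure in this page's search terms; confirm it in the npm docs.
const MAX_LIFETIME_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

// policy (hypothetical shape): { name, lifetimeDays: number | null, rotateBeforeDays? }
// lifetimeDays === null models a legacy "never expires" request.
function planTokenRequest(policy, now = new Date(), maxDays = MAX_LIFETIME_DAYS) {
  const requested = policy.lifetimeDays;
  if (requested !== null && (!Number.isInteger(requested) || requested <= 0)) {
    throw new RangeError(`invalid lifetimeDays for ${policy.name}: ${requested}`);
  }
  const clamped = requested === null || requested > maxDays;
  const lifetimeDays = clamped ? maxDays : requested;
  // Rotate ahead of expiry, but never before the token has been issued.
  const rotateBefore = Math.min(policy.rotateBeforeDays ?? 14, lifetimeDays - 1);
  const expiresAt = new Date(now.getTime() + lifetimeDays * DAY_MS);
  const rotateAt = new Date(expiresAt.getTime() - rotateBefore * DAY_MS);
  return { name: policy.name, lifetimeDays, clamped,
           expiresAt: expiresAt.toISOString(), rotateAt: rotateAt.toISOString() };
}

// token (hypothetical inventory record): { name, created, expires } as ISO strings,
// expires === null when no expiry was recorded.
function auditToken(token, now = new Date(), maxDays = MAX_LIFETIME_DAYS) {
  if (token.expires === null) return 'no-expiry';
  const created = Date.parse(token.created);
  const expires = Date.parse(token.expires);
  if (Number.isNaN(created) || Number.isNaN(expires)) return 'unparseable';
  if (expires <= now.getTime()) return 'expired';
  if (expires - created > maxDays * DAY_MS) return 'over-max';
  return 'ok';
}

// Constructed sample data, for illustration only.
const NOW = new Date('2025-11-01T00:00:00Z');
const POLICIES = [
  { name: 'ci-publish', lifetimeDays: null },
  { name: 'docs-bot', lifetimeDays: 30, rotateBeforeDays: 7 },
];
const INVENTORY = [
  { name: 'old-automation', created: '2024-01-10T00:00:00Z', expires: null },
  { name: 'year-long', created: '2025-06-01T00:00:00Z', expires: '2026-06-01T00:00:00Z' },
  { name: 'recent', created: '2025-10-20T00:00:00Z', expires: '2025-10-27T00:00:00Z' },
];
for (const p of POLICIES) console.log(planTokenRequest(p, NOW));
for (const t of INVENTORY) console.log(t.name, auditToken(t, NOW));
```

A plan with `clamped: true` marks a policy entry that still asks for more than the registry will grant, so the policy can be updated instead of the script failing at creation time.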

Codex Search Keywords

These are the search terms observed in a neutral Codex validation run for this failure shape.

npm granular access token maximum lifetime 2025 automation token expires 90 days
npm token lifetime maximum 90 days October 2025
npm trusted publishing token lifetime changes
https://docs.npmjs.com/about-access-tokens
'expires' in https://docs.npmjs.com/creating-and-viewing-access-tokens
site:github.blog npm authentication changes 90 days token lifetime
https://github.blog/security/supply-chain-security/strengthening-npm-security-important-changes-to-authentication-and-token-management/
Strengthening npm security important changes to authentication and token management
"granular tokens" "seven-day expiration" npm GitHub blog
"Strengthening npm security" "token management" "GitHub Blog"

Source Trail