npm is seeing error code E401 / 401 unauthorized from NPM registry

Problem:

Jobs that interact with the npm registry may fail with authorization errors and print the following notice and error:

npm notice SECURITY NOTICE: Classic tokens expire December 9. Granular tokens now limited to 90 days with 2FA enforced by default. Update your CI/CD workflows to avoid disruption. Learn more: https://gh.io/npm-token-changes

npm error code E401

npm error 401 Unauthorized - GET https://registry.npmjs.org/-/npm/v1/tokens

npm has recently made security changes to the registry. Classic tokens have been deprecated, creation of new classic tokens has been disabled, and existing tokens are being revoked beginning December 9th, 2025.

Solutions:

  • Solution 1 - Generate new npm granular access tokens with appropriate scoped permissions.

    • Note the default token expiration of 7 days and the maximum of 90 days
    • You will need to manage the tracking and rotation of these keys
  • Solution 2 - Trusted publishing via OIDC

    • Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using OpenID Connect (OIDC) authentication
    • CircleCI has been actively working with GitHub/npm to become an approved trusted publisher. We have updated our OIDC implementation to have parity with what’s needed based on current trusted publishers. We are ready to integrate when approval is granted. Based on GitHub/npm’s projections, this may occur in Q1, 2026.
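
One way to handle the tracking that Solution 1 requires, as an added example that is not CircleCI's or npm's code: an inventory check that flags granular tokens nearing expiry. The token names, dates, the 14-day warning window and the choice to treat the expiry date itself as expired are assumptions; only the 7-day default and 90-day maximum come from this article.

```python
from datetime import date, timedelta

MAX_LIFETIME_DAYS = 90     # maximum granular token lifetime (from the article)
DEFAULT_LIFETIME_DAYS = 7  # default granular token lifetime (from the article)

# Constructed inventory. Only metadata is recorded here, never token values.
# lifetime_days=None means the token was created with the default expiration.
INVENTORY = [
    {"name": "ci-publish", "created": date(2025, 12, 1), "lifetime_days": 90},
    {"name": "ci-install", "created": date(2026, 1, 10), "lifetime_days": None},
    {"name": "nightly", "created": date(2026, 1, 1), "lifetime_days": 7},
    {"name": "legacy-job", "created": date(2025, 11, 1), "lifetime_days": 365},
]


def expiry(entry):
    """Return the expiry date, rejecting lifetimes above the 90-day maximum."""
    days = entry["lifetime_days"] or DEFAULT_LIFETIME_DAYS
    if days > MAX_LIFETIME_DAYS:
        raise ValueError(f"{entry['name']}: {days} days exceeds the maximum")
    return entry["created"] + timedelta(days=days)


def rotation_report(inventory, today, warn_days=14):
    """Map each token name to 'ok', 'rotate', 'expired' or 'invalid'."""
    report = {}
    for entry in inventory:
        try:
            remaining = (expiry(entry) - today).days
        except ValueError:
            # The record cannot describe a granular token; fix the inventory.
            report[entry["name"]] = "invalid"
            continue
        if remaining <= 0:
            report[entry["name"]] = "expired"  # jobs using it will get E401
        elif remaining <= warn_days:
            report[entry["name"]] = "rotate"   # replace before jobs fail
        else:
            report[entry["name"]] = "ok"
    return report


if __name__ == "__main__":
    result = rotation_report(INVENTORY, date.today())
    for name, status in sorted(result.items()):
        print(f"{name}: {status}")
    # A non-zero exit lets a scheduled job alert on tokens that need action.
    raise SystemExit(0 if set(result.values()) <= {"ok"} else 1)
```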

Outcome:

Once granular keys have been generated and maintained, or OIDC has been enabled, your CircleCI jobs will be able to successfully authenticate.

Granular tokens will allow authentication during the transition period prior to enablement of trusted publishing via OIDC.
