Thursday, 18 May, 2017 UTC


Since before the release of npm 2.0 in 2014 we have encouraged developers using our APIs to use token authentication instead of passing username and password in a basic auth header. Over the next few weeks we will be turning the recommendation into a requirement: basic http authentication will no longer work for any of the npm registry endpoints that require authorization. Instead you should use bearer tokens.
There are two exceptions:
  • The /login endpoint remains the endpoint to use to log into the npm registry & generate an auth token for later use.
  • The /whoami endpoint will continue to respond with the username for a successful login.
Both of these endpoints are monitored and rate-limited to detect abuse.
If you’re an npm user, this change will likely not affect you. Log in with the npm cli as you would normally:
npm login 
A successful login will store an auth token in your .npmrc , which the client will use for all actions that require auth.
If you are using the npm cli to interact with registries other than npm’s, you should also not be affected. We have no plans to remove support for basic auth from the npm cli.
If you are a developer using npm’s API, make sure you’re using a bearer token when you need to authenticate with the registry. For more information about how to do this, please see the documentation for npm/npm-registry-client. This package is what the official command-line client uses to do this work.
If you have any questions or requests for us, please contact npm support. We want to hear about how you’re using our APIs and how you’d like them to evolve to support your use cases.