Note: You must use npm version 5.5.1 or later to use access tokens.

An access token is an alternative to using your username and password for authenticating to npm when using the API or the npm command-line interface (CLI). An access token is a hexadecimal string that you can use to authenticate, and which gives you the right to install and/or publish your modules.

As of November 2025, only granular access tokens are supported. Legacy access tokens have been removed.

You can create access tokens to give other tools (such as continuous integration testing environments) access to your npm packages. For example, GitHub Actions provides the ability to store secrets, such as access tokens, that you can then use to authenticate. When your workflow runs, it will be able to complete npm tasks as you, including installing private packages you can access.
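Because a CI job acts with the full rights of the token, the token should reach npm only through the job's secret store, never through a file committed to the repository. The following helper is an added example, not part of the npm documentation: it writes a project-local `.npmrc` that references the token through an environment variable (npm expands `${VAR}` in `.npmrc` at run time) and lints an existing `.npmrc` for literal token values. The variable name `NPM_TOKEN` and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the npm docs). Assumes the CI system exports the
# access token as NPM_TOKEN (e.g. from a GitHub Actions secret).

# Write an .npmrc that points npm at the token held in NPM_TOKEN.
# Fails if the variable is empty so a misconfigured job stops before npm
# runs unauthenticated and quietly falls back to public packages only.
write_ci_npmrc() {
  out=$1
  if [ -z "${NPM_TOKEN:-}" ]; then
    echo "NPM_TOKEN is not set; refusing to write $out" >&2
    return 1
  fi
  # Single quotes keep the literal ${NPM_TOKEN} text in the file;
  # npm resolves the reference itself when it reads the config.
  printf '%s\n' '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > "$out"
  chmod 600 "$out"
}

# Return 0 (true) if any _authToken line in the file carries a literal
# value instead of an environment-variable reference, i.e. a token that
# would be committed alongside the code.
has_literal_token() {
  file=$1
  grep -E '_authToken=' "$file" 2>/dev/null \
    | grep -vqE '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}$'
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
  write)
    write_ci_npmrc "${2:-.npmrc}" ;;
  lint)
    if has_literal_token "${2:-.npmrc}"; then
      echo "literal npm token found in ${2:-.npmrc}" >&2
      exit 1
    fi ;;
esac
```

In a pipeline the job would run `sh ci-npmrc.sh write` after loading the secret and `sh ci-npmrc.sh lint .npmrc` as a pre-commit or pre-merge check; the lint step is what turns an accidentally pasted token into a failed build rather than a leaked credential.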

You can work with tokens from the web or the CLI, whichever is easiest. What you do in each environment will be reflected in the other environment.

npm token commands let you:

  • View tokens for easier tracking and management
  • Restrict access by IP address range (CIDR)
  • Delete/revoke tokens

For more information on creating and viewing access tokens on the web and CLI, see "Creating and viewing access tokens".

About granular access tokens

Granular access tokens allow you to restrict the access a token provides based on what you want to use the token for. With granular access tokens, you can:

  • Restrict the packages and scopes the token can access
  • Grant the token access to specific organizations
  • Set an expiration date for the token
  • Limit token access by IP address range
  • Choose read-only or read-and-write permissions
  • Configure a token to **bypass two-factor authentication (2FA)** requirements

You can create up to 1000 granular access tokens on your npm account. You can set how long your token is valid for, at least one day in the future. Each token can access up to 50 organizations, and up to either 50 packages, 50 scopes, or a combination of 50 packages and scopes. Access tokens are tied to the user's permissions; hence a token cannot have more permissions than the user at any point in time. If a user has their access revoked from a package or an org, their granular access token will also have its access revoked from those packages or orgs.

When you give a token access to an organization, the token can only be used for managing organization settings and the teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization.

The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token. Do not set Bypass 2FA to true if a package or organization requires fully enforced 2FA.