About access tokens
Note: You must be using npm version 5.5.1 or greater to use access tokens.
An access token is an alternative to using your username and password for authenticating to npm when using the API or the npm command-line interface (CLI). An access token is a hexadecimal string that you can use to authenticate, and which gives you the right to install and/or publish your modules.
As of November 2025, only granular access tokens are supported. Legacy access tokens have been removed.
You can create access tokens to give other tools (such as continuous integration testing environments) access to your npm packages. For example, GitHub Actions provides the ability to store secrets, such as access tokens, that you can then use to authenticate. When your workflow runs, it will be able to complete npm tasks as you, including installing private packages you can access.
You can work with tokens from the web or the CLI, whichever is easiest. What you do in each environment will be reflected in the other environment.
npm token commands let you:
- View tokens for easier tracking and management
- Limit access according to IP address ranges (CIDR)
- Delete/revoke tokens
For more information on creating and viewing access tokens on the web and CLI, see "Creating and viewing access tokens".
About granular access tokens
Granular access tokens allow you to restrict the access provided to the token based on what you want to use the token for. With granular access tokens, you can:
- Restrict which packages and scopes a token has access to
- Grant tokens access to specific organizations
- Set a token expiration date
- Limit token access based on IP address ranges
- Select between read-only or read and write access
- Configure a token to bypass 2FA requirements
You can create up to 1000 granular access tokens on your npm account. You can set how long your token is valid for, at least one day in the future. Each token can access up to 50 organizations, and up to either 50 packages, 50 scopes, or a combination of 50 packages and scopes. Access tokens are tied to the user's permissions; hence a token cannot have more permissions than the user at any point in time. If a user has their access revoked from a package or an org, their granular access token will also have its access revoked from those packages or orgs.
When you give a token access to an organization, the token can only be used for managing organization settings and the teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization.
The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token. Do not set Bypass 2FA to true if a package or organization requires fully enforced 2FA.
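The rules stated above (the per-token limits and one-day minimum lifetime, CIDR restriction, package/scope selection, a token never exceeding its user's permissions, org access not implying publish rights, and Bypass 2FA taking precedence only on write tokens) can be checked mechanically. The following is an added example, not npm's own code or API: it models a granular token as a small dataclass and evaluates those rules the way a reviewer of a token request or a policy check in CI might. Names such as GranularToken, validate_token_request and token_permits are assumptions for this illustration, as is the convention that an empty package/scope or CIDR list means "no restriction".

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Limits as stated on the page.
MAX_ORGS = 50
MAX_PACKAGES_AND_SCOPES = 50
MIN_LIFETIME = timedelta(days=1)


@dataclass
class GranularToken:
    """Hypothetical model of the settings a granular access token carries."""
    packages: list[str] = field(default_factory=list)  # e.g. "@acme/api"
    scopes: list[str] = field(default_factory=list)    # e.g. "@acme"
    orgs: list[str] = field(default_factory=list)
    read_only: bool = True
    bypass_2fa: bool = False
    cidrs: list[str] = field(default_factory=list)     # e.g. "203.0.113.0/24"
    expires_at: datetime | None = None


def validate_token_request(tok: GranularToken, now: datetime) -> list[str]:
    """Return the page's constraints that a token request violates (empty == OK)."""
    problems: list[str] = []
    if len(tok.orgs) > MAX_ORGS:
        problems.append("more than 50 organizations")
    if len(tok.packages) + len(tok.scopes) > MAX_PACKAGES_AND_SCOPES:
        problems.append("more than 50 packages and scopes combined")
    # Assumption: an expiration is always set; it must be at least one day out.
    if tok.expires_at is None or tok.expires_at < now + MIN_LIFETIME:
        problems.append("expiration must be at least one day in the future")
    if tok.bypass_2fa and tok.read_only:
        problems.append("Bypass 2FA applies only to tokens with write access")
    for cidr in tok.cidrs:
        try:
            ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 203.0.113.5/24
        except ValueError:
            problems.append(f"invalid CIDR range: {cidr}")
    return problems


def source_ip_allowed(tok: GranularToken, source_ip: str) -> bool:
    """Empty CIDR list (assumption) means unrestricted; otherwise the caller must fall in a range."""
    if not tok.cidrs:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in tok.cidrs)


def _scope_of(package: str) -> str | None:
    return package.split("/", 1)[0] if package.startswith("@") else None


def token_permits(tok: GranularToken, action: str, package: str, source_ip: str,
                  user_can_access: set[str], now: datetime) -> bool:
    """Decide whether an 'install' or 'publish' of `package` is allowed with this token.

    Order of checks: expiry, CIDR, the user's own permission (a token never outranks
    its user), read-only vs publish, then the package/scope selection. Org membership
    on the token is deliberately never consulted here: it grants no publish rights.
    """
    if tok.expires_at is not None and now >= tok.expires_at:
        return False
    if not source_ip_allowed(tok, source_ip):
        return False
    if package not in user_can_access:
        return False
    if action == "publish" and tok.read_only:
        return False
    if not tok.packages and not tok.scopes:  # assumption: no selection == all the user's packages
        return True
    return package in tok.packages or _scope_of(package) in tok.scopes


def requires_2fa(tok: GranularToken, account_2fa_enabled: bool,
                 package_requires_2fa: bool) -> bool:
    """For a write operation: Bypass 2FA on a write token overrides account- and package-level 2FA."""
    if tok.bypass_2fa and not tok.read_only:
        return False
    return account_2fa_enabled or package_requires_2fa


if __name__ == "__main__":
    now = datetime(2025, 11, 1, tzinfo=timezone.utc)  # constructed clock
    ci_token = GranularToken(scopes=["@acme"], read_only=False,
                             cidrs=["203.0.113.0/24"], expires_at=now + timedelta(days=30))
    print("request problems:", validate_token_request(ci_token, now))
    print("publish @acme/api from runner:",
          token_permits(ci_token, "publish", "@acme/api", "203.0.113.7", {"@acme/api"}, now))
    print("publish from outside CIDR:",
          token_permits(ci_token, "publish", "@acme/api", "198.51.100.7", {"@acme/api"}, now))
    print("2FA still required:", requires_2fa(ci_token, True, True))
```

The check that matters most operationally is the `user_can_access` one: when a maintainer's access to a package or org is revoked, every token they created loses it at the same moment, so token inventories should be reviewed alongside membership changes rather than treated as independent credentials.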