注意:你必须使用 npm 5.5.1 或更高版本才能使用访问令牌。

Note: You must be using npm version 5.5.1 or greater to use access tokens.

在使用 API 或 npm 命令行接口 (CLI) 时,访问令牌是使用你的用户名和密码对 npm 进行身份验证的替代方法。访问令牌是可用于身份验证的十六进制字符串,它赋予你安装和/或发布模块的权利。

An access token is an alternative to using your username and password for authenticating to npm when using the API or the npm command-line interface (CLI). An access token is a hexadecimal string that you can use to authenticate, and which gives you the right to install and/or publish your modules.

有两种类型的访问令牌可用:

There are two types of access tokens available:

你可以创建访问令牌以授予其他工具(例如持续集成测试环境)访问你的 npm 包的权限。例如,GitHub Actions 提供了存储 密码 的能力,例如访问令牌,你随后可以使用它来进行身份验证。当你的工作流程运行时,它将能够像你一样完成 npm 任务,包括安装你可以访问的私有包。

You can create access tokens to give other tools (such as continuous integration testing environments) access to your npm packages. For example, GitHub Actions provides the ability to store secrets, such as access tokens, that you can then use to authenticate. When your workflow runs, it will be able to complete npm tasks as you, including installing private packages you can access.

你可以使用来自 Web 或 CLI 的令牌,以最简单的为准。你在每个环境中所做的事情都会反映在另一个环境中。

You can work with tokens from the web or the CLI, whichever is easiest. What you do in each environment will be reflected in the other environment.

npm 令牌命令让你:

npm token commands let you:

  • 查看令牌以便于跟踪和管理

    View tokens for easier tracking and management

  • 创建新的旧版令牌

    Create new legacy tokens

  • 根据 IP 地址范围 (CIDR) 限制访问

    Limit access according to IP address ranges (CIDR)

  • 删除/撤销令牌

    Delete/revoke tokens

有关在 Web 和 CLI 上创建和查看访问令牌的更多信息,请参阅“创建和查看访问令牌”。

For more information on creating and viewing access tokens on the web and CLI, see "Creating and viewing access tokens".

关于旧令牌

About legacy tokens

旧版令牌的创建权限与创建它们的用户相同。当你运行 npm login 时,npm CLI 会自动生成并使用发布令牌。

Legacy tokens are created with the same permissions as the user who created them. The npm CLI automatically generates and uses a publish token when you run npm login.

旧版令牌分为三种不同类型:

There are three different types of legacy tokens:

  • 只读:你可以使用这些令牌从注册表下载包。这些令牌最适合安装包的自动化和工作流程。为了提高安全性,我们建议改用 粒度访问令牌

    Read-only: You can use these tokens to download packages from the registry. These tokens are best for automation and workflows where you are installing packages. For greater security, we recommend using granular access tokens instead.

  • 自动化:你可以使用这些令牌下载软件包和安装新软件包。这些令牌最适合你发布新包的自动化工作流程。自动化令牌不用于在 npm 上执行操作的 2FA,适用于 CI/CD 工作流。为了提高安全性,我们建议改用 粒度访问令牌

    Automation: You can use these tokens to download packages and install new ones. These tokens are best for automation workflows where you are publishing new packages. Automation tokens do not 2FA for executing operations on npm and are suitable for CI/CD workflows. For greater security, we recommend using granular access tokens instead.

  • 发布:你可以使用这些令牌下载包、安装包以及更新用户和包设置。我们建议将它们用于交互式工作流程,例如 CLI。如果你的账户启用了 2FA,发布令牌将需要 2FA 才能在 npm 上执行敏感操作。

    Publish: You can use these tokens to download packages, install packages, and update user and package settings. We recommend using them for interactive workflows such as a CLI. If 2FA is enabled on your account, publish tokens will require 2FA to execute sensitive operations on npm.

旧版令牌没有到期日。了解你的令牌并保护它们以确保账户安全非常重要。欲了解更多信息,请参阅“保护你的令牌”。

Legacy tokens do not have an expiration date. It is important to be aware of your tokens and keep them protected for account security. For more information, see "Securing your token."

关于粒度访问令牌

About granular access tokens

粒度访问令牌允许你根据令牌的用途来限制提供给令牌的访问权限。使用粒度访问令牌,你可以:

Granular access tokens allow you to restrict access provided to the token based on what you want to use the token for. With granular access tokens, you can:

  • 限制令牌可以访问的包和范围

    Restrict which packages and scopes a token has access to

  • 授予特定组织的令牌访问权限

    Grant tokens access to specific organizations

  • 设置令牌到期日期

    Set a token expiration date

  • 基于 IP 地址范围限制令牌访问

    Limit token access based on IP address ranges

  • 选择只读或读写访问权限

    Select between read-only or read and write access

你可以在 npm 账户上创建最多 1000 个粒度访问令牌。你可以设置令牌的有效期,至少是未来的一天。每个令牌最多可以访问 50 个组织,以及最多 50 个包、50 个范围或 50 个包和范围的组合。访问令牌与用户的许可相关联;因此它在任何时间点都不能拥有比用户更多的权限。如果用户从包或组织中撤消了他们的访问权限,则他们的粒度访问令牌也将从这些包或组织中撤消其访问权限。

You can create up to 1000 granular access tokens on your npm account. You can set how long your token is valid for, at least one day in the future. Each token can access up to 50 organizations, and up to either 50 packages, 50 scopes, or a combination of 50 packages and scopes. Access tokens are tied to users’ permission; hence it cannot have more permission than the user at any point in time. If a user has their access revoked from a package or an org., their granular access token also will have its access revoked from those packages or org.

当你向组织授予令牌访问权限时,该令牌只能用于管理组织设置以及与该组织关联的团队或用户。它不赋予令牌发布由组织管理的包的权利。

When you give a token access to an organization, the token can only be used for managing organization settings and teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization.

npm 中文网 - 粤ICP备13048890号