Securing Your NPM Publishing: Transitioning to Trusted Publishing
Speakeasy Team
November 5, 2025 - 3 min read
The npm ecosystem is evolving, and if you’re publishing TypeScript or MCP TypeScript SDKs, there are important changes on the horizon that you need to know about.
The Landscape is Changing
In the wake of recent supply chain attacks targeting the NPM ecosystem, the maintainers have made a decisive move to strengthen security across the platform. At the heart of these changes is a recognition that long-lived authentication tokens—once a convenient standard—have become a significant security vulnerability.
Starting in October, NPM introduced a fundamental shift: all newly created write-enabled granular access tokens now come with a default expiration of just seven days, with a maximum lifespan of 90 days. But that’s just the beginning.
In the coming weeks, NPM will take two additional steps:
- Revoking all existing legacy classic tokens for npm publishers
- Permanently disabling legacy classic token generation on npmjs.com
If your publishing workflow relies on these tokens, the clock is ticking.
A Better Way Forward: Trusted Publishing
Rather than simply adapting to shorter-lived tokens and the rotation headaches they bring, there’s a more elegant solution: Trusted Publishing.
At Speakeasy, we strongly recommend migrating to trusted publishing. It gives you:
- Simplified authentication using OpenID Connect (OIDC)—no more juggling tokens
- Zero token rotation required—ever
- Automatic provenance attestation for enhanced supply chain security
It’s not just more secure; it’s actually easier to maintain.
What You Need to Do
Step 1: Update Your GitHub Workflow Permissions
First, ensure your GitHub workflows have the necessary permissions to generate OIDC tokens. Add the id-token: write permission to any workflows used for publishing NPM packages:
```yaml
name: Publish
permissions:
  checks: write
  contents: write
  pull-requests: write
  statuses: write
  id-token: write # Required for OpenID Connect (OIDC)
...
```
Pro tip
Not sure if you’ve got it right? Run speakeasy configure publishing in your local repository. This command will automatically add the required permission and provide instructions tailored to your specific SDK configuration.
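For readers who want to see the whole publishing job rather than only the permissions block, here is an added example workflow that is not from the original post and is not what the Speakeasy generator emits. It shows the legacy long-lived-token step (commented out) beside the trusted-publishing step that replaces it. The job id, the trigger, the `build` script and the Node version are assumptions; the npm CLI version requirement is taken from npm's trusted-publishing documentation at the time of writing.

```yaml
# Added example (not the original post's or Speakeasy's own workflow):
# a minimal GitHub Actions workflow that publishes an npm package via
# trusted publishing. Job id, trigger and script names are assumptions.
name: Publish

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # No registry-url here: setup-node would otherwise write an .npmrc that
      # expects a NODE_AUTH_TOKEN, which trusted publishing does not use.
      - uses: actions/setup-node@v4
        with:
          node-version: "22"

      # Trusted publishing needs a recent npm CLI (11.5.1 or newer per npm's
      # docs at the time of writing); upgrade explicitly so the runner image's
      # bundled version does not matter.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build

      # Legacy approach (what trusted publishing replaces): a long-lived token
      # stored as a repository secret and handed to npm on every run.
      # - run: npm publish --access public
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Trusted publishing: npm exchanges the workflow's OIDC token for a
      # short-lived publish credential, and provenance is attested automatically.
      - run: npm publish --access public
```

Once the package is published this way, a consuming project can run `npm audit signatures` to verify the registry signatures and provenance attestations of its installed dependencies, which is the command-line counterpart of the Provenance badge described in Step 3.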
Step 2: Configure Trusted Publishing on NPM
- Head over to your package settings on npmjs.com
- Select GitHub Actions as your Trusted Publisher
- Enter the GitHub user and Repository Name for your SDK
- Identify your publishing workflow file (typically found in .github/workflows/):
  - For pr mode: usually sdk_publish.yaml
  - For direct mode: usually sdk_generation.yaml
- Leave the Environment field blank
- Keep the “Don’t require two-factor authentication” option selected in the Publishing access section.
Step 3: Test Your Configuration
Before you celebrate, let’s make sure everything works:
- Navigate to your repository’s Actions tab on GitHub
- Run the Generate workflow with these settings:
  - ✅ Check the “Force generation of SDKs” box
  - Bump the SDK version using the optional “set a specific SDK version” field
- Once published, visit your package on npmjs.com
Look for two things that confirm success:
- A green checkmark ✓ indicating the package was published using OIDC
- A Provenance badge at the end of the README
The Bottom Line
The NPM ecosystem is moving toward a more secure future, and trusted publishing is the path forward. While these changes might require a bit of setup work now, they’ll save you time and headaches down the road—not to mention significantly improving your supply chain security posture.
Don’t wait until your legacy tokens are revoked. Make the transition to trusted publishing today, and publish with confidence.
Questions about setting up trusted publishing for your Speakeasy-generated SDKs? Check out our documentation.