Npm token TTL


Had a look at NPM tokens (generate, revoke) but wasn’t helpful.

We are taking a look at the security aspects of using npm tokens and would like to have more description from Sonatype on the following points which are not described in the official documentation.

  • What is the time to live of a npm token once generated against NX3
  • For user accounts being in the LDAP, if the password change in the LDAP, is the token invalidated?
  • How can the NX3 administrator list all current npm tokens
  • How can the NX3 administrators revoke some or all npm tokens

We had some tests and and seems the npm token stays valid for a user even when its password has been updated (LDAP account in our test).

Thank you for your support

@issa-gorissen have you ever found answers to your questions? I would like to know about token TTL as well. It seems that tokens are expiring from time to time, but I couldn’t find any documentation about it.

The tokens do not expire by time. But if the user associated with a token can no longer be found (e.g., a mapped LDAP user is no longer in the LDAP server), the token will expire.


@rseddon Thanks for your reply! We are a team of about 20 developers using the same user (local, no LDAP) to login to a NPM group containing a proxy to npm and a private repo. At least 2-3 times a week we get a 401 error while installing/restoring packages. The resolution for that is to manually remove the auth token generated by npm adduser from our local .npmrc file, and generate a new one (again with npm adduser). When we worked directly with npmjs (we have private packages there), we didn’t have this kind of issue even though we used one user for everyone.
So if there’s no TTL on tokens, I can’t explain why our tokens are expiring… Would appreciate you insight on this issue!