Enhance security recommendations for trusted publishers (#1703)

leobalter · Copilot · p- · web-flow · commit ae95f5514ee4 · 2025-09-15T09:02:43.000-07:00
Improve OIDC docs recommending disallowing non-OIDC tokens.

## References

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Peter Stöckli &lt;p-@github.com&gt;
diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx
@@ -147,6 +147,32 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le
 
 You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com). Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings.
 
+## Recommended: Restrict token access when using trusted publishers
+
+Once you've configured trusted publishers for your package, we strongly recommend restricting traditional token-based publishing access for enhanced security.
+
+### How to configure maximum security
+
+1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access**
+2. Select **"Require two-factor authentication and disallow tokens"**
+3. Save your changes by clicking on **Update Package Settings**
+
+### Why this matters
+
+Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management.
+
+**Note:** The "disallow tokens" setting only affects traditional token authentication. Your trusted publishers will continue to work normally, as they use OIDC tokens.
+
+### Migration tip
+
+If you're transitioning from token-based publishing:
+
+1. Set up trusted publishers first and verify they work
+2. Then restrict token access as described above
+3. [Revoke any existing automation tokens](https://docs.npmjs.com/revoking-access-tokens) that are no longer needed
+
+This ensures a smooth transition without disrupting your release process.
+
 ## Automatic provenance generation
 
 When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
