Expand Up @@ -148,6 +148,32 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le

You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com). Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings.

## Recommended: Restrict token access when using trusted publishers

Once you've configured trusted publishers for your package, we strongly recommend restricting traditional token-based publishing access for enhanced security.

### How to configure maximum security

1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access**
2. Select **"Require two-factor authentication and disallow tokens"**
3. Save your changes by clicking on **Update Package Settings**

### Why this matters

Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management.

**Note:** The "disallow tokens" setting only affects traditional token authentication. Your trusted publishers will continue to work normally, as they use OIDC tokens.

### Migration tip

If you're transitioning from token-based publishing:

1. Set up trusted publishers first and verify they work
2. Then restrict token access as described above
3. [Revoke any existing automation tokens](https://docs.npmjs.com/revoking-access-tokens) that are no longer needed

This ensures a smooth transition without disrupting your release process.

## Automatic provenance generation

When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
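Review bot: The "Why this matters" paragraph states the benefit of "Require two-factor authentication and disallow tokens" but not its operational effect, namely that any remaining CI job or maintainer that still publishes this package with a classic or granular access token will fail once the setting is saved; consider stating that consequence explicitly here rather than leaving it implied by the ordering in "Migration tip" ("Set up trusted publishers first and verify they work" before "Then restrict token access"). Related, step 3 of the migration tip says to revoke tokens "that are no longer needed", which asks the reader to judge which tokens are still needed; since the setting already blocks token-based publishing for this package, a firmer recommendation (revoke every token that was created for publishing this package) would be clearer and would also remove credentials that could otherwise be reused if the setting is later relaxed.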