At GitHub, we’re constantly striving to secure the supply chain with our products and features. Earlier this year, we announced a new authentication token format for GitHub, and we’re excited to share that npm access tokens will now follow the same format of GitHub authentication tokens.
Previously, the npm access tokens were created as a UUID pattern of 36 characters. This has its limitations, such as inaccurate detection of compromised npm tokens in packages and GitHub repositories.
Identifiable prefixes and higher entropy patterns
With the new pattern, access tokens now start with an identifiable prefix, npm, so they are easier to index by features like GitHub secret scanning and npm’s internal secret scanners, providing higher security for your packages. Moreover, the delimiter that follows the prefix is no longer a hyphen (-) but an underscore (_), which means that the full token can be selected when double-clicked (saving you 0.005 seconds 🎉).
Entropy is a logarithmic measure of how unpredictable a value is. In the case of an access token, the higher the entropy, the better. By matching GitHub’s token format, our tokens are longer and have a larger alphabet. Because of this, we increased our entropy from 128 to 178!
The last six characters of the token consist of a CRC32 checksum, encoded in our Base62 implementation, to further eliminate false positives when scanning for leaked tokens.
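To make the two numbers above concrete, here is an added worked example (not npm’s or GitHub’s code) that computes the entropy of both formats, builds a token with the npm_ prefix and a Base62-encoded CRC32 suffix, and shows how a scanner uses the checksum to reject look-alike strings. It assumes a 30-character random part (the length that gives roughly 178 bits with a 62-symbol alphabet), that the checksum covers only the random part, the 0-9A-Za-z alphabet order, and zero-padding of the checksum to six characters; none of those details are stated on this page.

```python
import math
import re
import secrets
import zlib

# Assumed alphabet order and layout; only the prefix and checksum length come from the post.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "npm_"
RANDOM_LEN = 30    # assumption: 30 uniformly random Base62 symbols ~ 178.6 bits
CHECKSUM_LEN = 6   # 62**6 > 2**32, so six symbols always hold a CRC32 value


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` uniformly random symbols drawn from an alphabet."""
    return length * math.log2(alphabet_size)


def base62_encode(n: int, width: int) -> str:
    """Encode a non-negative integer as Base62, left-padded with '0' to `width`."""
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(BASE62[rem])
    text = "".join(reversed(digits)) or "0"
    if len(text) > width:
        raise ValueError("value does not fit in the requested width")
    return text.rjust(width, "0")


def base62_decode(text: str) -> int:
    """Inverse of base62_encode (leading zeros are harmless)."""
    value = 0
    for ch in text:
        value = value * 62 + BASE62.index(ch)
    return value


def checksum(random_part: str) -> str:
    """CRC32 of the random part, rendered as six Base62 characters."""
    return base62_encode(zlib.crc32(random_part.encode("ascii")), CHECKSUM_LEN)


def build_token(random_part: str) -> str:
    """Assemble prefix + random part + checksum (deterministic, for testing)."""
    if len(random_part) != RANDOM_LEN or any(c not in BASE62 for c in random_part):
        raise ValueError("random part must be 30 Base62 characters")
    return PREFIX + random_part + checksum(random_part)


def generate_token() -> str:
    """Generate a fresh token using a CSPRNG for the random part."""
    return build_token("".join(secrets.choice(BASE62) for _ in range(RANDOM_LEN)))


def looks_like_token(candidate: str) -> bool:
    """Scanner-side filter: prefix, length, alphabet and checksum must all agree.

    A CRC32 detects every change confined to a single character, so a regex
    match whose checksum does not verify is a false positive, not a token.
    """
    if not candidate.startswith(PREFIX):
        return False
    body = candidate[len(PREFIX):]
    if len(body) != RANDOM_LEN + CHECKSUM_LEN or any(c not in BASE62 for c in body):
        return False
    random_part, given = body[:RANDOM_LEN], body[RANDOM_LEN:]
    return checksum(random_part) == given


# Candidate pattern a secret scanner would run over text; the checksum then prunes it.
CANDIDATE_RE = re.compile(r"npm_[0-9A-Za-z]{36}")


def find_tokens(text: str) -> list:
    """Return only the regex candidates whose checksum verifies."""
    return [m for m in CANDIDATE_RE.findall(text) if looks_like_token(m)]


if __name__ == "__main__":
    print(f"UUID (32 hex digits): {entropy_bits(16, 32):.1f} bits")
    print(f"30 Base62 symbols:    {entropy_bits(62, 30):.1f} bits")
    print("sample token:", generate_token())
```

The entropy comparison reproduces the figures in the post: a UUID carries 32 hex digits, so 128 bits at most, while 30 Base62 symbols carry a little over 178 bits. The scanner filter shows why the checksum matters: a regex alone flags any 36-character Base62 string after npm_, whereas the CRC32 check discards strings that merely look like a token.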
Read more about the new format here.
What this means for you
We strongly encourage you to make the move toward the new format by resetting your existing access tokens. These improvements will help you mitigate the risk of compromised tokens as well as make our secret scanning detection more precise.
You can reset your personal access tokens by clicking on Access tokens under your npm Profile, deleting all of your old tokens, and creating new ones.
Thank you for helping us make npm more secure. ❤️