npm Granular Access Token page stuck, cannot generate token or publish package

[qiao915]

Select Topic Area

Question

Body

Account: qiao_27
Package: joe-webserver

Problem Description

I'm unable to generate a Granular Access Token (or Classic Token) on npm's website, and the page is completely unresponsive:

1. When creating a Granular Access Token, there's no option to select my existing package (joe-webserver) in the "Packages and scopes" section.
2. Clicking the "Generate Token" button has no response (tried multiple browsers, incognito mode, and page refreshes).
3. I've also tried CLI commands to create tokens, but they fail with errors like "Token name is required" (even when the --name parameter is set) or "You must have at least one package added to this token" (though my account has joe-webserver published).

As a result, I can't publish updates to my package (joe-webserver) — all attempts (via token or direct npm login + npm publish) are blocked.

Steps I've Tried

• Refreshed the token page multiple times.
• Used incognito mode in Chrome/Edge.
• Tried CLI commands (e.g., npm token create --name=xxx --packages=joe-webserver).
• Attempted to delete old tokens (CLI/website, but CLI returns 403).

Expected Outcome

• Be able to generate a token (with read-write access to joe-webserver) to publish package updates.
• Or resolve the page stuck issue so I can complete token configuration.

[WekesaKelvin]

Confirm you actually own the package
Granular tokens only list packages you own.

npm owner ls joe-webserver

If your username isn’t there:

npm owner add joe-webserver
if it deesn't work try this

npm logout
npm login
npm whoami

then  create 

npm token create --type=automation --name="publish-token"

[qiao915]

Thank you for your help, but I have tried the method you provided and it still doesn't work.

[leobalter]

I couldn't reproduce this error here.

The command you mentioned above similar to npm token create --name="something" --packages="job-webserver" should be sufficient to work, I did something very similar on my end and I couldn't find any issues.

I wonder if by quoting the packages values you avoid any issue with the dash.

[Siphelele-Maphumulo]

To simplify the process of verifying ownership and creating a token, use these direct steps for 2025:

1. Fast Ownership Check
   Instead of logging out and back in, check your current identity and the package owners in one go:
   Verify identity: Run npm whoami to see your current logged-in user.
   Verify package owners: Run npm owner ls to see who can manage it.
2. Quick Fix for Ownership
   If you are logged in as the correct user but aren't listed as an owner, add yourself:
   Command: npm owner add .
   Note: If 2FA is enabled, append --otp=123456 with your current code.
3. Creating the Token (Recommended Way)
   As of 2025, the most secure and reliable method for creating granular automation tokens is through the npm website, as the CLI has limitations for certain automation token types.
   Navigate: Go to your npm profile → Access Tokens.
   Generate: Select "Generate New Token" and choose "Granular Access Token".
   Configure:
   Permissions: Select "Read and write".
   Packages: Choose "Only select packages" and pick your package.
   Automation: Check "Bypass two-factor authentication" to allow CI/CD tools to publish without a manual code.
   Save: Copy the token immediately; it will not be shown again.
   Why this is better:
   Safety: Granular tokens limit access to only the specific package you select, rather than your entire account.
   Reliability: The web interface correctly handles the complex 2FA bypass settings needed for automation.

[qiao915]

The webpage is not functioning properly. 'Packages and scopes' should require selecting a package, but there is no place to choose from. There is no response when clicking the 'Generate Token' button,

[UnknownOrange]

To be honest, classic tokens should be supported until A) There are clear step by step instructions on how to use granular access tokens, and B) Existing instructions that do not work with granular access tokens are removed.

I have been running into issues with npm tokens since the latest downgrade that removed classic token support. Removing classic token support is not improving security.

[qiao915]

Totally agree with every word! The removal of classic token support feels so rushed and unplanned. I’ve been stuck for hours trying to publish my package joe-webserver—the CLI commands for granular tokens keep throwing meaningless errors (like "Token name is required" even when I specified --name), and the npm web interface is either unresponsive or won’t let me select my own package to grant permissions.
It’s not just inconvenient—it’s counterproductive to security. Instead of guiding developers to use granular tokens properly, npm’s forcing us to workaround broken tools, which probably leads to more insecure practices (like sharing accounts or skipping 2FA checks just to get work done). Clear, step-by-step docs and removing outdated guides shouldn’t be an afterthought—they’re essential before sunsetting a core feature.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[SIMARSINGHRAYAT]

I understand your frustration. This is a known npm website issue with Granular Access Token generation.

Immediate Solutions:

1. Try the npm CLI Instead:

npm login
npm token create --read-only

2. Clear Browser Cache:

• Clear npm.js cookies
• Clear localStorage
• Try incognito mode

3. Alternative Browser:

• Some users report success with Firefox after Chrome fails
• Try different browser entirely

4. Check Account Status:

• Verify email is confirmed
• Ensure 2FA is properly enabled (not misconfigured)
• Check if account has publishing permissions

Why It Fails:

• npm.js has ongoing frontend issues
• Session/CSRF token problems
• Browser compatibility issues
• Account configuration conflicts

For Package Publishing:
If tokens keep failing:

npm publish --access public  # Uses existing auth

Contact npm Support:

• support.npmjs.com
• Include:
  • Account name
  • Package details
  • Browser/OS info
  • Error console logs

The npm website token generation is frustratingly unreliable. CLI method usually works when web interface fails. Hope this helps!