Where are the trusted publisher settings on npmjs.com?

[binarykitchen]

Good evening,

That's great, you have improved security massively. Thanks for that.
I've read github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available

But unfortunately, I'm still stuck because I'm unable to add a trusted publisher on npmjs.com.

I've followed your instructions from docs.npmjs.com/trusted-publishers#step-1-add-a-trusted-publisher-on-npmjscom, but still cannot find a Trusted Publisher section under my npm settings:

Perhaps I missed some steps or some more information is missing in the documentation? Thanks

[ljharb]

It's under each individual package, in "settings".

[binarykitchen]

Eeeek, thanks @ljharb - I think this should be documented better.

[binarykitchen]

@ljharb I don't mind improving the documentation with a small PR if you could point where they are :)

[jabranr]

@ljharb, how do we set up for a package that is being published for the first time to npm? I think I am having an issue with this from GitHub actions, as it keeps error that the token has expired or is invalid, even for a newly created token.

[ljharb]

@jabranr there's no way to do that - you have to publish it first with a token, probably locally, and then you can set up trusted publishing.