docs: Update GAT documentation #1762
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
karenjli commented Oct 31, 2025
| When you give a token access to an organization, the token can only be used for managing organization settings and teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization. | ||
| | ||
| The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token. | ||
| |
There was a problem hiding this comment.
Changes are highlighted in orange box
| <Screenshot src="/integrations/integrating-npm-with-external-services/granular-access-token-summary.png" alt="Screenshot of the granular access token summary and the generate token button" /> | ||
| | ||
| 10. Copy the token from the top of page. | ||
| 11. Copy the token from the top of page. |
There was a problem hiding this comment.
Added the bypass 2FA step to the instruction
| | ||
| 4. Confirm the deletion when prompted. | ||
| | ||
| ## Revoking tokens using the CLI |
There was a problem hiding this comment.
Previous documentation doesn't include instruction for revoking tokens via UI
| For more information, see "[Creating and viewing authentication tokens][create-token]". | ||
| For more information, see "[Creating and viewing access tokens][create-token]". | ||
| | ||
| ## Set the token as an environment variable on the CI/CD server |
There was a problem hiding this comment.
Added bypass 2FA implications and recommendations
| | ||
| 3. **Require two-factor authentication and disallow tokens** | ||
| With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Automation tokens and granular access tokens cannot be used to publish packages. | ||
| With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Granular access tokens cannot be used to publish packages, regardless of their bypass 2FA setting. |
There was a problem hiding this comment.
This page explains the nuance of when 2FA will be prompted
There was a problem hiding this comment.
Also, references of automation tokens are removed as we are deprecating it
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
This PR updates GAT related documentation to cover how 2FA will be handled for GATs