@karenjli commented Nov 3, 2025

This PR addresses the following two changes related to tokens:

  1. Deprecation of legacy tokens
  2. Addition of bypass 2FA for granular access tokens

…documentation (#1756)

### Summary: Added notes on deprecated legacy access token references and removed some documentation due to deprecation

### File Changes (3 files)

1. `content/integrations/integrating-npm-with-external-services/creating-and-viewing-access-tokens.mdx`
2. `content/integrations/integrating-npm-with-external-services/about-access-tokens.mdx`
3. `content/integrations/integrating-npm-with-external-services/using-private-packages-in-a-ci-cd-workflow.mdx`

### Changes Made
- Added `note` for legacy token creation workflow from access tokens documentation

---------

Co-authored-by: Di Hei <dhei@github.com>

@karenjli requested review from a team and leobalter as code owners November 3, 2025 16:25

This PR updates GAT related documentation to cover how 2FA will be
handled for GATs

- [Legacy tokens](#about-legacy-tokens)
- [Granular access tokens](#about-granular-access-tokens)
As of November 2025, access tokens can only be [Granular access tokens](#about-granular-access-tokens). Legacy access tokens are removed.

Member

Can be rephrased to: "As of November 2025, only [Granular access tokens](#about-granular-access-tokens) are supported. Legacy access tokens have been removed."


<Note variant="danger">

**Warning:** Legacy access tokens were removed on November 5, 2025.

Contributor

We might wanna add another note saying npm token is not deprecated and it will eventually work with Granular tokens.

Contributor Author

@karenjli Nov 4, 2025

We removed all the documentation about npm token in https://npm-bb091a8293-15913497.drafts.github.io/creating-and-viewing-access-tokens

This is the current verbiage under Creating tokens with the CLI:

Note: You cannot create granular access tokens from the CLI. You must use the website to generate these types of tokens. For more information, see "Creating granular access tokens on the website."

We can change it and mention npm token there as follows:

Note: You cannot create granular access tokens from the CLI currently. You must use the website to generate these types of tokens. Support for creating granular access tokens via the npm token CLI command will be added in the future. For more information, see "Creating granular access tokens on the website."


When you give a token access to an organization, the token can only be used for managing organization settings and teams or users associated with the organization. It does not give the token the right to publish packages managed by the organization.

The Bypass 2FA capability applies to tokens with write access and is set to false by default at token creation. When the Bypass 2FA option is set to true, this setting takes precedence over account-level and package-level 2FA settings. This means that even if account-level 2FA is enabled and/or package-level 2FA is required, 2FA will still be bypassed when using the token.
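
Review bot: The Bypass 2FA paragraph says that a token with the option set to true overrides both account-level and package-level 2FA, but it gives the reader no guidance on when that is acceptable. Consider adding a sentence directly after "2FA will still be bypassed when using the token" advising that the option be enabled only on tokens that need non-interactive writes, and that such tokens should not be created where 2FA is meant to be fully enforced. It would also help to state which operations "write access" covers here, since the preceding paragraph says organization access does not include the right to publish packages.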

Contributor

We might add a sentence that such granular tokens should never be created if a fully enforced 2FA is required.

I added a comment on Slack concerning this full bypass part, to discuss the feature rather than just the docs text.

@karenjli requested a review from dhei November 4, 2025 20:04