Who does this NPM token belong to?

Featured image for sharing metadata for article

Let's say you've just found something that looks like it's an NPM token, and you want to work out whether it's still valid.

One option is to try and download a dependency using it, but that can be a little more awkward to do, when there are easier means to do so.

With npm

Let's say we've found a .npmrc:


Alternatively if this is a newer token, it'll be prefixed with npm_.

Fortunately the npm CLI contains a whoami subcommand, which means we can run:

env NPM_TOKEN=f... npm whoami

This will return the user that's authenticated, or an error.

With curl

This works when you're using the main registry, but when trying to check with different registry, i.e. registry.yarnpkg.com, you get:

env NPM_TOKEN=f... npm whoami --registry https://registry.yarnpkg.com
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

However, if we run npm whoami --verbose, we can see that it performs an HTTP GET request like so:

curl https://registry.npmjs.org/-/whoami -H 'Authorization: Bearer npm_...'

This is implemented by other registries such as the Yarn registry, meaning that if we were to find credentials such as:

    npmAlwaysAuth: true
    npmAuthToken: f.....

Then we'd be able to check if they were still valid by running:

curl -i https://registry.yarnpkg.com/-/whoami -H 'Authorization: Bearer f...'
HTTP/2 200

Alternatively we'd see a 401 when invalid:

curl -i https://registry.yarnpkg.com/-/whoami -H 'Authorization: Bearer f...'
HTTP/2 401

Written by Jamie Tanna's profile image Jamie Tanna on , and last updated on .

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #nodejs.

This post was filed under articles.

Interactions with this post

Interactions with this post

Below you can find the interactions that this page has had using WebMention.

Have you written a response to this post? Let me know the URL:

Do you not have a website set up with WebMention capabilities? You can use Comment Parade.