How do you distribute an npm private package to customers?

There are lots of use cases for teams leveraging private npm packages for internal purposes. Is there a model in github for distributing access to a private package to external customers? Basically subscription access to an npm package. Each customer would get their own npm access token giving them access to the private package. When they leave, their access token would be removed and they wouldn’t be able to access the package anymore.

Ideally I could create an access token via api when the customer is created and provide it to them to install the package and delete the token when they cancel.

From what I can tell github apis can’t create access tokens for security reasons. Is there something I’m missing that would allow me to distribute access to a private package programmatically in github? Thanks


Hi @dberringer – I’m on the Github Packages team and can help you out here.

Right now, npm package permissions are driven off the permissions of the repository to which they belong. Users can rely on personal access tokens to authenticate with Github Registry.

In your use case, you could add the user to the repository (read would be enough if they are just consuming the package), and then remove them later once the access is no longer needed. I’m not sure this 100% satisfies your use case though. We are, however, working on a more robust permissions model, so these items are on the roadmap.
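The workaround described in this answer is an access lifecycle: grant the customer's account read access to the repository that owns the package, have them authenticate to the GitHub npm registry with their own personal access token, and remove the collaborator when the subscription ends. The script below is an added example and is not code from the thread or from GitHub; it assumes the REST endpoint `PUT`/`DELETE /repos/{owner}/{repo}/collaborators/{username}` (which exists in the GitHub REST API), a maintainer token in `GH_TOKEN`, and constructed placeholder values (`acme`, `widgets`, `alice`). With `DRY_RUN=1` it prints the request it would make instead of calling the API, so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): the grant / authenticate / revoke cycle
# the answer describes, as small POSIX sh helpers for the package owner.
# Assumptions: owner, repo, scope and login values are placeholders supplied by
# the caller; the maintainer's own token is in GH_TOKEN; DRY_RUN=1 prints the
# curl command instead of contacting api.github.com.

API="https://api.github.com"

# Collaborator endpoint for one customer account.
collab_url() {
  # $1 = owner, $2 = repo, $3 = customer's GitHub login
  printf '%s/repos/%s/%s/collaborators/%s\n' "$API" "$1" "$2" "$3"
}

# Issue the request, or describe it when DRY_RUN=1.
run_api() {
  method=$1; url=$2; body=$3
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'curl -X %s %s\n' "$method" "$url"
    return 0
  fi
  # GH_TOKEN must be set for a live call; fail loudly rather than send an unauthenticated request.
  if [ -n "$body" ]; then
    curl -sS -X "$method" -H "Authorization: Bearer ${GH_TOKEN:?set GH_TOKEN}" \
      -H "Accept: application/vnd.github+json" -d "$body" "$url"
  else
    curl -sS -X "$method" -H "Authorization: Bearer ${GH_TOKEN:?set GH_TOKEN}" \
      -H "Accept: application/vnd.github+json" "$url"
  fi
}

# Grant read-only ("pull") access: enough to install the package, nothing more.
grant_read() {
  url=$(collab_url "$1" "$2" "$3")
  run_api PUT "$url" '{"permission":"pull"}'
}

# Revoke: removing the collaborator removes their ability to pull the package.
revoke_access() {
  url=$(collab_url "$1" "$2" "$3")
  run_api DELETE "$url" ''
}

# Lines the customer adds to their project's .npmrc. The PAT is referenced via
# an environment variable so the committed file never contains the secret.
npmrc_for_scope() {
  # $1 = npm scope, which for GitHub Packages is the repository owner
  printf '@%s:registry=https://npm.pkg.github.com\n' "$1"
  printf '//npm.pkg.github.com/:_authToken=${NPM_TOKEN}\n'
}
```

Typical use: `DRY_RUN=1 grant_read acme widgets alice` to preview the request, the same call without `DRY_RUN` to apply it, `npmrc_for_scope acme` to hand the customer their two `.npmrc` lines (they export their own PAT as `NPM_TOKEN`), and `revoke_access acme widgets alice` on cancellation. The `pull` permission is the least-privilege choice for a consumer, and because access is tied to the repository rather than the token, revocation works even though, as the thread notes, tokens themselves cannot be created or revoked through the API.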

Hey @whitneyimura. Thanks for the response. Can you confirm there is currently no way to create and/or rotate personal access tokens on an account except by manually doing so in the UI? Is that correct? Thanks

Hey @dberringer – Yep, that’s correct. From what I can tell from the documentation, PATs can only be revoked through the UI.

Thanks for confirming. Controlling access programmatically opens up some interesting use cases and would be a great addition to a future release. Thanks.


Hi @whitneyimura - I’d be interested in leveraging Github Packages in the same scenario @dberringer has described, so providing external customers (some of whom might not even have Github accounts) with access to private NPM modules but without having to provide them with access to the repository itself. The reason for this is that the repository itself would be a mono-repo hosting code for a number of external customers, so I’d like to be able to configure what customers can access which packages.

I’m glad to hear that a more robust permissions model is on the roadmap, so I’d be keen to learn if you think it would support the scenario I described? And if so, do you happen to know when it would be available?