Skip to content
Latchkey

semantic-release "EINVALIDNPMTOKEN" invalid npm token in CI

semantic-release sent your NPM_TOKEN to the configured registry to verify it during "Verify Conditions", and the registry rejected it. The token is set but not valid: expired, revoked, or for the wrong registry.

What this error means

The run fails with "EINVALIDNPMTOKEN Invalid npm token" naming the registry it checked, even though NPM_TOKEN is populated.

semantic-release
[semantic-release] > EINVALIDNPMTOKEN Invalid npm token.
The npm token (https://registry.npmjs.org/) configured in the NPM_TOKEN environment variable
must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

Common causes

The token expired or was revoked

npm automation tokens can be revoked or expire; a stale value in the secret authenticates as invalid.

The token is for a different registry

The token belongs to a private registry while the package resolves to registry.npmjs.org (or vice versa), so verification fails.

How to fix it

Regenerate the automation token

  1. Create a fresh npm automation token with publish rights.
  2. Update the NPM_TOKEN repository secret with the new value.
  3. Re-run so the registry accepts it.
npmjs.com
# create a token in npm, then update the CI secret
# Settings > Secrets > Actions > NPM_TOKEN

Point the token at the right registry

Ensure the registry the token belongs to matches the publishConfig registry the package publishes to.

package.json
{
  "publishConfig": { "registry": "https://registry.npmjs.org/" }
}

How to prevent it

  • Use long-lived automation tokens rather than tokens tied to a user session.
  • Rotate the token before it expires and update the secret in one place.
  • Match the token registry to the package publishConfig registry.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →