Publish TypeScript SDKs automatically

View as Markdown

You can publish SDKs generated in Postman to the npm public registry. Automated publishing is supported through GitHub Actions, which can be configured to publish your SDKs to npm whenever a new release is created in your GitHub repository. By default, the predefined workflow creates a new release every time an automatic PR is merged.

You can also publish manually from your local machine. To learn more, see Publish TypeScript SDKs manually.

Choose one of the following methods to publish your SDKs automatically:

  • Publish using an npm token stored in GitHub secrets.
  • Publish using trusted publishing (OpenID Connect).

Prerequisites

  • An npm account.
  • The package name is available on npm, or your account has publish rights to it.
  • For a scoped package (@org/name), the org/scope exists and your account is a member. The package publishes with public access.

Create an npm token and add it to your GitHub repo

An npm token (NPM_TOKEN) is used for authentication with the npm publish command.

To create an npm token and add it to your GitHub repo, do the following:

  1. Sign in at npmjs.com and select Your avatar > Access Tokens > Generate New Token.

  2. Create a granular token with read and write packages, scoped to the specific package or scope, with a set expiration. Enable Bypass two-factor authentication so the token can publish from CI. For more information, see Create and manage access tokens.

    To publish, npm requires either two-factor authentication (2FA) or a bypass-2FA token. Without this step, the SDK publish action fails asking for an OTP.

  3. Copy the token (starts with npm_...). It’s shown only once.

  4. In GitHub, select your repository and click Settings > Secrets and variables > Actions > New repository secret. Name it NPM_TOKEN and paste the token you copied from npm.

Tokens expire. Rotate the secret when CI starts failing authentication.

Use trusted publishing (OpenID Connect)

npm supports trusted publishing, a token-free flow where npm authenticates the GitHub Actions run directly over OpenID Connect (OIDC). No NPM_TOKEN secret is required, and OIDC satisfies the 2FA requirement automatically.

To use OIDC, do the following:

  1. On npmjs.com, configure a trusted publisher for the package, linking the GitHub repo and the release workflow filename.
  2. Update the release workflow file (or add a new one) on the connected repo using a custom code change. Make the following changes to the workflow:
    • Add id-token: write to the job permissions.
    • Remove the NODE_AUTH_TOKEN / NPM_TOKEN env from the publish step.
    • Keep npm publish (npm picks up the OIDC credentials automatically).