Registry tokens

Scoped, expiring tokens for installs and CI publishes.

Registry tokens are credentials that do one job. Each is scoped to an organisation, limited to reading or publishing, and optionally expiring, so the token in your CI config cannot do anything beyond what you minted it for.

Create a token

From Settings → Registry tokens, or the CLI:

pln token create --name "ci publish" --org <org> --ttl-minutes 60
pln token create --name "readonly installs" --org <org> --read-only

The token (prefixed plain_rt_) is shown once, with a ready-to-paste .npmrc block. Plain stores only a hash; if you lose the value, mint a new one.

Scopes and expiry

  • Organisation. A token reads and publishes only within one org's scope.
  • Action. --read-only tokens install private packages but can never publish.
  • TTL. --ttl-minutes sets an expiry. Short-lived publish tokens are the right shape for release pipelines; this is what pln publish does internally.

Use in .npmrc

@<org>:registry=https://alpha.plain.jxd.dev/api/registry/
//alpha.plain.jxd.dev/api/registry/:_authToken=plain_rt_xxxxxxxx

Locally this lives in your home .npmrc; in CI, inject the token from a secret rather than committing it.
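The line above asks you to keep the token out of version control. One way to enforce that is a small check run before commit: it accepts an `_authToken` whose value is an environment-variable reference (npm expands `${VAR}` in .npmrc) and flags a literal `plain_rt_` value. This is an added example, not part of Plain's tooling; the variable name `PLAIN_TOKEN` and the sample .npmrc contents are constructed for illustration.

```python
"""Flag .npmrc lines that commit a literal registry token instead of an
environment-variable reference. Added example; not Plain's own tooling."""
import re

# `//host/path/:_authToken=<value>` is the npm per-registry auth key.
TOKEN_LINE = re.compile(r"^(?P<key>//[^=]*:_authToken)=(?P<value>.*)$")
# A literal Plain registry token (prefix from the docs; body charset is an assumption).
LITERAL = re.compile(r"^plain_rt_[A-Za-z0-9_-]+$")
# npm expands ${VAR} from the environment when it reads .npmrc.
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")


def check_npmrc(text: str) -> list:
    """Return (line_number, reason) for every _authToken line that is not an env reference."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment
        m = TOKEN_LINE.match(line)
        if not m:
            continue  # registry mapping, other settings
        value = m.group("value").strip()
        if ENV_REF.match(value):
            continue  # the secret is injected at runtime, nothing committed
        if LITERAL.match(value):
            findings.append((lineno, "literal plain_rt_ token committed"))
        else:
            findings.append((lineno, "_authToken is not an environment reference"))
    return findings


# Constructed sample: the token value below is a placeholder, not a real credential.
NPMRC_COMMITTED = """@acme:registry=https://alpha.plain.jxd.dev/api/registry/
//alpha.plain.jxd.dev/api/registry/:_authToken=plain_rt_CONSTRUCTED_PLACEHOLDER
"""

# The shape CI should commit: the value is resolved from the PLAIN_TOKEN secret at job time.
NPMRC_FROM_ENV = """@acme:registry=https://alpha.plain.jxd.dev/api/registry/
//alpha.plain.jxd.dev/api/registry/:_authToken=${PLAIN_TOKEN}
"""

if __name__ == "__main__":
    for label, text in (("committed", NPMRC_COMMITTED), ("env", NPMRC_FROM_ENV)):
        print(label, check_npmrc(text))
```

Wire `check_npmrc` into a pre-commit hook over any staged `.npmrc` and fail the commit on a non-empty result; the CI job then exports `PLAIN_TOKEN` from its secret store before running `npm install` or `pln publish`.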

Revoking

Revoke any token from the settings page and it stops working immediately. Because tokens are named, "which credential is this" has an answer when you are cleaning up.
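The properties described on this page (one org per token, read-only versus publish, a TTL, hash-only storage, and revocation that takes effect immediately) fit in a small authorization model. The block below is an added example written to illustrate them; it is not Plain's implementation, and the record fields, the check order and the use of SHA-256 over the token are assumptions. Timestamps are passed in explicitly so the expiry logic is visible and testable.

```python
"""Minimal model of scoped, expiring, revocable registry tokens stored as hashes.
Added example; not Plain's own code. Field names and check order are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREFIX = "plain_rt_"  # token prefix from the docs


@dataclass
class TokenRecord:
    name: str                   # shown in the settings page so cleanup has an answer
    org: str                    # the single organisation this token may act in
    read_only: bool             # True: installs only, never publish
    expires_at: Optional[float] # unix seconds; None means no expiry
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        # Keyed by the SHA-256 hex digest of the token: a leaked table yields
        # no usable credentials, and the digest of a random token is not guessable.
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, name: str, org: str, *, read_only: bool = False,
               ttl_minutes: Optional[int] = None, now: Optional[float] = None) -> str:
        """Mint a token. The plaintext is returned exactly once; only its digest is kept."""
        now = time.time() if now is None else now
        token = PREFIX + secrets.token_urlsafe(24)
        expires = now + ttl_minutes * 60 if ttl_minutes is not None else None
        self._records[self._digest(token)] = TokenRecord(name, org, read_only, expires)
        return token

    def revoke(self, name: str) -> int:
        """Revoke every token with this name; the next request with it is refused."""
        hits = 0
        for rec in self._records.values():
            if rec.name == name and not rec.revoked:
                rec.revoked = True
                hits += 1
        return hits

    def authorize(self, token: str, org: str, action: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide whether `token` may perform `action` ('read' or 'publish') in `org`."""
        now = time.time() if now is None else now
        if action not in ("read", "publish"):
            return False, "unknown action"
        if not token.startswith(PREFIX):
            return False, "not a registry token"
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if rec.expires_at is not None and now >= rec.expires_at:
            return False, "expired"
        if rec.org != org:
            return False, "wrong org"
        if action == "publish" and rec.read_only:
            return False, "read-only token"
        return True, "ok"


if __name__ == "__main__":
    store = TokenStore()
    t0 = 1_700_000_000.0  # constructed "now"
    pub = store.create("ci publish", "acme", ttl_minutes=60, now=t0)
    ro = store.create("readonly installs", "acme", read_only=True, now=t0)
    print(store.authorize(pub, "acme", "publish", now=t0))          # ok
    print(store.authorize(pub, "acme", "publish", now=t0 + 3600))   # expired
    print(store.authorize(ro, "acme", "publish", now=t0))           # read-only token
    store.revoke("ci publish")
    print(store.authorize(pub, "acme", "publish", now=t0))          # revoked
```

The order of checks matters for what the caller learns: a revoked or expired token is refused before any scope comparison, so a stale publish token in an old pipeline fails the same way whichever org or action it tries. Because only digests are stored, "if you lose the value, mint a new one" is the only recovery path, which is the intended trade-off.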