Publish your public-facing Fern TypeScript SDK to the npmjs registry. After following the steps on this page, you’ll have a versioned package published on npm.
If you’re using token-based authentication, npm has deprecated long-lived classic tokens. See Migrating from token-based to OpenID Connect (OIDC) publishing to upgrade to the more secure OIDC authentication.

This page assumes that you have:
fern folder, a GitHub repository for your TypeScript SDK, and a TypeScript generator group in generators.yml. See Generating an SDK (TypeScript).
You’ll need to update your generators.yml file to configure the package name, output location, and client naming for npm publishing. Your generators.yml should live in your source repository (or on your local machine), not the repository that contains your TypeScript SDK code.
Configure output location
In the group for your TypeScript SDK, change the output location from local-file-system (the default) to npm to indicate that Fern should publish your package directly to the npmjs registry:
Fern can automatically publish your SDK to npmjs via GitHub Actions. Configure your GitHub repository and publishing mode:
Optionally set the mode to control how Fern handles SDK publishing:
mode: release (default): Fern generates code, commits to the default branch (or the branch you specify), and tags a release automatically
mode: pull-request (recommended): Fern generates code and creates a PR for you to review before release
mode: push: Fern generates code and pushes to a branch you specify for you to review before release
You can also configure other settings, like the reviewers or license. Refer to the full github (generators.yml) reference for more information.
Choose how you want to authenticate with npmjs when publishing.
npm has deprecated long-lived classic tokens for publishing from CI/CD workflows. OpenID Connect (OIDC) authentication is strongly recommended for security.
OIDC-based publishing (also known as “trusted publishing”) is the most secure way to publish. With OIDC, you don’t need to manage authentication tokens - npmjs trusts your GitHub repository to publish directly.
3.12.3 or later
0.94.0 or later (only required for local generation with --local)
Generate your SDK to create the GitHub Actions workflow with OIDC configuration:
This creates a .github/workflows/ci.yml file that’s configured to use OIDC for npmjs publishing. Alternatively, you can push your generators.yml changes and let the Fern GitHub Action generate the workflow for you.
Configure trusted publishing on npmjs.com to allow your GitHub repository to publish:
your-org/your-repository)
ci.yml
For more details, see npm’s trusted publishing documentation.
“Unable to authenticate” error
Common causes:
ci.yml)
Solution: Double-check your trusted publisher configuration on npmjs.com matches your repository name and workflow filename exactly.
Private repository limitations
Provenance attestations aren’t generated for packages published from private repositories, even when using trusted publishing. This is a known limitation.
npm has deprecated long-lived classic tokens. Long-lived authentication tokens can be exposed in logs, compromised, and are difficult to manage and rotate. OIDC-based authentication is strongly recommended instead.
Your SDK will automatically be published to npmjs when you create a GitHub release with a version tag:
v1.0.0)
If you prefer to trigger publishes manually, create a .github/workflows/publish.yml file:
Add your FERN_TOKEN as a repository secret (run fern token to generate one), then trigger the workflow from the Actions tab.
If you’re using token-based authentication and need to migrate to OIDC, follow these steps:
npmjs is implementing trusted publishing to remove security risks associated with long-lived tokens, which can be:
OIDC-based publishing uses short-lived, cryptographically signed tokens that are specific to your workflow and can’t be extracted or reused.
Before migrating, ensure you have:
0.94.0 or later (for local generation)
Select the approach that fits your situation:
This is the easiest path if you can upgrade to version 3.12.3 or later of the TypeScript SDK generator.
When to use this path:
.fernignore’d your CI workflow file
Follow npm’s “Add a trusted publisher on npmjs.com” instructions:
ci.yml (the default Fern workflow file)
Change the output.token field from ${NPM_TOKEN} to OIDC and ensure you’re using version 3.12.3 or later:
Regenerate your SDK with the updated CI configuration. You can do this either:
Locally:
Or via GitHub Actions:
If you use the Fern GitHub Action to generate your SDK, simply push your updated generators.yml file and let the workflow regenerate the SDK for you.
This will update your .github/workflows/ci.yml file with the required OIDC permissions.
Use this path if you can’t upgrade the generator or have customized your CI workflow.
When to use this path:
.fernignore
Follow the same instructions as Path 1 to add your repository as a trusted publisher on npmjs.com.
Open your .github/workflows/ci.yml file and make these changes to the publish job:
Key changes:
permissions block with id-token: write and contents: read to the publish job
npm config set line from the publish step
env block with NPM_TOKEN from the publish step
After completing either migration path:
v1.0.0-alpha)
Common causes:
ci.yml with the .yml extension)
id-token: write or contents: read permissions in workflow
Solution: Double-check your trusted publisher configuration on npmjs.com matches your actual workflow file name and verify all requirements are met.
If your workflow continues using token-based authentication:
npm config set line and the env: NPM_TOKEN block from the publish step
--local generation, you need to use Fern CLI version 0.94.0 or later
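A pre-flight check for the "Key changes" and troubleshooting items above, as an added example that is not part of Fern's tooling or its generated ci.yml. The two workflow snippets are constructed samples and the function name oidc_findings is hypothetical; it reports which token-based leftovers or missing permissions a workflow file still contains.

```python
import re

# Constructed sample: a publish job still using token-based authentication.
TOKEN_JOB = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Publish to npm
        run: |
          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
          npm publish --access public
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the same job after the manual OIDC migration.
OIDC_JOB = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Publish to npm
        run: npm publish --access public
"""

def oidc_findings(workflow_text):
    """List the token-based leftovers and missing permissions in a workflow file."""
    # Text-level check, not a YAML parser: full-line comments are dropped so a
    # commented-out permission does not count as present.
    body = "\n".join(l for l in workflow_text.splitlines()
                     if not l.lstrip().startswith("#"))
    findings = []
    for perm in ("id-token: write", "contents: read"):
        key, value = perm.split(": ")
        if not re.search(rf"^\s*{key}:\s*{value}\s*$", body, re.M):
            findings.append(f"missing permission {perm}")
    if re.search(r"npm\s+config\s+set\s+\S*_authToken", body):
        findings.append("npm config set line still present")
    if re.search(r"^\s*NPM_TOKEN\s*:", body, re.M):
        findings.append("env block still passes NPM_TOKEN")
    return findings

if __name__ == "__main__":
    for name, text in (("token-based", TOKEN_JOB), ("OIDC", OIDC_JOB)):
        print(name, oidc_findings(text) or "ok")
```

The check is file-wide rather than scoped to the publish job, so review multi-job workflows by hand as well.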