docs: updates the token create documentation (#8785)

owlstronaut · wraithgar · web-flow · commit 4a32606ff50c · 2025-11-26T10:14:14.000-08:00
This update removes the copied config that is in the description header.

We can remove the part about the registry not working yet when the
registry enabled this.

---------

Co-authored-by: Gar &lt;gar+gh@danger.computer&gt;
diff --git a/docs/lib/content/commands/npm-token.md b/docs/lib/content/commands/npm-token.md
@@ -12,37 +12,23 @@ description: Manage your authentication tokens
 
 This lets you list, create and revoke authentication tokens.
 
-* `npm token list`:
-  Shows a table of all active authentication tokens.
-  You can request this as JSON with `--json` or tab-separated values with `--parseable`.
+#### Listing tokens
 
-```
-Read only token npm_1f… with id 7f3134 created 2017-10-21
+When listing tokens, an abbreviated token will be displayed.  For security purposes the full token is not displayed.
 
-Publish token npm_af…  with id c03241 created 2017-10-02
-with IP Whitelist: 192.168.0.1/24
+#### Generating tokens
 
-Publish token npm_… with id e0cf92 created 2017-10-02
+NOTE: Currently, the npm registry doesn't allow the cli to generate tokens.  This feature should be re-enabled soon.
 
-```
+When generating tokens, you will be prompted you for your password and, if you have two-factor authentication enabled, an otp.
 
-* `npm token create [--read-only] [--cidr=<cidr-ranges>]`:
-  Create a new authentication token.
-  It can be `--read-only`, or accept a list of [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) ranges with which to limit use of this token.
-  This will prompt you for your password, and, if you have two-factor authentication enabled, an otp.
+Please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating tokens for CI/CD.
 
-  Currently, the cli cannot generate automation tokens.
-  Please refer to the [docs website](https://docs.npmjs.com/creating-and-viewing-access-tokens) for more information on generating automation tokens.
+#### Revoking tokens
 
-```
-Created publish token a73c9572-f1b9-8983-983d-ba3ac3cc913d
-```
+When revoking a token, you can use the full token (e.g. what you get back from `npm token create`, or as can be found in an `.npmrc` file), or a truncated id.  If the given truncated id is not distinct enough to differentiate between multiple existing tokens, you will need to use enough of the id to allow npm to distinguish between them.  Full token ids can be found on the [npm website](https://www.npmjs.com), or in the `--parseable` or `--json` output of `npm token list`.  This command will NOT accept the truncated token found in the normal `npm token list` output.
 
-* `npm token revoke <token|id>`:
-  Immediately removes an authentication token from the registry.
-  You will no longer be able to use it.
-  This can accept both complete tokens (such as those you get back from `npm token create`, and those found in your `.npmrc`), and ids as seen in the parseable or json output of `npm token list`.
-  This will NOT accept the truncated token found in the normal `npm token list` output.
+A revoked token will immediately be removed from the registry and you will no longer be able to use it.
 
 ### Configuration
 
