Get an npm access token (install @kofile/* packages)
The Neumo Design System packages are private on npm. Before you can install
any @kofile/* package — components, tokens, the MCP server, the Figma toolkit —
npm needs proof that you're allowed to. You do this once with an access
token. This page is the single source of truth; other docs link here.
Everyone needs this — designers, product, and engineers. It's the same handful of steps for all of us. First time and not comfortable in a terminal? The onboarding guide walks through it (and everything around it) in more detail.
What you need first
- An npmjs.com account that's a member of the
@kofileorganization. Don't have npm access? Message Scott Stroupe on Teams to be added to the org — without membership the token won't grant access.
1. Create the token
- Sign in at npmjs.com with your
@kofile-org account. - Click your avatar (top-right) → Access Tokens.
- Click Generate New Token → Classic Token.
- Name it something memorable (e.g.
neumo-ds), choose type Read-only, and click Generate Token. - Copy the token now — npm won't show it again after you leave the page.
Read-only is all you need to install. Only publishers need write/automation tokens.
2. Save the token in your .npmrc
Your ~/.npmrc file is where npm keeps this credential. The safest way to set it
is with a command (it creates/edits the file for you). Replace
PASTE_TOKEN_HERE with what you copied:
npm config set //registry.npmjs.org/:_authToken=PASTE_TOKEN_HERE
That's it — npm (and npx) will now authenticate automatically for every
@kofile/* install on your machine.
Other ways to configure it (per-project, CI)
Per-project .npmrc (checked into a repo, token from an env var so the
secret isn't committed):
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
Then set NPM_TOKEN in your environment before installing. Never commit the
raw token — only the ${NPM_TOKEN} reference.
CI — store the token as a secret (e.g. NPM_TOKEN) and write the same line
into .npmrc during the job. Use an Automation token for CI so it isn't
blocked by 2FA.
3. Verify it works
npm view @kofile/gds-react version
- A version number prints → you're authenticated. Install away.
E404/E401→ the token or your org membership isn't right. See Troubleshooting.
Troubleshooting
| What you see | Likely cause | Fix |
|---|---|---|
npm error 404 Not Found on a @kofile/* package |
Token missing/invalid, or you're not in the @kofile org |
Re-run step 2 with a fresh token; if it persists, message Scott Stroupe on Teams to confirm org membership |
npm error 401 Unauthorized |
Token is wrong, expired, or revoked | Generate a new Read-only token (step 1) and re-save it (step 2) |
npm whoami says 401 even though you have a valid token in .env |
npm reads ~/.npmrc, not .env — you likely have an old token in ~/.npmrc that's overriding the good one |
Re-run step 2 to overwrite ~/.npmrc with the working token: npm config set //registry.npmjs.org/:_authToken=YOUR_TOKEN |
| Works in your terminal but fails in CI | CI has no token | Add the token as a CI secret and write the .npmrc line in the job |
npx @kofile/… hangs or fails |
Same auth issue — npx uses the same .npmrc |
Verify with step 3 first; fix the token, then retry |
Not sure where ~/.npmrc is |
It's in your home folder | cat ~/.npmrc prints it; the command in step 2 creates it if missing |
Security: treat the token like a password. It lives in your private
~/.npmrc; never paste it into a shared file, a repo, or a screenshot.
These packages went private as part of locking the design system to the
@kofile org. If a teammate can't get access, the fix is almost always org
membership — message Scott Stroupe on Teams to be added.