4 changes: 3 additions & 1 deletion api/base.yaml
@@ -91,6 +91,8 @@ x-tagGroups:
- Tokens
- OIDC
- Trust
- Access
- Org

components:
securitySchemes:
@@ -141,4 +143,4 @@ components:
Short-lived npm registry token obtained by exchanging an OIDC id_token
via the `/oidc/token/exchange` endpoint. These tokens are package-scoped
and have limited lifetime (typically 1 hour).


2 changes: 2 additions & 0 deletions api/merge-config.yaml
@@ -1,6 +1,8 @@
inputs:
- inputFile: base.yaml
- inputFile: registry.npmjs.com/access.yaml
- inputFile: registry.npmjs.com/oidc.yaml
- inputFile: registry.npmjs.com/org.yaml
- inputFile: registry.npmjs.com/token.yaml
- inputFile: registry.npmjs.com/trust.yaml

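--- a/api/registry.npmjs.com/access.yaml
+++ b/api/registry.npmjs.com/access.yaml
@@ -0,0 +1,184 @@
+components:
+parameters:
+TeamName:
+name: teamName
+in: path
+required: true
+schema:
+type: string
+description: Name of a team
+responses:
+PackageAccessLevels:
+description: "Packages with their access levels"
+content:
+application/json:
+schema:
+type: object
+additionalProperties:
+type: string
+example:
+"@npmcli/arborist": "read-write"
+"@npmcli/config": "read-only"
+PackageVisibility:
+description: "Packages with their visibility"
+content:
+application/json:
+schema:
+type: object
+additionalProperties:
+type: string
+example:
+"@npmcli/arborist": "public"
+"@npmcli/hidden": "private"
+UserAccessLevels:
+description: "User access levels"
+content:
+application/json:
+schema:
+type: object
+additionalProperties:
+type: string
+example:
+"npm": "read-write"
+"microsoft": "read-only"
+paths:
+/-/team/{orgName}/{teamName}/package:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/OrgName'
+- $ref: '#/components/parameters/TeamName'
+- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"
+get:
+tags:
+- Access
+summary: Get all packages for a team
+description: Get all of the packages a team has access to, as well a the access level that team has for each package.
+operationId: getTeamPackageGrants
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: '#/components/responses/PackageAccessLevels'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+put:
+tags:
+- Access
+summary: Grant access to a package for a team
+operationId: createTeamPackageGrant
+requestBody:
+required: true
+content:
+application/json:
+schema:
+type: object
+properties:
+package:
+type: string
+description: The name of the package to give access to
+permissions:
+type: string
+enum:
+- read-only
+- read-write
+description: The access level of the package to grant to the team
+security:
+- npmSessionToken: []
+responses:
+"201":
+$ref: './api/shared-components.yaml#/components/responses/EmptySuccess'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+delete:
+summary: Remove access to a package for a team
+operationId: deleteTeamPackageGrant
+security:
+- npmSessionToken: []
+responses:
+"204":
+$ref: './api/shared-components.yaml#/components/responses/EmptySuccess'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+/-/org/{orgName}/package:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/OrgName'
+- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"
+get:
+tags:
+- Access
+summary: Get all packages for an org
+description: Get all of the packages an org has access to, as well a the access level that org has for each pacakge.
+operationId: getOrgPackages
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: '#/components/responses/PackageAccessLevels'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+/-/package/{escapedPackageName}/collaborators:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/EscapedPackageName'
+- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"
+get:
+tags:
+- Access
+summary: Get all of the users that have access to a package, as well as the access level that user has for each package.
+operationId: getPackageCollaborators
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: '#/components/responses/UserAccessLevels'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+/-/package/{escapedPackageName}/visibility:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/EscapedPackageName'
+- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"
+get:
+tags:
+- Access
+summary: Get the visibility of a package.
+operationId: getPackageVisibility
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: '#/components/responses/PackageVisibility'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+/-/package/{escapedPackageName}/access:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/EscapedPackageName'
+post:
+tags:
+- Access
+summary: Sets the various access levels for a package.
+operationId: setPackageAccess
+requestBody:
+required: true
+content:
+application/json:
+schema:
+type: object
+properties:
+# cidr_whitelist?
+access:
+type: string
+enum:
+- public
+- private
+description: Visibility of a package
+publish_requires_tfa:
+type: boolean
+description: Whether publishing this package requires multifactor auth
+automation_token_overrides_tfa:
+type: boolean
+description: Whether or not automation tokens override the requirement for multifactor auth
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: './api/shared-components.yaml#/components/responses/EmptySuccess'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'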
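Review bot: The `/-/package/{escapedPackageName}/access` path is the only one in this file whose `parameters` list omits the `RequiredBearerToken` reference, although `setPackageAccess` declares `npmSessionToken` security and is the operation that changes a package's visibility and its `publish_requires_tfa` / `automation_token_overrides_tfa` settings. If the omission is not deliberate, add `- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"` under that path's `parameters`, and resolve or remove the leftover `# cidr_whitelist?` comment in the same schema. Every operation lists only `401` as an error; if the registry answers `403` for an authenticated caller without rights on the org, team or package, that response should be documented too. The `delete` on `/-/team/{orgName}/{teamName}/package` has no `tags` entry and no request body naming the package to remove, unlike the `put` beside it, and two descriptions carry typos ("as well a the", "pacakge").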
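--- a/api/registry.npmjs.com/org.yaml
+++ b/api/registry.npmjs.com/org.yaml
@@ -0,0 +1,111 @@
+components:
+responses:
+OrgMembers:
+description: "Org members with their access levels"
+content:
+application/json:
+schema:
+type: object
+additionalProperties:
+type: string
+example:
+"npm": "owner"
+"npm-cli-bot": "developer"
+OrgInvite:
+description: "Confirmation about the org membership or invite that was generated"
+headers:
+npm-notice:
+description: Additional info about the invite sent to the user
+schema:
+type: string
+content:
+application/json:
+schema:
+type: object
+properties:
+org:
+type: object
+properties:
+name:
+type: string
+description: The name of the org
+size:
+type: string
+description: current size of the org, including invites
+user:
+type: string
+description: The username that was invited or edited
+role:
+type: string
+description: The role that the user was given in the org
+paths:
+/-/org/{orgName}/user:
+parameters:
+- $ref: './api/shared-components.yaml#/components/parameters/OrgName'
+- $ref: "./api/shared-components.yaml#/components/parameters/RequiredBearerToken"
+get:
+tags:
+- Org
+summary: Get users in an org
+description: Get all of the users in an org, along with their access levels in that org
+operationId: getOrgMembership
+security:
+- npmSessionToken: []
+responses:
+"200":
+$ref: '#/components/responses/OrgMembers'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+put:
+tags:
+- Org
+summary: Set user membership in an org
+description: Set a user's membership in an org. If the user is not already a member, an invite will be sent.
+operationId: changeOrgMembership
+security:
+- npmSessionToken: []
+requestBody:
+required: true
+content:
+application;/json:
+schema:
+type: object
+properties:
+user:
+type: string
+description: Username to grant membership to org
+role:
+type: string
+enum:
+- developer
+- admin
+- owner
+description: Role to give user in org
+responses:
+"201":
+$ref: '#/components/responses/OrgInvite'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'
+delete:
+tags:
+- Org
+summary: Remove user membership in an org
+description: Remove a user's membership in an org
+operationId: deleteOrgMembership
+security:
+- npmSessionToken: []
+requestBody:
+required: true
+content:
+application;/json:
+schema:
+type: object
+properties:
+user:
+type: string
+description: Username to remove from the org
+responses:
+"204":
+$ref: './api/shared-components.yaml#/components/responses/EmptySuccess'
+"401":
+$ref: './api/shared-components.yaml#/components/responses/Unauthorized'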
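Review bot: Both request bodies in this file (`changeOrgMembership` and `deleteOrgMembership`) key their content on `application;/json`, which is not a valid media type, so validators and generated clients will not attach the schema to JSON requests; the key should read `application/json:` in both places. Neither schema has a `required` list, so a body without `user` (or, for the `put`, without `role`) is valid as written; if the registry rejects such requests, say so with `required: [user, role]` and `required: [user]`. `size` in `OrgInvite` is typed `string` although its description calls it the current size of the org, which presumably is an integer and is worth checking against a real response. Because this endpoint can assign roles up to `owner`, a documented `403` for callers who lack the right to manage membership would help consumers, assuming the registry returns one.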