
Publisher Setup

Sign attestations for your npm packages in 5 minutes.

1. Install npmvc

npm install -g @ajna-inc/npmvc

Pure TypeScript, zero native dependencies. Works everywhere Node 20+ runs.

2. Create your identity

npmvc init

Creates an Ed25519 key pair and a did:key identifier. Stored at ~/.npmvc/wallet/key.json.

3. Set up recovery (recommended)

npmvc init --force \
  --guardians "did:key:z6MkFriend1,did:key:z6MkFriend2,did:key:z6MkFriend3" \
  --threshold 2 \
  --backup-passphrase "strong-passphrase"

4. Add your DID to package.json

{ "name": "my-lib", "publisher": "did:key:z6Mk..." }

5. Register on npmvc.com

npmvc register --name my-company --registry https://npmvc.com

This registers your DID on the public registry and saves an auth token locally.

6. Add a prepack hook

Add --registry so attestations are automatically synced to npmvc.com on every publish:

npm pkg set scripts.prepack="npmvc attest --registry https://npmvc.com"

Include .npmvc in your files array so attestations ship with the tarball:

npm pkg set files='["dist", ".npmvc"]' --json

Works with npm, pnpm, and yarn. For pnpm monorepos, SBOM is generated automatically from the root lockfile.
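A pre-publish check for the package.json settings from steps 4 and 6, as an added example that is not part of npmvc or its documentation. The function names are hypothetical, the DID check assumes the did:key method's Ed25519 encoding (multibase `z`, base58btc, multicodec bytes 0xed 0x01, then the 32-byte public key), and the sample DID is constructed from dummy bytes.

```javascript
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// base58btc decode to bytes (each leading "1" is one leading zero byte).
function b58decode(s) {
  let n = 0n;
  for (const c of s) {
    const i = B58.indexOf(c);
    if (i < 0) throw new Error("invalid base58 character");
    n = n * 58n + BigInt(i);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  for (const c of s) { if (c !== "1") break; bytes.unshift(0); }
  return bytes;
}

// Encoder, used here only to build the constructed sample DID below.
function b58encode(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  let out = "";
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (const b of bytes) { if (b !== 0) break; out = "1" + out; }
  return out;
}

// True only for "did:key:z" + base58btc(0xed 0x01 || 32-byte Ed25519 public key).
function isEd25519DidKey(did) {
  if (typeof did !== "string" || !did.startsWith("did:key:z")) return false;
  try {
    const raw = b58decode(did.slice("did:key:z".length));
    return raw.length === 34 && raw[0] === 0xed && raw[1] === 0x01;
  } catch { return false; }
}

// Returns a list of problems; an empty list means the manifest matches the setup steps.
function checkPublisherSetup(pkg) {
  const problems = [];
  if (!isEd25519DidKey(pkg.publisher)) problems.push("publisher is not an Ed25519 did:key");
  if (!/\bnpmvc attest\b/.test(pkg.scripts?.prepack ?? "")) problems.push("scripts.prepack does not run npmvc attest");
  if (!Array.isArray(pkg.files) || !pkg.files.includes(".npmvc")) problems.push("files array omits .npmvc");
  return problems;
}

// Constructed sample: a DID built from a dummy 32-byte key, not a real identity.
const sampleDid = "did:key:z" + b58encode([0xed, 0x01, ...Array(32).fill(7)]);
const samplePkg = { name: "my-lib", publisher: sampleDid, files: ["dist", ".npmvc"],
  scripts: { prepack: "npmvc attest --registry https://npmvc.com" } };
console.log(checkPublisherSetup(samplePkg));
```

Run it against the parsed package.json in CI before `npm publish`; a truncated or placeholder DID such as `did:key:z6Mk...` is reported rather than shipped.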

7. Publish

npm publish --access public
# prepack hook runs: npmvc attest --registry https://npmvc.com
# → signs Provenance + Lifecycle + SBOM credentials
# → syncs to npmvc.com registry
# → .npmvc/attestations.jsonld included in the tarball

8. Back up your key

npmvc wallet export --passphrase "strong-pass" > key.enc

9. Transfer to a new maintainer

npmvc credential handover --package my-lib --to did:key:z6MkNewOwner...