diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml
index 615e3396..77e72e7a 100644
--- a/.github/workflows/dev-release.yml
+++ b/.github/workflows/dev-release.yml
@@ -58,9 +58,11 @@ jobs:
   publish-server:
     needs: build-and-upload
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     env:
       NODE_VERSION: 20
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       VERSION: ${{ needs.prepare-dev.outputs.version }}
     steps:
       - name: Checkout
@@ -85,4 +87,4 @@ jobs:
         run: npm run build --workspace @neuralnomads/codenomad
 
       - name: Publish server package to dev tag
-        run: npm publish --workspace @neuralnomads/codenomad --access public --tag dev
+        run: npm publish --workspace @neuralnomads/codenomad --access public --tag dev --provenance
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 68d3c573..c4ea0386 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -75,9 +75,11 @@ jobs:
   publish-server:
     needs: build-and-upload
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     env:
       NODE_VERSION: 20
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -98,4 +100,4 @@ jobs:
         run: npm run build --workspace @neuralnomads/codenomad
 
       - name: Publish server package
-        run: npm publish --workspace @neuralnomads/codenomad --access public --tag latest
+        run: npm publish --workspace @neuralnomads/codenomad --access public --tag latest --provenance