diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81a1196e..95fdf9d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,7 @@ on:
 permissions:
 contents: write
+ id-token: write
 concurrency:
 group: ktx-release-${{ github.ref }}
@@ -124,4 +125,3 @@ jobs:
 KTX_RELEASE_KIND: ${{ inputs.release_kind }}
 KTX_PRERELEASE_BRANCH: next
 FORCE_RELEASE: ${{ inputs.force_release }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/scripts/release-workflow.test.mjs b/scripts/release-workflow.test.mjs
index d2936207..60a82011 100644
--- a/scripts/release-workflow.test.mjs
+++ b/scripts/release-workflow.test.mjs
@@ -14,6 +14,7 @@ describe('release workflow', () => {
 assert.match(workflow, /publish_live:/);
 assert.match(workflow, /default: false/);
 assert.match(workflow, /^ contents: write$/m);
+ assert.match(workflow, /^ id-token: write$/m);
 assert.match(workflow, /fetch-depth: 0/);
 assert.match(workflow, /registry-url: "https:\/\/registry\.npmjs\.org"/);
 assert.match(workflow, /Prepare next prerelease branch/);
@@ -24,7 +25,7 @@ describe('release workflow', () => {
 assert.match(workflow, /KTX_RELEASE_KIND: \$\{\{ inputs.release_kind \}\}/);
 assert.match(workflow, /KTX_PRERELEASE_BRANCH: next/);
 assert.match(workflow, /FORCE_RELEASE: \$\{\{ inputs.force_release \}\}/);
- assert.match(workflow, /NODE_AUTH_TOKEN: \$\{\{ secrets.NPM_TOKEN \}\}/);
+ assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/);
 assert.doesNotMatch(workflow, /^ push:/m);
 assert.doesNotMatch(workflow, /^ pull_request:/m);
 });
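Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job and step in this workflow can request an OIDC token, not only the step that publishes. The `jobs:` section lies outside this hunk; if it holds more than one job, the grant is better placed under the publishing job's own `permissions:` as `id-token: write`, with the top level left at `contents: write`. The later hunk drops `NODE_AUTH_TOKEN`, presumably in favour of OIDC-based publishing. In that case the stored `NPM_TOKEN` should also be revoked at the registry and deleted from the repository secrets, otherwise the long-lived credential stays valid alongside the new path.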
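Review bot: The new negative check `assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/);` in the last hunk guards only one environment variable name, so the stored secret could be wired back in under a different key and this test would still pass. Adding `assert.doesNotMatch(workflow, /secrets\.NPM_TOKEN/);` beside it would pin the actual intent, that the workflow no longer reads the long-lived npm token. The enclosing test callback starts outside this hunk.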