diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c0d1b15..99c1d49 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,7 +7,10 @@ name: Publish to npm
 # version bump is committed back to master. You do not edit package.json
 # by hand for a release - just publish a GitHub Release with the right tag.
 #
-# Requires an npm access token stored as the repository secret NPM_TOKEN.
+# Authentication uses npm Trusted Publishing (OIDC) - no token or secret is
+# needed. Configure a trusted publisher for this package on npmjs.com:
+# Repository: Skylar-Tech/node-red-contrib-matrix-chat
+# Workflow: publish.yml
 on:
 release:
@@ -18,7 +21,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write # commit the version bump back to master
- id-token: write # npm provenance attestation
+ id-token: write # npm Trusted Publishing (OIDC) + provenance
 steps:
 - name: Checkout master
 uses: actions/checkout@v4
@@ -31,13 +34,15 @@ jobs:
 node-version: 22
 registry-url: https://registry.npmjs.org
+ - name: Update npm
+ # Trusted Publishing requires npm 11.5.1 or newer; Node 22 ships npm 10.
+ run: npm install -g npm@latest
+
 - name: Set version from release tag
 run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version --allow-same-version
 - name: Publish to npm
 run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Commit version bump back to master
 run: |
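Review bot: The rewritten header comment in the first hunk says no token or secret is needed, but it does not tell maintainers to retire the old credential. Whether the NPM_TOKEN repository secret and the npm token behind it were already removed is not visible in this diff. A long-lived publish token that stays valid after the move to OIDC keeps the old publish path usable. I would add a line after `# Workflow: publish.yml`, for example `# After migrating, delete the NPM_TOKEN repository secret and revoke that token on npmjs.com.`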
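Review bot: The added `Update npm` step in the third hunk installs `npm@latest`, so every release runs whichever npm version is newest at that moment. It does so inside a job that the second hunk shows holding `id-token: write` and `contents: write`. Pin the version the step's own comment names as the minimum, `run: npm install -g npm@11.5.1`, and raise it deliberately, so a broken or tampered npm release cannot reach the publishing job unreviewed. The `Commit version bump back to master` step continues past the end of the hunk.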