diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index c4fd6b7..5973100 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -18,6 +18,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 jobs:
 publish-npm:
@@ -36,7 +37,7 @@ jobs:
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
- node-version: '22'
+ node-version: '20'
 registry-url: 'https://registry.npmjs.org'
 - name: Install dependencies
@@ -45,12 +46,42 @@ jobs:
 - name: Build TypeScript package
 run: npm run build
+ - name: Preflight OIDC availability
+ run: |
+ if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
+ echo "OIDC token request URL is missing (check id-token: write permissions)."
+ exit 1
+ fi
+ echo "OIDC environment is available."
+
+ - name: OIDC token check
+ run: |
+ if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+ echo "OIDC request token is missing (check id-token: write permissions)."
+ exit 1
+ fi
+ curl -fsS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" > /tmp/oidc.json
+ echo "OIDC token fetch OK"
+
 - name: Publish to npm
 id: npm_publish
 working-directory: packages/flarelette-jwt-ts
- env:
- NODE_AUTH_TOKEN: ''
- run: npm publish --provenance --access public
+ run: |
+ unset NODE_AUTH_TOKEN
+ if [ -n "${NPM_CONFIG_USERCONFIG:-}" ] && [ -f "${NPM_CONFIG_USERCONFIG}" ]; then
+ rm -f "${NPM_CONFIG_USERCONFIG}"
+ fi
+ npm publish --provenance --access public --registry=https://registry.npmjs.org
+
+ - name: Upload npm debug logs (on failure)
+ if: failure() && steps.npm_publish.outcome == 'failure'
+ uses: actions/upload-artifact@v4
+ with:
+ name: npm-debug-logs
+ path: /home/runner/.npm/_logs/*
+ if-no-files-found: warn
+ retention-days: 14
 - name: Upload npm debug logs (on failure)
 if: failure() && steps.npm_publish.outcome == 'failure'
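Review bot: `id-token: write` is added to the workflow-level `permissions` block in the first hunk, so every job in this workflow can request an OIDC token, not only the one that publishes. Only `publish-npm` is visible here, but a job added later would inherit the grant silently. Scope it to the job instead: leave `contents: read` at the top level and give `jobs.publish-npm` its own `permissions:` with `contents: read` and `id-token: write` (a job-level block replaces the workflow-level one, so both entries are needed). A comment such as `# id-token: write is needed for npm provenance / OIDC publish` next to it would record why the permission exists.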
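Review bot: The `OIDC token check` step in the third hunk redirects the curl response to `/tmp/oidc.json` and nothing deletes it, so an ID token minted for the npm registry audience stays on disk where every later step in the job can read it, including any lifecycle scripts that `npm publish` runs. The step only needs to know that the request succeeded, so discard the body by ending the curl command with `> /dev/null`, or remove the step once the workflow is known to work. Separately, the added `Upload npm debug logs (on failure)` step is followed in the trailing context by a step with the same name and `if:` condition. That existing step's `with:` block is outside the hunk, but if it also uploads `npm-debug-logs`, the second upload is likely to fail on an artifact-name conflict under `actions/upload-artifact@v4`, so one of the two should be dropped.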
diff --git a/packages/flarelette-jwt-ts/package.json b/packages/flarelette-jwt-ts/package.json
index c22b457..651d14b 100644
--- a/packages/flarelette-jwt-ts/package.json
+++ b/packages/flarelette-jwt-ts/package.json
@@ -44,6 +44,9 @@
 "README.md",
 "LICENSE"
 ],
+ "publishConfig": {
+ "access": "public"
+ },
 "bin": {
 "flarelette-jwt-secret": "dist/cli.js",
 "flarelette-jwt-keygen": "dist/keygen.js"