That's new, then. When we were looking at it, you had to supply the npm auth token to the yaml config: it was just plaintext checking against its list of available logins.

We wanted something available "now," not "in a bit, after we write an auth plugin for it."