diff --git a/.github/workflows/sdk-publish.yaml b/.github/workflows/sdk-publish.yaml
index 2f0240992..1d314b03f 100644
--- a/.github/workflows/sdk-publish.yaml
+++ b/.github/workflows/sdk-publish.yaml
@@ -7,6 +7,9 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     if: ${{ github.repository == 'jellyfin/jellyfin-sdk-typescript' }}
     steps:
       - name: Check out Git repository
@@ -24,6 +27,6 @@ jobs:
         run: npm ci --no-audit
 
       - name: Publish the SDK to npm
-        run: npm publish
+        run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/sdk-unstable-publish.yaml b/.github/workflows/sdk-unstable-publish.yaml
index 563bee4d1..9445bc18f 100644
--- a/.github/workflows/sdk-unstable-publish.yaml
+++ b/.github/workflows/sdk-unstable-publish.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     if: ${{ github.repository == 'jellyfin/jellyfin-sdk-typescript' }}
     steps:
       - name: Check out Git repository
@@ -34,6 +37,6 @@ jobs:
         run: npm ci --no-audit
 
       - name: Publish the SDK to npm
-        run: npm publish --tag unstable
+        run: npm publish --tag unstable --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}