diff --git a/.github/workflows/release-sdk.yml b/.github/workflows/release-sdk.yml
index 97f7c2e..e2c7a44 100644
--- a/.github/workflows/release-sdk.yml
+++ b/.github/workflows/release-sdk.yml
@@ -9,8 +9,11 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: jdx/mise-action@v4
       - uses: Swatinem/rust-cache@v2
       - name: Set version
@@ -20,8 +23,9 @@ jobs:
           npm version "$VERSION" --no-git-tag-version
       - name: Build
         run: mise run build:ts
+      - name: upgrade npm
+        # OIDC trusted publishing requires npm >= 11.5.1; node LTS ships npm 10.
+        run: npm install -g npm@latest
       - name: Publish
         run: npm publish --access public
         working-directory: sdk/ts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/sdk/ts/package-lock.json b/sdk/ts/package-lock.json
index 386d2cb..2ce621c 100644
--- a/sdk/ts/package-lock.json
+++ b/sdk/ts/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@beyond.dev/objects",
-  "version": "0.1.0-dev",
+  "version": "0.1.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@beyond.dev/objects",
-      "version": "0.1.0-dev",
+      "version": "0.1.0",
       "dependencies": {
         "openapi-fetch": "^0.17.0",
         "std-env": "^3.9.0"
diff --git a/sdk/ts/package.json b/sdk/ts/package.json
index 63b059e..6257ffc 100644
--- a/sdk/ts/package.json
+++ b/sdk/ts/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@beyond.dev/objects",
-  "version": "0.1.0-dev",
+  "version": "0.1.0",
   "description": "S3-compatible object storage SDK for the Beyond platform.",
   "type": "module",
   "repository": {