Using GitLab package registry to distribute commercial software as an NPM package to customers

Hi community

I’m building a commercial JavaScript library that I intend to distribute to customers as an NPM package.
Currently I have my pipeline set up to build and deploy to GitLab's NPM package registry as described in the guide (npm packages in the Package Registry | GitLab), which works great so far.

As I'm onboarding my first customers I'm a bit uncertain about whether to allow these customers read-only access to the private package registry via an auth token (npm packages in the Package Registry | GitLab) that the customer has to add to the .npmrc file, or if I should publish to as this is what every dev is familiar with.

Publishing it only to the GitLab package registry has a certain appeal to me as it avoids duplication, and has a more "private" feel to it, which for the moment is preferable for my product. On the other hand, I'm not 100% sure if this will scale well (i.e. is it possible to easily/programmatically generate a new r/o auth token for every customer), and I'm afraid that I'd accidentally open up private infrastructure to the outside world.

Does anyone have advice on how to best proceed?
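The two mechanics the question turns on, the customer-side `.npmrc` entries and a per-customer read-only token minted over the API, as an added example that is not part of the original post. It assumes a placeholder host `gitlab.example.com`, project id `1234`, scope `@acme` and the GitLab project deploy-token endpoint `POST /projects/:id/deploy_tokens` with the `read_package_registry` scope; a deploy token with only that scope can read packages of that one project and nothing else, and the `_authToken` line is keyed to the registry path so npm sends it only to that URL. The network call runs only when `GITLAB_ADMIN_TOKEN` is set; otherwise the function prints the request it would make.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. All hosts, ids, scopes and
# token values are placeholders; replace them with your own project's values.

# Emit the two .npmrc lines a customer needs. The scope maps to the project
# registry URL, and the auth token is bound to that same URL path, so npm
# never sends it to another registry.
customer_npmrc() {
  host="$1"; project_id="$2"; scope="$3"; token="$4"
  path="/api/v4/projects/${project_id}/packages/npm/"
  printf '%s:registry=https://%s%s\n' "$scope" "$host" "$path"
  printf '//%s%s:_authToken=%s\n' "$host" "$path" "$token"
}

# JSON body for POST /projects/:id/deploy_tokens. One token per customer,
# read_package_registry only (no repository or write access), with an
# expiry date so a forgotten token stops working on its own.
deploy_token_body() {
  name="$1"; expires="$2"
  printf '{"name":"%s","username":"%s","scopes":["read_package_registry"],"expires_at":"%s"}' \
    "$name" "$name" "$expires"
}

# Mint the customer's token. With GITLAB_ADMIN_TOKEN set this calls the API
# and prints the JSON response (the token value is returned only once);
# without it, it prints the request as a dry run.
create_customer_token() {
  host="$1"; project_id="$2"; customer="$3"; expires="$4"
  body=$(deploy_token_body "$customer" "$expires")
  url="https://${host}/api/v4/projects/${project_id}/deploy_tokens"
  if [ -n "${GITLAB_ADMIN_TOKEN:-}" ]; then
    curl -sS --fail -X POST \
      -H "PRIVATE-TOKEN: ${GITLAB_ADMIN_TOKEN}" \
      -H "Content-Type: application/json" \
      --data "$body" \
      "$url"
  else
    echo "dry run: POST $url $body"
  fi
}

# Usage (placeholders): mint a token for a customer, then hand them the
# .npmrc lines built from the returned token value.
create_customer_token gitlab.example.com 1234 acme-corp 2025-12-31
customer_npmrc gitlab.example.com 1234 @acme glpat-placeholder
```

Each customer gets their own deploy token, so revoking one customer (delete that token in the project's deploy-token settings or via the API) does not disturb the others, and the audit trail shows which token pulled what.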