diff --git a/.npmignore b/.npmignore
index 0f36221d..00ca9df7 100644
--- a/.npmignore
+++ b/.npmignore
@@ -3,6 +3,7 @@ docs/
 *.md
 !README.md
 CODEOWNERS
+!LICENSE
 
 # Test and mock files
 __tests__/
@@ -19,12 +20,34 @@ backups/
 *.swp
 *.tgz
 
+# editor / OS files
+.vscode/
+.idea/
+.DS_Store
+Thumbs.db
+
 # Local configuration files
 .env
 .env.*
+!.env.example
 config.local.js
 *.local.js
 
+# logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# local scripts / temp files
+tmp/
+temp/
+
 # Tooling and CI
+.git/
 .github/
-.claude/
\ No newline at end of file
+.claude/
+
+# dependency folders
+node_modules/
+
diff --git a/README.md b/README.md
index 04a7b8fe..2973a43f 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,15 @@ documentation, but broadly, you will find:
 
 ## 🌟👍 Contributors 👍🌟
 Trying to contribute or perform a fix in the public RERUM API?  If not, are you _sure_ you don't want to?  Read the [Contributors Guide](CONTRIBUTING.md) for inspiration!  If you are trying to set up your own RERUM then keep reading to learn more.
+
+## Install via npm
+
+If published as a package, install using:
+
+```shell
+npm install rerum_server_nodejs
+```
+This allows the use of the exported API programmatically without cloning the repository.
   
 ### Installation
 
@@ -99,6 +108,9 @@ DOWN = false
 READONLY = false
 ```
 
+**Important:** Do not commit `.env` files or include secrets in version control.
+These files are excluded from the published npm package to prevent leaking sensitive credentials.
+
 #### Set Up Auth0 Authorization
 Please contact the [Research Computing Group at Saint Louis University](https://github.com/CenterForDigitalHumanities) via an E-mail to research.computing@slu.edu for more information and assistance with this step of the installation process.
 
@@ -126,6 +138,24 @@ npm start
 ```
 To stop the application, kill or exit the process via your shell (<kbd>CTRL + C</kbd> or <kbd>CTRL + X</kbd>).
 
+## Packaging and Publishing
+
+Before publishing this package to npm, verify that only the intended files are included and that no sensitive data (such as `.env`) is exposed.
+
+### Check package contents
+
+```shell
+npm run pack:check
+```
+
+### Simulate publishing
+
+```shell
+npm run publish:dry-run
+```
+This ensures the package can be published successfully without actually uploading it.
+
+
 ## Who is to blame?
 The developers in the Research Computing Group at Saint Louis University authored and maintain this service.
 Neither specific warranty or rights are associated with RERUM; registering and contributing implies only those rights 
diff --git a/package.json b/package.json
index 33d5d063..4a31eedf 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,6 @@
   "name": "rerum_server_nodejs",
   "type": "module",
   "version": "0.0.0",
-  "main": "./app.js",
   "description": "Rerum API server for database access.",
   "keywords": [
     "rerum",
@@ -30,10 +29,25 @@
     "npm": ">=11.7.0"
   },
   "main": "index.js",
+    "files": [
+    "app.js",
+    "index.js",
+    "bin/",
+    "auth/",
+    "config/",
+    "controllers/",
+    "database/",
+    "public/",
+    "routes/",
+    "README.md"
+  ],
   "scripts": {
     "start": "node ./bin/rerum_v1.js",
     "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
-    "runtest": "npm test"
+    "runtest": "npm test",
+    "pack:check": "npm pack --dry-run",
+    "publish:dry-run": "npm publish --dry-run",
+    "prepublishOnly": "npm test && npm pack --dry-run"
   },
   "dependencies": {
     "cookie-parser": "~1.4.7",