PyPI security work: multifactor auth progress & help needed

You can now use API tokens to upload packages to PyPI and Test PyPI! Note that this is a beta feature. More details are on the wiki and in PyPI’s help section.

This is a first step toward requiring that users with two-factor authentication enabled use API tokens to upload, rather than just their password without a second factor.

Once the beta period for API tokens is complete, we will notify users with two-factor authentication enabled that uploads for their projects will require API tokens. After a suitable waiting period we will begin to enforce this restriction and include a notice in the error message returned to clients.

Please do test this while it’s in beta. Lead developer William Woodruff says, “Our current auth-policy is drop-in compatible with Twine and distutils. When using a token, your ‘username’ will be @token and your ‘password’ will be the token itself.” So, if your token is pypi:Ab9GpH-H5y, your command will be:

twine upload --repository-url https://test.pypi.org/legacy/  -u @token -p pypi:Ab9GpH-H5y dist/*

(Actual tokens are 160+ characters long.) Passing the token with -p on the command line leaves it in your shell history and process listing; Twine also reads the TWINE_USERNAME and TWINE_PASSWORD environment variables, which is a better fit for CI.

API tokens also support scoping! By default, newly created tokens have “user” scope, meaning that they behave exactly like your password (they can upload to any project you can upload to). To ensure that a newly created token carries only the minimum permissions it needs, select the project you’d like to use it with on the creation page. Once created, the permissions associated with a token cannot be changed; the token can only be revoked.

We’d particularly like testing from:

  • Orgs that automate uploads using continuous integration
  • People who save PyPI credentials in a .pypirc file
  • Windows users
  • People on mobile devices
  • People on very slow connections
  • Organizations where users share an auth token within a group
  • Projects with 4+ maintainers or owners
  • People who use an unusual TOTP app or U2F token
  • People who usually block cookies and JavaScript (note that you can’t set up a U2F key without JavaScript)
  • People who maintain 20+ projects
  • People who created their PyPI account 6+ years ago
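As an added example of the token usage described above (this is not code from PyPI or Twine), the following Python script writes a .pypirc entry for Test PyPI that authenticates with an API token, which is what the .pypirc and CI testers asked for above would set up. The token value, the repository section name and the file path are constructed for illustration; a real token is 160+ characters long. Because .pypirc stores the token in plaintext, the script creates the file with owner-only permissions and tightens the mode of an existing file.

```python
"""Write a token-authenticated .pypirc entry for Test PyPI.

Added example for the API-token usage described in the post; not code
from PyPI or Twine. The token, section name and paths are constructed.
"""
import configparser
import os
import stat
from pathlib import Path

TOKEN_USERNAME = "@token"           # username that tells PyPI the password field holds a token
SAMPLE_TOKEN = "pypi:Ab9GpH-H5y"    # constructed sample; real tokens are 160+ characters long
TEST_PYPI_URL = "https://test.pypi.org/legacy/"


def _parser() -> configparser.ConfigParser:
    # Tokens are opaque strings; disable interpolation so a '%' in one cannot break parsing.
    return configparser.ConfigParser(interpolation=None)


def write_pypirc(path, token: str, repo_name: str = "testpypi",
                 repo_url: str = TEST_PYPI_URL) -> Path:
    """Create or update a .pypirc so `twine upload -r <repo_name>` uses the token.

    Existing sections are preserved; the file ends up mode 0600 because
    anyone who can read it can upload as you.
    """
    path = Path(path)
    if not token:
        raise ValueError("an API token is required")

    config = _parser()
    if path.exists():
        config.read(path)

    # [distutils] index-servers lists the repository sections Twine may select.
    if not config.has_section("distutils"):
        config.add_section("distutils")
    servers = config.get("distutils", "index-servers", fallback="").split()
    if repo_name not in servers:
        servers.append(repo_name)
    config.set("distutils", "index-servers", "\n".join(servers))

    # The repository section carries the URL plus the @token / token pair.
    if not config.has_section(repo_name):
        config.add_section(repo_name)
    config.set(repo_name, "repository", repo_url)
    config.set(repo_name, "username", TOKEN_USERNAME)
    config.set(repo_name, "password", token)

    # Create with owner-only permissions before any secret bytes hit disk.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)  # also tighten a pre-existing, looser file
    return path


def list_index_servers(path) -> list:
    """Return the repository names registered under [distutils] index-servers."""
    config = _parser()
    config.read(Path(path))
    return config.get("distutils", "index-servers", fallback="").split()


def read_repo_credentials(path, repo_name: str = "testpypi") -> dict:
    """Return what Twine would pick up for `--repository <repo_name>`, plus the file mode."""
    path = Path(path)
    config = _parser()
    config.read(path)
    section = config[repo_name]
    return {
        "repository": section["repository"],
        "username": section["username"],
        "password": section["password"],
        "mode": stat.S_IMODE(path.stat().st_mode),
    }


if __name__ == "__main__":
    import tempfile
    # Demo location so running this never touches your real ~/.pypirc.
    demo_path = Path(tempfile.mkdtemp()) / ".pypirc"
    write_pypirc(demo_path, SAMPLE_TOKEN)
    print(read_repo_credentials(demo_path))
```

With the entry written to ~/.pypirc, `twine upload --repository testpypi dist/*` uses the token without it appearing on the command line. If you later create a second, project-scoped token, give it its own repository section rather than reusing the user-scoped one.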