
Does PyPI no longer allow uploads with username and password?


I've just republished one of my packages, but to do so, I had to give the username as __token__ and use an API Token I generated from the website as my password. Is there another way to authenticate when I publish? The error reads

100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 19.1/19.1 kB • 00:00 • 9.0 MB/s
WARNING  Error during upload. Retry with the --verbose option for more details.
ERROR    HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
         Invalid or non-existent authentication information. See https://pypi.org/help/#invalid-auth for more information.

And if I go to that help page, there is no mention of usernames or passwords, only authentication tokens.


When I logged in to my account I was made to set up 2FA and download recovery codes. That clued me in that PyPI may have decided to go all out on security. I mean, fair enough: If someone compromised a popular package and then millions of us downloaded malicious code...yeesh. All the same, I found it slightly annoying to figure out, because twine still takes a username and password.


Solution

  • Yes, you should generate an API token and set the username to __token__ in your configuration files. It has been that way for some time now.

    Announced here on PyPI.org, here on python.org.

    There is the issue "Use API tokens by default for PyPI" (#561) on twine for tracking a better UX there. twine still takes a username and password, and basic auth cannot be removed altogether because of non-PyPI destinations.
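As an added example (not part of the question or the answer above), a small audit of a `.pypirc` file against what the answer describes: every repository listed under `index-servers` should use `__token__` as its username and an API token, not an account password, as its secret. It assumes PyPI-issued tokens carry the `pypi-` prefix (which is how PyPI hands them out) and uses a constructed sample file with one correct and one outdated entry.

```python
import configparser

# Constructed sample .pypirc: the [pypi] entry follows the token scheme,
# the [testpypi] entry still uses an old-style username/password pair.
# The token value is a placeholder, not a real credential.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username = __token__
password = pypi-EXAMPLE_PLACEHOLDER_TOKEN

[testpypi]
repository = https://test.pypi.org/legacy/
username = alice
password = hunter2
"""


def audit_pypirc(text: str) -> dict[str, list[str]]:
    """Map each configured repository to a list of findings (empty list = OK).

    Note that .pypirc stores the token in plaintext, so the file itself
    should be readable only by its owner (chmod 600 on POSIX systems).
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: dict[str, list[str]] = {}
    for name in cfg.get("distutils", "index-servers", fallback="").split():
        problems: list[str] = []
        if not cfg.has_section(name):
            findings[name] = ["listed in index-servers but no section found"]
            continue
        user = cfg.get(name, "username", fallback="")
        secret = cfg.get(name, "password", fallback="")
        if user != "__token__":
            problems.append(f"username is {user!r}; PyPI requires __token__")
        # Assumption: API tokens from PyPI/TestPyPI start with "pypi-".
        if secret and not secret.startswith("pypi-"):
            problems.append("password does not look like an API token (expected 'pypi-' prefix)")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_pypirc(SAMPLE_PYPIRC).items():
        print(repo, "OK" if not problems else problems)
```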