I've just republished one of my packages, but to do so, I had to give the username as __token__ and use an API Token I generated from the website as my password. Is there another way to authenticate when I publish? The error reads
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 19.1/19.1 kB • 00:00 • 9.0 MB/s
WARNING Error during upload. Retry with the --verbose option for more details.
ERROR HTTPError: 403 Forbidden from https://upload.pypi.org/legacy/
Invalid or non-existent authentication information. See https://pypi.org/help/#invalid-auth for more information.
And if I go to that help page, there is no mention of usernames or passwords, only authentication tokens.
When I logged in to my account I was made to set up 2FA and download recovery codes. That clued me in that PyPI may have decided to go all out on security. I mean, fair enough: if someone compromised a popular package and then millions of us downloaded malicious code... yeesh. All the same, I found it slightly annoying to figure out, because twine still takes a username and password.
Yes, you should generate an API token and set the username to __token__ in your configuration files. It has been that way for some time now.
Announced here on PyPI.org, here on python.org.
There is a "Use API tokens by default for PyPI #561" issue on twine for tracking a better UX there. twine still takes a username and password, and basic auth cannot be removed altogether because of non-PyPI destinations.
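As an added example (not from the thread and not twine's own code): a small Python check that reads a .pypirc and flags sections uploading to PyPI that still carry a username/password pair instead of __token__ plus an API token, while leaving non-PyPI repositories alone, since, as the answer notes, those may still use basic auth. The sample .pypirc, its hostnames and its token value are constructed placeholders.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample ~/.pypirc for the demonstration; the token value is a placeholder.
SAMPLE_PYPIRC = """
[distutils]
index-servers =
    pypi
    testpypi
    internal

[pypi]
username = __token__
password = pypi-PLACEHOLDER-NOT-A-REAL-TOKEN

[testpypi]
repository = https://test.pypi.org/legacy/
username = alice
password = hunter2

[internal]
repository = https://pkgs.example.internal/simple/
username = alice
password = hunter2
"""

def uploads_to_pypi(parser, section):
    """True if the section targets a PyPI-operated host (twine defaults to upload.pypi.org)."""
    repo = parser.get(section, "repository", fallback="https://upload.pypi.org/legacy/")
    host = urlparse(repo).hostname or ""
    return host == "pypi.org" or host.endswith(".pypi.org")

def check_pypirc(text):
    """Return findings for sections that upload to PyPI: PyPI accepts API tokens only,
    so username must be __token__ and the password a token (prefix 'pypi-').
    Sections pointing at other indexes may still use basic auth and are left alone."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if section == "distutils" or not uploads_to_pypi(parser, section):
            continue
        user = parser.get(section, "username", fallback="")
        pw = parser.get(section, "password", fallback="")
        if user != "__token__":
            findings.append(f"[{section}] username is {user!r}; PyPI requires __token__")
        if pw and not pw.startswith("pypi-"):
            findings.append(f"[{section}] password is not a PyPI API token (expected 'pypi-' prefix)")
    return findings
```

Running check_pypirc(SAMPLE_PYPIRC) reports two findings for [testpypi] and nothing for [pypi] or the private [internal] index.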