[PYTHON] Don't use your username and password to register with PyPI. Use API tokens

Introduction

When I was reading articles about registering a package on PyPI, I saw many examples that pass a username and password.

**Stop doing that; it is the old way.**

PyPI has also been focusing on security and now has an API token mechanism.

PyPI now supports uploading via API token

It is generally accepted that API tokens are safer than a username/password for this kind of API authentication. In PyPI's case the reasons are concrete: a token can be scoped to a single project, it can be revoked individually without changing the account password, and it can only be used for uploads, not to log in to the website, so a leaked token does far less damage than a leaked password.

This article will show you how to use an API token instead of a username/password when registering with PyPI.

Create an API token on PyPI

First, create an API token with PyPI.

  1. Log in to PyPI
  2. On the Add API token page, fill in the Token name and Scope and then press the Add token button. Choose the narrowest scope that works: a token scoped to one project can upload only that project. (A project-scoped token can be created only once the project already exists on PyPI, so the very first upload of a new project needs an account-wide token; replace it with a project-scoped one and revoke the account-wide one afterwards.)
  3. The resulting long alphanumeric string starting with pypi- is the API token (the pypi- prefix is part of the token). PyPI shows it only once, so copy it somewhere safe (for example a password manager) right away; if you lose it, revoke it and create a new one.

Register with PyPI using API token

Next, register the package with PyPI using the API token.

The PyPI upload endpoint still presents only a username/password style interface, but if you put the fixed string __token__ in the username field, the server treats the value in the password field as an API token.

Recently it has become more common to publish to PyPI through a package manager such as Poetry or Pyflow than with twine itself. Here I describe the Poetry and twine methods I have used, but the rule is the same for twine, Poetry and Pyflow: specify __token__ as the username and the API token as the password.

Only the method of passing the API token on the command line is introduced here. Each tool can also read it from a configuration file, but I will not cover that, because such a file can easily end up (accidentally) under version control such as git and expose the API token to the outside; if you want the configuration-file route, please look it up yourself. One caveat on the command-line route: an argument is recorded in your shell history and is visible to other local users in the process list (ps) while the upload runs. On shared machines or in CI, prefer the tools' own environment variables, which keep the secret off the command line: twine reads TWINE_USERNAME and TWINE_PASSWORD, and Poetry reads POETRY_PYPI_TOKEN_PYPI.

Register with PyPI on Poetry using API token

poetry publish --build -u "__token__" -p "<API token>"

Register with PyPI on Twine using API token

twine upload -u "__token__" -p "<API token>" dist/*
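The following script is an added example, not code from the original article or from the twine/Poetry projects. It shows the same __token__ convention, but hands the token to the tools through their environment variables (TWINE_USERNAME/TWINE_PASSWORD and POETRY_PYPI_TOKEN_PYPI) instead of command-line arguments, so the secret never appears in the shell history or in ps output. It assumes the token has been exported as PYPI_TOKEN (a variable name chosen for this example) and that the built artifacts are in ./dist; both assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example (not from the original article): publish to PyPI with an API
# token without putting the token on the command line.
#
# Assumptions made by this example: the token is supplied in the environment
# variable PYPI_TOKEN (name chosen here, not a twine or Poetry convention) and
# the built sdist/wheel files are in ./dist.
set -eu

# PyPI API tokens always start with "pypi-". Refusing anything else catches the
# common mistake of exporting the account password by accident.
validate_pypi_token() {
    case "$1" in
        pypi-*) return 0 ;;
        *)      return 1 ;;
    esac
}

# For log output: keep only the prefix and the last four characters so a
# token is identifiable in a CI log without being reusable.
redact_token() {
    local tok prefix suffix
    tok="$1"
    prefix="${tok%"${tok#?????}"}"   # first 5 characters ("pypi-")
    suffix="${tok#"${tok%????}"}"    # last 4 characters
    printf '%s...%s\n' "$prefix" "$suffix"
}

# twine: TWINE_USERNAME / TWINE_PASSWORD are twine's own environment
# variables. The credentials live only in the environment of the twine
# process, so they are not visible in `ps` or the shell history.
upload_with_twine() {
    local token="$1"
    if ! validate_pypi_token "$token"; then
        echo "refusing to upload: value does not look like a PyPI API token" >&2
        return 1
    fi
    echo "uploading dist/* with token $(redact_token "$token")" >&2
    TWINE_USERNAME="__token__" TWINE_PASSWORD="$token" twine upload dist/*
}

# Poetry: POETRY_PYPI_TOKEN_PYPI is the environment form of
# `poetry config pypi-token.pypi`; Poetry sends __token__ as the username
# itself, so no -u/-p arguments are needed.
publish_with_poetry() {
    local token="$1"
    if ! validate_pypi_token "$token"; then
        echo "refusing to publish: value does not look like a PyPI API token" >&2
        return 1
    fi
    echo "publishing with token $(redact_token "$token")" >&2
    POETRY_PYPI_TOKEN_PYPI="$token" poetry publish --build
}

# Only perform an upload when a token was actually exported, e.g.
#   PYPI_TOKEN=pypi-... sh publish.sh
if [ -n "${PYPI_TOKEN:-}" ]; then
    upload_with_twine "$PYPI_TOKEN"
fi
```

Exporting PYPI_TOKEN in the same interactive line as the script (as in the comment) still lands in shell history; in practice read it from a CI secret store or a password manager's CLI so it is never typed.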

Conclusion

That's all.
