pypa / twine

Utilities for interacting with PyPI
https://twine.readthedocs.io/
Apache License 2.0
1.61k stars, 308 forks

Use API tokens by default for PyPI #561

Open bhrutledge opened 4 years ago

bhrutledge commented 4 years ago

This idea occurred to me after responding to https://github.com/pypa/packaging-problems/issues/313, and the reporter subsequently suggested something similar.

In my head, this would look something like:

$ twine upload dist/* 
Uploading distributions to https://upload.pypi.org/legacy/
Enter your API token: 

On the implementation side of things, I wonder if it'd be sufficient to default username to __token__ for PyPI and TestPyPI. But, maybe it would be clearer to add an explicit token option.

Very open to opinions on this.

sigmavirus24 commented 4 years ago

I don't think we can reliably always ask for an API token because I strongly suspect some folks haven't gone through the trouble of generating/finding it. Our prompts would need to be far more convoluted by asking first if the user wants to use an API token or user/password auth.

I think this also speaks to the open issues about twine configure and twine accounts.

bhrutledge commented 4 years ago

I think this also speaks to the open issues about twine configure and twine accounts.

For other folks' reference, that's https://github.com/pypa/twine/issues/216 and https://github.com/pypa/twine/issues/324.

It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

https://packaging.python.org/tutorials/packaging-projects/#uploading-the-distribution-archives https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account

I wonder how convoluted it would be in practice, since I think this would only apply if credentials aren't provided via the command line, environment variables, or .pypirc.

What about something like:

$ twine upload dist/* 
The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Do you have an API token? [Y/n]
Enter your API token: 

Or:

The PyPA recommends authenticating with API tokens: https://pypi.org/help/#apitoken
Enter your API token: 

sebix commented 4 years ago

It seems like the PyPA guides are guiding newcomers to use API tokens from the start:

They'll go further:

In the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password, without a second factor). We do not yet know when we will make this policy change. When we do, we'll announce it.

See https://pyfound.blogspot.com/2020/01/start-using-2fa-and-api-tokens-on-pypi.html

bhrutledge commented 4 years ago

Related: https://github.com/pypa/twine/issues/565 - Not obvious how to use multiple project API tokens with keyring

Doondondon commented 12 months ago

This idea occurred to me after responding to pypa/packaging-problems#313, and the reporter subsequently suggested something similar.

In my head, this would look something like:

$ twine upload dist/* 
Uploading distributions to https://upload.pypi.org/legacy/
Enter your API token: 
On the implementation side of things, I wonder if it'd be sufficient to default `username` to `__token__` for PyPI and TestPyPI. But, maybe it would be clearer to add an explicit `token` option.

Very open to opinions on this.

jeanas commented 10 months ago

Now that 2FA is mandatory on PyPI, I think this becomes a reasonable change.

woodruffw commented 10 months ago

CCing @miketheman as well 🙂

(Context: dpo discussion: https://discuss.python.org/t/announcement-2fa-now-required-for-pypi/42251)

sigmavirus24 commented 10 months ago

I agree. It's reasonable now to start prompting (in the case of repository_url == upload.pypi.org) for tokens only instead of username + password. Regardless, we can't drop basic auth altogether because of non-PyPI destinations.

woodruffw commented 10 months ago

For deconflicting purposes: I'll work on a PR for this today.

woodruffw commented 10 months ago

I've opened #1040 for this. The actual change is relatively small, but I've left a comment describing potential improvements/current shortcomings.

Butanium commented 2 months ago

How can I avoid having to fill in my API key every time? Can I set an environment variable that twine will check before prompting me for the key?

jeanas commented 2 months ago

Hi Clément. You can write

[pypi]
username = __token__
password = <your token here>

to your ~/.pypirc file, then twine should use those credentials automatically.

Alternatively, set TWINE_USERNAME=__token__ and TWINE_PASSWORD=<token> in the environment.
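As an added illustration of the credential order this thread settles on (environment variables, then ~/.pypirc, then a prompt that asks PyPI and TestPyPI users for an API token only, while other index servers still get a username/password prompt), here is a small stand-alone Python model of that resolution logic. It is example code written for this page, not twine's own implementation: the function names, the frozen set of PyPI upload URLs, the injectable prompt callables and the sample .pypirc text are all assumptions made for the demonstration, and the token value is a constructed placeholder.

```python
"""Model of credential resolution for a PyPI upload tool.

Order: TWINE_USERNAME/TWINE_PASSWORD in the environment, then the [pypi]
section of ~/.pypirc, then an interactive prompt. For PyPI and TestPyPI the
prompt asks for an API token only (username fixed to __token__); for any
other repository it falls back to a username/password prompt.
"""
import configparser
import getpass
from typing import Callable, Mapping, Tuple

# Upload endpoints where a username/password prompt no longer makes sense.
# Set of URLs is an assumption for this example, not a list from twine.
PYPI_UPLOAD_URLS = frozenset({
    "https://upload.pypi.org/legacy/",
    "https://test.pypi.org/legacy/",
})
TOKEN_USERNAME = "__token__"
TOKEN_PREFIX = "pypi-"  # PyPI API tokens start with this fixed prefix

# Constructed sample .pypirc content; the token is a placeholder, not a real secret.
SAMPLE_PYPIRC = """\
[pypi]
username = __token__
password = pypi-CONSTRUCTED-PLACEHOLDER-TOKEN
"""


def load_pypirc(text: str, section: str = "pypi") -> dict:
    """Parse .pypirc text and return the named section as a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(section):
        return {}
    return dict(parser.items(section))


def looks_like_pypi_token(secret: str) -> bool:
    """Cheap sanity check so a password typed at the token prompt is caught early."""
    return secret.startswith(TOKEN_PREFIX)


def resolve_credentials(
    repository_url: str,
    env: Mapping[str, str],
    pypirc_text: str,
    prompt: Callable[[str], str] = input,
    prompt_secret: Callable[[str], str] = getpass.getpass,
) -> Tuple[str, str, str]:
    """Return (username, password, source) following the order described above.

    `env` and `pypirc_text` are passed in rather than read from the process so
    the logic can be exercised offline; `source` records which layer answered.
    """
    # 1. Environment variables win outright (common in CI).
    username = env.get("TWINE_USERNAME")
    password = env.get("TWINE_PASSWORD")
    if username and password:
        return username, password, "environment"

    # 2. Fill whatever is still missing from ~/.pypirc.
    cfg = load_pypirc(pypirc_text)
    username = username or cfg.get("username")
    password = password or cfg.get("password")
    if username and password:
        return username, password, ".pypirc"

    # 3. Prompt. For PyPI/TestPyPI, ask for a token only and fix the username.
    if repository_url in PYPI_UPLOAD_URLS:
        token = prompt_secret("Enter your API token: ")
        if not looks_like_pypi_token(token):
            raise ValueError(
                "PyPI expects an API token (starting with 'pypi-'), not a password"
            )
        return TOKEN_USERNAME, token, "prompt"

    # Other index servers keep the classic basic-auth prompts.
    username = username or prompt("Enter your username: ")
    password = password or prompt_secret("Enter your password: ")
    return username, password, "prompt"


if __name__ == "__main__":
    # Non-interactive demo with constructed inputs so it runs without a TTY.
    user, _, source = resolve_credentials(
        "https://upload.pypi.org/legacy/", {}, SAMPLE_PYPIRC
    )
    print(f"username={user} source={source}")
    user, _, source = resolve_credentials(
        "https://upload.pypi.org/legacy/", {}, "",
        prompt=lambda m: "unused", prompt_secret=lambda m: "pypi-CONSTRUCTED",
    )
    print(f"username={user} source={source}")
```

The point the model makes explicit is the one sigmavirus24 raises: the token-only prompt is keyed on the repository URL, so basic auth survives for non-PyPI destinations, while anything already supplied through the environment or .pypirc (jeanas's answer) short-circuits the prompt entirely.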