Over the last few months, we've added two-factor authentication (2FA) login security methods. We added Time-based One-Time Password (TOTP) support in late May and physical security device support in mid-June. Now, over 1600 users have started using physical security devices or TOTP applications to better secure their accounts. And in the past week, 7.8% of logins to PyPI.org have been protected by 2FA, up from 3% in the month of June.
Now, we have another improvement: you can use API tokens to upload packages to PyPI and Test PyPI! And we've designed the token to be a drop-in replacement for the username and password you already use (warning: this is a beta feature that we need your help to test).
PyPI interface for adding an API token for package upload
The token management screen shows you when each of your tokens was created and when it was last used. And you can revoke one token without revoking the others, and without having to change your password on PyPI and in your configuration files.
PyPI API token management interface
Uploading with an API token is currently optional but encouraged; in the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than their password alone, which is never protected by a second factor during an upload). Watch our announcement mailing list for future details.
Immediately after creating the API token, PyPI gives the user one chance to copy it
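Since the token is meant to be a drop-in replacement for the username and password in a `.pypirc` file, here is a small Python helper that writes such a file for use with tools like twine. This is an added example, not code from the PyPI or Warehouse projects. It assumes PyPI's documented convention of the literal username `__token__` with the token itself as the password (the post above does not spell this out), that tokens begin with the `pypi-` prefix (used here only as a sanity check), and that the upload endpoints are `https://upload.pypi.org/legacy/` and `https://test.pypi.org/legacy/`. The environment variable names `PYPI_TOKEN` and `TEST_PYPI_TOKEN` are constructed for the example.

```python
"""Write a .pypirc that authenticates with a PyPI API token.

Added example, not code from the PyPI/Warehouse project. Assumptions:
  * username is the literal ``__token__`` and the token is the password
    (PyPI's documented convention; not stated in the blog post);
  * tokens carry the ``pypi-`` prefix, used only as a sanity check;
  * the repository URLs below are the PyPI and Test PyPI upload endpoints;
  * PYPI_TOKEN / TEST_PYPI_TOKEN are constructed variable names for CI.
"""
import configparser
import os
import stat
from io import StringIO
from pathlib import Path

TOKEN_USERNAME = "__token__"
TOKEN_PREFIX = "pypi-"
REPOSITORIES = {
    "pypi": "https://upload.pypi.org/legacy/",
    "testpypi": "https://test.pypi.org/legacy/",
}


def check_token(token: str) -> str:
    """Reject values that are clearly not an API token (a real account
    password pasted by mistake, or an empty CI secret) before they hit disk."""
    token = token.strip()
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("value does not look like a PyPI API token")
    return token


def render_pypirc(tokens: dict) -> str:
    """Return .pypirc text for a {repository_name: token} mapping.

    One token per repository, so revoking the Test PyPI token on the
    token management screen leaves production uploads untouched.
    """
    unknown = set(tokens) - set(REPOSITORIES)
    if unknown:
        raise ValueError(f"unknown repositories: {sorted(unknown)}")
    cfg = configparser.ConfigParser()
    # index-servers is a multi-line value: one repository name per line.
    cfg["distutils"] = {"index-servers": "\n" + "\n".join(tokens)}
    for name, token in tokens.items():
        cfg[name] = {
            "repository": REPOSITORIES[name],
            "username": TOKEN_USERNAME,
            "password": check_token(token),
        }
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def write_pypirc(path, tokens: dict) -> Path:
    """Write the file owner-read/write only. The token is a bearer credential
    that authorises uploads, so it must never be readable by other users."""
    path = Path(path)
    text = render_pypirc(tokens)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    # Tighten permissions even if the file already existed with a wider mode.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def file_mode(path) -> int:
    """Permission bits of a file, for checking the result of write_pypirc."""
    return stat.S_IMODE(os.stat(path).st_mode)


def tokens_from_env(environ=os.environ) -> dict:
    """CI entry point: take tokens from environment variables rather than
    from command-line arguments, which appear in process listings and logs."""
    mapping = {"pypi": "PYPI_TOKEN", "testpypi": "TEST_PYPI_TOKEN"}
    found = {repo: environ[var] for repo, var in mapping.items() if environ.get(var)}
    if not found:
        raise RuntimeError("no PyPI API token found in the environment")
    return found


if __name__ == "__main__":
    out = write_pypirc(Path.home() / ".pypirc", tokens_from_env())
    print(f"wrote {out} (mode {oct(file_mode(out))})")
```

With the file in place, `twine upload dist/*` (or `twine upload -r testpypi dist/*`) picks up the token without any further prompting. In a CI job you can skip the file entirely and export `TWINE_USERNAME=__token__` and `TWINE_PASSWORD` from the job's secret store, which keeps the token out of the checked-out tree; either way, put the token in a per-project or per-job secret rather than sharing one token across a group, so that revoking it on the management screen affects only the pipeline that used it.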
Help us test: Please try this out! This is a beta feature and we expect that users will find minor issues over the next few weeks; we ask for your bug reports. If you find any potential security vulnerabilities, please follow our published security policy. (Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email security@python.org.) If you find an issue that is not a security vulnerability, please report it via GitHub.
We'd particularly like testing from:
- Organizations that automate uploads using continuous integration
- People who save PyPI credentials in a .pypirc file
- Windows users
- People on mobile devices
- People on very slow connections
- Organizations where users share an auth token within a group
- Projects with 4+ maintainers or owners
- People who usually block cookies and JavaScript
- People who maintain 20+ projects
- People who created their PyPI account 6+ years ago
Thanks to the Open Technology Fund for funding this work. And please sign up for the PyPI Announcement Mailing List for future updates.
Written by Sumana Harihareswara, published initially to https://pyfound.blogspot.com/2019/07/pypi-now-supports-uploading-via-api.html