PyPIToken: Manipulate PyPI API tokens

PyPIToken is an open-source Python 3.8+ library for generating and manipulating PyPI tokens.

PyPI tokens are very powerful, as that they are based on Macaroons. They allow the bearer to add additional restrictions to an existing token. For example, given a PyPI token that can upload releases for any project of its owner, you can generate a token that will only allow some projects, or even a single one.

Here’s an example:

$ pip install pypitoken

import pypitoken

token = pypitoken.Token.load("pypi-foobartoken")

print(token.restrictions)
# [ProjectIDsRestriction(project_ids=["00000000-0000-0000-0000-000000000000"])]

token.restrict(project_names=["requests"])

print(token.restrictions)
# [
#     ProjectIDsRestriction(project_ids=["00000000-0000-0000-0000-000000000000"]),
#     ProjectNamesRestriction(project_names=["requests"]),
# ]

token.dump()
# pypi-newfoobartoken

This token we’ve created above will be restricted to uploading releases of requests. Of course, your PyPI user will still need to have upload permissions on requests for this to happen.

The aim of this library is to provide a simple toolbelt for manipulating PyPI tokens. Ideally, someday, PyPI (Warehouse) itself may generate their tokens using this library too. This should make it easier to iterate on new kinds of restrictions for PyPI tokens, such as those discussed in the original implementation issue.

A discussion for integrating this library to the Warehouse environment is ongoing:

• In the Python Packaging discussions for putting the project under the PyPA umbrella

• In the Warehouse tracker for replacing the current macaroon implementation with this lib

This documentation is mainly split into four parts:

• A tutorial guide, for a complete hands-on approach to restricting existing tokens

• How-to recipes, if you need something specific done

• Discussions, if you want to understand how it works beneath the surface

• Reference guide, to ease integration into your own code

• Tutorial
  • Prerequisites & installation
  • A bit of boilerplate
  • Preparing our token
  • Creating a project to upload
  • Add a restriction
  • Test it
  • Looking back
  • Going further
• How to…
  • “User” documentation: you’re a PyPI user
  • “Integrator” documentation: you code for PyPI itself
  • Version 6.x upgrade
• Discussions
  • What is a macaroon, how does it work, how is it secure?
  • How are macaroons implemented in this library?
  • How are macaroons implemented in PyPI?
  • Do we really need an abstraction layer over PyMacaroons?
  • Can we add new restrictions?
  • Is this library a part of PyPI?
  • Why is there a noop restriction?
  • What does “normalized name” mean?
  • What would be good practice regarding token restrictions and traceability
  • All this talking about Macaroons, I’m hungry now!
  • Nice logo! Where did you get it?
• API Reference
  • Token
  • Restriction classes
  • Exceptions
• Contributing
  • I just want the simple straightfoward thing
  • I want to prepare my development environment
  • I want to run the CI checks locally
  • I want a venv to play locally
  • I want a quicker feedback loop
  • I want to build the documentation
  • I want to hack around
  • Core contributor additional documentation
• Changelog
  • 7.0.1
  • 7.0.0: Drop Python 3.7
  • 6.0.3: Fix badge
  • 6.0.2: Fix DateRestriction
  • 6.0.1: switch do to Furo
  • 6.0.0: New restriction format, and breaking changes
  • 5.0.0: Remove support for Python 3.6, add 3.10
  • 4.0.0: Add DateRestrictions
  • 3.0.7
  • 3.0.6
  • 3.0.5
  • 3.0.4
  • 3.0.3
  • 3.0.2
  • 3.0.1
  • 3.0.0
  • 2.0.0
  • 1.1.0
  • 1.0.6
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0