PyPIToken: Manipulate PyPI API tokens

Deployed to PyPI Deployed to PyPI GitHub Repository Continuous Integration Documentation Coverage MIT License Contributor Covenant

PyPIToken is an open-source Python 3.6+ library for generating and manipulating PyPI tokens.

PyPI tokens are very powerful, as that they are based on Macaroons. They allow the bearer to add additional restrictions to an existing token. For example, given a PyPI token that can upload releases for any project of its owner, you can generate a token that will only allow some projects, or even a single one.

Here’s an example:

$ pip install pypitoken
import pypitoken

token = pypitoken.Token.load("pypi-foobartoken")

print(token.restrictions)
# [NoopRestriction()]

token.restrict(projects=["requests"])

print(token.restrictions)
# [NoopRestriction(), ProjectsRestriction(projects=["requests"])]

token.dump()
# pypi-newfoobartoken

This token we’ve created above will be restricted to uploading releases of requests. Of course, your PyPI user will still need to have upload permissions on requests for this to happen.

The aim of this library is to provide a simple toolbelt for manipulating PyPI tokens. Ideally, someday, PyPI (Warehouse) itself may generate their tokens using this library too. This should make it easier to iterate on new kinds of restrictions for PyPI tokens, such as those discussed in the original implementation issue.

A discussion for integrating this library to the Warehouse environment is ongoing:

This documentation is mainly split into four parts:

  • A tutorial guide, for a complete hands-on approach to restricting existing tokens

  • How-to recipes, if you need something specific done

  • Discussions, if you want to understand how it works beneath the surface

  • Reference guide, to ease integration into your own code