How to authenticate for index publishing


The username is derived from the following sources, in order of precedence:

  1. The --user / -u CLI option.
  2. The HATCH_INDEX_USER environment variable.
  3. The repos tables.
  4. The ~/.pypirc file.
  5. The input to an interactive prompt.

If none of these provides a username, the value __token__ is used as a fallback.

The password is looked up in the following sources:

  1. The ~/.pypirc file if the username was provided by it.
  2. The --auth / -a CLI option.
  3. The HATCH_INDEX_AUTH environment variable.
  4. The repos tables.
  5. A variety of OS-level credentials services backed by keyring.
  6. The input to an interactive prompt.

If interactively provided credentials were used, the username will be stored in Hatch's cache and the password will be stored in the available keyring-backed credential stores.

For automated releasing to PyPI, it is recommended to use "Trusted Publishing" with OIDC (e.g. PyPA's pypi-publish GitHub Action) or per-project API tokens.
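
The two lookup lists above, modelled as an added Python example (not Hatch's own code) that reports which source would supply each credential. The `resolve` function, its dictionary keys, the `pypi` section name and the sample values are assumptions made for illustration.

```python
import configparser

# Constructed sample ~/.pypirc content (not a real token).
SAMPLE_PYPIRC = "[pypi]\nusername = __token__\npassword = pypi-CONSTRUCTED-stale\n"


def first_set(candidates, default):
    """Return the first (value, source) pair whose value is non-empty."""
    return next(((v, s) for s, v in candidates if v), default)


def resolve(cli=None, env=None, repo=None, pypirc_text="", section="pypi"):
    """Model the two lookup lists above; returns {'user': (value, source), 'auth': ...}.

    Keyring and the interactive prompt are not modelled: a password that no
    other source supplies is reported as (None, 'keyring-or-prompt').
    """
    cli, env, repo = cli or {}, env or {}, repo or {}
    rc = configparser.RawConfigParser()  # Raw: '%' in a token is not interpolated
    rc.read_string(pypirc_text)
    rc_sec = rc[section] if rc.has_section(section) else {}

    user = first_set(
        [("--user", cli.get("user")),
         ("HATCH_INDEX_USER", env.get("HATCH_INDEX_USER")),
         ("repos table", repo.get("user")),
         ("~/.pypirc", rc_sec.get("username"))],
        ("__token__", "fallback"),
    )
    # The ~/.pypirc password is consulted first, but only when the
    # username itself came from ~/.pypirc.
    auth_candidates = []
    if user[1] == "~/.pypirc":
        auth_candidates.append(("~/.pypirc", rc_sec.get("password")))
    auth_candidates += [
        ("--auth", cli.get("auth")),
        ("HATCH_INDEX_AUTH", env.get("HATCH_INDEX_AUTH")),
        ("repos table", repo.get("auth")),
    ]
    return {"user": user, "auth": first_set(auth_candidates, (None, "keyring-or-prompt"))}


if __name__ == "__main__":
    ci_env = {"HATCH_INDEX_AUTH": "pypi-CONSTRUCTED-fresh"}  # constructed value
    # Username comes from ~/.pypirc, so its stale password shadows the env var.
    print(resolve(env=ci_env, pypirc_text=SAMPLE_PYPIRC))
    # Setting HATCH_INDEX_USER moves the username source, so the env password wins.
    ci_env["HATCH_INDEX_USER"] = "__token__"
    print(resolve(env=ci_env, pypirc_text=SAMPLE_PYPIRC))
```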