Skip to content

PyPI API Token

Service Name: Python Package Index (PyPI)

Service Description: PyPI is the official package repository for Python, where developers can publish and share their Python packages with the community.

Service Address: https://pypi.org/

Validation Type: -

IP Allow list: Does not exist

Secret Access Scope: Grants access to publish, update, and manage Python packages on PyPI under the associated account.

Secret Revokement URL: https://pypi.org/manage/account/

Secret Example: pypi-AgEIcHlwaS5vcmcCJDFjMTk2YWEyLTM4NTAtNGNkOS1iNjc3LTc4ZDRhZjMwYmZkMQACJXsicGVybWlzc2lvbnMiOiAidXNlciIsICJ2ZXJzaW9uIjogMX0AAAYgbvG5wEV6pZ2NjFCk7mRFJyxL9JVOU_2vxn2-Xm4Gw7A

Suspicious Activity Investigation Instructions:

  • Check PyPI account for unauthorized package uploads or modifications
  • Review package download statistics for unusual patterns
  • Check for unexpected package versions or metadata changes
  • Verify the integrity of previously uploaded packages
  • Review account access logs if available

Mitigation Instructions:

  • Log in to your PyPI account at https://pypi.org/
  • Navigate to Account Settings > API tokens
  • Revoke the compromised token immediately
  • Create a new token with appropriate permissions if needed
  • Check for and remove any unauthorized packages or versions
  • Change your PyPI account password
  • Enable two-factor authentication if not already enabled