Common questions

Basics

What's a package, project, or release?

We use a number of terms to describe software available on PyPI, like "project", "release", "file", and "package". Sometimes those terms are confusing because they're used to describe different things in other contexts. Here's how we use them on PyPI:

A "project" on PyPI is the name of a collection of releases and files, and information about them. Projects on PyPI are made and shared by other members of the Python community so that you can use them.

A "release" on PyPI is a specific version of a project. For example, the requests project has many releases, like "requests 2.10" and "requests 1.2.1". A release consists of one or more "files".

A "file", also known as a "package", on PyPI is something that you can download and install. Because of different hardware, operating systems, and file formats, a release may have several files (packages), like an archive containing source code or a binary wheel.

How do I install a file (package) from PyPI?

To learn how to install a file from PyPI, visit the installation tutorial on the Python Packaging User Guide.

How do I package and publish my code for PyPI?

For full instructions on configuring, packaging and distributing your Python project, refer to the packaging tutorial on the Python Packaging User Guide.

What's a trove classifier?

Classifiers are used to categorize projects on PyPI. See the classifiers page for more information, as well as a list of valid classifiers.

My account

Why do I need a verified email address?

Currently, PyPI requires a verified email address to perform the following operations:

  • Register a new project.
  • Upload a new version or file.

The list of activities that require a verified email address is likely to grow over time.

This policy will allow us to enforce a key policy of PEP 541 regarding maintainer reachability. It also reduces the viability of spam attacks to create many accounts in an automated fashion.

You can manage your account's email addresses in your account settings. This also allows for sending a new confirmation email for users who signed up in the past, before we began enforcing this policy.

Why is PyPI telling me my password is compromised?

PyPI itself has not suffered a breach. This is a protective measure to reduce the risk of credential stuffing attacks against PyPI and its users.

Each time a user supplies a password — while registering, authenticating, or updating their password — PyPI securely checks whether that password has appeared in public data breaches.

During each of these processes, PyPI generates a SHA-1 hash of the supplied password and uses the first five (5) characters of the hash to check the Have I Been Pwned API and determine if the password has been previously compromised. The plaintext password is never stored by PyPI or submitted to the Have I Been Pwned API.

PyPI will not allow such passwords to be used when setting a password at registration or updating your password.

If you receive an error message saying that "This password appears in a breach or has been compromised and cannot be used", you should change it in all other places that you use it as soon as possible.

If you have received this error while attempting to log in or upload to PyPI, then your password has been reset and you cannot log in to PyPI until you reset your password.
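The prefix-only lookup described above, as an added example (not PyPI's own code). It assumes the range response is a list of `SUFFIX:COUNT` lines; `make_constructed_service` is a hypothetical offline stand-in for the Have I Been Pwned endpoint, and the breach count in it is constructed.

```python
import hashlib

PREFIX_LEN = 5  # per the page: only the first five hash characters are sent


def split_password_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines returned for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue  # skip malformed lines rather than trust them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of breach appearances; 0 means not listed under this prefix."""
    prefix, suffix = split_password_hash(password)
    body = fetch_range(prefix)  # the prefix is the only value that leaves
    return parse_range_response(body).get(suffix, 0)


def make_constructed_service(breached: dict[str, int]):
    """Constructed offline stand-in for the range endpoint (hypothetical).

    Returns (fetch_range, seen), where seen records every value received.
    """
    seen: list[str] = []

    def fetch_range(prefix: str) -> str:
        seen.append(prefix)
        lines = []
        for known, count in breached.items():
            p, s = split_password_hash(known)
            if p == prefix:
                lines.append(f"{s}:{count}")
        lines.append("0" * 35 + ":0")  # constructed zero-count filler line
        return "\r\n".join(lines)

    return fetch_range, seen


if __name__ == "__main__":
    fetch, seen = make_constructed_service({"password": 37})
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("values sent to the service:", seen)
```

The suffix comparison happens locally, so the service learns only a five-character prefix shared by many unrelated passwords.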

What is two factor authentication and how does it work on PyPI?

Two factor authentication (2FA) makes your account more secure by requiring two things in order to log in: something you know and something you own.

In PyPI's case, "something you know" is your username and password, while "something you own" can be an application to generate a temporary code, or a security device (most commonly a USB key).

It is strongly recommended that you set up two factor authentication on your PyPI account.

Users who have chosen to set up two factor authentication will be asked to provide their second method of identity verification during the log in process. This only affects logging in via a web browser, and not (yet) package uploads.

You can follow the improvements to 2FA on discuss.python.org.

How does two factor authentication with an authentication application (TOTP) work? How do I set it up on PyPI?

PyPI users can set up two-factor authentication using any authentication application that supports the TOTP standard.

TOTP authentication applications generate a regularly changing authentication code to use when logging into your account.

Because TOTP is an open standard, there are many applications that are compatible with your PyPI account. Popular applications include:

Some password managers (e.g. 1Password) can also generate authentication codes. For security reasons, PyPI only allows you to set up one application per account.

To set up 2FA with an authentication application:

  1. Open an authentication (TOTP) application
  2. Log in to your PyPI account, go to your account settings, and choose "Add 2FA with authentication application"
  3. PyPI will generate a secret key, specific to your account. This is displayed as a QR code, and as a text code.
  4. Scan the QR code with your authentication application, or type it in manually. The method of input will depend on the application you have chosen.
  5. Your application will generate an authentication code - use this to verify your set up on PyPI

The PyPI server and your application now share your PyPI secret key, allowing your application to generate valid authentication codes for your PyPI account.
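How both sides derive the same code from the shared secret key, as an added example (not PyPI's implementation). The parameters (HMAC-SHA-1, 30-second step, six digits) are common authenticator defaults assumed here, the secret is the constructed RFC 6238 test key, and the drift window and replay check in `verify` are illustrative server-side choices.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed common default)
DIGITS = 6   # code length (assumed common default)

# Constructed secret: the RFC 6238 test key, base32-encoded like a text code.
CONSTRUCTED_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(text_code: str) -> bytes:
    """Decode the base32 text code, tolerating spaces, case and no padding."""
    cleaned = text_code.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA-1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(text_code: str, at: float) -> str:
    """The code an application shows at Unix time `at`."""
    return hotp(decode_secret(text_code), int(at) // STEP)


def verify(text_code, submitted, at, last_used=-1, window=1):
    """Server-side check. Returns the matched time-step counter, or None.

    window tolerates clock drift of that many steps either way; last_used is
    the counter of the last accepted code, so a code cannot be replayed.
    """
    secret = decode_secret(text_code)
    now = int(at) // STEP
    matched = None
    for counter in range(now - window, now + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(secret, counter).encode()
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(CONSTRUCTED_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=89:", verify(CONSTRUCTED_SECRET, code, 89))
    print("replayed:", verify(CONSTRUCTED_SECRET, code, 89, last_used=1))
```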

Next time you log in to PyPI you'll need to:

  1. Provide your username and password, as normal
  2. Open your authentication application to generate an authentication code
  3. Use this code to finish logging into PyPI

Note: If you lose your authentication application and can no longer log in, the PyPI team cannot currently help you recover your account. We plan to develop a manual account recovery policy and implement account recovery codes to address this issue.

In the short term, we recommend that all PyPI users set up both supported two factor authentication methods - using an authentication application and setting up a security device (e.g. USB key).

How does two factor authentication with a security device (e.g. USB key) work? How do I set it up on PyPI? (Beta feature)

A security device is a USB key or other device that generates a one-time password and sends that password to the browser. This password is then used by PyPI to authenticate you as a user.

To set up two factor authentication with a USB key, you'll need:

Follow these steps:

  1. Log in to your PyPI account, go to your account settings, and choose "Add 2FA with security device (e.g. USB key)"
  2. Give your key a name. This is necessary because it's possible to add more than one security device to your account.
  3. Click on the "Set up security device" button
  4. Insert and touch your USB key, as instructed by your browser

Once complete, your USB key will be registered to your PyPI account and can be used during the log in process.

Next time you log in to PyPI you'll need to:

  1. Provide your username and password, as normal
  2. Insert and touch your USB key to finish logging into PyPI

Note: If you lose your security device and can no longer log in, the PyPI team cannot currently help you recover your account. We plan to develop a manual account recovery policy and implement account recovery codes to address this issue.

In the short term, we recommend that all PyPI users set up both supported two factor authentication methods - using an authentication application and setting up a security device (e.g. USB key).

What devices (other than a USB key) can I use as a security device? (Beta feature)

There is a growing ecosystem of devices that are FIDO compliant, and can therefore be used with PyPI.

Emerging solutions include biometric (facial and fingerprint) scanners and FIDO compatible credit cards. There is also growing support for mobile phones to act as security devices.

As PyPI's two factor implementation follows the WebAuthn standard, PyPI users will be able to take advantage of any future developments in this field.

How can I use API tokens to authenticate with PyPI? (Beta feature)

API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI.

You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project.

We strongly recommend you authenticate with an API token where possible.

To make an API token:

To use an API token:

  • Set your username to __token__
  • Set your password to the token value, including the pypi- prefix

Where you edit or add these values will depend on your individual use case. For example, some users may need to edit their .pypirc file, while others may need to update their CI configuration file (e.g. .travis.yml if you are using Travis).

Advanced users may wish to inspect their token by decoding it with base64, and checking the output against the unique identifier displayed on PyPI.
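A local audit of a .pypirc file against the two settings above, combined with the base64 inspection step, as an added example (not part of PyPI or twine). The status strings, the sample file, the identifiers and the token bytes are all constructed; the sample token is not PyPI's real token layout.

```python
import base64
import binascii
import configparser

TOKEN_USERNAME = "__token__"
TOKEN_PREFIX = "pypi-"


def decode_token_body(token: str) -> bytes:
    """Strip the pypi- prefix and base64-decode the rest (either alphabet)."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("missing pypi- prefix")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # restore padding if it was stripped
    try:
        return base64.urlsafe_b64decode(body)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("token body is not valid base64") from exc


def classify(user: str, secret: str, expected_id) -> str:
    """Status of one repository section (status names are hypothetical)."""
    if user != TOKEN_USERNAME:
        return "password-auth"  # account password stored instead of a token
    try:
        decoded = decode_token_body(secret)
    except ValueError:
        return "malformed-token"
    if expected_id is None:
        return "token-unverified"
    if expected_id.encode() in decoded:
        return "ok"
    return "identifier-mismatch"


def audit_pypirc(text: str, expected_ids: dict) -> dict:
    """Classify every repository section of a .pypirc file."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' is literal
    parser.read_string(text)
    return {
        name: classify(
            parser.get(name, "username", fallback=""),
            parser.get(name, "password", fallback=""),
            expected_ids.get(name),
        )
        for name in parser.sections()
        if name != "distutils"  # server list, not a repository section
    }


def make_constructed_token(identifier: str) -> str:
    """Constructed sample only; this is not PyPI's real token layout."""
    raw = b"\x02constructed-sample|" + identifier.encode() + b"|\xff\x00sig"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(raw).decode().rstrip("=")


CONSTRUCTED_ID = "constructed-identifier-0001"
OTHER_ID = "constructed-identifier-0002"
SAMPLE_PYPIRC = f"""\
[pypi]
username = {TOKEN_USERNAME}
password = {make_constructed_token(CONSTRUCTED_ID)}
[testpypi]
username = {TOKEN_USERNAME}
password = {make_constructed_token(OTHER_ID)}
[legacy]
username = constructed-user
password = constructed-password
"""
```

Calling `audit_pypirc(SAMPLE_PYPIRC, {"pypi": CONSTRUCTED_ID, "testpypi": CONSTRUCTED_ID})` flags the `legacy` section as password authentication and `testpypi` as carrying a token other than the expected one, without the token ever leaving the machine.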

Integrating

Does PyPI have APIs I can use?

Yes, including RSS feeds of new packages and new releases. See the API reference.

How can I run a mirror of PyPI?

If you need to run your own mirror of PyPI, the bandersnatch project is the recommended solution. Note that the storage requirements for a PyPI mirror would exceed 1 terabyte—and growing!

How do I get notified when a new version of a project is released?

PyPI itself does not offer a way to get notified when a project uploads new releases. However, there are several third-party services that offer comprehensive monitoring and notifications for project releases and vulnerabilities listed as GitHub apps.

Where can I see statistics about PyPI, downloads, and project/package usage?

You can analyze PyPI download usage statistics via Google BigQuery.

Libraries.io provides statistics for PyPI projects (example, API) including GitHub stars and forks, dependency tracking (in progress), and other relevant factors.

For recent statistics on uptime and performance, see our status page.

Administration of projects on PyPI

How can I publish my private packages to PyPI?

PyPI does not support publishing private packages. If you need to publish your private package to a package index, the recommended solution is to run your own deployment of the devpi project.

Why isn't my desired project name available?

Your publishing tool may return an error that your new project can't be created with your desired name, despite no evidence of a project or release of the same name on PyPI. Currently, there are three primary reasons this may occur:

  • The project name conflicts with a Python Standard Library module from any major version from 2.5 to present.
  • The project name has been explicitly prohibited by the PyPI administrators. For example, pip install requirements.txt is a common typo for pip install -r requirements.txt, and should not surprise the user with a malicious package.
  • The project name has been registered by another user, but no releases have been created.

How do I claim an abandoned or previously registered project name?

There is currently no established process for performing this administrative task that is explicit and fair for all parties. However, one is currently in development per PEP 541.

PEP 541 has been accepted, and PyPI is creating a workflow which will be documented here.

What collaborator roles are available for a project on PyPI?

There are two possible roles for collaborators:

Maintainer: Can upload releases for a package. Cannot add collaborators. Cannot delete files, releases, or the project.

Owner: Can upload releases. Can add other collaborators. Can delete files, releases, or the entire project.

How do I become an owner/maintainer of a project on PyPI?

Only the current owners of a project have the ability to add new owners or maintainers. If you need to request ownership, you should contact the current owner(s) of the project directly. Many project owners provide their contact details in the 'Author' field of the 'Meta' details on the project page.

If the owner is unresponsive, see How do I claim an abandoned or previously registered project name?

How can I upload a project description in a different format?

By default, an upload's description will render with reStructuredText. If the description is in an alternate format like Markdown, a package may set the long_description_content_type in setup.py to the alternate format.

Refer to the Python Packaging User Guide for details on the available formats.

PyPI will reject uploads if the description fails to render. To check a description locally for validity, you may use readme_renderer, which is the same description renderer used by PyPI.

How do I get a file size limit exemption or increase for my project?

If you can't upload your project's release to PyPI because you're hitting the upload file size limit, we can sometimes increase your limit. Make sure you've uploaded at least one release for the project that's under the limit (a developmental release version number is fine). Then, file an issue and tell us:

  • A link to your project on PyPI (or Test PyPI)
  • The size of your release, in megabytes
  • Which index/indexes you need the increase for (PyPI, Test PyPI, or both)
  • A brief description of your project, including the reason for the additional size.

Note: All users submitting feedback, reporting issues or contributing to Warehouse are expected to follow the PyPA Code of Conduct.

Troubleshooting

I forgot my PyPI password. Can you help me?

If you've forgotten your PyPI password but you remember your email address or username, follow these steps to reset your password:

  1. Go to reset your password.
  2. Enter the email address or username you used for PyPI and submit the form.
  3. You'll receive an email with a password reset link.
  4. If you no longer have access to the email address associated with your account, file an issue on our tracker.

Why am I getting "No matching distribution found" or "Could not fetch URL" errors during pip install?

Transport Layer Security, or TLS, is part of how we make sure connections between your computer and PyPI are private and secure. It's a cryptographic protocol that's had several versions over time. PyPI turned off support for TLS versions 1.0 and 1.1 in April 2018. Learn why on the PSF blog.

If you are having trouble with pip install and get a No matching distribution found or Could not fetch URL error, try adding -v to the command to get more information:

pip install --upgrade -v pip

If you see an error like There was a problem confirming the ssl certificate or tlsv1 alert protocol version or TLSV1_ALERT_PROTOCOL_VERSION, you need to be connecting to PyPI with a newer TLS support library.

The specific steps you need to take will depend on your operating system version, where your installation of Python originated (python.org, your OS vendor, or an intermediate distributor), and the installed versions of Python, setuptools, and pip.

For help, go to the #pypa IRC channel on Freenode, file an issue at pypa/packaging-problems/issues, or post to the python-help mailing list, including your OS and installation details and the output of pip install --upgrade -vvv pip.

I am having trouble using the PyPI website. Can you help me?

We take accessibility very seriously and want to make the website easy to use for everyone.

If you are experiencing an accessibility problem, report it to us on GitHub, so we can try to fix the problem, for you and others.

Why can't I manually upload files to PyPI, through the browser interface?

In a previous version of PyPI, it used to be possible for maintainers to upload releases to PyPI using a form in the web browser. This feature was deprecated with the new version of PyPI – we instead recommend that you use twine to upload your project to PyPI.

Why did my package or user registration get blocked?

Spammers return to PyPI with some regularity hoping to place their Search Engine Optimized phishing, scam, and click-farming content on the site. Since PyPI allows for indexing of the Long Description and other data related to projects and has a generally solid search reputation, it is a prime target.

When the PyPI administrators are overwhelmed by spam or determine that there is some other threat to PyPI, new user registration and/or new project registration may be disabled. Check our status page for more details, as we'll likely have updated it with reasoning for the intervention.

Why am I getting a "Filename or contents already exists" or "Filename has been previously used" error?

PyPI will return these errors for one of these reasons:

  • Filename has been used and file exists
  • Filename has been used but file no longer exists
  • A file with the exact same content exists

PyPI does not allow for a filename to be reused, even once a project has been deleted and recreated.

To avoid this situation, use Test PyPI to perform and check your upload first, before uploading to pypi.org.

How do I request a new trove classifier?

If you would like to request a new trove classifier, file a bug on our issue tracker. Include the name of the requested classifier and a brief justification of why it is important.

Where can I report a bug or provide feedback about PyPI?

If you're experiencing an issue with PyPI itself, we welcome constructive feedback and bug reports via our issue tracker. Please note that this tracker is only for issues with the software that runs PyPI. Before writing a new issue, first check that a similar issue does not already exist.

If you are having an issue with a specific package installed from PyPI, you should reach out to the maintainers of that project directly instead.

About

Who maintains PyPI?

PyPI is powered by the Warehouse project; Warehouse is an open source project developed under the umbrella of the Python Packaging Authority (PyPA) and supported by the Python Packaging Working Group (PackagingWG).

The PyPA is an independent group of developers whose goal is to improve and maintain many of the core projects related to Python packaging.

The PackagingWG is a working group of the Python Software Foundation (PSF) whose goal is to raise and disburse funds to support the ongoing improvement of Python packaging. Most recently it secured an award from the Open Technology Fund whose funding is enabling developers to improve Warehouse's security and accessibility.

What powers PyPI?

PyPI is powered by Warehouse and by a variety of tools and services provided by our generous sponsors.

Can I depend on PyPI being available?

As of April 16, 2018, PyPI.org is at "production" status, meaning that it has moved out of beta and replaced the old site (pypi.python.org). It is now robust, tested, and ready for expected browser and API traffic.

PyPI is heavily cached and distributed via CDN thanks to our sponsor Fastly and thus is generally available globally. However, the site is mostly maintained by volunteers, we do not provide any specific Service Level Agreement, and as could be expected for a giant distributed system, things can and sometimes do go wrong. See our status page for current and past outages and incidents. If you have high availability requirements for your package index, consider either a mirror or a private index.

How can I contribute to PyPI?

We have a huge amount of work to do to continue to maintain and improve PyPI (also known as the Warehouse project).

Financial: We would deeply appreciate your donations to fund development and maintenance.

Development: Warehouse is open source, and we would love to see some new faces working on the project. You do not need to be an experienced open-source developer to make a contribution – in fact, we'd love to help you make your first open source pull request!

If you have skills in Python, ElasticSearch, HTML, SCSS, JavaScript, or SQLAlchemy then skim our "Getting started" guide, then take a look at the issue tracker. We've created a 'Good first issue' label – we recommend you start here.

Issues are grouped into milestones; working on issues in the current milestone is a great way to help push the project forward. If you're interested in working on a particular issue, leave a comment and we can guide you through the contribution process.

Stay updated: You can also follow the ongoing development of the project on the distutils-sig mailing list and the PyPA Dev message group.

How do I keep up with upcoming changes to PyPI?

Changes to PyPI are generally announced on both the pypi-announce mailing list and the PSF blog under the label "pypi". The PSF blog also has Atom and RSS feeds for the "pypi" label.

What does the "beta feature" badge mean? What are Warehouse's current beta features?

When Warehouse's maintainers are deploying new features, at first we mark them with a small "beta feature" symbol to tell you: this should probably work fine, but it's new and less tested than other site functionality.

Currently, the following features are in beta:

How do I pronounce "PyPI"?

"PyPI" should be pronounced like "pie pea eye", specifically with the "PI" pronounced as individual letters, rather than as a single sound. This minimizes confusion with the PyPy project, which is a popular alternative implementation of the Python language.

Contact

The Python Packaging Authority (PyPA) is a working group who work together to improve Python packaging. If you'd like to get in touch with a core packaging developer, use #pypa on IRC (freenode), or join the distutils-sig mailing list.
