
Token Exchange

I don't need a password to beat you!

As a PyPI package maintainer, your mission is to publish your package securely without relying on long-lived passwords or API tokens. To achieve this, you must adopt PyPI's newer 'trusted publishing' method, which is built on OpenID Connect. You configure PyPI to trust a specific identity (for example, a particular repository and release workflow) asserted by a given OpenID Connect identity provider; the provider vouches for that identity, and PyPI in turn authorizes it to request short-lived, tightly scoped API tokens that are valid only for your project. You will have to navigate different levels of security protocols as you battle hackers and secure your release workflow using trusted publishers.
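The exchange the scene describes, as an added example that is not part of the original page and not PyPI's or any identity provider's code: the identity provider issues a signed token naming the workflow, and the registry verifies the signature, issuer, audience and lifetime, matches the identity claims against a registered trusted publisher, and only then mints a short-lived token scoped to one project. The claim names follow GitHub Actions' OIDC tokens; the HMAC signature, the publisher registry shape, the sample claims and the 15-minute lifetime are assumptions standing in for the real flow (RSA-signed tokens verified through the provider's JWKS endpoint).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions' OIDC issuer
PYPI_AUDIENCE = "pypi"                                          # audience the registry expects
MINTED_TOKEN_TTL = 15 * 60                                      # assumed lifetime: minutes, not months
IDP_KEY = b"constructed-stand-in-for-the-idp-signing-key"       # assumption: real IdPs sign with asymmetric keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def workflow_claims(repository: str, workflow_file: str, environment: Optional[str],
                    now: float, audience: str = PYPI_AUDIENCE) -> dict:
    """Claims shaped like a GitHub Actions OIDC token (constructed sample, not a captured token)."""
    claims = {
        "iss": GITHUB_ISSUER,
        "aud": audience,
        "iat": now,
        "exp": now + 5 * 60,  # IdP tokens themselves are short-lived
        "repository": repository,
        "job_workflow_ref": f"{repository}/.github/workflows/{workflow_file}@refs/heads/main",
    }
    if environment:
        claims["environment"] = environment
    return claims


def idp_issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Identity-provider side: sign the claims the running job is entitled to (JWT layout, HMAC stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


@dataclass(frozen=True)
class TrustedPublisher:
    """One registered publisher: which repository/workflow (and optionally environment) may release a project."""
    project: str
    repository: str            # "owner/repo"
    workflow_file: str         # e.g. "release.yml"
    environment: Optional[str] = None


class ExchangeRejected(Exception):
    pass


def mint_pypi_token(oidc_token: str, publishers: List[TrustedPublisher],
                    now: Optional[float] = None, key: bytes = IDP_KEY) -> dict:
    """Registry side: verify the IdP token, match it to a trusted publisher, mint a scoped short-lived token."""
    now = time.time() if now is None else now
    parts = oidc_token.split(".")
    if len(parts) != 3:
        raise ExchangeRejected("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ExchangeRejected("signature does not verify against the trusted IdP key")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != GITHUB_ISSUER:
        raise ExchangeRejected("issuer is not a trusted identity provider")
    if claims.get("aud") != PYPI_AUDIENCE:
        raise ExchangeRejected("token was not minted for this registry (wrong audience)")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ExchangeRejected("token expired or not yet valid")
    # job_workflow_ref looks like "owner/repo/.github/workflows/release.yml@refs/heads/main"
    ref_path = claims.get("job_workflow_ref", "").split("@", 1)[0]
    for pub in publishers:
        if (claims.get("repository") == pub.repository
                and ref_path == f"{pub.repository}/.github/workflows/{pub.workflow_file}"
                and (pub.environment is None or claims.get("environment") == pub.environment)):
            return {
                "token": "pypi-" + secrets.token_urlsafe(32),   # never stored long-term, never in a secret store
                "scope": f"project:{pub.project}",
                "expires": now + MINTED_TOKEN_TTL,
            }
    raise ExchangeRejected("no trusted publisher matches this identity")


def try_exchange(oidc_token: str, publishers: List[TrustedPublisher], now: float) -> str:
    """Run one exchange and report 'granted:<scope>' or 'rejected:<reason>'."""
    try:
        return "granted:" + mint_pypi_token(oidc_token, publishers, now)["scope"]
    except ExchangeRejected as exc:
        return "rejected:" + str(exc)
```

The checks are ordered so that the cheapest forgery (a token signed with the wrong key, or replayed from another service via a different audience) fails before any identity matching happens, and a fork of the repository with an identically named workflow is rejected because the repository and workflow path are matched exactly, not just the filename. In a real GitHub Actions job the first half of this is done by the runner (the job needs `permissions: id-token: write`) and the second half by PyPI; the official pypa/gh-action-pypi-publish action performs the exchange and uploads with the minted token.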