Skip to main content
Authentication is required when working with private package indexes and repositories. uv supports multiple authentication methods for HTTP requests.

Authentication Sources

Credentials are retrieved from the following sources, in order of precedence:
  1. URL credentials - Embedded in the URL (e.g., https://user:pass@example.com)
  2. netrc files - Standard .netrc configuration
  3. uv credentials store - Managed via uv auth commands
  4. Keyring providers - External keyring integration (opt-in)

The uv auth CLI

uv provides a high-level interface for managing credentials.

Logging In

Add credentials for a service:
Provide secrets via stdin for security:

Viewing Credentials

Show stored credentials for a URL:

Logging Out

Remove credentials from local storage:
Credentials are only removed locally, not invalidated on the remote server.

uv Credentials Store

The uv credentials store persists credentials in a plaintext file located in uv’s state directory:
This file is not intended to be edited manually. Use the uv auth commands instead.

Native Auth Storage (Preview)

A secure, system-native storage mechanism is available as a preview feature:
When enabled, uv uses the operating system’s native credential storage:
  • macOS: Keychain Services
  • Windows: Windows Credential Manager
  • Linux: DBus-based Secret Service API
Currently, uv only retrieves credentials it has added to the native store. It will not retrieve credentials persisted by other applications.

netrc Files

.netrc files are a standard plaintext format for storing credentials.

Configuration

Create a .netrc file in your home directory:
~/.netrc
machine
string
required
The hostname of the server.
login
string
required
The username for authentication.
password
string
required
The password or token for authentication.

Custom netrc Location

Use the NETRC environment variable to specify a custom location:
Reading credentials from .netrc files is always enabled. If NETRC is not defined, uv falls back to ~/.netrc.

Keyring Providers

Keyring providers allow credential retrieval from external tools compatible with Python’s keyring package.

Subprocess Provider

The “subprocess” provider invokes the keyring command-line tool:
Or configure it persistently:
pyproject.toml
keyring-provider
string
Keyring provider to use:
  • "disabled": No keyring (default)
  • "subprocess": Invoke keyring CLI
Command-line usage:
The keyring executable must be in PATH (installed globally or in the active environment).

Authentication Context

Authentication applies to hosts specified in:
  • [[tool.uv.index]] - Custom package indexes
  • --index-url / --extra-index-url - Command-line index URLs
  • --find-links - Flat index locations
  • package @ https://... - Direct URL dependencies

Index Authentication

Environment Variable Credentials

Provide credentials for named indexes via environment variables:
pyproject.toml
Environment variable naming:
  • Pattern: UV_INDEX_<NORMALIZED_NAME>_USERNAME and UV_INDEX_<NORMALIZED_NAME>_PASSWORD
  • <NORMALIZED_NAME>: Uppercase index name with non-alphanumeric characters replaced by underscores
Examples:
Index NameUsername VariablePassword Variable
internal-proxyUV_INDEX_INTERNAL_PROXY_USERNAMEUV_INDEX_INTERNAL_PROXY_PASSWORD
my.registryUV_INDEX_MY_REGISTRY_USERNAMEUV_INDEX_MY_REGISTRY_PASSWORD
azure_artifactsUV_INDEX_AZURE_ARTIFACTS_USERNAMEUV_INDEX_AZURE_ARTIFACTS_PASSWORD

URL-Embedded Credentials

Embed credentials directly in the index URL:
pyproject.toml
Credentials are never stored in uv.lock for security. Index credentials must be available at installation time through environment variables, netrc, keyring, or URL.

Authentication Behavior

Control credential discovery behavior per index:
pyproject.toml
authenticate
string
default:"auto"
Controls when uv searches for credentials:
  • "auto": Attempt unauthenticated request first; search for credentials on failure
  • "always": Eagerly search for credentials before making requests; error if not found
  • "never": Never search for credentials; error if credentials are provided directly
Use "always" when:
  • The index forwards unauthenticated requests to public indexes (like GitLab)
  • You want to fail fast if credentials are missing
Use "never" when:
  • You want to prevent credential leaking
  • The index should never use authentication
If a username is set (in URL or environment variable), uv searches for credentials before attempting an unauthenticated request, regardless of the authenticate setting.

Credential Persistence

Request-Level Caching

If authentication is found for an index URL or net location (scheme, host, port), it’s cached for the duration of the command and reused for other queries to that location. Credentials are not cached across invocations of uv.

In Project Files

When using uv add, uv will not persist index credentials to pyproject.toml or uv.lock (files often included in source control). Exception: uv will persist credentials for direct URL dependencies:
pyproject.toml
If credentials were attached to an index URL during uv add, subsequent operations may fail to fetch dependencies from indexes requiring authentication. Configure persistent authentication using environment variables, netrc, or the uv credentials store.

Authentication Examples

Private PyPI Mirror with netrc

~/.netrc
pyproject.toml

Azure Artifacts with Environment Variables

pyproject.toml

Google Artifact Registry with Keyring

pyproject.toml

AWS CodeArtifact with Token

pyproject.toml

Using uv auth for Multiple Indexes

pyproject.toml

TLS Certificates

For custom TLS certificate configuration, see the TLS Certificates documentation.

Third-Party Services

For provider-specific authentication guides: