Skip to main content
By default, uv uses the Python Package Index (PyPI) for dependency resolution and package installation. However, uv can be configured to use other package indexes, including private indexes.

Defining an Index

To include an additional index when resolving dependencies, add a [[tool.uv.index]] entry to your pyproject.toml:
pyproject.toml
name
string
Optional identifier for the index. Must contain only alphanumeric characters, dashes, underscores, and periods (valid ASCII).
url
string
required
The URL of the package index (Simple API endpoint).

Command-Line Usage

Indexes can also be provided via command line or environment variables:

Index Priority

Indexes are prioritized in the order they’re defined:
  1. Command-line indexes (highest priority)
  2. Configuration file indexes (in order of appearance)
  3. Default index (lowest priority)
The first index listed is the first consulted when resolving dependencies.

Default Index

By default, uv includes PyPI as the “default” index (used when a package is not found on other indexes). To replace PyPI with a different default index:
pyproject.toml
default
boolean
default:false
Mark this index as the default. The default index is always treated as lowest priority, regardless of position.
Command-line equivalent:

Pinning Packages to an Index

Pin a package to a specific index using tool.uv.sources:
pyproject.toml
This ensures torch is always installed from the pytorch index.

Platform-Specific Indexes

Use environment markers to select indexes by platform:
pyproject.toml

Explicit Indexes

Mark an index as explicit = true to prevent packages from being installed from it unless explicitly pinned:
pyproject.toml
explicit
boolean
default:false
When true, packages can only be installed from this index if explicitly pinned via tool.uv.sources.
Named indexes referenced via tool.uv.sources must be defined within the project’s pyproject.toml. Indexes provided via command-line, environment variables, or user-level configuration will not be recognized.

Index Search Strategies

Control how uv searches across multiple indexes using the --index-strategy option or UV_INDEX_STRATEGY environment variable:

first-index (Default)

Search for each package across all indexes, limiting candidate versions to those present in the first index that contains the package.
This prevents “dependency confusion” attacks where an attacker publishes a malicious package on PyPI with the same name as an internal package.

unsafe-first-match

Search across all indexes, but prefer the first index with a compatible version, even if newer versions are available on other indexes.

unsafe-best-match

Search across all indexes and select the best version from the combined set of candidate versions (closest to pip’s behavior).
The unsafe-best-match strategy exposes users to “dependency confusion” attacks. See the torchtriton attack for an example.

Authentication

Most private package indexes require authentication. See the Authentication documentation for detailed information.

Credentials via Environment Variables

Provide credentials without storing them in plaintext:
pyproject.toml
The environment variable name follows the pattern UV_INDEX_<NORMALIZED_NAME>_USERNAME and UV_INDEX_<NORMALIZED_NAME>_PASSWORD, where <NORMALIZED_NAME> is the uppercase index name with non-alphanumeric characters replaced by underscores.

Credentials in URL

Alternatively, embed credentials directly in the URL:
pyproject.toml
Credentials are never stored in the uv.lock file. uv must have access to authenticated URLs at installation time.

Authentication Behavior

Control when uv searches for credentials:
authenticate
string
default:"auto"
Controls credential discovery behavior:
  • "auto": Attempt unauthenticated request first, search for credentials on failure
  • "always": Always search for credentials before making requests (required for some indexes like GitLab)
  • "never": Never search for credentials (prevents credential leaking)
pyproject.toml
If a username is set, uv will search for credentials before making an unauthenticated request, regardless of the authenticate setting.

Error Handling

Ignored Error Codes

When using the first-index strategy, uv stops searching across indexes on HTTP 401 or 403 errors. Customize this behavior:
pyproject.toml
ignore-error-codes
array
List of HTTP status codes to ignore when searching across indexes. uv will continue to the next index if these codes are encountered.
uv always continues searching on 404 Not Found errors. This cannot be overridden.

Cache Control

Customize caching behavior for an index:
pyproject.toml
cache-control
object
Override HTTP cache control headers:
  • api: Controls caching for Simple API requests (package metadata)
  • files: Controls caching for artifact downloads (wheels and source distributions)
By default, uv respects the cache control headers provided by the index. PyPI uses:
  • Metadata: max-age=600 (10 minutes)
  • Artifacts: max-age=365000000, immutable (indefinite)
Force revalidation:
pyproject.toml

Flat Indexes

In addition to PyPI-style registries (PEP 503), uv supports “flat” indexes (local directories or HTML pages with flat lists of wheels and source distributions):
pyproject.toml
format
string
default:"simple"
Index format:
  • "simple": PyPI-style registry (PEP 503 Simple Repository API)
  • "flat": Flat index (equivalent to pip’s --find-links)
Flat indexes support the same features as Simple API indexes, including explicit = true and pinning via tool.uv.sources.

Legacy pip Compatibility

For compatibility with pip, uv supports --index-url and --extra-index-url:
Mapping:
  • --index-url--default-index (sets default index)
  • --extra-index-url--index (adds additional index)
These can be combined with [[tool.uv.index]] configuration and follow the same prioritization rules.

Examples

Multiple Indexes with Priority

pyproject.toml

Private Registry with Authentication

pyproject.toml

Explicit Index for Specific Packages

pyproject.toml