# What is PyPI (Python Package Index)?


PyPI (Python Package Index) is the official package repository for Python. When a developer runs `uv add requests` or `pip install requests`, the package is downloaded from PyPI by default. It hosts over 600,000 projects and serves billions of downloads per month.

PyPI is maintained by the [Python Packaging Authority (PyPA)](https://pydevtools.com/handbook/explanation/what-is-pypa.md) and powered by an open-source application called [Warehouse](https://warehouse.pypa.io).

## What PyPI hosts

PyPI stores two types of [distribution packages](https://pydevtools.com/handbook/explanation/what-is-a-python-package.md):

- [Wheels](https://pydevtools.com/handbook/reference/wheel.md) (`.whl` files) are pre-built distributions that install quickly. A single project can upload multiple wheels for different platforms and Python versions.
- [Source distributions](https://pydevtools.com/handbook/reference/sdist.md) (`.tar.gz` files) contain raw source code. Installers build the package locally when no matching wheel is available.

Each project on PyPI also includes metadata defined by [PEP 621](https://peps.python.org/pep-0621/): name, version, description, dependencies, supported Python versions, and project URLs.

## How packages get installed from PyPI

Package installers like [uv](https://pydevtools.com/handbook/reference/uv.md) and [pip](https://pydevtools.com/handbook/reference/pip.md) communicate with PyPI through the [Simple Repository API defined in PEP 503](https://pydevtools.com/handbook/explanation/what-is-pep-503.md). The installer queries the index for available versions, resolves dependencies, downloads the best matching distribution, and installs it into the active [virtual environment](https://pydevtools.com/handbook/explanation/what-is-a-virtual-environment.md).

```bash
uv add requests        # adds to project and installs from PyPI
uv pip install flask   # pip-compatible interface to PyPI
```

## How packages get published to PyPI

Package authors build distributions with a [build frontend](https://pydevtools.com/handbook/explanation/what-is-a-build-frontend.md) and upload them to PyPI. With [uv](https://pydevtools.com/handbook/reference/uv.md):

```bash
uv build       # creates wheel and sdist in dist/
uv publish     # uploads to PyPI
```

Authentication uses either an API token (generated at pypi.org) or [trusted publishing](https://pydevtools.com/handbook/explanation/why-use-trusted-publishing-for-pypi.md), which lets GitHub Actions and other CI providers upload packages without storing long-lived credentials. See [How to publish to PyPI with trusted publishing](https://pydevtools.com/handbook/how-to/how-to-publish-to-pypi-with-trusted-publishing.md) for a step-by-step guide.

## TestPyPI

[TestPyPI](https://test.pypi.org/) is a separate instance of PyPI intended for testing package uploads without affecting the real index. It uses the same API and interface, so switching between them requires only a URL change. See [Publishing your first Python package to PyPI](https://pydevtools.com/handbook/tutorial/publishing-your-first-python-package-to-pypi.md) for a tutorial that uses TestPyPI.

## Private package indexes

[PEP 503](https://pydevtools.com/handbook/explanation/what-is-pep-503.md) defines the Simple Repository API that PyPI implements. Any server that speaks the same protocol works as a drop-in replacement. Organizations use this to host internal packages on services like AWS CodeArtifact, Google Artifact Registry, and JFrog Artifactory. See [How to use private package indexes with uv](https://pydevtools.com/handbook/how-to/how-to-use-private-package-indexes-with-uv.md) for configuration details.

## Supply-chain security

PyPI supports [digital attestations](https://pydevtools.com/handbook/how-to/how-to-publish-python-packages-with-digital-attestations.md) and [trusted publishing](https://pydevtools.com/handbook/explanation/why-use-trusted-publishing-for-pypi.md) to help users verify that packages were built from the claimed source repository. uv can also [verify download hashes](https://pydevtools.com/handbook/how-to/how-to-pin-dependencies-with-hashes-in-uv.md) against what PyPI reports. See [How to protect against Python supply chain attacks with uv](https://pydevtools.com/handbook/how-to/how-to-protect-against-python-supply-chain-attacks-with-uv.md) for a broader overview of defense measures.
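The index page an installer reads (see "How packages get installed from PyPI") carries a digest for each file in the link's URL fragment, and that is the value a download is checked against. The sketch below is an added example, not code from uv, pip or Warehouse: it parses a constructed PEP 503 project page and verifies file contents against the listed sha256. The package name, host and file contents are made up.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed sample data: file contents, names and host are invented.
WHEEL_BYTES = b"constructed wheel contents"
SDIST_BYTES = b"constructed sdist contents"
WHEEL_SHA = hashlib.sha256(WHEEL_BYTES).hexdigest()
SDIST_SHA = hashlib.sha256(SDIST_BYTES).hexdigest()
BASE = "https://files.example.invalid/"
SAMPLE_PAGE = f"""<!DOCTYPE html><html><body>
<a href="{BASE}demo_pkg-1.0-py3-none-any.whl#sha256={WHEEL_SHA}" data-requires-python="&gt;=3.8">demo_pkg-1.0-py3-none-any.whl</a>
<a href="{BASE}demo_pkg-1.0.tar.gz#sha256={SDIST_SHA}">demo_pkg-1.0.tar.gz</a>
</body></html>"""


class SimpleIndexParser(HTMLParser):
    """Collects one record per <a> element of a PEP 503 project page."""

    def __init__(self):
        super().__init__()
        self.files = {}

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        # PEP 503: the href may end in "#<hashname>=<hashvalue>".
        url, fragment = urldefrag(attrs.get("href", ""))
        algo, _, digest = fragment.partition("=")
        self.files[url.rsplit("/", 1)[-1]] = {
            "url": url, "algo": algo, "digest": digest.lower(),
            "requires_python": attrs.get("data-requires-python"),
        }


def parse_index(html):
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.files


def verify(files, filename, data):
    """True only if filename is listed with a sha256 digest matching data."""
    entry = files.get(filename)
    if entry is None or entry["algo"] != "sha256" or not entry["digest"]:
        return False  # fail closed: unlisted file or no usable digest
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, entry["digest"])
```

The digest in the URL fragment comes from the index itself, so this check catches corruption or substitution between the index and the installer. Hashes pinned in a lockfile add a comparison against a value recorded earlier.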

## Learn more

- [PyPI website](https://pypi.org/)
- [PyPI Help](https://pypi.org/help/)
- [Warehouse documentation](https://warehouse.pypa.io)
- [What is a Python package?](https://pydevtools.com/handbook/explanation/what-is-a-python-package.md)
- [What is PyPA?](https://pydevtools.com/handbook/explanation/what-is-pypa.md)
- [What is PEP 503?](https://pydevtools.com/handbook/explanation/what-is-pep-503.md)
- [How to publish to PyPI with trusted publishing](https://pydevtools.com/handbook/how-to/how-to-publish-to-pypi-with-trusted-publishing.md)
- [Publishing your first Python package to PyPI](https://pydevtools.com/handbook/tutorial/publishing-your-first-python-package-to-pypi.md)
