What is PyPI (Python Package Index)?
PyPI (Python Package Index) is the official package repository for Python. When a developer runs uv add requests or pip install requests, the package is downloaded from PyPI by default. It hosts over 600,000 projects and serves billions of downloads per month.
PyPI is maintained by the Python Packaging Authority (PyPA) and powered by an open-source application called Warehouse.
What PyPI hosts
PyPI stores two types of distribution packages:
- Wheels (.whl files) are pre-built distributions that install quickly. A single project can upload multiple wheels for different platforms and Python versions.
- Source distributions (.tar.gz files) contain raw source code. Installers build the package locally when no matching wheel is available.
Each project on PyPI also includes metadata defined by PEP 621: name, version, description, dependencies, supported Python versions, and project URLs.
How packages get installed from PyPI
Package installers like uv and pip communicate with PyPI through the Simple Repository API defined in PEP 503. The installer queries the index for available versions, resolves dependencies, downloads the best matching distribution, and installs it into the active virtual environment.
uv add requests # adds to project and installs from PyPI
uv pip install flask # pip-compatible interface to PyPI
How packages get published to PyPI
Package authors build distributions with a build frontend and upload them to PyPI. With uv:
uv build # creates wheel and sdist in dist/
uv publish # uploads to PyPI
Authentication uses either an API token (generated at pypi.org) or trusted publishing, which lets GitHub Actions and other CI providers upload packages without storing long-lived credentials. See How to publish to PyPI with trusted publishing for a step-by-step guide.
TestPyPI
TestPyPI is a separate instance of PyPI intended for testing package uploads without affecting the real index. It uses the same API and interface, so switching between them requires only a URL change. See Publishing your first Python package to PyPI for a tutorial that uses TestPyPI.
Private package indexes
PEP 503 defines the Simple Repository API that PyPI implements. Any server that speaks the same protocol works as a drop-in replacement. Organizations use this to host internal packages on services like AWS CodeArtifact, Google Artifact Registry, and JFrog Artifactory. See How to use private package indexes with uv for configuration details.
Supply-chain security
PyPI supports digital attestations and trusted publishing to help users verify that packages were built from the claimed source repository. uv can also verify download hashes against what PyPI reports. See How to protect against Python supply chain attacks with uv for a broader overview of defense measures.
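The following is an added example, not code from this page, from uv, or from PyPI's Warehouse. It ties together the two mechanisms described above: the PEP 503 Simple Repository API that installers query (see "How packages get installed from PyPI") and the per-file hash check that protects the download (this section). It parses a constructed project page in the shape of https://pypi.org/simple/<project>/, picks the distribution an installer would choose for an ordered list of supported wheel tags, and then verifies the "downloaded" bytes against the sha256 fragment the index advertised. Everything in it is constructed: the host files.example.invalid, the demo_pkg filenames and file contents, and the hand-written tag list (a real installer derives its tag order from the running interpreter).

```python
import hashlib
import hmac
import itertools
from html.parser import HTMLParser
from urllib.parse import urlsplit


class SimplePageParser(HTMLParser):
    """Collect the <a> entries of a PEP 503 project page: filename, href, hash fragment, data-requires-python."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._pending = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        if attrs.get("href"):
            # HTMLParser already unescapes attribute values, so "&gt;=3.8" arrives as ">=3.8"
            self._pending = {"href": attrs["href"],
                             "requires_python": attrs.get("data-requires-python"),
                             "filename": ""}

    def handle_data(self, data):
        if self._pending is not None:
            self._pending["filename"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._pending is not None:
            # PEP 503: the URL fragment carries "<algorithm>=<hex digest>" for the file
            algo, _, digest = urlsplit(self._pending["href"]).fragment.partition("=")
            self._pending["hash"] = (algo, digest) if algo and digest else None
            self.links.append(self._pending)
            self._pending = None


def parse_simple_page(html):
    parser = SimplePageParser()
    parser.feed(html)
    parser.close()
    return parser.links


def wheel_tags(filename):
    """Expand a PEP 427 wheel filename into its set of (python, abi, platform) tag triples."""
    parts = filename[:-len(".whl")].split("-")
    if not filename.endswith(".whl") or len(parts) not in (5, 6):
        raise ValueError(f"not a valid wheel filename: {filename}")
    python, abi, platform = parts[-3:]
    # compressed tags such as "py2.py3" expand to one triple per combination
    return set(itertools.product(python.split("."), abi.split("."), platform.split(".")))


def select_distribution(links, supported_tags):
    """Return the wheel matching the most preferred supported tag, else the sdist, else None."""
    wheels = [(link, wheel_tags(link["filename"])) for link in links
              if link["filename"].endswith(".whl")]
    for tag in supported_tags:  # supported_tags is ordered most-preferred first
        for link, tags in wheels:
            if tag in tags:
                return link
    for link in links:
        if link["filename"].endswith(".tar.gz"):
            return link
    return None


def verify_download(link, data):
    """Check downloaded bytes against the digest the index advertised; unverifiable files fail closed."""
    if link["hash"] is None:
        return False
    algo, expected = link["hash"]
    try:
        actual = hashlib.new(algo, data).hexdigest()
    except ValueError:  # unknown algorithm name
        return False
    return hmac.compare_digest(actual, expected.lower())


# Constructed sample data: stand-ins for the real file contents a client would download.
FILES = {
    "demo_pkg-1.0.0-py3-none-any.whl": b"PK\x03\x04 pure-python wheel (constructed)",
    "demo_pkg-1.0.0-cp312-cp312-manylinux_2_17_x86_64.whl": b"PK\x03\x04 cp312 linux wheel (constructed)",
    "demo_pkg-1.0.0.tar.gz": b"\x1f\x8b sdist (constructed)",
}


def _anchor(name):
    digest = hashlib.sha256(FILES[name]).hexdigest()
    # files.example.invalid is a placeholder host, not a real PyPI file URL
    return (f'<a href="https://files.example.invalid/{name}#sha256={digest}" '
            f'data-requires-python="&gt;=3.8">{name}</a><br/>')


# Constructed PEP 503 project page in the shape of https://pypi.org/simple/<project>/
SAMPLE_PAGE = ("<!DOCTYPE html><html><body><h1>Links for demo-pkg</h1>"
               + "".join(_anchor(name) for name in FILES) + "</body></html>")


def demo():
    """Resolve, 'download' and verify the way an installer would on a CPython 3.12 manylinux host."""
    links = parse_simple_page(SAMPLE_PAGE)
    # Illustrative tag order; real installers derive this from the interpreter (e.g. packaging.tags)
    supported = [("cp312", "cp312", "manylinux_2_17_x86_64"), ("py3", "none", "any")]
    chosen = select_distribution(links, supported)
    data = FILES[chosen["filename"]]
    return chosen["filename"], verify_download(chosen, data), verify_download(chosen, data + b"\x00")


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real installers: the tag list is ordered by preference, so a platform-specific wheel beats the pure-Python wheel when both match, and a file whose index entry carries no hash is treated as unverifiable rather than silently accepted, which is the behaviour a hash-checking mode such as uv's lockfile hashes enforces.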