PyPI API token invalid

I am using the GitHub Actions publish Python package.
The following is the code in my python-publish.yml file:

    name: Upload Python Package

    on: push

    jobs:
      deploy:
        runs-on: ubuntu-latest

        steps:
          - uses: actions/checkout@v2
          - name: Set up Python
            uses: actions/setup-python@v2
            with:
              python-version: '3.x'
          - name: Install dependencies
            run: |
              python -m pip install --upgrade pip
              pip install build
              pip install requests
          - name: Build package
            run: python -m build
          - name: Publish package
            uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
            with:
              user: __token__
              password: ${{ secrets.PYPI_API_TOKEN }}

However, whenever I run it, it gives the error:

Warning: It looks like you are trying to use an API token to authenticate in the package index and your token value does not start with "pypi-" as it typically should. This may cause an authentication error. Please verify that you have copied your token properly if such an error occurs.

I suspect it has something to do with the user: __token__ line, but I can’t seem to figure out what the token is. I have obtained the correct PYPI_API_TOKEN as it starts with pypi-, but the action runs into another error when I put it as user: ${{ secrets.PYPI_API_TOKEN}}.

Follow the Python package publishing with CI/CD guide.

Once you create your API token on PyPI, you can paste it in the secrets tab of your repository as a new token. Then, whatever NAME you give that token is used in the python-publish.yml file as ${{secrets.NAME}}. In this case, it’s PYPI_API_TOKEN.

Does that help?

Having a similar issue

> - name: Publish distribution 📦 to PyPI
>   uses: pypa/gh-action-pypi-publish@master
>   with:
>     password: ${{secrets.PYPI_API_TOKEN}}
>     repository_url:

It’s giving me the same error. I’ve tried generating a new token, which definitely starts with pypi-, but I’m still getting the same warning and the following error:

> HTTPError: 403 Forbidden from
> [22](

Any thoughts?

I think your repository_url is wrong:

    user: __token__
    password: ${{ secrets.TEST_PYPI_API_TOKEN }}

I experienced this when creating a PR and pushing to a fork. More info here.
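
As an added example (not part of the thread, and not code from PyPI or the pypa action): a preflight check a workflow step could run before publishing, to tell apart the causes of the warning discussed above. These are an empty secret (the secret name does not match, or the run came from a fork pull request, where GitHub does not pass repository secrets), a token pasted with stray whitespace, or a value without the `pypi-` prefix. It assumes the token reaches the step as the environment variable `PYPI_API_TOKEN`; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: diagnose a PyPI API token before the upload step.
# The token value itself is never printed, only a verdict.

# classify_pypi_token VALUE
# Prints one of: empty | whitespace | bad-prefix | ok
classify_pypi_token() {
  value="$1"
  if [ -z "$value" ]; then
    echo "empty"
    return 0
  fi
  # Remove every whitespace character; any difference means the secret
  # was stored with a space, tab or newline in it.
  stripped="$(printf '%s' "$value" | tr -d '[:space:]')"
  if [ "$stripped" != "$value" ]; then
    echo "whitespace"
    return 0
  fi
  case "$value" in
    pypi-*) echo "ok" ;;
    *)      echo "bad-prefix" ;;
  esac
}

# preflight_pypi_token
# Reads PYPI_API_TOKEN (assumed to be mapped from the repository secret in
# the step's env: block). Returns 0 if the value looks like an API token,
# otherwise 1 with a diagnosis on stderr.
preflight_pypi_token() {
  verdict="$(classify_pypi_token "${PYPI_API_TOKEN-}")"
  case "$verdict" in
    ok)
      return 0 ;;
    empty)
      echo "PYPI_API_TOKEN is empty: the secret name does not match, or this run was triggered from a fork PR and received no secrets." >&2 ;;
    whitespace)
      echo "PYPI_API_TOKEN contains whitespace: re-create the secret without a trailing space or newline." >&2 ;;
    bad-prefix)
      echo "PYPI_API_TOKEN does not start with pypi-: the secret holds something other than the API token." >&2 ;;
  esac
  return 1
}

# Usage in a step that runs before the publish action:
#   preflight_pypi_token || exit 1
```
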