
Generate token for new not yet uploaded package ?

Open Carreau opened this issue 1 year ago • 2 comments

What's the problem this feature will solve?

I want to create a token to upload a package that does not exist yet. I can only use a general token for the first upload and then need to change the token, which is annoying (as far as I can tell).

Describe the solution you'd like

Ability to create a "lazy" token, that once used to upload a given package can only be used for this package forward.

Additional context

I was helping someone upload their first package, and it was not super frictionless.

Carreau avatar Jun 05 '24 13:06 Carreau

Our recommendation is to use Trusted Publishing to create the project instead -- see https://github.com/pypi/warehouse/issues/6378.

di avatar Jun 05 '24 13:06 di

To add to what @di said: Trusted Publishing has a concept of "pending publishers" for this exact scenario: you can register a "pending publisher" for a project that doesn't exist yet, and it'll be turned into a full Trusted Publisher once you use it.

(You can also technically do this by manually attenuating a user-scoped API token locally, since it's a Macaroon under the hood. But I suspect that'll be much less beginner-friendly than Trusted Publishing 🙂)

woodruffw avatar Jun 06 '24 20:06 woodruffw
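The local attenuation woodruffw mentions works because a Macaroon's signature is an HMAC chain: each caveat is folded in with HMAC keyed by the previous signature, so a token holder can narrow a user-scoped token to one project without the server's root key, but cannot widen it again or strip the caveat. The sketch below is an added illustration of that mechanism, not PyPI's or pymacaroons' code; the `project = <name>` caveat syntax, the identifier string and the request dictionary are constructed for the example and are not PyPI's real caveat format.

```python
import hashlib
import hmac


def _chain(sig: bytes, msg: bytes) -> bytes:
    """One link of the Macaroon signature chain: HMAC keyed by the previous signature."""
    return hmac.new(sig, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Server side: issue a broad (user-scoped) token. Only the server knows root_key."""
    return {"id": identifier, "caveats": [], "sig": _chain(root_key, identifier.encode())}


def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a first-party caveat. Needs no key, only the current signature."""
    return {
        "id": token["id"],
        "caveats": token["caveats"] + [caveat],
        "sig": _chain(token["sig"], caveat.encode()),
    }


def _caveat_holds(caveat: str, request: dict) -> bool:
    # Constructed caveat grammar for this example: "<field> = <value>" (not PyPI's format).
    field, _, value = caveat.partition(" = ")
    return request.get(field) == value


def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Server side: recompute the chain from the root key and enforce every caveat.

    A token with a caveat removed carries the *attenuated* signature, so the
    recomputed chain no longer matches and the token is rejected.
    """
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        if not _caveat_holds(caveat, request):
            return False
        sig = _chain(sig, caveat.encode())
    return hmac.compare_digest(sig, token["sig"])


if __name__ == "__main__":
    root = b"constructed-server-root-key"
    user_token = mint(root, "user:example")
    project_token = attenuate(user_token, "project = widgetlib")
    print(verify(root, project_token, {"project": "widgetlib"}))  # True
    print(verify(root, project_token, {"project": "other"}))      # False
```

The attenuated token can be handed to a CI job for the first upload while the broad user-scoped token never leaves the developer's machine, which is the least-privilege property the issue is asking for.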