
Passwords have full scope of permission while session tokens can be limited.


In PyPI, to obtain a token that is limited in scope, you must first generate an unlimited token.

True story.

In gh you can generate a limited one, but it's not really clear on what the permissions actually mean, so it's trial and error… which means most people will get tired and grant random stuff to have them working.


I didn’t know that about PyPI, but GitHub has seemed OK to me. I’ve also implemented my own scoped authentication systems, so even if they’re not perfect I know it can be done.



