From b835fb1583c03b2ca8788fcc948ca36e831dda43 Mon Sep 17 00:00:00 2001
From: Zach Kurtz <zkurtz@protonmail.com>
Date: Sat, 22 Feb 2025 11:33:31 -0500
Subject: [PATCH] clarify Azure PAT usage

---
 docs/configuration/indexes.md                  | 11 ++++-------
 docs/guides/integration/alternative-indexes.md | 12 +++++++++---
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/docs/configuration/indexes.md b/docs/configuration/indexes.md
index 7e9327d6fdb9..a6d0479c2f1c 100644
--- a/docs/configuration/indexes.md
+++ b/docs/configuration/indexes.md
@@ -138,10 +138,7 @@ While `unsafe-best-match` is the closest to pip's behavior, it exposes users to
 ## Providing credentials
 
 Most private registries require authentication to access packages, typically via a username and
-password (or access token).
-
-To authenticate with a provide index, either provide credentials via environment variables or embed
-them in the URL.
+password (or access token), either loaded from environment variables or embedded in the URL.
 
 For example, given an index named `internal-proxy` that requires a username (`public`) and password
 (`koala`), define the index (without credentials) in your `pyproject.toml`:
@@ -152,9 +149,9 @@ name = "internal-proxy"
 url = "https://example.com/simple"
 ```
 
-From there, you can set the `UV_INDEX_INTERNAL_PROXY_USERNAME` and
-`UV_INDEX_INTERNAL_PROXY_PASSWORD` environment variables, where `INTERNAL_PROXY` is the uppercase
-version of the index name, with non-alphanumeric characters replaced by underscores:
+Then set the `UV_INDEX_INTERNAL_PROXY_USERNAME` and `UV_INDEX_INTERNAL_PROXY_PASSWORD` environment
+variables, where `INTERNAL_PROXY` is the uppercase version of the index name, with non-alphanumeric
+characters replaced by underscores:
 
 ```sh
 export UV_INDEX_INTERNAL_PROXY_USERNAME=public
diff --git a/docs/guides/integration/alternative-indexes.md b/docs/guides/integration/alternative-indexes.md
index 0492de87b2d0..c13ea10fae81 100644
--- a/docs/guides/integration/alternative-indexes.md
+++ b/docs/guides/integration/alternative-indexes.md
@@ -29,15 +29,21 @@ Authenticate to a feed using a
 
 If there is a PAT available (eg
 [`$(System.AccessToken)` in an Azure pipeline](https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken)),
-credentials can be provided via the "Basic" HTTP authentication scheme. Include the PAT in the
-password field of the URL. A username must be included as well, but can be any string.
+credentials can be provided via the `UV_INDEX_[index name]_[username/password]` environment
+variables as described in
+[Providing credentials](../../configuration/indexes.md#providing-credentials), using your PAT as the
+password and an arbitrary string like "dummy" as the username.
 
-For example, with the token stored in the `$ADO_PAT` environment variable, set the index URL with:
+Alternatively, encode credentials in the `UV_INDEX` environment variable. For example, with the
+token stored in the `$ADO_PAT` environment variable, set the index URL with:
 
 ```console
 $ export UV_INDEX=https://dummy:$ADO_PAT@pkgs.dev.azure.com/{organisation}/{project}/_packaging/{feedName}/pypi/simple/
 ```
 
+This method is not normally recommended since `uv sync` then copies the url to the `pyproject.toml`,
+exposing the PAT in plaintext.
+
 ### Using `keyring`
 
 If there is not a PAT available, authenticate to Artifacts using the