diff --git a/.github/workflows/publish-pypi-release-aboutcode-api-auth.yml b/.github/workflows/publish-pypi-release-aboutcode-api-auth.yml
new file mode 100644
index 00000000..313a196e
--- /dev/null
+++ b/.github/workflows/publish-pypi-release-aboutcode-api-auth.yml
@@ -0,0 +1,62 @@
+name: Build aboutcode.api_auth Python distributions and publish on PyPI
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "aboutcode.api_auth/*"
+
+jobs:
+  build:
+    name: Build and publish library to PyPI
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false  # do not keep the token around
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: 3.14
+
+      - name: Install flot
+        run: python -m pip install flot --user
+
+      - name: Build a binary wheel and a source tarball
+        run: python -m flot --pyproject pipeline-pyproject.toml --sdist --wheel --output-dir dist/
+
+      - name: Upload package distributions as GitHub workflow artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  # Only set the id-token: write permission in the job that does publishing, not globally.
+  # Also, separate building from publishing — this makes sure that any scripts
+  # maliciously injected into the build or test environment won't be able to elevate
+  # privileges while flying under the radar.
+  pypi-publish:
+    name: Upload package distributions to PyPI
+    if: startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes
+    needs:
+      - build
+    runs-on: ubuntu-24.04
+    environment:
+      name: pypi
+      url: https://pypi.org/p/aboutcode.api_auth
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - name: Download all the dists
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0
diff --git a/aboutcode/api_auth/RELEASE.md b/aboutcode/api_auth/RELEASE.md
new file mode 100644
index 00000000..7ee4dfa8
--- /dev/null
+++ b/aboutcode/api_auth/RELEASE.md
@@ -0,0 +1,29 @@
+# Release instructions for `aboutcode.api_auth`
+
+### Automated release workflow
+
+- Create a new `aboutcode.api_auth-release-x.x.x` branch
+- Update the version in:
+  - `api_auth-pyproject.toml`
+  - `aboutcode/api_auth/__init__.py`
+- Commit and push this branch
+- Create a PR and merge once approved
+- Tag and push to trigger the `publish-pypi-release-aboutcode-api-auth.yml` workflow 
+  that takes care of building the distribution archives and upload those to pypi::
+  ```
+  VERSION=x.x.x  # <- Set the new version here
+  TAG=aboutcode.api_auth/$VERSION
+  git tag -a $TAG -m ""
+  git push origin $TAG
+  ```
+
+### Manual build
+
+```
+cd dejacode
+source .venv/bin/activate
+pip install flot
+flot --pyproject api_auth-pyproject.toml --sdist --wheel --output-dir dist/
+```
+
+The distribution archives will be available in the local `dist/` directory.
diff --git a/aboutcode/api_auth/__init__.py b/aboutcode/api_auth/__init__.py
index 0b781760..99691db2 100644
--- a/aboutcode/api_auth/__init__.py
+++ b/aboutcode/api_auth/__init__.py
@@ -19,6 +19,8 @@
 from rest_framework.authentication import TokenAuthentication
 from rest_framework.exceptions import AuthenticationFailed
 
+__version__ = "0.1.0"
+
 
 class AbstractAPIToken(models.Model):
     """
diff --git a/api_auth-pyproject.toml b/api_auth-pyproject.toml
new file mode 100644
index 00000000..72b9184d
--- /dev/null
+++ b/api_auth-pyproject.toml
@@ -0,0 +1,44 @@
+[build-system]
+requires = ["flot"]
+build-backend = "flot.buildapi"
+
+[project]
+name = "aboutcode.api_auth"
+version = "0.1.0"
+description = ""
+license = { text = "Apache-2.0" }
+readme = "aboutcode/api_auth/README.md"
+requires-python = ">=3.11"
+authors = [ { name = "nexB. Inc. and others", email = "info@aboutcode.org" } ]
+keywords = [
+    "open source",
+    "api",
+    "authentication",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Topic :: Software Development",
+    "Topic :: Utilities",
+]
+
+[project.urls]
+Homepage = "https://github.com/aboutcode-org/dejacode"
+Documentation = "https://dejacode.readthedocs.io/"
+Repository = "https://github.com/aboutcode-org/dejacode/tree/main/aboutcode/api_auth"
+Issues = "https://github.com/aboutcode-org/dejacode/issues"
+
+[tool.flot]
+includes = [
+    "aboutcode/api_auth/*",
+]
+metadata_files = [
+    "LICENSE",
+    "NOTICE",
+]