diff --git a/{{cookiecutter.project_name}}/{% if cookiecutter.__ci=='gitlab' %}.gitlab-ci.yml{% endif %} b/{{cookiecutter.project_name}}/{% if cookiecutter.__ci=='gitlab' %}.gitlab-ci.yml{% endif %}
index 7d05d089..a1fe0423 100644
--- a/{{cookiecutter.project_name}}/{% if cookiecutter.__ci=='gitlab' %}.gitlab-ci.yml{% endif %}
+++ b/{{cookiecutter.project_name}}/{% if cookiecutter.__ci=='gitlab' %}.gitlab-ci.yml{% endif %}
@@ -17,7 +17,7 @@ cache:
 image: python:3.8-buster
 before_script:
 # want to set up a virtualenv to cache
- - apt-get install -y --no-install-recommends git
+ - apt-get install -y --no-install-recommends git jq
 - python -V
 - python -m venv .venv
 - source .venv/bin/activate
@@ -152,23 +152,34 @@ make_wheels:
 - make_wheels
 {%- endif %}
 script:
- - pipx run twine upload --verbose dist/*whl dist/*gz
+ # Retrieve the OIDC token from GitLab CI/CD and exchange it for a PyPI API token
+ - oidc_token=$(pipx run id PYPI)
+ - response=$(curl -X POST "${OIDC_MINT_TOKEN_URL}" -d "{\"token\":\"${oidc_token}\"}")
+ - api_token=$(jq --raw-output '.token' <<< "${response}")
+
+ - pipx run twine upload --password "${api_token}" --verbose dist/*whl dist/*gz
 deploy_staging:
 extends: .deploy
 rules:
 - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ id_tokens:
+ PYPI_ID_TOKEN:
+ aud: testpypi
 variables:
 TWINE_REPOSITORY: testpypi
 TWINE_USERNAME: __token__
- TWINE_PASSWORD: $TESTPYPI_TOKEN
+ OIDC_MINT_TOKEN_URL: "https://test.pypi.org/_/oidc/mint-token"
 deploy_production:
 extends: .deploy
 only:
 - tags
+ id_tokens:
+ PYPI_ID_TOKEN:
+ aud: pypi
 variables:
 TWINE_REPOSITORY: pypi
 TWINE_USERNAME: __token__
- TWINE_PASSWORD: $PYPI_TOKEN
+ OIDC_MINT_TOKEN_URL: "https://pypi.org/_/oidc/mint-token"
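Review bot: The token-exchange step added to the `.deploy` script does not check the `curl` call for failure, so a non-2xx answer from the mint-token endpoint (for instance when the trusted-publisher claims do not match the job) leaves `response` holding an error document, `jq --raw-output '.token'` prints `null`, and twine then attempts the upload with the literal password `null` instead of the job failing at the exchange with the endpoint's message; `response=$(curl -sSf -X POST "${OIDC_MINT_TOKEN_URL}" -d "{\"token\":\"${oidc_token}\"}")` makes the assignment fail under the runner's `set -e` semantics. Passing the minted token as `--password "${api_token}"` also places the secret in the process argument list on the runner, where anything that can read `ps` sees it; twine reads `TWINE_PASSWORD` from the environment, so `TWINE_PASSWORD="${api_token}" pipx run twine upload --verbose dist/*whl dist/*gz` keeps it out of the argv while the existing `TWINE_USERNAME: __token__` variable still applies. The `PYPI_ID_TOKEN` name under `id_tokens:` and the `PYPI` argument to `pipx run id` appear to be coupled — the `id` tool seems to select the GitLab ID token variable from that audience string — so a one-line comment such as `# name must stay <AUDIENCE>_ID_TOKEN for "pipx run id PYPI" to find it` next to each `id_tokens:` block would stop a rename of either side from silently breaking the exchange. The `.deploy` job definition starts before the hunk, and the first hunk only adds `jq` to the package list.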