Deploying an app which uses secret api_id and api_hash on Streamlit Cloud

I’m going to deploy an app which requires pyrogram library on Streamlit Cloud.

pyrogram.Client uses api_id and api_hash to authorize and perform on the Telegram API. More on this here: Authorization — Pyrogram Documentation

I’m a rookie at developing any apps and I’m very concerned about security in this particular case.

First, I have to place both my api_id and api_hash into my repository on GitHub or directly in the app directory on Streamlit Cloud. Does anyone have any suggestions on which way is better?

As far as I understand, my app folder on Streamlit is private, but my GitHub repository currently isn’t. Would it be possible for me to simply make my repo private and place the file with the API access details there, or will placing it in the app folder on Streamlit be enough?

Though on the first run pyrogram.Client requires an authorization via my phone number, it creates a .session file to further perform API requests (to skip auth later on). Where it will create the file, I have no idea, since I have only tried running my app on my local host. I can’t confirm whether the .session file will be created in my app directory, in the GitHub repo or on the server my app is running on. If not on the server, how can I ensure that nobody can work with the API using my api_id, api_hash and .session files?

I hope that I made the problem clear. Btw, I’m not greedy to share, but pyrogram isn’t that fast in work with API, and any interference will be a huge slow down. Performance speed in the first place, u know)

Thanks to anyone in advance!

Use Environment/secret variables in your application and add secrets in settings

Example: account_sid = st.secrets["account_sid"] in your code.
So then it will work for sure.
And about session files, they will be stored on the Streamlit server AFAIK, so no need to worry I guess.

1 Like

Creating a .env file, adding environment variables inside it, and including the .env in .gitignore will help in hiding the API keys. However, if you still have concerns you can set your GitHub repository to ‘private’ and still host the app without any disruptions.

1 Like
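
Added example (not part of any reply in this thread): a small pre-push check that flags the files discussed above (.env, .session files, a local .streamlit/secrets.toml) when .gitignore does not cover them, and literal api_id/api_hash values in Python source. The names audit, SENSITIVE_GLOBS and HARDCODED are hypothetical, the .gitignore matching is deliberately simplified, and the api_hash pattern assumes a quoted 32-character hex string.

```python
import fnmatch
import re
from pathlib import Path

# File names from this thread that must not be committed (.streamlit/secrets.toml
# is where Streamlit reads st.secrets from when run locally).
SENSITIVE_GLOBS = ("*.session", ".env", "secrets.toml")
# Heuristic (assumption): api_id is a literal integer, api_hash a quoted 32-hex string.
HARDCODED = re.compile(
    r"""\bapi_id\s*=\s*["']?\d{4,}|\bapi_hash\s*=\s*["'][0-9a-fA-F]{32}["']"""
)


def load_ignore_patterns(repo: Path) -> list[str]:
    """Read .gitignore, skipping blanks, comments and negations."""
    gitignore = repo / ".gitignore"
    if not gitignore.exists():
        return []
    lines = (ln.strip() for ln in gitignore.read_text().splitlines())
    return [ln.strip("/") for ln in lines if ln and not ln.startswith(("#", "!"))]


def is_ignored(rel: Path, patterns: list[str]) -> bool:
    """Simplified gitignore match: file name, relative path, or a parent directory."""
    candidates = [rel.name, rel.as_posix(), *(p.as_posix() for p in rel.parents)]
    return any(fnmatch.fnmatch(c, pat) for c in candidates for pat in patterns)


def audit(repo: Path) -> list[str]:
    """Return one finding per unprotected secret file or hardcoded credential."""
    findings = []
    patterns = load_ignore_patterns(repo)
    for path in sorted(repo.rglob("*")):
        rel = path.relative_to(repo)
        if not path.is_file() or ".git" in rel.parts:
            continue
        if any(fnmatch.fnmatch(rel.name, g) for g in SENSITIVE_GLOBS):
            if not is_ignored(rel, patterns):
                findings.append(f"{rel.as_posix()}: not covered by .gitignore")
        elif path.suffix == ".py":
            for n, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
                if HARDCODED.search(line):
                    findings.append(f"{rel.as_posix()}:{n}: hardcoded api_id/api_hash")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(Path("."))) or "no findings")
```

A file that was committed before it was added to .gitignore stays in the repository history, so credentials that were ever pushed should be regenerated rather than just ignored.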

Thank you guys!
I thought over your propositions and have come to the conclusion, that I’ll use both of them, partly.

Hope that using st.secrets for my api_id and api_hash and keeping my GitHub repo private will be enough for anyone not to bother)

Fun fact: I haven’t found any way to create a new .session file on the first launch in Streamlit Cloud (since the console doesn’t allow any input), but the uploaded .session file works just fine.

The community here is always ready to help, so heartwarming <3

1 Like
