How safe it is to take API token as input from user via streamlit text input?

How safe is it to take an API token as input from the user via a Streamlit text input? Does it get cached anywhere, or is there any chance of leaking those secret tokens somehow?

Hey @Shadab_Hussain, welcome to Streamlit!

Every input widget’s value gets stored in a dictionary in streamlit. This is a per-user dict, so when that user’s session ends, the dictionary will go away. (It doesn’t get written to disk or have any other form of persistence.)

I think the biggest “leak” risk comes from exceptions. If your script throws an exception, the exception text will be printed to the frontend (along with the traceback).

If the token text makes it into an exception somehow - for example, if some code were to do something like

import streamlit as st
class BadTokenException(Exception): pass  # placeholder exception for the illustration
user_token = st.text_input("API token")
raise BadTokenException(f"Invalid token: {user_token}")  # token ends up in the exception text

^if your script doesn’t catch this exception internally, Streamlit will print it to the user’s browser. That may or may not be an issue (assuming you’re not storing user A’s token and then retrieving and using it in user B’s session, only the token owner should see this).

This stuff is all under your control, of course - but it probably makes sense to take care that sensitive data doesn’t show up in exception text.

(In an upcoming Streamlit release, we’ll be adding an option to hide exception text from the frontend, so this will become less of an issue.)

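As an added example, not code from the thread or from Streamlit itself, here is one way to apply the advice above: validate the token without interpolating it into the error message, and scrub it from any exception a downstream library raises before Streamlit renders the exception in the browser. The token format rule, the `call_api` stand-in and the function names are assumptions made for this example.

```python
"""Added example, not code from the thread: keep a user-supplied token out of
any exception text that Streamlit would render in the browser."""
import hashlib
import re

try:
    import streamlit as st  # only needed for the widget demo at the bottom
except ImportError:  # lets the module import in a plain Python environment
    st = None


class BadTokenException(Exception):
    """Raised for an invalid token; the message never echoes the token."""


def token_fingerprint(token: str) -> str:
    """Short, non-reversible reference for a token (first 8 hex chars of its
    SHA-256), so an error can say *which* token failed without revealing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:8]


def redact(text: str, secret: str) -> str:
    """Replace every occurrence of the secret in text with a placeholder."""
    if not secret:
        return text
    return text.replace(secret, "[REDACTED]")


def validate_token(token: str) -> str:
    """Hypothetical format check (32+ URL-safe characters). The rule is an
    assumption for this example, not any real API's token format."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{32,}", token):
        # The token itself is NOT interpolated into the message.
        raise BadTokenException(
            f"Invalid token format (fingerprint {token_fingerprint(token)})"
        )
    return token


def call_api(token: str) -> str:
    """Stand-in for a client library call (constructed for this example). It
    mimics a careless library that embeds the bearer token in its error."""
    raise RuntimeError(f"401 Unauthorized for bearer {token}")


def run_with_redaction(token: str) -> str:
    """Run the token-dependent step. If anything escapes, re-raise the same
    exception type with the token scrubbed from the message, and detach the
    original exception (`from None`) so a chained traceback cannot show it."""
    try:
        return call_api(validate_token(token))
    except Exception as exc:
        # Works for exception types that take a single message argument.
        raise type(exc)(redact(str(exc), token)) from None


def escaped_message(token: str) -> str:
    """Helper: return the message a caller (e.g. Streamlit's error renderer)
    would see if run_with_redaction(token) raised."""
    try:
        return run_with_redaction(token)
    except Exception as exc:
        return str(exc)


if __name__ == "__main__" and st is not None:
    # type="password" masks the value in the widget itself.
    user_token = st.text_input("API token", type="password")
    if user_token:
        try:
            st.write(run_with_redaction(user_token))
        except Exception as exc:
            st.error(str(exc))  # shows the scrubbed message only
```

Run it with `streamlit run example.py` to see the widget, or import it and call `escaped_message()` to inspect what would reach the browser for a given input. The `from None` matters as much as the redaction: without it, Streamlit's traceback rendering would include the original, unredacted exception as the chained context.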