Protecting streamlit behind AWS API Gateway

Hi there,

We want to make it easy for our data scientists to deploy streamlit apps at a public URL without having to worry about users and authentication.

We run REST APIs behind API Gateway with a JWT Authorizer (incidentally, we’re using Auth0). We’d like to make it so that if you try to access the frontend without a token at, you get redirected to a login UI.

This login UI would have you log in, and then redirect you back to and this time show you the page.

I can come up with ways to make this redirect happen, but what happens when you finally connect to streamlit? If you press buttons and interact with the page, does streamlit need to somehow add our JWT token to its request headers before sending the usual streamlit requests to the streamlit server behind API Gateway? Will the requests that the frontend sends back to the backend be blocked?

We’d like to avoid modifying the streamlit app itself to accommodate any sort of UI so that the concerns of Auth and the streamlit app are totally decoupled.

Is this possible?


@Eric_Riddoch Did you have any success here? I am also trying to put Streamlit (running on ECS) behind API GW, and am not able to get it working.

@mdsambol Ultimately I decided API GW is the wrong tool for this job and gave up. API GW is a difficult tool to use in general any time you’re trying to put it over a UI.

We ended up using the ALB in ECS. You can set up an OIDC redirect rule that redirects the user to a login page (Cognito, Auth0, etc.) if a valid token isn’t present.

If anyone ever discovers how to do this with API GW, I’d love to know how they did it.
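
The ALB OIDC rule described in the reply above, as an added example that is not part of the thread: it builds the listener actions for boto3's `elbv2` client and checks them for settings that would leave the app reachable without login. The Auth0 endpoint paths, the `openid` scope, and the function names are assumptions for illustration; ALB authentication actions require an HTTPS listener.

```python
from urllib.parse import urlparse


def build_oidc_actions(domain, client_id, client_secret, target_group_arn):
    """Listener actions: authenticate with the OIDC provider, then forward to Streamlit."""
    base = f"https://{domain}"  # assumption: Auth0-style tenant domain and endpoint paths
    return [
        {
            "Type": "authenticate-oidc",
            "Order": 1,
            "AuthenticateOidcConfig": {
                "Issuer": base + "/",
                "AuthorizationEndpoint": base + "/authorize",
                "TokenEndpoint": base + "/oauth/token",
                "UserInfoEndpoint": base + "/userinfo",
                "ClientId": client_id,
                "ClientSecret": client_secret,
                "Scope": "openid",
                # Browsers without a valid session are redirected to the login page.
                "OnUnauthenticatedRequest": "authenticate",
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


def check_actions(actions):
    """Return the problems that would let a request reach the app without login."""
    ordered = sorted(actions, key=lambda a: a.get("Order", 0))
    auth = [a for a in ordered if a["Type"] == "authenticate-oidc"]
    if not auth:
        return ["no authenticate-oidc action: requests are forwarded unauthenticated"]
    problems = []
    if ordered[0]["Type"] != "authenticate-oidc":
        problems.append("authenticate-oidc must run before forward")
    cfg = auth[0]["AuthenticateOidcConfig"]
    if cfg.get("OnUnauthenticatedRequest", "authenticate") != "authenticate":
        problems.append("OnUnauthenticatedRequest is not 'authenticate'")
    for key in ("Issuer", "AuthorizationEndpoint", "TokenEndpoint", "UserInfoEndpoint"):
        if urlparse(cfg[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


def apply(listener_arn, actions):
    """Set the checked actions as the default actions of an existing HTTPS listener."""
    import boto3  # imported here so the checks above run without AWS access
    if check_actions(actions):
        raise ValueError(check_actions(actions))
    boto3.client("elbv2").modify_listener(ListenerArn=listener_arn, DefaultActions=actions)
```

The ALB keeps the login session in a cookie, so the browser's later requests to the Streamlit backend carry it without the app adding any headers.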