Will using secret keys for REST APIs in a Streamlit app leak into the browser?

Are API requests in Streamlit done server-side or client-side?

I am using the st_supabase_connection library in my Streamlit app. I am wondering if the network requests to Supabase are visible from the client, or if they happen server-side. Will they be able to see the secret key stored in the secrets.toml file by inspecting network traffic in Chrome DevTools, for example?

This could extend to other 3rd party REST APIs as well — will the secrets be seen when inspecting network traffic on the client’s browser, or are these requests happening server-side?

Secrets are application secrets and should never be sent to the client. It can only happen by mistake or malicious intent.

Ok, for clarity’s sake, when running a basic script like this…

```python
import streamlit as st
import requests

# Load the secret URL from Streamlit secrets
url = st.secrets["api"]["url"]

# Streamlit app
st.title("Basic Streamlit App with GET Request")

# Button to make the GET request
if st.button("Get Data"):
    try:
        response = requests.get(url)
        response.raise_for_status()  # Raise an error for bad status codes
        data = response.json()
        st.write("Data fetched successfully:", data)
    except requests.exceptions.RequestException as e:
        st.error(f"Error fetching data: {e}")
```

The request will run on the server and be hidden from the browser?

Yes, only the data or the exception would be sent to the browser. Note that the exception may include the URL, but that would be your mistake.
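The last reply notes that the exception text can carry the URL. As an added example (not code from the thread or from Streamlit), here is one way to scrub that text before it is rendered in the browser. The function names, the `[redacted]` marker and the sample messages are assumptions constructed for illustration, modelled on the message shapes `requests` produces.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed samples (not real keys): a secret URL as it might sit in
# secrets.toml, and two exception messages shaped like those requests raises.
SECRET_URL = "https://api.example.com/v1/rows?apikey=sk_test_CONSTRUCTED123"
HTTP_ERR = "401 Client Error: Unauthorized for url: " + SECRET_URL
POOL_ERR = ("HTTPSConnectionPool(host='api.example.com', port=443): Max retries "
            "exceeded with url: /v1/rows?apikey=sk_test_CONSTRUCTED123 "
            "(Caused by NewConnectionError('constructed'))")

URL_RE = re.compile(r"https?://[^\s'<>)]+")
MARK = "[redacted]"


def redact_url(url):
    """Keep scheme and host only; drop userinfo, path, query and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.hostname or MARK, "/" + MARK, "", ""))


def _variants(secret):
    """Yield the secret itself and, if it is a URL, its path?query tail,
    because connection errors quote only that relative part."""
    yield secret
    parts = urlsplit(secret)
    if parts.scheme and parts.netloc:
        tail = parts.path + ("?" + parts.query if parts.query else "")
        if len(tail) > 1:
            yield tail


def browser_safe_error(exc, secrets):
    """Return exception text that is safe to pass to st.error()."""
    # 1) Collapse every absolute URL in the message to scheme://host.
    text = URL_RE.sub(lambda m: redact_url(m.group(0)), str(exc))
    # 2) Remove any remaining literal occurrence of a known secret.
    for secret in filter(None, secrets):
        for variant in _variants(secret):
            text = text.replace(variant, MARK)
    return text
```

In the script above, `st.error(f"Error fetching data: {browser_safe_error(e, [url])}")` would replace the direct `{e}` interpolation.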
