
A read-only, dict-like object for accessing information about the current user.

st.user is dependent on the host platform running your Streamlit app. If your host platform has not configured the object, st.user will behave as it does in a locally running app.

When authentication is configured in secrets.toml, Streamlit will parse the OpenID Connect (OIDC) identity token and copy the attributes to st.user. Check your provider's documentation for their available attributes (known as claims).

When authentication is not configured, st.user has no attributes.

You can access values via key or attribute notation. For example, use st.user["email"] or st.user.email to access the email attribute.

Important

Identity tokens include an issuance and expiration time. Streamlit does not implicitly check these. If you want to automatically expire a user's authentication, check these values manually and programmatically log out your user (st.logout()) when needed.
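One way to perform the manual check described in the note above, as an added example that is not part of the Streamlit documentation. The names token_status and enforce_token_lifetime, the 30-second clock-skew leeway, and the 8-hour session cap are assumptions chosen for illustration.

```python
import time


def token_status(claims, now=None, max_session_age=None, leeway=30):
    """Classify ID-token timestamps.

    claims: mapping of ID-token claims, e.g. st.user.to_dict().
    max_session_age: optional app-side cap in seconds, measured from iat.
    leeway: tolerated clock skew in seconds (assumed value).
    Returns "valid", "expired", "not_yet_valid", "too_old" or "missing_claims".
    """
    now = time.time() if now is None else now
    try:
        exp = float(claims["exp"])
        iat = float(claims["iat"])
        nbf = float(claims.get("nbf", iat))  # nbf is optional (Microsoft sends it)
    except (KeyError, TypeError, ValueError):
        return "missing_claims"  # fail closed: no usable timestamps
    if now >= exp + leeway:
        return "expired"
    if max(iat, nbf) > now + leeway:
        return "not_yet_valid"
    if max_session_age is not None and now - iat > max_session_age:
        return "too_old"
    return "valid"


def enforce_token_lifetime(max_session_age=8 * 3600):
    """Call at the top of every page; logs the user out when the token is stale."""
    # Imported lazily so token_status() can be unit-tested without Streamlit.
    import streamlit as st

    # is_logged_in does not exist when authentication is not configured.
    if not st.user.get("is_logged_in", False):
        return
    if token_status(st.user.to_dict(), max_session_age=max_session_age) != "valid":
        st.logout()
```

Anything other than "valid" triggers the logout, so a token with missing or malformed timestamps is treated the same as an expired one.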

Class description

st.user()

Methods

to_dict()

Get user info as a dictionary.

Attributes

is_logged_in (bool)

Whether a user is logged in. For a locally running app, this attribute is only available when authentication (st.login()) is configured in secrets.toml. Otherwise, it does not exist.

tokens (TokensProxy)

A read-only, dict-like object for accessing exposed tokens from the identity provider.

Examples

Example 1: Google's identity token

If you configure a basic Google OIDC connection as shown in Example 1 of st.login(), the following data is available in st.user. Streamlit adds the is_logged_in attribute. Additional attributes may be available depending on the configuration of the user's Google account. For more information about Google's identity tokens, see Obtain user information from the ID token in Google's docs.

import streamlit as st

if st.user.is_logged_in:
    st.write(st.user)

Displayed data when a user is logged in:

{
    "is_logged_in":true
    "iss":"https://accounts.google.com"
    "azp":"{client_id}.apps.googleusercontent.com"
    "aud":"{client_id}.apps.googleusercontent.com"
    "sub":"{unique_user_id}"
    "email":"{user}@gmail.com"
    "email_verified":true
    "at_hash":"{access_token_hash}"
    "nonce":"{nonce_string}"
    "name":"{full_name}"
    "picture":"https://lh3.googleusercontent.com/a/{content_path}"
    "given_name":"{given_name}"
    "family_name":"{family_name}"
    "iat":{issued_time}
    "exp":{expiration_time}
    "tokens":{}
}

Example 2: Microsoft's identity token

If you configure a basic Microsoft OIDC connection as shown in Example 2 of st.login(), the following data is available in st.user. For more information about Microsoft's identity tokens, see ID token claims reference in Microsoft's docs.

import streamlit as st

if st.user.is_logged_in:
    st.write(st.user)

Displayed data when a user is logged in:

{
    "is_logged_in":true
    "ver":"2.0"
    "iss":"https://login.microsoftonline.com/{tenant_id}/v2.0"
    "sub":"{application_user_id}"
    "aud":"{application_id}"
    "exp":{expiration_time}
    "iat":{issued_time}
    "nbf":{start_time}
    "name":"{full_name}"
    "preferred_username":"{username}"
    "oid":"{user_GUID}"
    "email":"{email}"
    "tid":"{tenant_id}"
    "nonce":"{nonce_string}"
    "aio":"{opaque_string}"
    "tokens":{}
}

A read-only, dict-like object for accessing exposed tokens from the identity provider.

This class provides access to tokens that have been explicitly exposed via the expose_tokens setting in your authentication configuration. Tokens contain sensitive credentials that your app can use to authenticate with external services on behalf of the logged-in user.

To expose tokens in st.user.tokens, add the expose_tokens parameter to your authentication configuration in .streamlit/secrets.toml. expose_tokens must be in the [auth] section and can't be a nested dictionary. You can specify a single token type as a string or multiple token types as a list. Streamlit supports exposing "id" tokens and "access" tokens. If expose_tokens isn't configured, st.user.tokens is an empty dict.

Warning

Tokens are sensitive credentials that should be handled securely. Never expose tokens in your app's UI, logs, or error messages. Only use tokens for server-side API calls, and be mindful of token expiration times. Only expose tokens if your app needs them for specific API integrations.

You can access token values using either key or attribute notation. For example, use st.user.tokens["id"] or st.user.tokens.id to access the id token. The object is read-only to prevent accidental modification of sensitive credentials.
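A guard for the warning above about keeping tokens out of logs and error messages, as an added example that is not part of the Streamlit documentation. TokenRedactor, demo and the sample token strings are constructed for illustration; in an app, the known values would be the ones read from st.user.tokens, and the filter is attached to the handler so it sees records from every logger that reaches it.

```python
import logging
import re

# Compact JWTs are three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
MASK = "[REDACTED]"


class TokenRedactor(logging.Filter):
    """Scrub exposed tokens from log messages and tracebacks."""

    def __init__(self, known_tokens=()):
        super().__init__()
        # Exact values catch opaque access tokens that are not JWT-shaped.
        self._known = [t for t in known_tokens if t]

    def scrub(self, text):
        for token in self._known:
            text = text.replace(token, MASK)
        return JWT_RE.sub(MASK, text)

    def filter(self, record):
        record.msg, record.args = self.scrub(record.getMessage()), None
        if record.exc_info:
            trace = logging.Formatter().formatException(record.exc_info)
            record.exc_text, record.exc_info = self.scrub(trace), None
        return True


def demo():
    """Log constructed sample tokens through the filter and return the output lines."""
    id_token = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"  # constructed
    access_token = "opaque-access-token-0001"  # constructed, not JWT-shaped
    lines = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            lines.append(self.format(record))

    handler = ListHandler()
    handler.addFilter(TokenRedactor([access_token]))
    log = logging.getLogger("token_redaction_demo")
    log.addHandler(handler)
    log.propagate = False
    log.error("upstream call failed, Authorization: Bearer %s", access_token)
    try:
        raise ValueError(f"bad id token {id_token}")
    except ValueError:
        log.exception("verification failed")
    log.removeHandler(handler)
    return lines
```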

Attributes

id (str)

The identity token. This is only available if "id" is in expose_tokens.

access (str)

The access token. This is only available if "access" is in expose_tokens.

Examples

Example 1: Expose the ID token

To expose only the identity token, add expose_tokens to your authentication configuration. This example uses an unnamed default provider.

[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "xxx"
client_id = "xxx"
client_secret = "xxx"
server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration"
expose_tokens = "id"

import streamlit as st

if st.user.is_logged_in:
    id_token = st.user.tokens["id"]
    # Use the token for API verification

Example 2: Expose both ID and access tokens

You can use a list to expose multiple tokens. If you use one or more named identity providers, the same tokens must be exposed for all providers in the shared [auth] section.

[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "xxx"
expose_tokens = ["id", "access"]

[auth.google]
client_id = "xxx"
client_secret = "xxx"
server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration"

[auth.microsoft]
client_id = "xxx"
client_secret = "xxx"
server_metadata_url = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

import streamlit as st

if st.user.is_logged_in:
    id_token = st.user.tokens["id"]
    access_token = st.user.tokens["access"]
    # Use the tokens for API verification

Starting from Streamlit version 1.42.0, you can't use st.user to retrieve a user's Community Cloud account email. To access user information, you must set up an identity provider and configure authentication ([auth]) in your app's secrets. Remember to update your identity provider's configuration and your app's secrets to allow your new domain. A list of IP addresses used by Community Cloud is available if needed. An authentication-configured app counts as your single allowed private app.

Get user info as a dictionary.

This method primarily exists for internal use and is not needed for most cases. st.user returns an object that inherits from dict by default.

Function signature

st.user.to_dict()

Returns

(Dict[str,str])

A dictionary of the current user's information.
