Storing unencrypted secrets in a git repository is a bad practice. For applications that require access to sensitive credentials, the recommended solution is to store those credentials outside the repository - such as using a credentials file not committed to the repository or passing them as environment variables.
Streamlit provides native file-based secrets management to easily store and securely access your secrets in your Streamlit app.
Existing secrets management tools, such as dotenv files, AWS credentials files, Google Cloud Secret Manager, or Hashicorp Vault, will work fine in Streamlit. We just add native secrets management for times when it's useful.
How to use secrets management
Develop locally and set up secrets
Streamlit provides two ways to set up secrets locally using TOML format:
In a global secrets file at
~/.streamlit/secrets.tomlfor macOS/Linux or
# Everything in this section will be available as an environment variable db_username = "Jane" db_password = "mypassword" # You can also add other sections if you like. # The contents of sections as shown below will not become environment variables, # but they'll be easily accessible from within Streamlit anyway as we show # later in this doc. [my_other_secrets] things_i_like = ["Streamlit", "Python"]
If you use the global secrets file, you don't have to duplicate secrets across several project-level files if multiple Streamlit apps share the same secrets.
In a per-project secrets file at
$CWDis the folder you're running Streamlit from. If both a global secrets file and a per-project secrets file exist, secrets in the per-project file overwrite those defined in the global file.
Add this file to your
.gitignore so you don't commit your secrets!
Use secrets in your app
Access your secrets by querying the
st.secrets dict, or as environment variables. For example, if you enter the secrets from the section above, the code below shows you how to access them within your Streamlit app.
import streamlit as st # Everything is accessible via the st.secrets dict: st.write("DB username:", st.secrets["db_username"]) st.write("DB password:", st.secrets["db_password"]) # And the root-level secrets are also accessible as environment variables: import os st.write( "Has environment variables been set:", os.environ["db_username"] == st.secrets["db_username"], )
You can access
st.secrets via attribute notation (e.g.
st.secrets.key), in addition to key notation (e.g.
st.secrets["key"]) — like st.session_state.
You can even compactly use TOML sections to pass multiple secrets as a single attribute. Consider the following secrets:
[db_credentials] username = "my_username" password = "my_password"
Rather than passing each secret as attributes in a function, you can more compactly pass the section to achieve the same result. See the notional code below, which uses the secrets above:
# Verbose version my_db.connect(username=st.secrets.db_credentials.username, password=st.secrets.db_credentials.password) # Far more compact version! my_db.connect(**st.secrets.db_credentials)
Here are some common errors you might encounter when using secrets management.
.streamlit/secrets.tomlis created while the app is running, the server needs to be restarted for changes to be reflected in the app.
If you try accessing a secret, but no
secrets.tomlfile exists, Streamlit will raise a
If you try accessing a secret that doesn't exist, Streamlit will raise a
import streamlit as st st.write(st.secrets["nonexistent_key"])
Use secrets on Streamlit Community Cloud
When you deploy your app to Streamlit Community Cloud, you can use the same secrets management workflow as you would locally. However, you'll need to also set up your secrets in the Community Cloud Secrets Management console. Learn how to do so via the Cloud-specific Secrets management documentation.