Streamlit <\/a>makes it simple to build data apps. But simplicity should not mean unsafe. A disciplined secrets approach prevents accidental commits of API keys, reduces blast radius if a key leaks, and keeps dev, test, and prod neatly separated. Using TOML for secrets gives you an easy, typed, and structured configuration that Streamlit understands out of the box.<\/p>\n\n\n\nThe technology behind it<\/h2>\n\n\n\nStreamlit secrets<\/h3>\n\n\n\n
Streamlit provides st.secrets<\/code>, a secure configuration interface that loads from a .streamlit\/secrets.toml<\/code> file during local development. On Streamlit Community Cloud, you store secrets in the app settings UI; those values are injected into st.secrets<\/code> at runtime, never committed to your repo.<\/p>\n\n\n\nTOML essentials<\/h3>\n\n\n\n
TOML (Tom\u2019s Obvious, Minimal Language) is a human-friendly configuration format with typed values and nested sections. Think of it like a safer, more structured alternative to .env<\/code> files. It supports strings, integers, booleans, arrays, and tables (sections), which makes it ideal for grouping credentials and environment settings. Streamlit natively reads TOML for secrets, which is why it\u2019s the preferred format here.<\/p>\n\n\n\nHigh-level workflow<\/h2>\n\n\n\n\n- Local development: Place secrets in
.streamlit\/secrets.toml<\/code>, which you never commit.<\/li>\n\n\n\n- Streamlit Community Cloud: Add secrets in the app\u2019s \u201cSecrets\u201d section;
st.secrets<\/code> reads them at runtime.<\/li>\n\n\n\n- Other hosting (Docker, VM, Kubernetes): Mount or generate a
secrets.toml<\/code> at deploy time, or read from environment variables as a fallback.<\/li>\n<\/ul>\n\n\n\nThis pattern keeps secrets out of your codebase and makes promotion from dev to prod predictable.<\/p>\n\n\n\n
Project structure<\/h2>\n\n\n\nmy-streamlit-app\/\n\u251c\u2500 app.py\n\u251c\u2500 requirements.txt\n\u2514\u2500 .streamlit\/\n \u2514\u2500 secrets.toml # local only; DO NOT COMMIT\n<\/code><\/pre>\n\n\n\nCreate your secrets.toml<\/h2>\n\n\n\n
Define logical sections so you can rotate secrets independently and limit what each component can access.<\/p>\n\n\n\n
# .streamlit\/secrets.toml (local dev only)\n[api]\nopenai_key = \"<your-openai-key>\"\nmaps_key = \"<your-maps-key>\"\n\n[database]\nurl = \"postgresql+psycopg2:\/\/user:pass@host:5432\/dbname\"\n\n[email]\nsmtp_host = \"smtp.example.com\"\nsmtp_user = \"apikey\"\nsmtp_password = \"<your-smtp-password>\"\n<\/code><\/pre>\n\n\n\nKeep it out of git<\/h3>\n\n\n\n
Add this to your .gitignore<\/code>:<\/p>\n\n\n\n.streamlit\/secrets.toml\n<\/code><\/pre>\n\n\n\nUse secrets in your Streamlit app<\/h2>\n\n\n\n
Access values through st.secrets<\/code>. Optionally fall back to OS environment variables so your app can run even if a TOML file isn\u2019t present in production.<\/p>\n\n\n\nimport os\nimport streamlit as st\nfrom sqlalchemy import create_engine\n\n# Prefer st.secrets; fall back to environment variables when needed\nOPENAI_KEY = st.secrets.get(\"api\", {}).get(\"openai_key\") or os.getenv(\"OPENAI_API_KEY\")\nDB_URL = st.secrets.get(\"database\", {}).get(\"url\") or os.getenv(\"DATABASE_URL\")\n\n# Example: use a DB engine without logging credentials\nengine = create_engine(DB_URL) if DB_URL else None\n\nst.title(\"Secrets demo\")\nif OPENAI_KEY:\n st.write(\"OpenAI key configured.\")\nelse:\n st.warning(\"OpenAI key missing. Set api.openai_key in secrets or OPENAI_API_KEY env var.\")\n\nif engine:\n st.write(\"Database configured for:\", engine.url.database) # safe: database name only\nelse:\n st.warning(\"Database URL missing. Set database.url or DATABASE_URL.\")\n<\/code><\/pre>\n\n\n\nNever log secrets<\/h3>\n\n\n\n\n- Do not print or write secrets to Streamlit widgets or logs.<\/li>\n\n\n\n
- When debugging, reveal only non-sensitive portions, e.g., hostnames or database names.<\/li>\n<\/ul>\n\n\n\n
Local vs cloud<\/h2>\n\n\n\nLocal development<\/h3>\n\n\n\n\n- Create
.streamlit\/secrets.toml<\/code> as shown above.<\/li>\n\n\n\n- Run
streamlit run app.py<\/code>. st.secrets<\/code> will load your TOML values.<\/li>\n<\/ul>\n\n\n\n