Last active October 28, 2021 14:05
Python API Credentials Storage

How to store & access API credentials in Python projects

This gist explores how to use the "dotenv" ecosystem to manage application credentials.

Github Repo

The gist follows code in the repo

The twelve-factor app

The Twelve-Factor App concept provides numerous best-practice guidelines for applications and scripts. This gist will provide a Python-based foundation, using the dotenv concept, to manage application credentials as described here:


The python-dotenv project reads key-value pairs from a .env file and sets them as environment variables.


This gist assumes a few items are already set up:

  • A sane Python 3.8+ environment.
  • A functional package management system such as pip, pipenv, or Poetry.
  • Some credentials to store, such as Twitter or Spotify API keys.

Set up

First, install the python-dotenv package:

% pipenv install python-dotenv
Installing python-dotenv...
Adding python-dotenv to Pipfile's [packages]...
✔ Installation Succeeded 
Pipfile.lock (16c839) out of date, updating to (89b591)...
Locking [dev-packages] dependencies...
Locking [packages] dependencies...
Building requirements...
Resolving dependencies...
✔ Success! 
Updated Pipfile.lock (89b591)!
Installing dependencies from Pipfile.lock (89b591)...
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/0 — 00:00:00

Next, set up a "dotenv" file and add the secrets.

# .env
# This file contains Spotify application config data
# Lines starting with '#' are remarks.


The Script

A simple Python script demonstrates how to load and use the secrets.

#!/usr/bin/env python

# Import modules.
from dotenv import load_dotenv
from os import getenv

# Load configs from .env file into the environment.
load_dotenv()

# Bind environment variables into the script.
clientId = getenv("client_id")
clientSecret = getenv("client_secret")
callbackURI = getenv("callback_uri")

# Print the configs.
print(f"Client ID:     {clientId}")
print(f"Client Secret: {clientSecret}")
print(f"Callback URI:  {callbackURI}")

Then run the script.

% ./pycreds 
Client ID:     xxxxyyyyzzzz1234567890123abcdefg
Client Secret: vvvvrrrrzzzz1234567890123abcdefg
Callback URI:  http://localhost:8080/auth/spotify


Application secrets should never be stored in a git repo. A simple strategy can be used to protect your secrets.

Initialize the git repo.

% git init
Initialized empty Git repository in /home/user/pycreds/.git/

Create a .gitignore file.

# Ignore/exclude .env
.env

Add your code to the new git repo.

% git add .
% git status  
On branch main

No commits yet

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
	new file:   .gitignore
	new file:   Pipfile
	new file:   Pipfile.lock
	new file:   pycreds

% git commit -m "Initial commit"
[main (root-commit) 2a2fdb0] Initial commit
 4 files changed, 52 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Pipfile
 create mode 100644 Pipfile.lock
 create mode 100755 pycreds

Note that .env is not included. You have committed the code, but excluded your secrets.

Best Practices

Long-term secret storage

Because your secrets are not saved in the git repo, they should be stored somewhere safe, such as a password manager or parameter store.


When sharing your git repo with friends, it's helpful to provide a distribution file that shows how to set up and use the .env file.

# env.DIST
# This file contains Spotify application config data
# Lines starting with '#' are remarks.
# Rename this file to .env and fill in the blanks below.


Next, commit env.DIST to your repo.

% git add env.DIST
% git commit -m "Adding env.DIST"
[main cd72901] Adding env.DIST
 1 file changed, 9 insertions(+)
 create mode 100644 env.DIST
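
The following is an added example, not code from the original gist or from python-dotenv: it fails fast when a variable the script needs is unset, masks secrets before printing, and checks that a committed template such as env.DIST carries no secret values. The parser is a simplified stand-in so the block runs with the standard library only (in a real project python-dotenv's dotenv_values() would do the parsing); the SECRET_KEYS split and all sample values are assumptions constructed for illustration.

```python
import os

# Variable names used by the script above; which ones count as secret is an assumption.
REQUIRED = ("client_id", "client_secret", "callback_uri")
SECRET_KEYS = ("client_id", "client_secret")

def parse_env_text(text):
    """Simplified KEY=VALUE parser (no multiline values, no interpolation)."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def template_problems(dist_text, required=REQUIRED, secret_keys=SECRET_KEYS):
    """List problems in a committed template: absent keys or filled-in secrets."""
    pairs = parse_env_text(dist_text)
    problems = [f"missing key: {k}" for k in required if k not in pairs]
    problems += [f"value present for: {k}" for k in secret_keys if pairs.get(k)]
    return problems

def load_required(environ=os.environ, required=REQUIRED):
    """Return the settings, or raise naming every variable that is unset or empty."""
    missing = [k for k in required if not environ.get(k)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {k: environ[k] for k in required}

def mask(value, keep=4):
    """Hide all but the last `keep` characters for console and log output."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    sample_dist = "# env.DIST\nclient_id=\nclient_secret=abc123\n"
    print(template_problems(sample_dist))
    env = {"client_id": "id-0000", "client_secret": "s3cr3t-constructed",
           "callback_uri": "http://localhost:8080/auth/spotify"}
    cfg = load_required(env)
    print("Client Secret:", mask(cfg["client_secret"]))
```

Running template_problems() over env.DIST before each commit catches a template that was filled in by mistake, which .gitignore alone does not, because env.DIST is tracked.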


A good repo always has a and a license. The MIT License is a good choice.

% git add LICENSE
% git commit -m "Adding LICENSE and"
[main 5203d49] Adding LICENSE and
 2 files changed, 40 insertions(+)
 create mode 100644 LICENSE
 create mode 100644