Basic privacy for public repositories
If you write Python code that requires you to enter a private Application Programming Interface (API) key or secret credential, you will want to keep this information out of your code before posting it to a public repository. One of the easiest ways to handle this is to create a config.py file.
Background
APIs enable applications to communicate with one another. An API key is a unique identifier that indicates the rights and permissions available to you, the calling user or application. The key determines how you are able to interact with an endpoint's data. Common API actions correspond to the following request types:
- GET: In a GET request, the calling application asks to be able to retrieve information from a receiving application/server/endpoint.
- POST: Sending a POST request asks to send or write data to an endpoint.
- PUT: Updating server data using an API is accomplished via PUT requests.
- DELETE: DELETE requests ask to remove data from an endpoint.
While API keys indicate who is making the request and what permissions are available to that identity, additional keys or tokens (such as passwords) may be required to complete the requested action.
Keep It Confidential
Before pushing a Python or notebook file to a public repository, you will want to make sure your private key/secret data is not publicly accessible. For all intents and purposes, anyone with access to the internet has access to a public git repository.
If you store an API key in a public repository, anyone with access to the internet will have the ability to read and use your personal rights and permissions to make requests under your identity. This could mean viewers of your code are able to tweet on your Twitter profile, delete research data from a research database on your login, or even make updates to your repository that could get you banned from the service.
config.py
One way to secure your personal API data is to create variables for them and store them locally, in a config.py file that does not get uploaded to your public repository. Depending on the data required by the API, your config.py file may resemble the following:
# storing API data
api_key = "[YOUR API KEY]"
api_secret = "[YOUR API SECRET]"
access_token = "[YOUR API ACCESS TOKEN]"
token_secret = "[YOUR API TOKEN SECRET]"

In your file, the brackets and capitalized text in the above code snippet should be replaced with your relevant personal information. This file should be saved locally as config.py and not included among the files to be pushed to your repository. You can reference the variables in your main Python or notebook code:
# importing `config.py` to access its variables
import config

# the values are now available as config.api_key, config.api_secret, etc.

Since the API data is not included in your main file, only variables referencing the data stored in your local file, you can use the variables (such as config.api_key) in your code. Before committing your files to a public repository, however, you will need to take at least one additional step to avoid exposing your private credentials.
.gitignore
To prevent the config.py file from being accidentally committed to your public repository, include the filename in a .gitignore file in the repository's root directory. The .gitignore file is simply a text file (with no file extension) listing files, directories, and patterns that git will exclude from tracking. Omitting your config.py file is as simple as including the following line in .gitignore and saving it:
config.py

Now, the config.py file and its private data will be excluded from your git commits.
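As an added example (not code from the original article), here is a small Python check for the two safeguards above: that .gitignore actually covers config.py, and that the placeholder values in config.py have been replaced. The function names and the simplified .gitignore matching are my own assumptions; it uses the four variable names from the article's config.py.

```python
import fnmatch

# Names used in the article's config.py and the placeholder text it starts with.
REQUIRED = ("api_key", "api_secret", "access_token", "token_secret")
PLACEHOLDER_PREFIX = "[YOUR "


def gitignore_covers(gitignore_text, filename="config.py"):
    """Return True if the .gitignore text hides `filename` in the repo root.

    Simplified git semantics (an assumption of this example): comments and
    blank lines are skipped, a leading "/" anchors to the root, globs such
    as "*.py" are honoured, and a "!" line re-includes the file, so the
    last matching rule wins.
    """
    covered = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        pattern = line[1:].lstrip("/") if negated else line.lstrip("/")
        if fnmatch.fnmatch(filename, pattern):
            covered = not negated
    return covered


def unfilled_credentials(values):
    """Return the REQUIRED names that are missing or still hold a placeholder.

    `values` is any mapping, e.g. vars(config) after `import config`.
    """
    bad = []
    for name in REQUIRED:
        value = values.get(name)
        if not isinstance(value, str) or not value or value.startswith(PLACEHOLDER_PREFIX):
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample .gitignore content (not read from disk).
    sample_gitignore = "# local secrets\n/config.py\n*.ipynb_checkpoints\n"
    print("config.py ignored:", gitignore_covers(sample_gitignore))
    try:
        import config  # the local file described in the article
    except ImportError:
        print("no config.py next to this script; nothing to check")
    else:
        print("still placeholders:", unfilled_credentials(vars(config)))
```

Note that .gitignore only affects files git is not already tracking; if config.py was ever committed, the credential is in the repository history and should be rotated with the API provider.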
Add a note to your repository's README to make those using your code aware that they will need to enter their own credentials to reproduce your results.
You can find a number of libraries and services designed to help coders secure their private permissions from prying eyes while maintaining reproducible code in public repositories. This article describes one of the simplest ways to accomplish the task.
Thanks for reading.