Where would you save tokens and other confidential settings?

Hi there, what is the best practice for Django - where to store tokens?
For example, I will use several API calls from my Django application to some web services like Facebook Graph API, Instagram API, etc…
To be able to make such API calls, I need a token.
The question is where to safely store such tokens?
I would like to avoid having them in source code.
Thanks.

You could use django-environ to store private variables as environment variables.

https://django-environ.readthedocs.io/en/latest/

Hope this helps!

– Austin

And just as an addendum, we use that package to store that type of information in files, using an environment variable to point to that file. We have a variety of files created for different environments, and just point to the one we need for any particular instance.
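As an added example (not code from either reply above, and not django-environ's own API): a small, standard-library-only loader that follows the pattern both replies describe, reading secrets from a file whose path comes from an environment variable, letting the process environment override it, and refusing to start when a required token is missing or the file is readable by other users. The variable name SECRETS_FILE, the functions parse_env, is_private and load_secrets, and the placeholder token values are this example's own assumptions.

```python
import os
import re
import tempfile

# Accepts "KEY=value" and "export KEY=value"; the key must be a valid identifier.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse .env-style text into a dict.

    Blank lines and '#' comments are skipped, surrounding single or double
    quotes are stripped from values, and any line that is not KEY=VALUE raises
    so a typo in the secrets file is noticed at startup, not at the first API call.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"malformed line in secrets file: {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def is_private(path):
    """True when only the file owner can read it (mode 0600 or stricter); POSIX only."""
    if os.name != "posix":
        return True  # no POSIX mode bits to check on other platforms
    return (os.stat(path).st_mode & 0o077) == 0


def load_secrets(required, env=None, file_var="SECRETS_FILE"):
    """Return the required settings as a dict.

    Sources, in order: the file named by env[file_var] (if that variable is
    set), then the process environment, which overrides the file. Any required
    key still missing raises, so a deployment never runs with an empty token.
    file_var is a name chosen for this example, not a django-environ convention.
    """
    env = os.environ if env is None else env
    found = {}
    path = env.get(file_var)
    if path:
        if not is_private(path):
            raise PermissionError(f"{path} is readable by group/other; chmod 600 it")
        with open(path, encoding="utf-8") as fh:
            found.update(parse_env(fh.read()))
    for key in required:
        if key in env:
            found[key] = env[key]
    missing = [key for key in required if key not in found]
    if missing:
        raise RuntimeError("missing secret settings: " + ", ".join(missing))
    return {key: found[key] for key in required}


def demo():
    """Write a constructed secrets file and load tokens from it plus the environment."""
    # Constructed sample; the values are placeholders, not real credentials.
    sample = (
        "# Per-instance API credentials\n"
        "FACEBOOK_TOKEN='fb-placeholder-token'\n"
        "export INSTAGRAM_TOKEN=ig-placeholder-token\n"
        "DEBUG=False\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as fh:
        fh.write(sample)
        path = fh.name
    os.chmod(path, 0o600)  # mkstemp already does this on POSIX; made explicit here
    try:
        # Simulated process environment: points at the file and overrides one token.
        env = {"SECRETS_FILE": path, "INSTAGRAM_TOKEN": "ig-from-process-env"}
        return load_secrets(["FACEBOOK_TOKEN", "INSTAGRAM_TOKEN"], env=env)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

In a Django project this would be called once from settings.py (for instance `_SECRETS = load_secrets(["FACEBOOK_TOKEN", "INSTAGRAM_TOKEN"])` followed by `FACEBOOK_TOKEN = _SECRETS["FACEBOOK_TOKEN"]`), with a different SECRETS_FILE exported per environment and the files themselves kept out of version control. The permission check and the hard failure on a missing key are the two things worth keeping whichever package you end up using.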

@Suttonium, @KenWhitesell - thank you for your answers!
Since you both mentioned external packages, I can conclude that built-in solutions are not good (secure) enough, like settings.py. I will check your recommendations. Thanks!

Please don’t draw that conclusion from our answers.

Other solutions have other tradeoffs; it's not that one is better or worse, or more or less secure than the others. If for any reason you find that django-environ doesn't suit your needs, go ahead and investigate other ideas.

In my personal case, django-environ is the most flexible for what we are trying to do, providing some flexibility that others may not.


There’s also the python-decouple package that helps you put secret settings into .ini files when hosted on a server (not sure if it works locally but I don’t see why it wouldn’t).