Recently I was working on building myself a script to download my securities transactions from Robinhood and save them as a CSV. I found an unofficial Python library that was reverse engineered from the app. As I started building the script, I realized that I could not host it on git. I had hardcoded my credentials in the code.

My first wish was to be able to add markup to the code that git would ignore. Looking around, I figured out that git does not yet let users stop tracking changes to specific lines of the code. Sad. But it would not have been a very effective way, as preceding lines may change in the future. The only solution is not to hardcode usernames and passwords.

The solution I came up with was to store my credentials in a .json file and to have Python read the credentials.json file into a dictionary.

Here is my solution -

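import json

# Read the credentials from a file that is kept out of the repository
with open('credentials.json') as json_data:
    credentials = json.load(json_data)

# login() comes from the Robinhood client library used by the script
login(username=credentials['user'], password=credentials['password'])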

Here is the gist containing the code.

credentials.json is as follows. You may add additional attributes such as API_key etc.
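A stricter variant of the loader above, as an added example that is not part of the original post or its gist: it refuses to read a credentials file that other local users can access and checks that the `user` and `password` keys from the snippet are present. The function name `load_credentials`, the `chmod 600` policy and the sample file contents are assumptions made for this example.

```python
import json
import os
import stat

REQUIRED_KEYS = ("user", "password")  # key names used by the post's snippet


def load_credentials(path="credentials.json"):
    """Load credentials, refusing files that other local users can access."""
    with open(path, encoding="utf-8") as fh:
        # fstat the open handle so the check applies to the file actually read
        mode = os.fstat(fh.fileno()).st_mode
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path} has mode {stat.S_IMODE(mode):o}; run: chmod 600 {path}"
            )
        data = json.load(fh)

    if not isinstance(data, dict):
        raise ValueError(f"{path} must contain a JSON object")
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        # Name the missing keys only; never echo values from the file
        raise KeyError(f"{path} is missing or has empty: {', '.join(missing)}")
    return data


if __name__ == "__main__":
    import tempfile

    # Constructed sample file; the values are placeholders, not real credentials
    sample = {"user": "alice@example.com", "password": "not-a-real-password"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o600)
        print(load_credentials(path)["user"])
        os.chmod(path, 0o644)  # group/world readable: the loader must refuse
        try:
            load_credentials(path)
        except PermissionError as exc:
            print("refused:", exc)
```

The permission check only runs on POSIX systems; on other platforms the loader still validates the JSON structure and required keys.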


I eventually hosted this Python script as a CGI on my Apache web server. In this case, you can protect your credentials using the following configuration directives -

<Files ~ "credentials.json$">
    Require all denied
</Files>

Attempting to access credentials.json now results in a 400 Forbidden error.

Armed with this snippet, I am looking forward to publishing the Hello World of my FinTech application.