Skip to content

StreamTree

Authentication gate

streamtree-dev/streamtree

Authentication gate

Goal

Wrap authenticated subtrees behind AuthGate using streamlit-authenticator with StreamTree’s thin builder API.

Install

pip install "streamtree[auth]"

Treat authenticator config as trusted secrets—never commit real credentials to git.

Pattern

Full demo:

"""Demo: optional login gate (requires ``pip install \"streamtree[auth]\"``).

Replace ``AUTH_CONFIG`` with a real **streamlit-authenticator** YAML-shaped dict
(credentials + cookie). Treat it as **trusted secrets** (same posture as API keys).
See https://github.com/mkhorasani/Streamlit-Authenticator for hashing passwords and
full config layout. This file is a structural example only.
"""

from __future__ import annotations

from streamtree import component, render_app
from streamtree.app import App
from streamtree.auth import AuthGate
from streamtree.elements import Page, Text, VStack

# Minimal shape only — replace before use in production.
AUTH_CONFIG: dict = {
    "credentials": {"usernames": {}},
    "cookie": {"name": "streamtree_auth", "key": "change_this_random_secret", "expiry_days": 30},
}


@component
def Protected() -> object:
    return Page(VStack(Text("You are signed in (example).")))


if __name__ == "__main__":
    render_app(App(page_title="Auth demo", body=AuthGate(config=AUTH_CONFIG, child=Protected())))

Run (after you supply a real config dict in your own app):

streamlit run examples/auth_demo.py

Integration notes

streamtree.auth.build_authenticator returns objects the renderer expects when it mounts AuthGate.
Keep login UI and post-login shell as separate subtrees so reruns do not recreate expensive authenticator state unnecessarily.
Alternate identity providers (OIDC, SSO) remain app-wrapped until a pinned StreamTree abstraction exists (Roadmap, Dependency strategy).

See also