
How does PyCafe work?

Python in the browser

You might be used to having Python run on your local machine, or a remote server. You are most likely running a version of CPython compiled for that particular machine, running on an operating system that you are familiar with. But CPython can also be compiled for WASM (WebAssembly), which can run in the browser. PyCafe uses this technology through Pyodide.

Limitations of PyCafe

Although PyCafe (thanks to Pyodide) can run any Python code, there are some limitations. Most notably:

  • Threading: PyCafe does not support threading. This means that you cannot use the threading module in Python. If you need to run code concurrently, you can consider using asyncio. Note that threading might be supported in the future.
  • File system: PyCafe does not have access to the file system of your computer. All files live in your browser, and get synchronized to the browser URL (when creating snippets), or to the cloud (when creating projects). This means that you cannot read or write files on your local file system. This is a security feature, as it would be a security risk to allow websites to read or write files on your computer.
  • Available packages: All pure Python packages can be used in PyCafe, but packages that have C extensions (like numpy, pandas, scipy, matplotlib, etc.) need to be compiled for WASM. Many of these core packages are available in Pyodide, but not all. If you want to know if a package is available, you can check the Pyodide documentation. Note that we do support some packages that Pyodide does not natively support, such as Tornado. The best way to check if a package works is to simply try to install it in PyCafe.

Advantages of PyCafe

PyCafe has some advantages over running Python on your local machine:

  • No installation: You can run Python code in your browser without having to install anything. This is great for sharing code with others, or for running code on a computer where you cannot install software.
  • No setup: You don’t have to set up a Python environment, or install packages. You can just start coding.
  • No infrastructure: You don’t have to manage servers, or pay for cloud services. PyCafe is free to use, and you can run your code in the browser.
  • Shareable: You can share your code with others by sharing a link. This link will open and run the code in their browser. This is great for sharing code in GitHub issues, or in other text-based communication channels.
  • Interactive: You can create interactive applications with PyCafe. You can create dashboards and other interactive applications that can be shared with others. This is great for creating data visualizations, or interactive tutorials.
  • Infinitely scalable: PyCafe runs in the browser on the user’s computer. This means that PyCafe can scale to an infinite number of users, in a way no other platform can.
  • Sandboxed environment: PyCafe runs in a sandboxed environment (your browser), which means that it cannot access the file system, or other resources on your computer. Since your browser is already vetted by your company, running code in PyCafe is safe.

New Perspective

Running Python in your browser has its advantages and limitations, but some parts of the way you are used to thinking might need a new perspective:

  • Python source code gets sent to the user: Since the code runs in the browser, the code needs to be sent to the user. This means that the user’s browser will see the code that you write. This is not a problem for open-source code, but it might be a problem for proprietary code. We are thinking about ways to make this more secure for the pro version of PyCafe.
    Note that traditional software also sends the code to the user, but it is usually compiled to a binary, which is harder to reverse engineer. However, even though users/hackers could steal your code, it is still protected by copyright. For example, the Dropbox client is written in Python, and the code is sent to the user, but it is not a problem for Dropbox due to copyright protection.
  • Handling secrets: Often, when Python code is run on a server, it needs to access secrets, like API keys or database passwords. Since the Python code of your PyCafe app is sent to the end user, it is not possible to keep these secrets private using techniques like environment variables. Make sure you do not include secrets in code that is shared with others.
    We do provide a way for people to bring their own secrets. This can be useful for LLM based applications where you want the user of your program to provide their own OPENAI_API_KEY, for instance so you don’t pay for the API usage. Another use case is a demonstration application for your company’s API, where you want your clients to provide their own API key so they use their own data.
  • Database connections: Since API keys, usernames and passwords cannot be kept secret, you should not connect to a database with a username that has read and write access. You may want to connect to a database as a read-only user, or use row level security to make sure that the app can only access the data it has permission to access. Services such as Supabase or Hasura can be useful for this, as they provide a way to create a read-only user that can access the database using row level security.
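
Because everything in the source is delivered to the user, it helps to scan an app for credential-looking names bound to string literals before sharing it. The check below is an added example, not part of PyCafe; the name pattern, the sample app and `ask_user_for_key` are assumptions made for illustration.

```python
import ast
import re

# Names that suggest a credential. The pattern is an assumption of this example.
SECRET_NAME = re.compile(r"api_?key|secret|token|passw(or)?d", re.IGNORECASE)


def _is_literal(value):
    """True for a non-empty str/bytes constant, i.e. a value shipped in the source."""
    return isinstance(value, ast.Constant) and isinstance(value.value, (str, bytes)) and bool(value.value)


def find_hardcoded_secrets(source):
    """Return sorted (line, name) pairs where a secret-looking name gets a literal."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        pairs = []  # (name, value) bindings found on this node
        if isinstance(node, ast.Assign):            # NAME = "..."
            pairs = [(t, node.value) for t in node.targets]
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            pairs = [(node.target, node.value)]     # NAME: str = "..."
        elif isinstance(node, ast.keyword) and node.arg:
            pairs = [(node.arg, node.value)]        # f(api_key="...")
        elif isinstance(node, ast.Dict):            # {"password": "..."}
            pairs = [(k.value, v) for k, v in zip(node.keys, node.values)
                     if isinstance(k, ast.Constant) and isinstance(k.value, str)]
        for name, value in pairs:
            if isinstance(name, ast.Name):
                name = name.id
            elif isinstance(name, ast.Attribute):
                name = name.attr
            if isinstance(name, str) and SECRET_NAME.search(name) and _is_literal(value):
                findings.add((value.lineno, name))
    return sorted(findings)


# Constructed sample app: two literals that would ship to every visitor, and one
# key that the user supplies at run time (ask_user_for_key is hypothetical).
SAMPLE_APP = '''\
OPENAI_API_KEY = "sk-constructed-example"
user_key = ask_user_for_key("OPENAI_API_KEY")
conn = connect(host="db.example.com", user="app", password="hunter2")
client = Client(api_key=user_key)
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_secrets(SAMPLE_APP):
        print(f"line {line}: {name} is a string literal and will be visible to users")
```

A clean result only means no literal was bound to a matching name; secrets stored under other names or built at run time from constants are not detected.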

CORS

When Python is running in your browser, HTTP requests are also made from your browser, so the browser enforces the CORS policy. This means that you cannot make requests to other domains unless the server you are making the request to allows it. This is a security feature of the browser and cannot be disabled. If the browser did not enforce this, a Python script running in your browser could make requests to any server and steal your data or perform actions on your behalf.
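
To see why a particular cross-origin request is blocked, the following added example (not PyCafe or browser code) models the check a browser applies to the response headers before letting a script read the response. It is a simplified model that ignores preflight requests, and the page origin and API hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize an origin as scheme://host[:port], dropping the default port."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def browser_allows_read(page_url, request_url, response_headers, with_credentials=False):
    """Return (allowed, reason) for a script on page_url reading the response."""
    page_origin = origin_of(page_url)
    if origin_of(request_url) == page_origin:
        return True, "same origin, CORS does not apply"
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "server sent no Access-Control-Allow-Origin header"
    if allow_origin == "*" and not with_credentials:
        return True, "wildcard accepted for a request without credentials"
    if allow_origin != page_origin:
        return False, f"allowed origin {allow_origin} does not match {page_origin}"
    if not with_credentials:
        return True, "origin explicitly allowed"
    if headers.get("access-control-allow-credentials") == "true":
        return True, "origin and credentials explicitly allowed"
    return False, "Access-Control-Allow-Credentials is not 'true'"


# Constructed inputs: the page origin and API hosts below are placeholders.
PAGE = "https://app.example.org/snippet"
CASES = [
    ("https://api.example.com/v1/data", {}, False),
    ("https://api.example.com/v1/data", {"Access-Control-Allow-Origin": "*"}, False),
    ("https://api.example.com/v1/data", {"Access-Control-Allow-Origin": "*"}, True),
    ("https://api.example.com/v1/data",
     {"Access-Control-Allow-Origin": "https://app.example.org",
      "Access-Control-Allow-Credentials": "true"}, True),
]

if __name__ == "__main__":
    for url, headers, creds in CASES:
        print(url, creds, browser_allows_read(PAGE, url, headers, creds))
```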

To make requests to another domain without acting on your behalf, we provide a proxy service. This service will forward your request to the other domain, and send the response back to your browser. This way, the other domain only sees the proxy server, and not your browser. This is a secure way to make requests to other domains.

This does mean that our servers see the requests you make, so you should be aware of this if you are using sensitive data. However, we do not log the requests, and we do not store the data that is sent through the proxy server.

When not to use PyCafe

When any of the above limitations are a deal breaker for you, you might want to switch to a traditional server-based solution. A very convenient service for Python applications is Ploomber.
