When using a local web server, you must protect your API from unauthorized access. CSRF attacks (opens new window) can be a major problem if API is not protected in an adequate matter. pywebview generates a session-unique token that is exposed both to Python
webview.token and DOM
window.pywebview.token. See Flask app (opens new window) for an example.