When using a local web server, you must protect your API from unauthorized access. CSRF attacks can be a major problem if API is not protected in an adequate matter. pywebview generates a session-unique token that is exposed both to Python
webview.token and DOM
window.pywebview.token. See Flask app for an example.