Alexander and Tom have already given great answers, but I want to confirm from the Observable side that we do not log or save anything you put into Inputs.
“What gets sent to Observable and what doesn’t” comes up a lot, and we’d love to figure out how to make it clearer within the product. The big distinction is that the contents of the gray-background code editor are saved to Observable servers, and the white-background page (the output of that code) runs entirely on the user’s computer. Here’s my rough attempt at a diagram:
As for your specific use case, Tom has been doing a ton of interesting work in that area, so there may be no better answer than his!
Here’s an example where our coworker Visnu includes a utility (to convert a username/password to a database connection URL) that only runs locally in the user’s browser, with the explicit caveat: “You should be wary of any form on the internet prompting you for a password! Feel free to inspect this code to ensure nothing nefarious is happening.”
I’m no security expert, so here I have to balance my excitement about the possibilities of the notebook medium against the generally prudential advice not to ask users to enter credentials anywhere other than a single clear secure sanctioned login page.
Is it a read-only API? Are all the calls idempotent? Could fiddling with a cell (in the playful mindset of someone exploring docs and examples) potentially do something destructive? Would the user understand that if they loaded more code on the page (e.g. adding a cell requiring a library), it could potentially access their credentials? Would they be able to distinguish a safe notebook from a malicious one?
Without knowing your API, I guess my advice is probably to include mock responses (e.g. from a file attachment or loaded from a static JSON somewhere) so that readers can explore the real syntax and schemas in a safe, harmless, playful sandbox.