A potential sensitive data is being exposed in the source code. It can compromise the security of application/user. It is recommended to encrypt this data. Anyone who has access to the source code can use sensitive data. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. Also hardcoding data makes it difficult to change the password for the operational side.
It is recommended to put sensitive values either in a separate (uncommitted, gitignored) configuration file, or pull them in from environment variables. The first is easier if you're self-hosting; the latter is the norm if you use e.g. Heroku or similar platform that deploys from a repository.
username = "james"
token = "auenfejadldadjakf"
import os
username = os.getenv("username")
token = os.environ.get("secret_key", "default_key") # getting value from env variable. No issue.