Authentication & Security in FastAPI (JWT + OAuth2)

 

Introduction

In real-world applications, not all APIs should be public.You need authentication and security to:

  • Protect user data 
  • Restrict access
  • Verify identity

In this blog, we’ll implement JWT Authentication in FastAPI.The most commonly used method in modern APIs.

What is Authentication?

Authentication is the process of verifying who the user is.

Example:

  • Login with username & password
  • Server verifies credentials
  • Returns a token

What is JWT?

JWT (JSON Web Token) is a secure token used for authentication.

It contains:

  • Header
  • Payload (user data)
  • Signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...


Step 1: Install Dependencies
pip install python-jose passlib[bcrypt]
  • python-jose → JWT handling

  • passlib → Password hashing

Step 2: Password Hashing
from passlib.context import CryptContext

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def hash_password(password: str):
    return pwd_context.hash(password)

def verify_password(plain, hashed):
    return pwd_context.verify(plain, hashed)

Step 3: Create JWT Token
from jose import jwt
from datetime import datetime, timedelta

SECRET_KEY = "your_secret_key"
ALGORITHM = "HS256"

def create_access_token(data: dict):
    to_encode = data.copy()
    expire = datetime.utcnow() + timedelta(minutes=30)
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)


Step 4: Fake User Database
fake_user = {
    "username": "admin",
    "password": hash_password("1234")
}


Step 5: Login Route
from fastapi import FastAPI, HTTPException

app = FastAPI()

@app.post("/login")
def login(username: str, password: str):
    if username != fake_user["username"] or not verify_password(password, fake_user["password"]):
        raise HTTPException(status_code=401, detail="Invalid credentials")
    
    token = create_access_token({"sub": username})
    return {"access_token": token, "token_type": "bearer"}
Step 6: Verify Token (Dependency)
from fastapi import Depends
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        return payload["sub"]
    except:
        raise HTTPException(status_code=401, detail="Invalid token")
Step 6: Verify Token (Dependency)
from fastapi import Depends
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        return payload["sub"]
    except:
        raise HTTPException(status_code=401, detail="Invalid token")
How It Works
  1. User logs in → gets JWT token

  2. Sends token in request header

  3. FastAPI verifies token

  4. Grants access to protected routes

Example Request Header
Authorization: Bearer <your_token>

Common Mistakes
1. Storing plain passwords
2. Using weak secret keys
3. Not setting token expiry
4. Not protecting sensitive routes
Best Practices
1. Always hash passwords
2. Use environment variables for secrets
3. Set token expiration
4. Use HTTPS in production
Key Takeaways
  • JWT is widely used for API authentication

  • FastAPI provides built-in OAuth2 support

  • Passwords must be hashed securely

  • Dependencies help protect routes


Comments

Post a Comment

Popular posts from this blog

Database Integration in FastAPI (SQLAlchemy CRUD)

  Introduction So far, we’ve built APIs without storing data.But real-world applications need a database to: Store user data. Manage products. Persist application state. In this blog, we’ll connect FastAPI with a database using SQLAlchemy and perform CRUD operations . What is SQLAlchemy? SQLAlchemy is a powerful Python ORM (Object Relational Mapper) that allows you to: Interact with databases using Python code. Avoid writing raw SQL queries. Work with models instead of tables. Step 1: Install Dependencies pip install sqlalchemy (For SQLite, no extra driver needed) Project Structure Update app/ ├── main.py ├── database/ │ ├── connection.py ├── models/ │ ├── item.py ├── schemas/ │ ├── item.py ├── routes/ │ ├── item.py Step 2: Database Connection app/database/connection.py from sqlalchemy import create_engine from sqlalchemy . orm import sessionmaker , declarative_base DATABASE_URL = "sqlite:///./test.db" engine = create_engine ( DAT...
Read more

Middleware & CORS in FastAPI

  Introduction As your API grows, you may need to: Log requests Modify responses Handle cross-origin requests This is where Middleware and CORS (Cross-Origin Resource Sharing) come into play.They help control how requests and responses flow through your application. What is Middleware? Middleware is a function that runs: Before a request reaches your route After a response is returned Think of it as a pipeline layer between client and server. Request Flow with Middleware Client → Middleware → Route → Middleware → Response Creating Custom Middleware from fastapi import FastAPI , Request import time app = FastAPI () @ app . middleware ( "http" ) async def log_requests ( request : Request , call_next ): start_time = time . time() response = await call_next ( request ) process_time = time . time() - start_time print ( f"Request: { request . url} | Time: { process_time } " ) return response What This Middle...
Read more

Python Data Handling

Python Data Handling for Beginners In Python, data handling means storing, changing, and using data in different ways. In this post, you will learn: Lists Tuples Dictionaries Sets String Methods Type Conversion 1. Python Lists :Lists store many values in one variable.                fruits = ["apple", "banana", "mango"]                                                                       Method                          Use                                            append()          ...
Read more