How do you implement authentication (OAuth2/JWT)?

Question

Accepted Answer

FastAPI provides built-in tools (`OAuth2PasswordBearer`, security utilities) for implementing authentication, commonly using **OAuth2 password flow with JWT tokens**. The pattern combines token issuance (login) with a dependency that validates the token on protected routes.

## Hashing passwords and issuing a JWT on login

```python
from passlib.context import CryptContext
from jose import jwt
from datetime import datetime, timedelta

pwd = CryptContext(schemes=["bcrypt"])    # secure password hashing

@app.post("/login")
def login(form: OAuth2PasswordRequestForm = Depends()):
    user = get_user(form.username)
    if not user or not pwd.verify(form.password, user.hashed_password):  # constant-time check
        raise HTTPException(401, "Invalid credentials")
    # issue a signed JWT containing the user identity + expiry
    token = jwt.encode(
        {"sub": user.username, "exp": datetime.utcnow() + timedelta(minutes=30)},
        SECRET_KEY, algorithm="HS256",
    )
    return {"access_token": token, "token_type": "bearer"}
```

Passwords are **hashed** (bcrypt) — never stored plaintext. On valid login, a **JWT** is issued: a signed token carrying the user's identity and an expiry.

## Validating the token on protected routes (a dependency)

```python
from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="login")   # extracts the Bearer token

def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])   # verify signature + expiry
        username = payload.get("sub")
    except JWTError:
        raise HTTPException(401, "Invalid token")
    user = get_user(username)
    if not user:
        raise HTTPException(401, "User not found")
    return user

@app.get("/me")
def read_me(user: User = Depends(get_current_user)):     # PROTECTED — requires a valid token
    return user
```

A `get_current_user` dependency extracts and **verifies** the JWT (signature + expiry), loads the user, and is injected into protected endpoints — any route depending on it requires authentication.

## Authorization (roles/scopes)

```python
def require_admin(user: User = Depends(get_current_user)):
    if not user.is_admin:
        raise HTTPException(403, "Forbidden")     # authorization check
    return user
# OAuth2 SCOPES provide fine-grained permission control
```

## Why it matters

Authentication is essential and **security-critical** — nearly every real API needs to protect routes, and getting auth wrong creates serious vulnerabilities.

Understanding FastAPI's approach is important: it provides the building blocks (`OAuth2PasswordBearer`, security utilities) for the standard **OAuth2-password-flow-with-JWT** pattern, which elegantly leverages FastAPI's strengths — a login endpoint issues a signed token, and a **`get_current_user` dependency** validates it, cleanly protecting any route that depends on it (the idiomatic FastAPI auth pattern).

Several aspects are critical to get right: **hashing passwords** (bcrypt, never plaintext, with constant-time verification), **signing and verifying JWTs** correctly (signature + expiry validation), distinguishing **authentication** (who you are) from **authorization** (what you can do, via role/scope checks), and keeping the secret key safe.

Knowing how to implement this pattern securely — token issuance, the validation dependency, and authorization — is fundamental senior-level knowledge for building secure FastAPI applications, since auth is both ubiquitous and a frequent source of dangerous mistakes when implemented incorrectly.