Blog

62 posts on engineering, architecture, and technical craft.

Tutorial

Clean Code Python: API Versioning and Backward-Compatible Evolution

A breaking API change that 'only' affects 5% of tenants still breaks real businesses. Without versioning, every change you ship is a breaking change for someone. Here is how to version a multi-tenant FastAPI backend with per-tenant version pinning, deprecation workflows, and contract testing.

12 min read
Tutorial

Clean Code Python: From git init to Production Traffic

Theory without deployment is fiction. This capstone assembles all 22 prior patterns into a deployed, monitored, incident-ready multi-tenant Python backend — from Docker Compose to runbooks to your first production incident.

22 min read
Tutorial

FastAPI Auth: The Security Mental Model You Need First

Authentication and authorization are two different problems that most tutorials conflate. Here is the mental model, threat landscape, and FastAPI security toolkit you need before writing a single line of auth code.

9 min read
Tutorial

FastAPI Auth: API Key Authentication for Machine Clients

API keys are one of the most misused auth mechanisms in production. Here is how to generate, scope, rotate, and rate-limit API keys in FastAPI — with the patterns that separate toy projects from production systems.

9 min read
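The handling the post above promises (generate, hash at rest, scope, rotate with a grace period, rate-limit) fits in one small store. The following is an added illustration written for this listing, not code from the post or from FastAPI: the `sk_live_` prefix, the scope names and the tenant names are assumed, and the in-memory dictionaries stand in for whatever database the post uses. The security point worth noticing is that only a SHA-256 digest of the key is persisted; because the key is 256 bits of randomness, a fast hash is enough here, unlike passwords, and a lookup by digest leaks nothing useful through timing.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

KEY_PREFIX = "sk_live_"  # assumed naming; lets log scrubbers and secret scanners recognise a key


@dataclass
class ApiKeyRecord:
    key_hash: str          # sha256 hex digest; the plaintext key is never stored
    tenant: str
    scopes: frozenset[str]
    expires_at: float      # unix time
    revoked: bool = False


class ApiKeyStore:
    """In-memory key store constructed for this example (a real one lives in the database)."""

    def __init__(self) -> None:
        self._by_hash: dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        # High-entropy random keys do not need a slow password hash; sha256 is the right tool.
        return hashlib.sha256(secret.encode("ascii")).hexdigest()

    def issue(self, tenant: str, scopes, ttl_seconds: float = 30 * 86400, now: float | None = None) -> str:
        """Create a key for a tenant. The plaintext is returned once and never stored."""
        now = time.time() if now is None else now
        secret = KEY_PREFIX + secrets.token_urlsafe(32)  # 256 bits of randomness
        rec = ApiKeyRecord(self._digest(secret), tenant, frozenset(scopes), now + ttl_seconds)
        self._by_hash[rec.key_hash] = rec
        return secret

    def authenticate(self, presented: str, required_scope: str, now: float | None = None) -> str | None:
        """Return the tenant if the key is valid, unexpired, unrevoked and carries the scope."""
        now = time.time() if now is None else now
        if not presented.startswith(KEY_PREFIX):
            return None
        rec = self._by_hash.get(self._digest(presented))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        if required_scope not in rec.scopes:  # scoping: a read key must not write
            return None
        return rec.tenant

    def revoke(self, presented: str) -> None:
        rec = self._by_hash.get(self._digest(presented))
        if rec is not None:
            rec.revoked = True

    def rotate(self, old_secret: str, grace_seconds: float = 3600, now: float | None = None) -> str:
        """Issue a replacement with the same scopes; the old key keeps working only for a grace window."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._digest(old_secret))
        if rec is None or rec.revoked:
            raise KeyError("unknown or revoked key")
        rec.expires_at = min(rec.expires_at, now + grace_seconds)
        return self.issue(rec.tenant, rec.scopes, now=now)


class RateLimiter:
    """Fixed-window counter keyed by key digest, so the plaintext key never reaches the limiter."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._counts: dict[tuple[str, int], int] = {}

    def allow(self, presented: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        bucket = (ApiKeyStore._digest(presented), int(now // self.window))
        self._counts[bucket] = self._counts.get(bucket, 0) + 1
        return self._counts[bucket] <= self.limit
```

A FastAPI dependency would read the key from an `X-API-Key` header, call `authenticate` with the scope the route needs, and return the tenant for the handler; rotation is exposed to the tenant as an endpoint that calls `rotate` and returns the new plaintext exactly once.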
Tutorial

FastAPI Auth: JWT Tokens — Stateless Authentication

JWTs eliminate session storage but introduce revocation challenges. Here is how to build access tokens, refresh tokens, and token rotation in FastAPI — with the security pitfalls that tutorials never mention.

10 min read
Tutorial

FastAPI Auth: Password Authentication Done Right

Password hashing alone is not security; it is one layer. Here is how to build registration, login, session management, and brute-force protection in FastAPI without the mistakes that lead to credential breaches.

12 min read
Tutorial

FastAPI Auth: OAuth 2.0 — The Authorization Framework

OAuth 2.0 is not authentication — it is delegated authorization. Here are the four grant types, why PKCE, originally an add-on for native apps, is now required for every authorization code flow, and how to implement that flow in FastAPI with working code and sequence diagrams.

9 min read
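The reason PKCE became mandatory is easiest to see in code. The following is an added illustration written for this listing, not code from the post or from any OAuth library: the `AuthorizationServer` class is a constructed stand-in that only models the two checks PKCE adds (bind the `code_challenge` to the issued code, verify the `code_verifier` at token exchange), and `demo-client` is an assumed client id. It uses only the standard library so it runs offline; the first test vector below is the one from RFC 7636 Appendix B.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server constructed for this example.

    It binds each one-time authorization code to the code_challenge that came
    with the authorization request (front channel, via the browser) and only
    releases tokens when the matching code_verifier arrives on the back channel.
    """

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Refuse 'plain': it would put the verifier itself into the front channel.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict | None:
        # Pop first: any exchange attempt consumes the code, so a leaked code
        # cannot be retried and a redeemed one cannot be replayed.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_challenge = entry
        if bound_client != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), bound_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flows() -> dict[str, bool]:
    """Walk a stolen-code attempt and a legitimate exchange; returns who got a token."""
    server = AuthorizationServer()
    client_id = "demo-client"  # assumed identifier

    # Flow 1: the code leaks (logged redirect URI, malicious app on the device, ...).
    # The thief never saw the verifier, which stayed in the client's memory.
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    attacker = server.token(client_id, code, make_code_verifier())

    # Flow 2: the real client redeems its own code with the verifier it kept.
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    legit = server.token(client_id, code, verifier)
    replay = server.token(client_id, code, verifier)  # codes are single use

    return {
        "attacker_got_token": attacker is not None,
        "client_got_token": legit is not None,
        "replay_got_token": replay is not None,
    }
```

Without the challenge/verifier pair, Flow 1 succeeds: whoever holds the authorization code holds the account, which is exactly the authorization code interception attack PKCE was written to close. Note that the verifier is compared through its hash with `hmac.compare_digest`, and that a code is consumed on the first exchange attempt whether or not it succeeds.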
Tutorial

FastAPI Auth: OpenID Connect and Single Sign-On

OAuth 2.0 does not tell you who the user is. OpenID Connect adds the identity layer. Here is how to implement Google SSO, validate ID tokens, and understand when OIDC beats SAML.

9 min read
Tutorial

FastAPI Auth: Authorization Patterns — RBAC, ABAC, and Beyond

Authentication answers who. Authorization answers what. Here are three authorization models — RBAC, ABAC, and ReBAC — implemented as FastAPI dependencies with decision flows, comparison tables, and production patterns.

10 min read