Tag

fastapi

14 posts

Tutorial

Clean Code Python: Full-Stack DI with dependency-injector, FastAPI, and SQLAlchemy

FastAPI's Depends() handles per-request wiring. dependency-injector handles everything else — configuration, singletons, factories, and a declarative container that makes your entire object graph visible in one file.

15 min read
Tutorial

FastAPI Auth: The Security Mental Model You Need First

Authentication and authorization are two different problems that most tutorials conflate. Here is the mental model, threat landscape, and FastAPI security toolkit you need before writing a single line of auth code.

9 min read
Tutorial

FastAPI Auth: API Key Authentication for Machine Clients

API keys are the most misused auth mechanism in production. Here is how to generate, scope, rotate, and rate-limit API keys in FastAPI — with the patterns that separate toy projects from production systems.

9 min read
Tutorial

FastAPI Auth: JWT Tokens — Stateless Authentication

JWTs eliminate session storage but introduce revocation challenges. Here is how to build access tokens, refresh tokens, and token rotation in FastAPI — with the security pitfalls that tutorials never mention.

10 min read
Tutorial

FastAPI Auth: Password Authentication Done Right

Password hashing is not security — it is one layer. Here is how to build registration, login, session management, and brute-force protection in FastAPI without the mistakes that lead to credential breaches.

12 min read
Tutorial

FastAPI Auth: OAuth 2.0 — The Authorization Framework

OAuth 2.0 is not authentication — it is authorization. Here are the four grant types, why PKCE is now mandatory, and how to implement the authorization code flow in FastAPI with working code and sequence diagrams.

9 min read
Tutorial

FastAPI Auth: OpenID Connect and Single Sign-On

OAuth 2.0 does not tell you who the user is. OpenID Connect adds the identity layer. Here is how to implement Google SSO, validate ID tokens, and understand when OIDC beats SAML.

9 min read
Tutorial

FastAPI Auth: Authorization Patterns — RBAC, ABAC, and Beyond

Authentication answers who. Authorization answers what. Here are three authorization models — RBAC, ABAC, and ReBAC — implemented as FastAPI dependencies with decision flows, comparison tables, and production patterns.

10 min read
Tutorial

Clean Code Python: Structured Error Handling Across the Stack

Scattered try/except blocks and generic 500 errors signal a system that was not designed. Here is how to define domain exceptions, translate them to HTTP responses, and give your API clients errors they can act on.

7 min read
Tutorial

Clean Code Python: Dependency Injection Without Magic

FastAPI's Depends() is the most underused tool in the framework. Here is how to use it to wire repositories, services, and authentication into your route handlers with no global state and no service locator pattern.

7 min read
Tutorial

Clean Code Python: Testing Strategies for the Full Stack

Unit tests, integration tests, and API tests — each has a role in a Python backend. Here is a complete testing strategy for a FastAPI + SQLAlchemy project, showing what to test at each layer and how the patterns from this series make testing effortless.

10 min read