In the previous article, we explored the concepts of Authentication and Authorization.
We learned that:
Understanding the concepts is important, but real-world applications require actual implementation.
If you've ever used Gmail, LinkedIn, GitHub, or ChatGPT, you've already used authentication systems countless times.
You enter your username and password, the application verifies your identity, and you gain access to protected resources.
But how does this actually work behind the scenes?
In this article, we'll build a complete JWT Authentication system using FastAPI.
If you haven't read the previous article, check it out first:
Imagine building an AI-powered learning platform.
Without authentication:
Clearly, this is a security problem.
Applications need a way to:
This is where JWT Authentication comes in.
JWT stands for JSON Web Token.
A JWT is a secure token that contains information about a user.
Instead of sending a username and password with every request, the user sends a token.
Typical flow:
Register User
↓
Login
↓
Verify Credentials
↓
Generate JWT Token
↓
Access Protected Routes
pip install python-jose passlib[bcrypt]
We'll use:
passlib
for password hashingpython-jose
for JWT token generation and verificationStoring passwords in plain text is extremely dangerous.
Never do this:
users = {
"rahul": "password123"
}
If the database is compromised, every user's password becomes visible.
Instead, we store a hashed version.
from passlib.context import CryptContext
pwd_context = CryptContext(
schemes=["bcrypt"],
deprecated="auto"
)
CryptContext
manages password hashing algorithms.
In this example:
schemes=["bcrypt"]
we tell FastAPI to use the bcrypt hashing algorithm.
hashed_password = pwd_context.hash("password123")
print(hashed_password)
Output:
$2b$12$.....
Notice that the original password is no longer visible.
When the user logs in:
pwd_context.verify(
"password123",
hashed_password
)
returns:
True
This allows us to verify passwords without storing them in plain text.
Let's create a simple registration endpoint.
from fastapi import FastAPI
app = FastAPI()
users = {}
@app.post("/register")
def register(username: str, password: str):
hashed_password = pwd_context.hash(password)
users[username] = hashed_password
return {"message": "User registered successfully"}
Now let's verify credentials.
@app.post("/login")
def login(username: str, password: str):
stored_password = users.get(username)
if not stored_password:
return {"message": "User not found"}
if not pwd_context.verify(password, stored_password):
return {"message": "Invalid credentials"}
return {"message": "Login successful"}
At this point, users can log in successfully.
However, they still need to send their username and password with every request.
JWT solves this problem.
from jose import jwt
from datetime import datetime, timedelta
SECRET_KEY = "mysecretkey"
ALGORITHM = "HS256"
The secret key is used to sign tokens.
If someone modifies the token, the signature becomes invalid.
def create_access_token(data: dict):
to_encode = data.copy()
expire = datetime.utcnow() + timedelta(minutes=30)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(
to_encode,
SECRET_KEY,
algorithm=ALGORITHM
)
return encoded_jwt
python
@app.post("/login")
def login(username: str, password: str):
stored_password = users.get(username)
if not stored_password:
return {"message": "User not found"}
if not pwd_context.verify(password, stored_password):
return {"message": "Invalid credentials"}
token = create_access_token(
{"sub": username}
)
return {
"access_token": token,
"token_type": "bearer"
}
Successful login now returns:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer"
}
Now we can protect routes.
@app.get("/profile")
def get_profile():
return {
"message": "Protected profile data"
}
Currently anyone can access it.
In production applications, FastAPI verifies the JWT token before allowing access.
We'll implement complete route protection in the next article.
For now, focus on understanding:
These form the foundation of every authentication system.
Register User
↓
Hash Password
↓
Store Hash
↓
Login
↓
Verify Password
↓
Generate JWT
↓
Access Protected Routes
Today we built the core components of JWT Authentication:
A user can now register, log in, and receive a signed JWT token.
However, generating a token is only half the story.
The next step is learning how to validate tokens and protect routes using FastAPI dependencies.
In the next article, we'll implement JWT-based route protection and begin exploring Role-Based Access Control (RBAC).