FastAPI for AI Engineers - Part 6: JWT Authentication in FastAPI

A developer demonstrates how to implement JWT authentication in FastAPI for AI applications, covering password hashing with bcrypt and token generation using python-jose. The tutorial includes registration and login endpoints, emphasizing secure credential storage and token-based access control.

In the previous article, we explored the concepts of Authentication and Authorization. We learned that: Understanding the concepts is important, but real-world applications require actual implementation. If you've ever used Gmail, LinkedIn, GitHub, or ChatGPT, you've already used authentication systems countless times. You enter your username and password, the application verifies your identity, and you gain access to protected resources. But how does this actually work behind the scenes? In this article, we'll build a complete JWT Authentication system using FastAPI. If you haven't read the previous article, check it out first: Imagine building an AI-powered learning platform. Without authentication: Clearly, this is a security problem. Applications need a way to: This is where JWT Authentication comes in. JWT stands for JSON Web Token . A JWT is a secure token that contains information about a user. Instead of sending a username and password with every request, the user sends a token. Typical flow: Register User ↓ Login ↓ Verify Credentials ↓ Generate JWT Token ↓ Access Protected Routes pip install python-jose passlib bcrypt We'll use: passlib for password hashing python-jose for JWT token generation and verificationStoring passwords in plain text is extremely dangerous. Never do this: users = { "rahul": "password123" } If the database is compromised, every user's password becomes visible. Instead, we store a hashed version. python from passlib.context import CryptContext pwd context = CryptContext schemes= "bcrypt" , deprecated="auto" CryptContext manages password hashing algorithms. In this example: schemes= "bcrypt" we tell FastAPI to use the bcrypt hashing algorithm. hashed password = pwd context.hash "password123" print hashed password Output: $2b$12$..... Notice that the original password is no longer visible. When the user logs in: pwd context.verify "password123", hashed password returns: True This allows us to verify passwords without storing them in plain text. Let's create a simple registration endpoint. python from fastapi import FastAPI app = FastAPI users = {} @app.post "/register" def register username: str, password: str : hashed password = pwd context.hash password users username = hashed password return {"message": "User registered successfully"} Now let's verify credentials. python @app.post "/login" def login username: str, password: str : stored password = users.get username if not stored password: return {"message": "User not found"} if not pwd context.verify password, stored password : return {"message": "Invalid credentials"} return {"message": "Login successful"} At this point, users can log in successfully. However, they still need to send their username and password with every request. JWT solves this problem. python from jose import jwt from datetime import datetime, timedelta SECRET KEY = "mysecretkey" ALGORITHM = "HS256" The secret key is used to sign tokens. If someone modifies the token, the signature becomes invalid. python def create access token data: dict : to encode = data.copy expire = datetime.utcnow + timedelta minutes=30 to encode.update {"exp": expire} encoded jwt = jwt.encode to encode, SECRET KEY, algorithm=ALGORITHM return encoded jwt python @app.post "/login" def login username: str, password: str : stored password = users.get username if not stored password: return {"message": "User not found"} if not pwd context.verify password, stored password : return {"message": "Invalid credentials"} token = create access token {"sub": username} return { "access token": token, "token type": "bearer" } Successful login now returns: { "access token": "eyJhbGciOiJIUzI1NiIs...", "token type": "bearer" } Now we can protect routes. python @app.get "/profile" def get profile : return { "message": "Protected profile data" } Currently anyone can access it. In production applications, FastAPI verifies the JWT token before allowing access. We'll implement complete route protection in the next article. For now, focus on understanding: These form the foundation of every authentication system. Register User ↓ Hash Password ↓ Store Hash ↓ Login ↓ Verify Password ↓ Generate JWT ↓ Access Protected Routes Today we built the core components of JWT Authentication: A user can now register, log in, and receive a signed JWT token. However, generating a token is only half the story. The next step is learning how to validate tokens and protect routes using FastAPI dependencies. In the next article, we'll implement JWT-based route protection and begin exploring Role-Based Access Control RBAC .