DEV Community: Praise Ordu The latest articles on DEV Community by Praise Ordu (@praiseordu). https://dev.to/praiseordu https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3900587%2Fb8933e9a-0518-4b56-aaac-6183d9c89eaa.png DEV Community: Praise Ordu https://dev.to/praiseordu en How I Orchestrated a Multi-Tenant Travel & Media Stack on an Azure + Supabase Foundation Praise Ordu Wed, 03 Jun 2026 20:04:20 +0000 https://dev.to/praiseordu/how-i-orchestrated-a-multi-tenant-travel-media-stack-on-an-azure-supabase-foundation-1097 https://dev.to/praiseordu/how-i-orchestrated-a-multi-tenant-travel-media-stack-on-an-azure-supabase-foundation-1097 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow38kdwtf9oyq1bit2yw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow38kdwtf9oyq1bit2yw.jpg" alt=" " width="625" height="389"></a></p> <p>Most "startup architectures" are bloated by default. We are conditioned to think that building high-concurrency travel logistics (Hermex Travels) or real-time media premiere networks (Watchroom) requires massive enterprise infrastructure spend from day one.</p> <p>I decided to prove the opposite: you can build enterprise-grade performance by treating your architecture like a capital-efficiency puzzle. Here is the technical breakdown of how I built two production-ready platforms using Azure Web Apps, Supabase, and FastAPI.</p> <h2> 1. The Core Modern Stack: Next.js + FastAPI + Supabase </h2> <p>Instead of deploying a heavy, monolithic instance, I decomposed the application to leverage specialized infrastructure. By decoupling the frontend, compute, and data layers, I ensure that each component scales independently without creating performance or financial bottlenecks.</p> <h3> The Frontend: Next.js &amp; Tailwind CSS </h3> <p>Edge Delivery: The frontend is built using Next.js and Tailwind CSS. It is deployed on a global edge network to ensure that user interface delivery is instantaneous, static assets are aggressively cached, and the client-side experience feels sub-millisecond.</p> <h3> The Compute Layer: FastAPI on Azure Web Apps </h3> <p>The Engine: The entire backend is built on FastAPI and Python, running inside Azure App Service (Web Apps). FastAPI is explicitly chosen for its native support for asynchronous programming (async/await), meaning a single lightweight container can handle thousands of concurrent operations without breaking a sweat.</p> <h3> Production Routing: </h3> <p>Azure Web Apps provides the managed environment needed to run our containerized Python backend seamlessly. This handles automated deployment pipelines, robust logging, and direct scalability under production loads without the DevOps overhead of managing raw virtual machines.</p> <h3> The Data Layer: Supabase (PostgreSQL) </h3> <p>Relational Backbone: All structured data, user records, and relational schemas live inside Supabase (PostgreSQL). Instead of letting the backend code do the heavy lifting for data filtering, I lean heavily on PostgreSQL's advanced indexing capabilities.</p> <h3> Row-Level Security (RLS) for Multi-Tenancy:### </h3> <p>To isolate tenant data securely across applications, I use native Supabase Row-Level Security (RLS). This shifts the authentication and authorization enforcement straight to the database engine. If a malicious client tries to bypass the FastAPI layer, the database itself completely rejects unauthorized data requests, keeping our security tight with zero extra code overhead.</p> <h2> 2. Industry-Specific Deep Dives </h2> <p>This foundational stack is incredibly versatile. I applied this exact architectural blueprint to solve two vastly different engineering problems.</p> <h3> Hermex Travels: </h3> <p>High-Compliance Travel &amp; Visa Intelligence<br> The Challenge: Processing volatile visa requirements, document checklists, and cross-border flight data without paying thousands of dollars for bloated legacy data orchestration suites.</p> <h3> The Execution: </h3> <p>The FastAPI backend on Azure Web Apps handles complex operations, interfacing with lightweight travel APIs and transforming unstructured visa intelligence data into deterministic data structures. HERSSA, the platform's specialized conversational AI travel engine, queries these optimized Supabase PostgreSQL datasets to give real-time compliance feedback with sub-second latency.</p> <h3> Watchroom: Low-Latency Synchronized Media Premieres </h3> <p>The Challenge: Syncing video playback across thousands of concurrent, geographically dispersed users without burning through thousands of dollars on enterprise video streaming suites.</p> <h3> The Execution: </h3> <p>Raw media assets are segmented into HLS streams, stored securely, and distributed via Azure CDN to wipe out expensive data egress fees and bypass premium streaming networks. The synchronization loop—tracking play, pause, and timestamp states across thousands of connected fans—is managed by the FastAPI backend, utilizing optimized state broadcasts to ensure everyone watches the premiere together in real time.</p> <h2> 3. AI as the Lead Systems Architect </h2> <p>Operating as a solo technical founder means you have to automate the role of a senior engineering team. I use an iterative prompt framework to turn advanced LLMs into an elite systems architect for this specific Azure + Supabase ecosystem.</p> <p>When I need to optimize data pipelines or debug asynchronous concurrency bugs, I don't guess—I prompt with extreme precision:</p> <p><strong><em>"Act as an Expert Cloud Solutions Architect specializing in FastAPI and Supabase. Optimize the following asynchronous Python route running on an Azure Web App consumption plan. Ensure database connection pooling is maximized, memory allocation is minimized to prevent container recycling, and Supabase RLS policies are structured for maximum query planner efficiency."</em></strong></p> <p>This operational discipline allows a single developer to write, test, and ship optimized code at the pace of an entire development agency.</p> <h2> 4. Subsidizing Growth with the Startup Ecosystem </h2> <p>The final piece of the puzzle isn't technical—it is financial. Building on enterprise rails like Azure can become expensive if you pay retail prices.</p> <p>Because my ventures are backed by the Microsoft for Startups Founders Hub, I secured access to significant Azure cloud credits. The real engineering trick here is keeping the infrastructure modular: because the backend is containerized for Azure Web Apps and decoupled from the Supabase database layer, I retain full mobility. If the cloud credit landscape shifts, the architecture can be remeasured and redeployed across cloud boundaries in a matter of hours.</p> <h2> The Bootstrapper's Conclusion </h2> <p>Engineering excellence is not about how much money you can spend on your infrastructure; it's about how much value you can extract out of a single unit of computing power. By pairing the raw compute performance of FastAPI on Azure Web Apps with the robust data engine of Supabase, you can scale a global tech platform from absolutely anywhere.</p> <p>If you want to see the exact schema layouts, API connection patterns, and the master tool registry I used to build these platforms, I am open-sourcing the technical blueprints in a dedicated repository for my upcoming book, <strong><em>The $100 Founder</em></strong>.</p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body flex items-center justify-between"> <a href="https://hermextravels.github.io/100dollarfounder/" rel="noopener noreferrer" class="c-link fw-bold flex items-center"> <span class="mr-2">hermextravels.github.io</span> </a> </div> </div> </div> ai fastapi azure webdev 5 Critical Security Vulnerabilities in Python APIs (and How to Fix Them in Production) Praise Ordu Mon, 27 Apr 2026 18:46:47 +0000 https://dev.to/praiseordu/5-critical-security-vulnerabilities-in-python-apis-and-how-to-fix-them-in-production-1gh2 https://dev.to/praiseordu/5-critical-security-vulnerabilities-in-python-apis-and-how-to-fix-them-in-production-1gh2 <h4> Introduction </h4> <p>Most API security issues are not caused by complex attacks they come from simple mistakes made during development.</p> <p>These issues are not theoretical they are some of the most common vulnerabilities seen in production APIs.</p> <p>In production systems, especially backend-heavy platforms, these vulnerabilities can lead to:</p> <ul> <li>data leaks</li> <li>unauthorized access</li> <li>system abuse</li> </ul> <p>In this article, I’ll break down five critical security vulnerabilities commonly found in Python APIs—and how to fix them using production-ready practices.</p> <h5> 1. Missing or Weak Authentication </h5> <h6> Problem </h6> <p>Many APIs either:</p> <ul> <li>don’t enforce authentication</li> <li>or rely on weak token validation</li> </ul> <p>This allows unauthorized users to access protected endpoints.</p> <h6> Fix: Use Proper JWT Validation </h6> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">HTTPException</span> <span class="n">SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">secure-key</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">except</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Unauthorized</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h5> 2. No Rate Limiting (API Abuse Risk) </h5> <p>A single missing rate limit on an authentication endpoint can lead to account compromise at scale.</p> <h6> Problem </h6> <p>Without rate limiting:</p> <ul> <li>attackers can flood endpoints</li> <li>brute-force attacks become possible</li> </ul> <h6> Fix: Add Rate Limiting </h6> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">protected</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h5> 3. Exposing Sensitive Data in Responses </h5> <h6> Problem </h6> <p>APIs sometimes return:</p> <ul> <li>internal IDs</li> <li>debug information</li> <li>system details</li> </ul> <p>This can help attackers map your system.</p> <h6> Fix </h6> <ul> <li>sanitize responses</li> <li>never expose internal structures</li> <li>use strict response schemas</li> </ul> <h5> 4. No Input Validation </h5> <h6> Problem </h6> <p>Unvalidated input leads to:</p> <ul> <li>injection attacks</li> <li>system crashes</li> <li>unpredictable behavior</li> </ul> <h6> Fix </h6> <p>Use strict validation (e.g., Pydantic in FastAPI):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">UserInput</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="n">age</span><span class="p">:</span> <span class="nb">int</span> </code></pre> </div> <h5> 5. Long-Lived Tokens </h5> <h6> Problem </h6> <p>Tokens that never expire:</p> <ul> <li>can be reused indefinitely</li> <li>increase risk if leaked</li> </ul> <h6> Fix: Use Short-Lived Tokens </h6> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">time</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">900</span> <span class="c1"># 15 minutes </span><span class="p">}</span> </code></pre> </div> <h4> Production Security Checklist </h4> <ul> <li>Enforce authentication on all protected routes</li> <li>Implement rate limiting</li> <li>Validate all inputs</li> <li>Avoid exposing internal data</li> <li>Use short-lived tokens</li> </ul> <h4> Conclusion </h4> <p>Most API vulnerabilities are preventable.</p> <p>Security is not something you add later—it must be part of your system design from the beginning.</p> <p>By addressing these common issues, you significantly reduce the risk of attacks and build a more resilient backend system.</p> security cybersecurity python api How to Build a Production-Ready Secure Python API (JWT, Rate Limiting, and Caching) Praise Ordu Mon, 27 Apr 2026 18:18:28 +0000 https://dev.to/praiseordu/how-to-build-a-production-ready-secure-python-api-jwt-rate-limiting-and-caching-2md1 https://dev.to/praiseordu/how-to-build-a-production-ready-secure-python-api-jwt-rate-limiting-and-caching-2md1 <h4> Introduction </h4> <p>Most Python APIs work perfectly in development—and fail in production.</p> <p>The issue is rarely functionality. It’s missing security and resilience layers:</p> <ul> <li>no authentication control</li> <li>no rate limiting</li> <li>excessive database load</li> </ul> <p>In this guide, I’ll walk through how to design a production-ready Python API using:</p> <ul> <li>JWT authentication</li> <li>rate limiting</li> <li>caching</li> </ul> <p>This is the same approach used in real backend systems where stability and security matter.</p> <h4> Architecture Overview </h4> <p>A production API should include:</p> <ul> <li>Authentication layer → controls access</li> <li>Rate limiting layer → prevents abuse</li> <li>Caching layer → improves performance</li> <li>Stateless design → enables scaling</li> </ul> <p>We’ll implement each step</p> <p>Step 1: Setting Up JWT Authentication</p> <p>JWT allows stateless authentication—critical for scalable systems.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPBearer</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">security</span> <span class="o">=</span> <span class="nc">HTTPBearer</span><span class="p">()</span> <span class="n">SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">your-secret-key</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">except</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h4> Step 2: Protecting API Endpoints </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/secure</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secure_route</span><span class="p">(</span><span class="n">credentials</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="n">user</span> <span class="o">=</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">User </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> authenticated</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p>At this point, only valid users can access the endpoint.</p> <h4> Step 3: Adding Rate Limiting </h4> <p>Authentication alone is not enough—APIs must handle abuse.</p> <p>In production systems, missing rate limiting and authentication layers often leads to API abuse and service instability.</p> <p>For example, login endpoints without rate limiting are common targets for brute-force attacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/secure</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">10/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secure_route</span><span class="p">(</span><span class="n">credentials</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Access granted</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p>This prevents:</p> <ul> <li>brute-force attacks</li> <li>request flooding</li> <li>unnecessary load</li> </ul> <h4> Step 4: Introducing Caching </h4> <p>Frequent database calls slow down systems.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">redis</span> <span class="n">cache</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">6379</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_data</span><span class="p">(</span><span class="n">key</span><span class="p">):</span> <span class="n">cached</span> <span class="o">=</span> <span class="n">cache</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="k">if</span> <span class="n">cached</span><span class="p">:</span> <span class="k">return</span> <span class="n">cached</span> <span class="c1"># simulate database call </span> <span class="n">data</span> <span class="o">=</span> <span class="sh">"</span><span class="s">fresh_data</span><span class="sh">"</span> <span class="n">cache</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> <span class="k">return</span> <span class="n">data</span> </code></pre> </div> <p>Caching:</p> <ul> <li>reduces latency</li> <li>improves scalability</li> <li>protects your database</li> </ul> <h4> Production Considerations </h4> <p>To make this truly production-ready:</p> <ul> <li>Use short-lived JWT tokens (5–15 minutes)</li> <li>Store secrets securely (not in code)</li> <li>Log failed authentication attempts</li> <li>Use distributed caching in large systems</li> </ul> <h4> Conclusion </h4> <p>A production API is not defined by its endpoints, but by how well it handles abuse, failure, and scale.</p> <p>By combining:</p> <ul> <li>authentication</li> <li>rate limiting</li> <li>caching</li> </ul> <p>you create a backend system that is secure, scalable, and reliable.</p> python security api backend How I Built a Scalable and Secure Streaming Backend with Python (Production Lessons) Praise Ordu Mon, 27 Apr 2026 14:17:47 +0000 https://dev.to/praiseordu/how-i-built-a-scalable-and-secure-streaming-backend-with-python-production-lessons-4oi0 https://dev.to/praiseordu/how-i-built-a-scalable-and-secure-streaming-backend-with-python-production-lessons-4oi0 <h5> Author: Praise Ordu </h5> <h5> Founder &amp; CEO, Hermex / Watchroom (Streaming Platform Project) </h5> <h3> Introduction </h3> <p>When I started building a streaming platform, I assumed video delivery would be the hardest part.</p> <p>It wasn’t.</p> <p>The real challenge was designing a backend system that could:</p> <ul> <li>handle concurrent users without crashing</li> <li>deliver content efficiently under load</li> <li>enforce secure access to media</li> <li>remain stable in real-world conditions</li> </ul> <p>This is not a theoretical guide. It is based on real implementation experience building Watchroom, a streaming platform focused on scalable and secure media delivery.</p> <p>In this article, I’ll break down how I built a scalable and secure streaming backend using Python—and the architectural decisions that made it work in production.</p> <h4> The Problem: Why Most Streaming Backends Fail </h4> <p>A naive implementation usually looks like this:</p> <ul> <li>videos served directly from the backend</li> <li>no caching layer</li> <li>no background processing</li> <li>weak or no access control</li> </ul> <p>This setup works in development—but fails quickly in production:</p> <ul> <li>high latency</li> <li>server overload</li> <li>poor playback experience</li> <li>security vulnerabilities</li> </ul> <p>To solve this, I had to rethink the architecture from the ground up while building Watchroom.</p> <h3> High-Level Architecture </h3> <p>The system was designed with clear separation of concerns:</p> <ol> <li>API Layer (FastAPI)</li> </ol> <ul> <li>Handles authentication</li> <li>Manages user sessions</li> <li>Generates secure access to content</li> </ul> <ol> <li>Storage + CDN Layer</li> </ol> <ul> <li>Video files stored in object storage</li> <li>Delivered via CDN (not from backend servers)</li> </ul> <ol> <li>Background Workers (Celery + Redis)</li> </ol> <ul> <li>Video processing</li> <li>Thumbnail generation</li> <li>asynchronous tasks</li> </ul> <ol> <li>Database (PostgreSQL)</li> </ol> <ul> <li>user data</li> <li>video metadata</li> <li>access logs</li> </ul> <ol> <li>Caching Layer (Redis)</li> </ol> <ul> <li>reduces database load</li> <li>speeds up frequent queries</li> </ul> <p>This architecture was implemented while building Watchroom, where scalability and reliability were critical requirements.</p> <p>Key Decision #1: Never Serve Video from Your Backend</p> <p>Serving large media files directly from your API is one of the fastest ways to break your system.</p> <p>Initially, I tried serving media directly from the backend, which caused severe latency under load. Moving to a CDN-based approach fixed this.</p> <p>Instead:</p> <ul> <li>store files in object storage</li> <li>deliver via CDN</li> <li>let the backend handle only control logic</li> </ul> <p>This single decision dramatically improved:</p> <ul> <li>scalability</li> <li>performance</li> <li>cost efficiency</li> </ul> <p>Securing Video Access with Signed Tokens</p> <p>One major challenge in Watchroom was preventing unauthorized sharing of video links.</p> <p>The solution was to generate short-lived signed access tokens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="n">SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">your-secret-key</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">generate_signed_url</span><span class="p">(</span><span class="n">video_id</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">video_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">video_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">300</span> <span class="c1"># expires in 5 minutes </span> <span class="p">}</span> <span class="n">token</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">SECRET</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://cdn.example.com/video/</span><span class="si">{</span><span class="n">video_id</span><span class="si">}</span><span class="s">?token=</span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>This ensures:</p> <ul> <li>links expire quickly</li> <li>users cannot reuse or share access indefinitely</li> <li>content remains protected</li> </ul> <h3> Adding API Security with JWT Authentication </h3> <p>To protect backend endpoints, I implemented JWT-based authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPBearer</span> <span class="kn">import</span> <span class="n">jwt</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">security</span> <span class="o">=</span> <span class="nc">HTTPBearer</span><span class="p">()</span> <span class="n">SECRET</span> <span class="o">=</span> <span class="sh">"</span><span class="s">your-secret-key</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">SECRET</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="n">payload</span> <span class="k">except</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid token</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/secure-data</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secure_data</span><span class="p">(</span><span class="n">credentials</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="n">user</span> <span class="o">=</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Preventing Abuse with Rate Limiting </h3> <p>Even with authentication, APIs can be abused without limits.</p> <p>Rate limiting helps control traffic and prevent overload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/secure-data</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">10/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">secure_data</span><span class="p">(</span><span class="n">credentials</span><span class="o">=</span><span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Protected endpoint</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Scaling the System </h3> <p>To ensure Watchroom could handle real users, I implemented:</p> <ol> <li>Caching (Redis)</li> </ol> <ul> <li>reduced repeated database queries</li> <li>improved response times</li> </ul> <ol> <li>Background Processing</li> </ol> <p>Using Celery workers for:</p> <ul> <li>video encoding</li> <li>heavy processing tasks</li> </ul> <p>This kept the API fast and responsive.</p> <ol> <li>Horizontal Scaling</li> </ol> <p>Instead of a single server:</p> <ul> <li>multiple API instances</li> <li>behind a load balancer</li> </ul> <p>This allowed the system to scale under increasing load.</p> <h3> Real Challenges and Fixes </h3> <ol> <li>Latency Issues</li> </ol> <p>Initial responses were slow.<br> Fix: caching + query optimization</p> <ol> <li>Unauthorized Access Risks</li> </ol> <p>Users could potentially share links.<br> Fix: signed URLs with expiration</p> <ol> <li>System Overload Under Traffic</li> </ol> <p>The system failed during load testing.<br> Fix: queue-based processing + scaling</p> <h3> Production Lessons Learned </h3> <ul> <li>Never serve large files from your backend</li> <li>Always use short-lived tokens for access control</li> <li>Rate limiting is essential, not optional</li> <li>Background workers prevent system bottlenecks</li> <li>Design for scale from day one</li> </ul> <h3> Conclusion </h3> <p>Building a streaming backend is less about writing code and more about making the right architectural decisions.</p> <p>Python is fully capable of handling this when combined with:</p> <ul> <li>proper system design</li> <li>security best practices</li> <li>scalable infrastructure</li> </ul> <p>At peak testing, the system handled 8000+ concurrent users before introducing caching and background processing.</p> <p>These lessons come directly from building Watchroom, where real production constraints forced these architectural decisions.</p> <p>If you’re building a streaming platform, focus on:</p> <ul> <li>separation of concerns</li> <li>secure access patterns</li> <li>performance under real-world conditions</li> </ul> <p>That is what separates a demo system from a production-ready platform.</p> backenddevelopment security programming database