In the previous article, we explored the concepts of Authentication and Authorization.
We learned that:
- Authentication answers "Who are you?"
- Authorization answers "What are you allowed to do?"
Understanding the concepts is important, but real-world applications require actual implementation.
If you've ever used Gmail, LinkedIn, GitHub, or ChatGPT, you've already used authentication systems countless times.
You enter your username and password, the application verifies your identity, and you gain access to protected resources.
But how does this actually work behind the scenes?
In this article, we'll build a complete JWT Authentication system using FastAPI.
If you haven't read the previous article, check it out first:
Why Do We Need Authentication?
Imagine building an AI-powered learning platform.
Without authentication:
- Anyone could access any user's profile
- Anyone could view another student's progress
- Anyone could modify data belonging to other users
Clearly, this is a security problem.
Applications need a way to:
- Verify user identity
- Protect sensitive resources
- Allow users to stay logged in
This is where JWT Authentication comes in.
What is JWT?
JWT stands for JSON Web Token.
A JWT is a secure token that contains information about a user.
Instead of sending a username and password with every request, the user sends a token.
Typical flow:
Register User
↓
Login
↓
Verify Credentials
↓
Generate JWT Token
↓
Access Protected Routes
Installing Required Packages
pip install python-jose passlib[bcrypt]
We'll use:
-
passlibfor password hashing -
python-josefor JWT token generation and verification
Step 1: Hashing Passwords
Storing passwords in plain text is extremely dangerous.
Never do this:
users = {
"rahul": "password123"
}
If the database is compromised, every user's password becomes visible.
Instead, we store a hashed version.
Creating a Password Hasher
from passlib.context import CryptContext
pwd_context = CryptContext(
schemes=["bcrypt"],
deprecated="auto"
)
What is CryptContext?
CryptContext manages password hashing algorithms.
In this example:
schemes=["bcrypt"]
we tell FastAPI to use the bcrypt hashing algorithm.
Hashing a Password
hashed_password = pwd_context.hash("password123")
print(hashed_password)
Output:
$2b$12$.....
Notice that the original password is no longer visible.
Verifying Passwords
When the user logs in:
pwd_context.verify(
"password123",
hashed_password
)
returns:
True
This allows us to verify passwords without storing them in plain text.
Step 2: User Registration
Let's create a simple registration endpoint.
from fastapi import FastAPI
app = FastAPI()
users = {}
@app.post("/register")
def register(username: str, password: str):
hashed_password = pwd_context.hash(password)
users[username] = hashed_password
return {"message": "User registered successfully"}
What happens here?
- User submits username and password
- Password is hashed
- Hash is stored instead of the original password
Step 3: User Login
Now let's verify credentials.
@app.post("/login")
def login(username: str, password: str):
stored_password = users.get(username)
if not stored_password:
return {"message": "User not found"}
if not pwd_context.verify(password, stored_password):
return {"message": "Invalid credentials"}
return {"message": "Login successful"}
At this point, users can log in successfully.
However, they still need to send their username and password with every request.
JWT solves this problem.
Step 4: Creating a JWT Token
from jose import jwt
from datetime import datetime, timedelta
SECRET_KEY = "mysecretkey"
ALGORITHM = "HS256"
Why do we need a secret key?
The secret key is used to sign tokens.
If someone modifies the token, the signature becomes invalid.
Generate Token Function
def create_access_token(data: dict):
to_encode = data.copy()
expire = datetime.utcnow() + timedelta(minutes=30)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(
to_encode,
SECRET_KEY,
algorithm=ALGORITHM
)
return encoded_jwt
What does this function do?
- Copies user data
- Adds an expiry time
- Creates a signed JWT token
- Returns the token
Step 5: Generate Token During Login
@app.post("/login")
def login(username: str, password: str):
stored_password = users.get(username)
if not stored_password:
return {"message": "User not found"}
if not pwd_context.verify(password, stored_password):
return {"message": "Invalid credentials"}
token = create_access_token(
{"sub": username}
)
return {
"access_token": token,
"token_type": "bearer"
}
Successful login now returns:
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer"
}
Step 6: Protected Route
Now we can protect routes.
@app.get("/profile")
def get_profile():
return {
"message": "Protected profile data"
}
Currently anyone can access it.
In production applications, FastAPI verifies the JWT token before allowing access.
We'll implement complete route protection in the next article.
For now, focus on understanding:
- Registration
- Password Hashing
- Password Verification
- JWT Generation
These form the foundation of every authentication system.
Authentication Flow Recap
Register User
↓
Hash Password
↓
Store Hash
↓
Login
↓
Verify Password
↓
Generate JWT
↓
Access Protected Routes
Final Thoughts
Today we built the core components of JWT Authentication:
- User Registration
- Password Hashing
- Password Verification
- JWT Token Generation
A user can now register, log in, and receive a signed JWT token.
However, generating a token is only half the story.
The next step is learning how to validate tokens and protect routes using FastAPI dependencies.
In the next article, we'll implement JWT-based route protection and begin exploring Role-Based Access Control (RBAC).
Top comments (0)