
API key authentication in FastAPI - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior (intermediate)
What is the output when a valid API key is provided?

Consider this FastAPI endpoint that requires an API key for access. What will the endpoint return if the correct API key is sent in the header?

from fastapi import FastAPI, Security, HTTPException
from fastapi.security.api_key import APIKeyHeader

app = FastAPI()
API_KEY = "secret123"
api_key_header = APIKeyHeader(name="X-API-Key")

@app.get("/secure-data")
async def secure_data(api_key: str = Security(api_key_header)):
    if api_key == API_KEY:
        return {"message": "Access granted"}
    else:
        raise HTTPException(status_code=403, detail="Invalid API Key")

A. HTTP 401 Unauthorized error
B. {"detail": "Invalid API Key"}
C. {"message": "Access granted"}
D. HTTP 404 Not Found error
💡 Hint

Think about what the function returns when the API key matches the expected value.

📝 Syntax (intermediate)
Which option causes a syntax error in API key dependency declaration?

Which of the following API key dependency declarations in FastAPI will cause a syntax error?

from fastapi.security.api_key import APIKeyHeader

# Assume API_KEY_HEADER_NAME = "X-API-Key"

A. api_key_header = APIKeyHeader(name='X-API-Key')
B. api_key_header = APIKeyHeader(name=API_KEY_HEADER_NAME)
C. api_key_header = APIKeyHeader(name="X-API-Key")
D. api_key_header = APIKeyHeader(name=)
💡 Hint

Look for incomplete or missing arguments in function calls.

State output (advanced)
What is the response status code when no API key is sent?

Given this FastAPI endpoint using APIKeyHeader, what HTTP status code will the client receive if the request omits the API key header?

from fastapi import FastAPI, Security
from fastapi.security.api_key import APIKeyHeader

app = FastAPI()
api_key_header = APIKeyHeader(name="X-API-Key")

@app.get("/data")
async def get_data(api_key: str = Security(api_key_header)):
    return {"data": "secret info"}

A. 403 Forbidden
B. 401 Unauthorized
C. 422 Unprocessable Entity
D. 200 OK
💡 Hint

Think about how FastAPI's Security dependencies behave when required headers are missing.

🔧 Debug (advanced)
Why does this FastAPI API key check always raise 403 even with correct key?

Examine the code below. Even when the correct API key is sent, the endpoint always raises a 403 error. What is the cause?

from fastapi import FastAPI, Security, HTTPException
from fastapi.security.api_key import APIKeyHeader

app = FastAPI()
API_KEY = "secret123"
api_key_header = APIKeyHeader(name="X-API-Key")

@app.get("/check")
async def check_key(api_key: str = Security(api_key_header)):
    if api_key is API_KEY:
        return {"status": "valid"}
    else:
        raise HTTPException(status_code=403, detail="Invalid API Key")

A. Using 'is' instead of '==' for string comparison causes the logic to fail.
B. APIKeyHeader does not extract the header correctly without alias.
C. The API_KEY variable is not defined properly.
D. The endpoint path is missing a leading slash.
💡 Hint

Check how string comparison works in Python.

🧠 Conceptual (expert)
Which option best describes the security risk of exposing API keys in client-side code?

Why is it a bad idea to include API keys directly in frontend JavaScript code that runs in browsers?

A. API keys in client code can be easily seen and stolen by anyone using browser developer tools.
B. API keys in client code improve security by making them harder to guess.
C. API keys in client code are encrypted by browsers, so they are safe.
D. API keys in client code automatically expire after one use, so no risk exists.
💡 Hint

Think about what users can do with browser developer tools.