FastAPI framework, ~30 mins

API key authentication in FastAPI - Mini Project: Build & Apply

API Key Authentication with FastAPI
📖 Scenario: You are building a simple web API that only allows access to users who provide a valid API key. This is like having a secret password that clients must send with their requests to use your service.
🎯 Goal: Create a FastAPI application that checks for a specific API key in the request headers and only allows access if the key is correct.
📋 What You'll Learn
Create a FastAPI app instance called app
Define a constant API key string called API_KEY with value "secret123"
Create a dependency function called verify_api_key that reads the X-API-Key header
Raise an HTTP 401 error if the API key is missing or incorrect
Create a GET endpoint /protected that uses the verify_api_key dependency
Return a JSON message {"message": "Access granted"} when the API key is valid
💡 Why This Matters
🌍 Real World
API key authentication is a simple way to secure APIs so only authorized users or applications can access them. Many public and private APIs use this method.
💼 Career
Understanding how to implement API key authentication is important for backend developers and API designers to protect services and control access.
1
Create FastAPI app and API key constant
Import FastAPI from fastapi. Create a FastAPI app instance called app. Define a constant string API_KEY with the value "secret123".
Need a hint?

Remember to import FastAPI and create the app instance first. Then define the API_KEY variable exactly as shown.

2
Create API key verification dependency
Import Header and HTTPException from fastapi. Define a function called verify_api_key that takes a parameter x_api_key from the header X-API-Key using Header(). Inside the function, raise HTTPException(status_code=401, detail="Invalid or missing API Key") if x_api_key is missing or not equal to API_KEY.
Need a hint?

Use Header() to read the X-API-Key header. Check if it matches API_KEY. Raise HTTPException with status 401 if not.

3
Create protected GET endpoint using dependency
Import Depends from fastapi. Create a GET endpoint /protected using @app.get("/protected"). Add a parameter api_key with type None and default value Depends(verify_api_key) to enforce the API key check. Return a dictionary {"message": "Access granted"} from the endpoint.
Need a hint?

Use Depends(verify_api_key) in the endpoint parameter to require the API key check before running the endpoint code.

4
Add final app run guard for local testing
Add the standard Python check if __name__ == "__main__" at the bottom. Inside it, import uvicorn and run uvicorn.run(app, host="127.0.0.1", port=8000) to start the server locally.
Need a hint?

This lets you run the FastAPI app locally by running the script directly.