FastAPI framework, ~20 mins

Bearer token handling in FastAPI - Practice Problems & Coding Challenges

Challenge - 5 Problems

Type: component_behavior | Difficulty: intermediate
What is the output when a valid bearer token is provided?

Consider this FastAPI endpoint that requires a bearer token for access. What will be the response if the token is valid?

FastAPI
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

app = FastAPI()
security = HTTPBearer()

@app.get("/secure-data")
async def secure_data(credentials: HTTPAuthorizationCredentials = Depends(security)):
    if credentials.scheme != "Bearer" or credentials.credentials != "validtoken123":
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
    return {"message": "Access granted"}
A. {"message": "Access granted"}
B. {"detail": "Invalid token"}
C. HTTPException with status code 403
D. Empty response with status code 200
💡 Hint

Check the condition that validates the token and what the function returns if the token matches.

Type: Syntax | Difficulty: intermediate
Which option correctly extracts the bearer token from the Authorization header?

Given a FastAPI dependency to extract a bearer token, which code snippet correctly retrieves the token string?

FastAPI
from fastapi import Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

security = HTTPBearer()

def get_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    # Extract token here
    pass
A. return credentials.credentials
B. return credentials.token
C. return credentials.auth
D. return credentials.scheme
💡 Hint

Look at the attributes of HTTPAuthorizationCredentials to find the token string.

Type: Debug | Difficulty: advanced
Why does this FastAPI endpoint always raise 401 Unauthorized even with a valid token?

Review the code below. The endpoint should accept a bearer token 'secrettoken' but always returns 401 Unauthorized. What is the cause?

FastAPI
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

app = FastAPI()
security = HTTPBearer()

@app.get("/data")
async def get_data(credentials: HTTPAuthorizationCredentials = Depends(security)):
    if credentials.scheme != "Bearer" or credentials.credentials != "secrettoken":
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
    return {"data": "secret info"}
A. HTTPBearer() is not imported correctly
B. The scheme comparison is case-sensitive; 'bearer' should be 'Bearer'
C. The token string 'secrettoken' is incorrect
D. Depends() is missing in the function parameter
💡 Hint

Check the exact string used to compare the scheme in the Authorization header.

Type: state_output | Difficulty: advanced
What is the response when no Authorization header is sent?

Given this FastAPI endpoint using HTTPBearer, what response does the client receive if the Authorization header is missing?

FastAPI
from fastapi import FastAPI, Depends
from fastapi.security import HTTPBearer

app = FastAPI()
security = HTTPBearer()

@app.get("/info")
async def info(credentials = Depends(security)):
    return {"token": credentials.credentials}
A. HTTP 403 Forbidden error
B. HTTP 200 OK with token value None
C. Empty JSON response {}
D. HTTP 401 Unauthorized error
💡 Hint

Consider how HTTPBearer behaves when no Authorization header is provided.

Type: Conceptual | Difficulty: expert
Which statement best describes the role of HTTPBearer in FastAPI?

Choose the most accurate description of what HTTPBearer does in FastAPI applications.

A. It automatically authenticates the user and sets user info in the request context
B. It extracts and validates the bearer token from the Authorization header and raises 401 if missing or invalid
C. It only extracts the bearer token from the Authorization header but does not validate it
D. It encrypts the bearer token before sending it to the server
💡 Hint

Think about whether HTTPBearer checks token correctness or just extracts it.

Practice

1. What is the main purpose of using a Bearer token in FastAPI?
easy
A. To serve static files efficiently
B. To format JSON responses automatically
C. To speed up database queries
D. To securely identify and authorize API requests

Solution

  1. Step 1: Understand Bearer token role

    Bearer tokens are used to prove the client has permission to access protected routes.
  2. Step 2: Identify purpose in FastAPI

    FastAPI uses Bearer tokens to check authorization before allowing access to API endpoints.
  3. Final Answer:

    To securely identify and authorize API requests -> Option D
  4. Quick Check:

    Bearer token = Authorization [OK]
Hint: Bearer tokens are for security and access control [OK]
Common Mistakes:
  • Confusing token with response formatting
  • Thinking token speeds up database
  • Assuming token serves static files
2. Which FastAPI class is used to extract a Bearer token from the Authorization header?
easy
A. OAuth2PasswordBearer
B. HTTPBasicCredentials
C. OAuth2PasswordRequestForm
D. APIKeyHeader

Solution

  1. Step 1: Recall FastAPI token extraction classes

    OAuth2PasswordBearer is designed to read Bearer tokens from the Authorization header.
  2. Step 2: Match class to Bearer token usage

    OAuth2PasswordRequestForm is for form data, HTTPBasicCredentials is for basic auth, APIKeyHeader is for API keys, so only OAuth2PasswordBearer fits Bearer tokens.
  3. Final Answer:

    OAuth2PasswordBearer -> Option A
  4. Quick Check:

    Bearer token extractor = OAuth2PasswordBearer [OK]
Hint: Bearer token uses OAuth2PasswordBearer class [OK]
Common Mistakes:
  • Using OAuth2PasswordRequestForm for token extraction
  • Confusing basic auth with Bearer token
  • Choosing APIKeyHeader for Bearer tokens
3. Given this FastAPI dependency:
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/users/me")
async def read_users_me(token: str = Depends(oauth2_scheme)):
    return {"token": token}
What will be the output if the client sends a request with header Authorization: Bearer abc123?
medium
A. {"token": "Bearer abc123"}
B. HTTP 401 Unauthorized error
C. {"token": "abc123"}
D. {"token": null}

Solution

  1. Step 1: Understand OAuth2PasswordBearer behavior

    This class extracts only the token string after 'Bearer ' from the Authorization header.
  2. Step 2: Analyze the returned value

    The function returns a JSON with the token string, so it will return {"token": "abc123"}.
  3. Final Answer:

    {"token": "abc123"} -> Option C
  4. Quick Check:

    Bearer token string extracted = "abc123" [OK]
Hint: OAuth2PasswordBearer strips 'Bearer ' prefix automatically [OK]
Common Mistakes:
  • Expecting full 'Bearer abc123' string returned
  • Assuming 401 error without token validation
  • Thinking token is null if present
4. What is wrong with this FastAPI code snippet for Bearer token validation?
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/items/")
async def read_items(token: str = Depends(oauth2_scheme)):
    if token == None:
        raise HTTPException(status_code=401, detail="Invalid token")
    return {"token": token}
medium
A. The token check should use 'if not token' instead of 'if token == None'
B. OAuth2PasswordBearer does not extract tokens from headers
C. The route path should not end with a slash
D. HTTPException requires a status_code of 403 for invalid tokens

Solution

  1. Step 1: Check token validation logic

    OAuth2PasswordBearer returns the token string, or raises an error when the Authorization header is missing, so token is never None; it can, however, be an empty string.
  2. Step 2: Correct token presence check

    'if not token' is the safer check because it also catches an empty string, which 'token == None' does not.
  3. Final Answer:

    The token check should use 'if not token' instead of 'if token == None' -> Option A
  4. Quick Check:

    Token presence check = 'if not token' [OK]
Hint: Check token presence with 'if not token' for safety [OK]
Common Mistakes:
  • Using 'token == None' which misses empty strings
  • Thinking OAuth2PasswordBearer doesn't extract tokens
  • Confusing HTTP status codes for auth errors
5. You want to protect a FastAPI route so only requests with the exact Bearer token "secret123" are allowed. Which code snippet correctly implements this?
hard
A.
    async def protected_route(token: str = Depends(oauth2_scheme)):
        if token == None:
            return {"message": "Access granted"}
        raise HTTPException(status_code=401, detail="Unauthorized")
B.
    async def protected_route(token: str = Depends(oauth2_scheme)):
        if token != "secret123":
            raise HTTPException(status_code=401, detail="Unauthorized")
        return {"message": "Access granted"}
C.
    async def protected_route(token: str):
        if token == "secret123":
            return {"message": "Access granted"}
        raise HTTPException(status_code=403, detail="Forbidden")
D.
    async def protected_route(token: str = Depends(oauth2_scheme)):
        if token == "Bearer secret123":
            return {"message": "Access granted"}
        raise HTTPException(status_code=401, detail="Unauthorized")

Solution

  1. Step 1: Use OAuth2PasswordBearer dependency

    We must use Depends(oauth2_scheme) to extract the token from the Authorization header.
  2. Step 2: Check token value correctly

    The token string is just the token without 'Bearer ' prefix, so compare directly to "secret123" and raise 401 if not matching.
  3. Final Answer:

    async def protected_route(token: str = Depends(oauth2_scheme)):
        if token != "secret123":
            raise HTTPException(status_code=401, detail="Unauthorized")
        return {"message": "Access granted"}

    -> Option B
  4. Quick Check:

    Compare token string directly to "secret123" [OK]
Hint: Compare token string directly, no 'Bearer ' prefix included [OK]
Common Mistakes:
  • Comparing token to 'Bearer secret123' including prefix
  • Not using Depends(oauth2_scheme) to get token
  • Returning access granted when token is None