Bird
Raised Fist0
FastAPIframework~20 mins

JWT token verification in FastAPI - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
JWT Verification Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What is the output of this FastAPI JWT verification snippet?
Consider this FastAPI endpoint that verifies a JWT token passed in the Authorization header. What will be the response if the token is expired?
FastAPI
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import jwt

app = FastAPI()
security = HTTPBearer()
SECRET_KEY = "mysecret"

async def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    try:
        payload = jwt.decode(credentials.credentials, SECRET_KEY, algorithms=["HS256"])
        return payload
    except jwt.ExpiredSignatureError:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Token expired")

@app.get("/protected")
async def protected_route(payload=Depends(verify_token)):
    return {"user": payload["sub"]}
A{"detail": "Token expired"} with status 401
B{"user": "sub"} with status 200
C500 Internal Server Error
D{"detail": "Invalid token"} with status 401
Attempts:
2 left
💡 Hint
Think about what happens when jwt.decode raises ExpiredSignatureError.
📝 Syntax
intermediate
1:30remaining
Which option correctly decodes a JWT token in FastAPI?
You want to decode a JWT token string using PyJWT in FastAPI. Which code snippet correctly decodes the token with the HS256 algorithm and a secret key?
Apayload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
Bpayload = jwt.decode(token, algorithms=["HS256"], key=SECRET_KEY)
Cpayload = jwt.decode(token, SECRET_KEY)
Dpayload = jwt.decode(token, key=SECRET_KEY)
Attempts:
2 left
💡 Hint
Check the PyJWT decode function signature for required parameters.
🔧 Debug
advanced
2:30remaining
Why does this FastAPI JWT verification code raise a 500 error instead of 401?
Given this code snippet, why does the server return a 500 Internal Server Error instead of a 401 Unauthorized when the token is invalid?
FastAPI
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import jwt

app = FastAPI()
security = HTTPBearer()
SECRET_KEY = "secret"

async def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    try:
        payload = jwt.decode(credentials.credentials, SECRET_KEY, algorithms=["HS256"])
        return payload
    except jwt.InvalidTokenError:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")

@app.get("/secure")
async def secure_route(payload=Depends(verify_token)):
    return {"user": payload["sub"]}
ABecause the SECRET_KEY is incorrect, causing decode to fail silently
BBecause the HTTPBearer dependency raises an exception before verify_token runs
CBecause jwt.InvalidTokenError is not the base exception for all JWT errors, some errors are uncaught causing 500
DBecause the code does not catch jwt.ExpiredSignatureError separately, causing unhandled exceptions
Attempts:
2 left
💡 Hint
Consider which exceptions jwt.decode can raise and which are caught.
state_output
advanced
2:00remaining
What is the value of 'user' returned by this FastAPI JWT endpoint?
Given this JWT payload and FastAPI endpoint, what will be the value of 'user' in the JSON response?
FastAPI
import jwt
from fastapi import FastAPI, Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

app = FastAPI()
security = HTTPBearer()
SECRET_KEY = "key"

# JWT token payload example: {"sub": "alice", "role": "admin"}

async def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    payload = jwt.decode(credentials.credentials, SECRET_KEY, algorithms=["HS256"])
    return payload

@app.get("/user")
async def get_user(payload=Depends(verify_token)):
    return {"user": payload.get("sub", "anonymous")}
ANone
B"admin"
C"alice"
D"anonymous"
Attempts:
2 left
💡 Hint
Look at how the 'sub' field is accessed in the payload.
🧠 Conceptual
expert
3:00remaining
Which statement best explains JWT token verification in FastAPI?
Select the option that correctly describes how JWT token verification should be implemented in a FastAPI app to ensure secure access to protected routes.
ADecode the JWT token on the client side and send the decoded payload to the server to avoid server-side verification.
BUse a dependency that extracts the token from the Authorization header, decodes it with a secret key and algorithm, handles exceptions for expired or invalid tokens, and returns the payload for route use.
CStore the JWT token in a global variable and check it manually in each route handler without using dependencies.
DSkip token verification and rely on HTTPS encryption to secure the API endpoints.
Attempts:
2 left
💡 Hint
Think about best practices for secure token verification in FastAPI.

Practice

(1/5)
1. What is the main purpose of JWT token verification in a FastAPI application?
easy
A. To check if the user token is valid and trusted
B. To encrypt the user's password
C. To store user data in the database
D. To generate HTML pages dynamically

Solution

  1. Step 1: Understand JWT token role

    JWT tokens are used to prove a user's identity securely.

  2. Step 2: Identify verification purpose

    Verification checks if the token is valid and trusted before allowing access.

  3. Final Answer:

    To check if the user token is valid and trusted -> Option A

  4. Quick Check:

    JWT verification = check token validity [OK]
Hint: JWT verification means confirming token is valid [OK]
Common Mistakes:
  • Confusing verification with encryption
  • Thinking JWT stores user data permanently
  • Mixing token verification with UI rendering
2. Which FastAPI dependency is commonly used to extract and verify a JWT token from the request header?
easy
A. Depends()
B. Form()
C. RequestBody()
D. OAuth2PasswordBearer

Solution

  1. Step 1: Identify FastAPI dependency for JWT

    OAuth2PasswordBearer is designed to extract bearer tokens from headers.

  2. Step 2: Confirm usage for JWT verification

    This dependency helps get the token string to verify it in your code.

  3. Final Answer:

    OAuth2PasswordBearer -> Option D

  4. Quick Check:

    OAuth2PasswordBearer extracts JWT token [OK]
Hint: OAuth2PasswordBearer extracts token from header [OK]
Common Mistakes:
  • Using Depends() alone without OAuth2PasswordBearer
  • Confusing Form() with header token extraction
  • Using RequestBody() which reads body, not headers
3. Given this FastAPI code snippet, what will happen if the JWT token is invalid? 
async def get_current_user(token: str = Depends(oauth2_scheme)):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except JWTError:
        raise HTTPException(status_code=401, detail="Invalid token")
    return payload
medium
A. The function returns the payload even if token is invalid
B. The server crashes with an unhandled exception
C. An HTTP 401 error is raised with 'Invalid token' message
D. The token is ignored and user is treated as anonymous

Solution

  1. Step 1: Analyze try-except block

    If jwt.decode fails, it raises JWTError which is caught by except.

  2. Step 2: Check except block behavior

    It raises HTTPException with status 401 and message 'Invalid token'.

  3. Final Answer:

    An HTTP 401 error is raised with 'Invalid token' message -> Option C

  4. Quick Check:

    Invalid token triggers HTTP 401 error [OK]
Hint: Invalid JWT triggers HTTPException 401 [OK]
Common Mistakes:
  • Assuming function returns payload on invalid token
  • Thinking server crashes without handling error
  • Believing token is ignored silently
4. Identify the error in this FastAPI JWT verification code: 
from fastapi import Depends, HTTPException
from jose import jwt, JWTError

def verify_token(token: str):
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except:
        HTTPException(status_code=401, detail="Invalid token")
    return payload
medium
A. HTTPException is raised but not returned or raised properly
B. Missing import for HTTPException
C. jwt.decode is called with wrong parameters
D. The function should not return payload

Solution

  1. Step 1: Check exception handling

    HTTPException is created but not raised or returned, so error is ignored.

  2. Step 2: Correct usage of HTTPException

    Must use 'raise HTTPException(...)' to properly stop execution and send error.

  3. Final Answer:

    HTTPException is raised but not returned or raised properly -> Option A

  4. Quick Check:

    Use 'raise' keyword with HTTPException [OK]
Hint: Always 'raise' HTTPException to trigger error [OK]
Common Mistakes:
  • Forgetting 'raise' before HTTPException
  • Catching too broad exceptions without logging
  • Returning payload even on error
5. How can you protect a FastAPI route so that only requests with a valid JWT token can access it?
hard
A. Check the token manually inside the route function without dependencies
B. Use a dependency that verifies the JWT token and include it in the route
C. Add a middleware that ignores JWT tokens
D. Use a global variable to store token validity

Solution

  1. Step 1: Understand FastAPI dependencies

    Dependencies can run code before route logic and reject invalid requests.

  2. Step 2: Use dependency to verify JWT

    Including a JWT verification dependency ensures only valid tokens allow access.

  3. Final Answer:

    Use a dependency that verifies the JWT token and include it in the route -> Option B

  4. Quick Check:

    Dependency verifies JWT before route runs [OK]
Hint: Protect routes with JWT verification dependency [OK]
Common Mistakes:
  • Checking token inside route instead of dependency
  • Ignoring token verification in middleware
  • Using global variables for token state