
Protected routes in FastAPI - Step-by-Step Execution

Concept Flow - Protected routes
Client sends request
  -> Check for auth token
       -> token missing: Reject request
       -> token present: Validate token
            -> token invalid: Reject request
            -> token valid: Allow access -> Return protected data
The server checks whether the client request carries a valid token before allowing access to protected data.
Execution Sample
FastAPI
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer

app = FastAPI()
# Extracts the bearer token from the Authorization header; a request without
# that header is rejected with 401 before get_current_user ever runs.
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

async def get_current_user(token: str = Depends(oauth2_scheme)):
    # Teaching placeholder: a real application verifies a signed token or
    # looks it up in a store instead of comparing against a fixed string.
    if token != "validtoken":
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
    return {"user": "alice"}

@app.get("/protected")
async def protected_route(current_user: dict = Depends(get_current_user)):
    # The route body only runs once the dependency has returned a user.
    return {"message": f"Hello {current_user['user']}"}
This code protects the /protected route by requiring a valid token to access it.
Execution Table
Step | Action                                               | Token Present? | Token Valid? | Result         | Response
1    | Client requests /protected without token             | No             | N/A          | Reject request | 401 Unauthorized
2    | Client requests /protected with token='invalidtoken' | Yes            | No           | Reject request | 401 Unauthorized
3    | Client requests /protected with token='validtoken'   | Yes            | Yes          | Allow access   | {"message": "Hello alice"}
💡 Requests without a valid token are rejected with 401 Unauthorized.
Variable Tracker
Variable     | Start | Request 1 | Request 2    | Request 3
token        | None  | None      | invalidtoken | validtoken
current_user | None  | None      | None         | {"user": "alice"}
Key Moments - 3 Insights
Q: Why does the request without a token get rejected immediately?
A: Because the OAuth2PasswordBearer dependency expects a token. Without it, the route dependency fails and returns 401, as shown in Execution Table step 1.
Q: What happens if the token is present but invalid?
A: The get_current_user function raises HTTPException with status 401, rejecting the request, as seen in Execution Table step 2.
Q: How does the route know the current user?
A: The token is validated in get_current_user, which returns user info. This is passed to the route via Depends, as shown in Execution Table step 3.
Visual Quiz - 3 Questions
Test your understanding
Q1. Look at the execution table: what is the response when the token is missing?
  A) 200 OK with message
  B) 404 Not Found
  C) 401 Unauthorized
  D) 500 Internal Server Error
💡 Hint: Check Execution Table row 1 under the Response column.
Q2. At which step does the token get validated as correct?
  A) Step 3
  B) Step 2
  C) Step 1
  D) None
💡 Hint: Look at the Execution Table's Token Valid? column.
Q3. If the token was 'validtoken' but get_current_user returned None, what would happen?
  A) Route raises 401 Unauthorized
  B) Route returns 500 error
  C) Access allowed with empty user
  D) Request ignored silently
💡 Hint: get_current_user succeeds (no exception raised), passing None to the route. The route then accesses current_user['user'], causing a TypeError/KeyError, which results in 500 Internal Server Error.
Concept Snapshot
Protected routes require a valid token to access.
Use OAuth2PasswordBearer to extract token.
Validate token in a dependency function.
Raise HTTPException(401) if invalid.
Pass user info to route via Depends.
Return protected data only if authorized.
Full Transcript
Protected routes in FastAPI work by checking if the client sends a valid token with their request. The OAuth2PasswordBearer dependency extracts the token from the request. Then, a function like get_current_user validates this token. If the token is missing or invalid, the function raises an HTTPException with status 401, which stops the request and returns an unauthorized error. If the token is valid, the function returns user information, which the route uses to allow access and return protected data. This process ensures only authorized users can access certain routes.
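As an added example (not the page's own code), a framework-free Python model of the same dependency chain that replays the three Execution Table rows and hardens the two weak spots in the sample above: the fixed-string comparison becomes constant-time matching against hashed tokens, and the 401 carries a WWW-Authenticate challenge, while a None user is turned into a 401 rather than reaching the route body (the 500 case from Quiz question 3). The names TOKEN_DIGESTS, Outcome, extract_bearer, lookup_user and protected_route are assumptions; in the page's app the lookup logic would live inside get_current_user.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample store: only SHA-256 digests of issued tokens are kept, so
# a leaked store yields no usable bearer tokens. "validtoken" mirrors the page.
TOKEN_DIGESTS = {hashlib.sha256(b"validtoken").hexdigest(): {"user": "alice"}}

@dataclass
class Outcome:
    status: int                                   # HTTP status of the reply
    body: dict                                    # JSON body
    headers: dict = field(default_factory=dict)   # extra response headers

def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Model OAuth2PasswordBearer: pull <token> out of 'Bearer <token>';
    None when the header is missing, empty, or uses another scheme."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token

def lookup_user(token: str) -> Optional[dict]:
    """Hash the presented token and compare digests in constant time with no
    early exit, unlike the page's `token != "validtoken"` string compare."""
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    found = None
    for digest, user in TOKEN_DIGESTS.items():
        if hmac.compare_digest(presented, digest):
            found = user
    return found

def protected_route(authorization: Optional[str]) -> Outcome:
    """One request against /protected, replaying the execution table rows."""
    unauthorized = Outcome(401, {"detail": "Invalid token"},
                           {"WWW-Authenticate": "Bearer"})  # RFC 6750 challenge
    token = extract_bearer(authorization)
    if token is None:                    # row 1: no token -> 401
        return unauthorized
    user = lookup_user(token)
    if user is None:                     # row 2: wrong token -> 401
        return unauthorized
    # Quiz question 3: a None user is turned into a 401 here, so it can
    # never reach current_user['user'] in the route body and cause a 500.
    return Outcome(200, {"message": f"Hello {user['user']}"})  # row 3
```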