FastAPI Reference

FastAPI is built on Starlette (ASGI) and Pydantic, offering native async/await support for high concurrency, automatic OpenAPI (Swagger) and ReDoc documentation generated from type annotations, and request/response validation via Pydantic at zero extra cost. Flask is synchronous by default and has no built-in validation or docs. Django REST Framework has more features out of the box but is heavier and not natively async.

Depends() tells FastAPI to call the provided function and inject its return value as the parameter. For database sessions, use a generator function with yield: the code before yield runs before the route handler, the yield value is injected, and the code after yield runs as cleanup (e.g., closing the session). Dependencies can depend on other dependencies, creating a tree that FastAPI resolves automatically. Class instances work too — define __init__ parameters and FastAPI will inject them from query params.

When a FastAPI route declares a parameter with a Pydantic BaseModel type, FastAPI automatically reads the request body, parses it as JSON, validates each field against the model's type annotations and Field() constraints, and returns a 422 Unprocessable Entity error with detailed messages if validation fails. Use Field(min_length=1, max_length=100) for string constraints, Field(gt=0) for numeric ranges, and @field_validator for custom validation logic.

Install python-jose and passlib. Define an OAuth2PasswordBearer with the token URL. Create a get_current_user dependency that accepts a token string from Depends(oauth2_scheme), decodes it with jwt.decode(), and returns the user or raises HTTPException(401). Protect routes by adding Depends(get_current_user) as a parameter. Return tokens from a POST /token endpoint that verifies credentials and calls jwt.encode() with an expiry.

The response_model parameter in a route decorator specifies the Pydantic model used to serialize and filter the response, regardless of what the route function actually returns. FastAPI will serialize the return value using only the fields defined in response_model, automatically excluding internal fields like passwords or database IDs you do not want to expose. Use response_model=list[Item] to return a list, and response_model_exclude_unset=True to omit unset optional fields.

Declare a BackgroundTasks parameter in your route handler. FastAPI injects it automatically. Call bg.add_task(func, arg1, arg2) to schedule a function to run after the HTTP response is sent. The background task runs in the same process/thread pool as the server, so it is suitable for lightweight tasks like sending emails or logging. For heavy CPU-bound tasks, use Celery or a separate worker process instead.

Use the @app.websocket("/ws") decorator with a WebSocket parameter. Call await ws.accept() to complete the handshake, then use await ws.receive_text() or receive_bytes() to read messages and await ws.send_text() or send_json() to respond. Handle WebSocketDisconnect exceptions to clean up when the client disconnects. For broadcasting to multiple clients, maintain a list of active WebSocket connections.

Import CORSMiddleware from fastapi.middleware.cors and call app.add_middleware(CORSMiddleware, allow_origins=["https://yourfrontend.com"], allow_credentials=True, allow_methods=["*"], allow_headers=["*"]). Use allow_origins=["*"] only in development. For production, specify exact origins. The middleware adds Access-Control-Allow-Origin headers to responses and handles CORS preflight OPTIONS requests automatically.