Tech Tutorial - February 28 2026 053007

Welcome to today’s deep‑dive tutorial! In the next few minutes you’ll learn how to spin up a production‑ready RESTful API using FastAPI, Pydantic, and Docker. We’ll walk through everything from environment setup to secure JWT authentication, and finish with a quick guide to cloud deployment. By the end, you’ll have a fully functional service you can extend for real‑world projects.

Why FastAPI Is a Game‑Changer

FastAPI has surged in popularity because it combines the speed of Node.js with the developer friendliness of Flask. Built on top of Starlette, it offers asynchronous request handling out of the box, which translates to lower latency under heavy load. Moreover, its tight integration with Pydantic means data validation and serialization are declarative and type‑safe.

Another hidden gem is its automatic OpenAPI documentation. As soon as you define an endpoint, Swagger UI and ReDoc appear without any extra configuration. This makes onboarding new team members and external partners a breeze, turning your API into a self‑documenting contract.

Setting Up the Development Environment

Before writing any code, let’s prepare a clean, reproducible workspace. Using venv isolates dependencies, while Docker guarantees the same runtime across machines.

• Install Python 3.11 or newer.
• Run python -m venv .venv && source .venv/bin/activate to create a virtual environment.
• Upgrade pip and install FastAPI and Uvicorn: pip install --upgrade pip && pip install fastapi uvicorn[standard] pydantic.
• Optionally, install black and ruff for code formatting and linting.

Once the environment is ready, create a project folder named fastapi_tutorial with the following layout:

fastapi_tutorial/
├── app/
│   ├── __init__.py
│   ├── main.py
│   ├── models.py
│   ├── schemas.py
│   └── crud.py
├── Dockerfile
├── requirements.txt
└── README.md

Defining Data Models with Pydantic

Pydantic models act as both request validators and response serializers. By declaring fields with Python type hints, you get runtime checks for free, and any validation errors are automatically turned into clear HTTP 422 responses.

Let’s model a simple Item that could represent a product in an e‑commerce catalog.

# app/schemas.py
from pydantic import BaseModel, Field
from typing import Optional

class ItemBase(BaseModel):
    name: str = Field(..., min_length=1, max_length=100, description="Human‑readable name")
    description: Optional[str] = Field(None, max_length=300)
    price: float = Field(..., gt=0, description="Price in USD")
    in_stock: bool = Field(default=True)

class ItemCreate(ItemBase):
    pass  # Inherits everything; useful for future extensions

class ItemUpdate(BaseModel):
    name: Optional[str] = None
    description: Optional[str] = None
    price: Optional[float] = None
    in_stock: Optional[bool] = None

class ItemResponse(ItemBase):
    id: int

    class Config:
        orm_mode = True

Notice the use of Field to embed validation rules and helpful metadata. The orm_mode flag tells Pydantic it can read data from ORM objects, a pattern we’ll exploit later when integrating with a database.

Implementing CRUD Endpoints

With models in place, the next step is to expose Create, Read, Update, and Delete operations. FastAPI’s routing syntax is concise, and the async nature of the handlers ensures the server can handle many simultaneous connections.

# app/main.py
from fastapi import FastAPI, HTTPException, Depends, status
from typing import List
from . import schemas, crud

app = FastAPI(title="FastAPI Tutorial API", version="0.1.0")

@app.post("/items/", response_model=schemas.ItemResponse, status_code=status.HTTP_201_CREATED)
async def create_item(item: schemas.ItemCreate):
    db_item = await crud.create_item(item)
    return db_item

@app.get("/items/", response_model=List[schemas.ItemResponse])
async def list_items(skip: int = 0, limit: int = 10):
    items = await crud.get_items(skip=skip, limit=limit)
    return items

@app.get("/items/{item_id}", response_model=schemas.ItemResponse)
async def get_item(item_id: int):
    item = await crud.get_item(item_id)
    if not item:
        raise HTTPException(status_code=404, detail="Item not found")
    return item

@app.put("/items/{item_id}", response_model=schemas.ItemResponse)
async def update_item(item_id: int, item: schemas.ItemUpdate):
    updated = await crud.update_item(item_id, item)
    if not updated:
        raise HTTPException(status_code=404, detail="Item not found")
    return updated

@app.delete("/items/{item_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_item(item_id: int):
    success = await crud.delete_item(item_id)
    if not success:
        raise HTTPException(status_code=404, detail="Item not found")
    return None

Each route delegates the heavy lifting to a crud module. This separation keeps the API layer thin and testable.

CRUD Logic with In‑Memory Store (for demo)

While production systems would use a relational database, a quick in‑memory dictionary lets us focus on the FastAPI mechanics.

# app/crud.py
from typing import List, Optional
from . import schemas

# Simulated DB
_fake_db: dict[int, schemas.ItemResponse] = {}
_next_id = 1

async def create_item(item: schemas.ItemCreate) -> schemas.ItemResponse:
    global _next_id
    db_item = schemas.ItemResponse(id=_next_id, **item.dict())
    _fake_db[_next_id] = db_item
    _next_id += 1
    return db_item

async def get_items(skip: int = 0, limit: int = 10) -> List[schemas.ItemResponse]:
    items = list(_fake_db.values())[skip : skip + limit]
    return items

async def get_item(item_id: int) -> Optional[schemas.ItemResponse]:
    return _fake_db.get(item_id)

async def update_item(item_id: int, item: schemas.ItemUpdate) -> Optional[schemas.ItemResponse]:
    stored = _fake_db.get(item_id)
    if not stored:
        return None
    updated_data = stored.dict()
    update_fields = item.dict(exclude_unset=True)
    updated_data.update(update_fields)
    updated = schemas.ItemResponse(**updated_data)
    _fake_db[item_id] = updated
    return updated

async def delete_item(item_id: int) -> bool:
    return _fake_db.pop(item_id, None) is not None

Even with this mock store, you can test the full request/response cycle using tools like httpie or the built‑in Swagger UI at /docs.

Securing the API with JWT Authentication

Public APIs are great for demos, but real applications need robust authentication. JSON Web Tokens (JWT) provide a stateless, scalable way to verify users without persisting sessions.

First, install the required library:

pip install python-jose[cryptography] passlib[bcrypt]

We’ll create a minimal user model, password hashing utilities, and token generation helpers.

# app/models.py
from pydantic import BaseModel

class User(BaseModel):
    username: str
    hashed_password: str
    disabled: bool = False

# app/auth.py
from datetime import datetime, timedelta
from typing import Optional
from jose import JWTError, jwt
from passlib.context import CryptContext

SECRET_KEY = "a_very_secret_key_change_me"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def verify_password(plain: str, hashed: str) -> bool:
    return pwd_context.verify(plain, hashed)

def get_password_hash(password: str) -> str:
    return pwd_context.hash(password)

def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
    to_encode = data.copy()
    expire = datetime.utcnow() + (expires_delta or timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES))
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)

Now, integrate the auth flow into FastAPI routes. The following snippet shows a token endpoint and a dependency that extracts the current user from the Authorization header.

# app/main.py (additions)
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from .auth import verify_password, get_password_hash, create_access_token
from .models import User

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

# In‑memory user store for demo
_fake_users = {
    "alice": User(username="alice", hashed_password=get_password_hash("wonderland")),
    "bob": User(username="bob", hashed_password=get_password_hash("builder")),
}

def authenticate_user(username: str, password: str) -> Optional[User]:
    user = _fake_users.get(username)
    if not user or not verify_password(password, user.hashed_password):
        return None
    return user

@app.post("/token")
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    user = authenticate_user(form_data.username, form_data.password)
    if not user:
        raise HTTPException(status_code=401, detail="Incorrect credentials")
    access_token = create_access_token(data={"sub": user.username})
    return {"access_token": access_token, "token_type": "bearer"}

async def get_current_user(token: str = Depends(oauth2_scheme)) -> User:
    credentials_exception = HTTPException(status_code=401, detail="Could not validate credentials")
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
    except JWTError:
        raise credentials_exception
    user = _fake_users.get(username)
    if user is None:
        raise credentials_exception
    return user

Secure the CRUD routes by adding Depends(get_current_user) to the function signatures. This forces a valid JWT before any operation proceeds.

Containerizing the Application with Docker

Docker ensures that the API runs identically on every host, from your laptop to a Kubernetes pod. We’ll create a lightweight multi‑stage build using python:3.11-slim as the base.

# Dockerfile
FROM python:3.11-slim AS builder

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.11-slim
WORKDIR /app
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY . .

EXPOSE 8000
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

Build and run the container with a single command:

docker build -t fastapi-demo . && docker run -p 8000:8000 fastapi-demo

Visit http://localhost:8000/docs to verify the API is up and Swagger UI is serving correctly inside the container.

Deploying to a Cloud Provider (AWS Elastic Beanstalk Example)

Once Dockerized, deployment becomes a matter of pushing the image to a registry and pointing your platform to it. AWS Elastic Beanstalk supports Docker out of the box, making the process painless.

1. Create an ECR repository: aws ecr create-repository --repository-name fastapi-demo.
2. Authenticate Docker to ECR: aws ecr get-login-password | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com.
3. Tag and push the image: docker tag fastapi-demo:latest <account-id>.dkr.ecr.<region>.amazonaws.com/fastapi-demo:latest && docker push <account-id>.dkr.ecr.<region>.amazonaws.com/fastapi-demo:latest.
4. In the Elastic Beanstalk console, create a new application and select “Docker” as the platform. Provide the ECR image URL.
5. Configure environment variables (e.g., SECRET_KEY) in the EB console, then launch.

After a few minutes, Elastic Beanstalk provisions an EC2 instance, attaches a load balancer, and serves your API at a public URL. The same image can be reused for Kubernetes, Azure App Service, or Google Cloud Run with minimal tweaks.

Real‑World Use Cases

E‑commerce Catalog Service: The CRUD endpoints we built map directly to product management dashboards. Coupled with JWT auth, only authorized staff can modify inventory.

IoT Device Registry: FastAPI’s async nature shines when handling thousands of telemetry uploads per second. The same pattern can be extended to ingest sensor data and store it in TimescaleDB.

Internal Microservice Gateway: By exposing a clean OpenAPI spec, other teams can consume the service without needing to understand its internal implementation, fostering a contract‑first architecture.

Pro Tip: When moving from the in‑memory store to a real database, replace the _fake_db dict with SQLAlchemy Core or ORM models. Keep the crud layer thin; each function should accept Pydantic schemas and return them, letting SQLAlchemy handle the conversion via orm_mode.

Testing the API

Automated testing guarantees that future changes won’t break existing contracts. FastAPI ships with TestClient, which runs the app in memory without a live server.

# tests/test_items.py
from fastapi.testclient import TestClient
from app.main import app

client = TestClient(app)

def test_create_item():
    response = client.post(
        "/items/",
        json={"name": "Widget", "price": 9.99},
        headers={"Authorization": "Bearer <valid_token>"},
    )
    assert response.status_code == 201
    data = response.json()
    assert data["name"] == "Widget"
    assert "id" in data

def test_get_item_not_found():
    response = client.get("/items/999")
    assert response.status_code == 404

Run the suite with pytest -q. Adding coverage tools (e.g., coverage.py) helps you spot untested branches, especially around authentication edge cases.

Performance Monitoring and Observability

FastAPI integrates seamlessly with Prometheus and OpenTelemetry. Adding a simple middleware can expose request latency, error rates, and custom business metrics.