A production-ready RESTful API built with Python and FastAPI, featuring JWT-based authentication, role-based access control, and PostgreSQL integration.
- JWT Authentication — Secure token-based login with access & refresh tokens
- User Registration & Login — Full auth flow with hashed passwords (bcrypt)
- Role-Based Access Control — Admin and standard user roles
- Protected Routes — Middleware-guarded endpoints
- PostgreSQL Integration — SQLAlchemy ORM with Alembic migrations
- Input Validation — Pydantic schemas for all request/response models
- Auto-generated Docs — Interactive Swagger UI at
/docs - Rate Limiting — Prevent abuse on auth endpoints
- Docker Support — Containerized for easy deployment
rest-api-auth/
├── app/
│ ├── main.py # App entry point
│ ├── config.py # Environment config
│ ├── database.py # DB connection & session
│ ├── models/
│ │ └── user.py # SQLAlchemy models
│ ├── schemas/
│ │ └── user.py # Pydantic schemas
│ ├── routers/
│ │ ├── auth.py # /auth endpoints
│ │ └── users.py # /users endpoints
│ └── utils/
│ ├── auth.py # JWT helpers
│ └── hashing.py # Password hashing
├── alembic/ # DB migrations
├── tests/ # Unit & integration tests
├── .env.example # Environment variable template
├── docker-compose.yml
├── Dockerfile
└── requirements.txt
- Python 3.11+
- PostgreSQL 15+
- (Optional) Docker & Docker Compose
git clone https://github.com/YOUR_USERNAME/rest-api-auth.git
cd rest-api-authpython -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activatepip install -r requirements.txtcp .env.example .envEdit .env with your values:
DATABASE_URL=postgresql://user:password@localhost:5432/authdb
SECRET_KEY=your-super-secret-key
ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30
REFRESH_TOKEN_EXPIRE_DAYS=7alembic upgrade headuvicorn app.main:app --reloadThe API will be running at http://localhost:8000
docker-compose up --buildThis starts both the FastAPI app and a PostgreSQL container automatically.
| Method | Endpoint | Description |
|---|---|---|
POST |
/auth/register |
Register a new user |
POST |
/auth/login |
Login and receive tokens |
POST |
/auth/refresh |
Refresh access token |
POST |
/auth/logout |
Invalidate refresh token |
| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
GET |
/users/me |
Get current user profile | ✅ |
PUT |
/users/me |
Update current user | ✅ |
GET |
/users/ |
List all users (admin only) | ✅ Admin |
DELETE |
/users/{id} |
Delete a user (admin only) | ✅ Admin |
Register a user:
curl -X POST http://localhost:8000/auth/register \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "securepassword"}'Login:
curl -X POST http://localhost:8000/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "securepassword"}'Access a protected route:
curl http://localhost:8000/users/me \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"pytest tests/ -v| Layer | Technology |
|---|---|
| Framework | FastAPI |
| Language | Python 3.11 |
| Database | PostgreSQL |
| ORM | SQLAlchemy |
| Migrations | Alembic |
| Auth | JWT (python-jose) |
| Password Hashing | bcrypt (passlib) |
| Validation | Pydantic v2 |
| Server | Uvicorn |
| Testing | Pytest |
| Containerization | Docker |
This project is licensed under the MIT License. See LICENSE for details.