OAuth2

Building a FastAPI backend that works on your local machine is one thing; building one that survives the rigors of production is quite another. Most tutorials show you how to throw everything into a single `main.py` file and call it a day. That approach is a recipe for disaster. As your codebase grows, it becomes an unmaintainable knot of logic that is nearly impossible to test or extend. To move beyond the basics, you must adopt patterns that emphasize modularity, separation of concerns, and robust infrastructure. Organize Your Project with APIRouter When you start a project, it's easy to keep every endpoint in one file. It's convenient, until it's not. Once you have items, users, and automations all fighting for space in the same script, readability vanishes. The solution is the APIRouter mechanism. Think of it as a way to create mini-applications that you later stitch together into the main app. By grouping related endpoints into separate router files, you gain immediate clarity. For instance, an `items_router` can handle everything under the `/items` prefix, while an `automations_router` handles `/automations`. This isn't just about aesthetics; it allows you to apply different middleware or dependencies to specific groups of routes without polluting the rest of your system. In your main file, you simply use `app.include_router()` to register these modules. It keeps the entry point of your application clean and focused on high-level configuration. Decouple Business Logic from Routing A common mistake in FastAPI development is writing heavy database queries or complex logic directly inside the endpoint function. This creates a tight coupling between the transport layer (HTTP) and your business logic. If you ever want to trigger those same actions from a command-line interface or a background task, you're stuck copy-pasting code. Instead, move your operations into dedicated service functions. Your endpoint should be a thin wrapper that handles the request, calls a service function, and returns a response. I recommend using Pydantic models for data validation and SQLAlchemy for database interactions, but keep them at arm's length. Your service functions should ideally accept simple Python objects or IDs and return domain models. This makes unit testing significantly easier because you can test the logic in isolation without spinning up a full uvicorn server. Adopt Infrastructure as Code Early Deployment shouldn't be an afterthought. Many developers wait until the app is "finished" to think about how it will run in the cloud, only to realize their dependencies or environment variables are a mess. I prefer a "scaffolding first" approach. Before writing the core features, set up your Docker container and a basic CI/CD pipeline. Using an Infrastructure as Code (IaC) tool like Pulumi changes the game. It allows you to define your cloud resources using Python instead of static YAML files. This is incredibly powerful for dynamic workflows. For example, if you need to run untrusted automation code, you can use Pulumi to dynamically spin up a serverless sandbox, execute the code, and destroy the environment immediately after. This level of automation ensures your production environment is reproducible and keeps your backend secure from side-effect-heavy tasks. Secure Your Endpoints with Rate Limiting Production apis face threats that local dev environments don't: abuse and brute-force attacks. While OAuth2 and API keys are vital for authentication, they don't stop a legitimate user from accidentally (or intentionally) flooding your server with thousands of requests. FastAPI doesn't include built-in rate limiting, so you need a tool like slowapi. Implementing a rate limiter allows you to set specific thresholds, such as one request per second for sensitive endpoints like item creation, while allowing higher limits for read-only operations. It typically identifies users by their IP address using a `get_remote_address` helper. Integrating this early prevents your database from being overwhelmed and ensures that your service remains available for everyone, even when one client goes rogue. Building for production is about anticipating growth and protecting your resources. By splitting your routes, isolating your logic, automating your infrastructure, and limiting access, you move from a prototype to a professional-grade backend.