FastAPI has become one of the most actively adopted Python web frameworks on the planet — and for good reason. It combines ASGI-native async support, automatic OpenAPI documentation, and Pydantic-powered validation into a framework that the official documentation describes as delivering developer speed increases of 200% to 300% compared to older approaches. This guide covers how FastAPI actually works from the inside, including what changed in version 0.135.1, how to structure a real project, and the patterns that separate hobby projects from production-grade APIs.
When Sebastián Ramírez released FastAPI in 2018, Python's standard approach to building web APIs was either Flask (a synchronous WSGI framework) or Django REST Framework (powerful but verbose). Neither was built natively for async Python. FastAPI changed that calculus by building on top of Starlette, a lightweight ASGI toolkit, and combining it with Pydantic for data validation. The result was a framework that could take advantage of Python's async/await syntax without requiring developers to manage event loops manually. As of March 2026, the framework has surpassed 78,000 GitHub stars and its latest release is version 0.135.1, which ships with significant performance improvements to JSON serialization.
What FastAPI Is and Where It Came From
FastAPI is a web framework specifically designed for building HTTP-based service APIs. The official documentation describes it as "fast (high-performance), web framework for building APIs with Python based on standard Python type hints." That description is more precise than it sounds. The framework does not try to be a general-purpose web framework in the way Django does — it targets API development explicitly, and every design decision flows from that constraint.
The framework rests on two dependencies. Starlette handles the HTTP request/response cycle, routing, middleware, and WebSocket support. Pydantic handles data validation, serialization, and schema generation. FastAPI sits as a layer above both, connecting type annotations on your function parameters directly to Pydantic models and Starlette routes. That connection is what makes the framework feel almost magical when you first encounter it: annotate a parameter with a type, and FastAPI handles parsing, validating, and documenting that parameter automatically.
"FastAPI has completely changed how we think about backend systems. It's not just about making development easier — it's about building systems that can keep up with the insane speed of today's digital world." — Richard Martinez, CTO at Tech Innovations, via Nucamp (February 2025)
FastAPI is fully compatible with the OpenAPI specification (previously called Swagger) and JSON Schema. Every endpoint you declare is automatically reflected in interactive documentation available at /docs (Swagger UI) and /redoc (ReDoc). This is not an add-on or plugin — it is generated live from your type annotations and has no runtime overhead beyond the initial startup scan.
As of FastAPI 0.115 and later, Python 3.8 is no longer supported. The minimum supported version is Python 3.9. Python 3.14 support was added in a recent release. If you are running an older Python version, install a pinned older FastAPI version (0.124.4 is the last release that supports Python 3.8).
The ASGI Architecture and Why It Makes FastAPI Fast
The single most important technical fact about FastAPI is that it is an ASGI application. ASGI stands for Asynchronous Server Gateway Interface, and it is the successor to the older WSGI standard. Understanding the difference matters if you want to reason about FastAPI's performance characteristics rather than just accepting benchmark numbers at face value.
WSGI, which Flask and Django use by default, is synchronous. A WSGI server handles one request at a time per worker process. If that request involves waiting — for a database query, an external HTTP call, a file read — the worker sits idle until the wait completes. To handle concurrent traffic, WSGI servers spawn many worker processes, which consumes significant memory.
ASGI is fundamentally different. An ASGI server like Uvicorn runs an event loop. When an async handler hits a wait point (declared with await), the event loop suspends that coroutine and processes other requests in the meantime. A single Uvicorn worker can handle thousands of concurrent connections because it never blocks — it just switches between coroutines whenever one is waiting on I/O.
TechEmpower benchmarks, which are widely cited in the Python community, show FastAPI processing in the range of 15,000 to 20,000 requests per second on identical hardware, compared to Flask's typical ceiling of 2,000 to 3,000. The gap is most dramatic for I/O-bound workloads: database queries, calls to external APIs, file operations. For pure CPU work with no waiting, the advantage narrows, because async concurrency does not help when a thread is actively computing rather than waiting.
FastAPI lets you define endpoints with either def or async def. Using def on a synchronous endpoint is safe — FastAPI runs it in a thread pool so it does not block the event loop. But if your handler awaits a database call or external service, use async def to get the full concurrency benefit.
The standard installation command for FastAPI now uses the [standard] extra, which pulls in Uvicorn and the FastAPI CLI together:
pip install "fastapi[standard]"The older fastapi-slim package has been deprecated as of recent releases. The project now recommends installing either fastapi or fastapi[standard] exclusively. Once installed, you can start a development server with:
fastapi dev main.pyThe fastapi dev command uses Uvicorn under the hood with hot reload enabled. For production you would use fastapi run, or run Uvicorn directly with uvicorn main:app --workers 4.
Pydantic Integration and Automatic Validation
Pydantic is the engine behind FastAPI's data validation, and understanding their relationship is essential. FastAPI requires Pydantic v2, having formally deprecated support for Pydantic v1 in recent releases (Pydantic v1 support will be removed entirely in a future FastAPI version, and the Pydantic team has already stopped supporting v1 for Python 3.14+).
A Pydantic model is a Python class that inherits from BaseModel. You declare fields as class attributes with type annotations. Pydantic enforces those types at instantiation time and raises a ValidationError if the input does not match. FastAPI connects incoming request bodies to these models automatically: declare a parameter typed as a Pydantic model, and FastAPI parses the JSON body, validates it, and hands you a fully typed Python object.
from fastapi import FastAPI
from pydantic import BaseModel, Field, EmailStr
from typing import Optional
app = FastAPI()
class UserCreate(BaseModel):
username: str = Field(..., min_length=3, max_length=50)
email: EmailStr
password: str = Field(..., min_length=8)
is_active: Optional[bool] = True
class UserResponse(BaseModel):
id: int
username: str
email: str
model_config = {"from_attributes": True}
@app.post("/users/", response_model=UserResponse, status_code=201)
async def create_user(user: UserCreate):
# In a real app, save to database here
return {"id": 1, "username": user.username, "email": user.email}Several things happen automatically in this example. FastAPI reads the UserCreate model's schema and expects an incoming JSON body matching those fields. If username is missing or shorter than three characters, FastAPI returns a structured 422 Unprocessable Entity response before your function ever runs. The response_model=UserResponse parameter tells FastAPI to filter the output through UserResponse, which means even if your internal logic produces a database object with a password field, the response will not include it. That filtering is enforced at the serialization layer automatically.
In version 0.135.1, a significant performance improvement was merged: when there is a Pydantic return type or response_model, FastAPI now serializes JSON responses using Pydantic's Rust-backed serialization. According to the official release notes, this results in a 2x or greater performance increase for JSON responses. This change required no code changes from application developers — it is a drop-in improvement that applies automatically when you use typed response models.
Also in version 0.135.1, ORJSONResponse and UJSONResponse were deprecated. These response classes used third-party JSON libraries for faster serialization, but the Pydantic-in-Rust serialization now achieves comparable or better speeds without the extra dependency. If your codebase uses either of these classes, you can safely remove them and rely on the default response serializer.
Pydantic v2 also introduces stricter validation by default. Fields annotated as int no longer silently coerce the string "5" to 5 in strict mode. For API development this is usually what you want — it catches client-side bugs early rather than silently accepting malformed data.
Dependency Injection: The System Most Developers Underuse
FastAPI's dependency injection system is one of its most powerful features and the one that is most commonly used only at a surface level. It is worth understanding in detail because it changes how you architect an entire application, not just individual endpoints.
A dependency in FastAPI is any callable that the framework can call and whose return value is passed to your endpoint function. The canonical form uses Depends():
from fastapi import FastAPI, Depends, HTTPException, status
from typing import Annotated
app = FastAPI()
# A simple dependency that could validate a token
def verify_api_key(x_api_key: str = Header(...)):
if x_api_key != "secret-key":
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Invalid API key"
)
return x_api_key
@app.get("/protected/")
async def protected_route(api_key: Annotated[str, Depends(verify_api_key)]):
return {"message": "You are authorized", "key": api_key}Dependencies can themselves declare dependencies. FastAPI resolves the entire dependency graph before calling your endpoint, and it caches each dependency's result within a single request by default. This means if two endpoints both depend on get_current_user, the user lookup only executes once per request even if other dependencies also depend on it.
The practical power of this system becomes clear when you use it for database sessions. Rather than managing connection lifecycle inside every endpoint, you declare a generator dependency:
from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine, async_sessionmaker
from fastapi import Depends
from typing import AsyncGenerator
DATABASE_URL = "postgresql+asyncpg://user:password@localhost/dbname"
engine = create_async_engine(DATABASE_URL)
AsyncSessionLocal = async_sessionmaker(engine, expire_on_commit=False)
async def get_db() -> AsyncGenerator[AsyncSession, None]:
async with AsyncSessionLocal() as session:
try:
yield session
await session.commit()
except Exception:
await session.rollback()
raise
finally:
await session.close()
@app.get("/items/{item_id}")
async def read_item(item_id: int, db: AsyncSession = Depends(get_db)):
result = await db.execute(select(Item).where(Item.id == item_id))
item = result.scalar_one_or_none()
if item is None:
raise HTTPException(status_code=404, detail="Item not found")
return itemThe generator pattern using yield is key here. Everything before the yield runs before your endpoint. Everything after yield runs as cleanup after the response is sent. FastAPI guarantees that cleanup code runs even if the endpoint raises an exception. This gives you automatic transaction management and connection pooling with no boilerplate inside your endpoint functions.
Class-based dependencies are another pattern worth knowing. When a dependency needs to be configured with parameters, using a class with __call__ lets you create parametrized dependency factories:
class PaginationParams:
def __init__(self, skip: int = 0, limit: int = Query(default=20, le=100)):
self.skip = skip
self.limit = limit
@app.get("/items/")
async def list_items(
pagination: Annotated[PaginationParams, Depends(PaginationParams)],
db: AsyncSession = Depends(get_db)
):
result = await db.execute(
select(Item).offset(pagination.skip).limit(pagination.limit)
)
return result.scalars().all()Routing, Path Parameters, and Request Bodies
FastAPI supports the full set of HTTP methods through decorators: @app.get(), @app.post(), @app.put(), @app.patch(), @app.delete(), and @app.options(). Path parameters are declared by placing them in curly braces in the path string and matching them by name to function parameters:
from fastapi import FastAPI, Path, Query
from typing import Optional
app = FastAPI()
@app.get("/users/{user_id}/posts/{post_id}")
async def get_user_post(
user_id: int = Path(..., gt=0, description="The ID of the user"),
post_id: int = Path(..., gt=0),
include_comments: Optional[bool] = Query(default=False)
):
return {
"user_id": user_id,
"post_id": post_id,
"include_comments": include_comments
}The Path() and Query() functions are not just metadata. They carry validation constraints. gt=0 means "greater than zero" and will produce a 422 response before your handler executes if a non-positive integer is passed. These constraints are also reflected in the generated OpenAPI schema, so your documentation automatically shows that user_id must be a positive integer.
For larger applications, the APIRouter class mirrors FastAPI's interface but produces a mountable router object rather than a full application. Routers can carry a prefix, tags, and default dependencies that apply to every route in the router:
# routers/users.py
from fastapi import APIRouter, Depends
from .dependencies import get_current_active_user
router = APIRouter(
prefix="/users",
tags=["users"],
dependencies=[Depends(get_current_active_user)]
)
@router.get("/me")
async def read_current_user(current_user = Depends(get_current_active_user)):
return current_user
@router.get("/{user_id}")
async def read_user(user_id: int):
return {"user_id": user_id}
# main.py
from fastapi import FastAPI
from .routers import users, items
app = FastAPI()
app.include_router(users.router)
app.include_router(items.router)Background tasks are another routing-level feature that sees heavy use. FastAPI can execute a function after returning an HTTP response, which is useful for operations like sending an email confirmation or writing to a log store:
from fastapi import BackgroundTasks
def send_welcome_email(email: str, username: str):
# This runs after the response is sent
print(f"Sending welcome email to {email} for {username}")
@app.post("/register/")
async def register_user(user: UserCreate, background_tasks: BackgroundTasks):
new_user = create_user_in_db(user)
background_tasks.add_task(send_welcome_email, user.email, user.username)
return {"message": "Registration successful"}Wikipedia's FastAPI article notes that background tasks "allow the API to immediately respond to user requests while simultaneously processing non-critical or time-consuming operations." This keeps your response times low even when the surrounding work is expensive.
Security, OAuth2, and JWT Authentication
FastAPI ships with built-in utilities for common authentication patterns. The fastapi.security module includes OAuth2PasswordBearer, OAuth2PasswordRequestForm, HTTP Basic, API key headers, and API key cookies. These are not full implementations — they are dependency-compatible extractors that parse the relevant credential from the request and hand it to your verification logic.
The typical JWT authentication pattern combines OAuth2PasswordBearer with a token verification dependency:
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from jose import JWTError, jwt
from passlib.context import CryptContext
from datetime import datetime, timedelta, timezone
from pydantic import BaseModel
SECRET_KEY = "your-secret-key-stored-in-env"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
app = FastAPI()
class Token(BaseModel):
access_token: str
token_type: str
def create_access_token(data: dict, expires_delta: timedelta | None = None):
to_encode = data.copy()
expire = datetime.now(timezone.utc) + (expires_delta or timedelta(minutes=15))
to_encode.update({"exp": expire})
return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
async def get_current_user(token: str = Depends(oauth2_scheme)):
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
except JWTError:
raise credentials_exception
return username
@app.post("/token", response_model=Token)
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
# Verify user against your database here
access_token = create_access_token(
data={"sub": form_data.username},
expires_delta=timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
)
return Token(access_token=access_token, token_type="bearer")
@app.get("/users/me")
async def read_users_me(current_user: str = Depends(get_current_user)):
return {"username": current_user}Never store SECRET_KEY or database credentials directly in source code. Use environment variables or a secrets manager. FastAPI integrates cleanly with pydantic-settings, which reads from .env files and environment variables while still giving you Pydantic's type validation on your configuration values.
CORS (Cross-Origin Resource Sharing) is handled through Starlette's CORSMiddleware, which FastAPI exposes directly via app.add_middleware(). For WebSocket support, FastAPI mirrors the familiar path decorator pattern with @app.websocket(), accepting a WebSocket object that supports await ws.receive_text() and await ws.send_text() natively.
What Changed in FastAPI 0.115 Through 0.135.1
Several significant changes have been made across the recent release series. Understanding them matters if you are upgrading an existing project or starting a new one in early 2026.
Python 3.8 dropped, Python 3.14 added. FastAPI 0.115 removed Python 3.8 from the test matrix and upgraded internal syntax to Python 3.9+. A later release added explicit support for Python 3.14 and confirmed compatibility with Pydantic 2.12.0. If you pin FastAPI in your requirements and have a Python 3.8 runtime, the package manager will refuse to install the latest version and will cap at 0.124.4.
Pydantic v1 deprecated. Mixed Pydantic v1 and v2 models in the same app are now technically supported via from pydantic.v1 import BaseModel, but this was added specifically to help remaining Pydantic v1 users migrate, not to encourage continued v1 use. The release notes state explicitly that Pydantic v1 support is deprecated and will be removed in a future version.
Rust-backed JSON serialization. When a response model or return type annotation is present, FastAPI now serializes through Pydantic's Rust implementation. The release notes describe the result as "2x (or more) performance increase for JSON responses." This applies automatically; no code changes are needed.
Content-Type enforcement added. FastAPI now checks by default that JSON requests carry a valid Content-Type header. Requests without application/json (or a compatible value) are rejected before your handler runs. If you have legacy clients that omit the header, you can disable this with strict_content_type=False on the app instance.
ORJSONResponse and UJSONResponse deprecated. These response classes, which previously offered faster serialization via third-party libraries, are now deprecated. The Pydantic-in-Rust path achieves equivalent or superior performance, making the additional dependencies unnecessary.
fastapi-slim dropped. The fastapi-slim package is no longer maintained. The project now recommends either fastapi (no optional dependencies) or fastapi[standard] (includes Uvicorn and FastAPI CLI).
Server-Sent Events and streaming documentation added. Recent releases added official documentation for Server-Sent Events (SSE), streaming responses, and JSON Lines streaming. These patterns were already possible using Starlette primitives, but they now have first-class documentation in the FastAPI docs under "Stream Data" and "Stream JSON Lines."
PEP 695 TypeAliasType support. FastAPI now correctly handles Python 3.12's new type alias syntax (type Vector = list[float]), so you can use modern Python typing features in your Pydantic models and path operation signatures without workarounds.
Structuring a Production FastAPI Project
Putting everything in main.py works for tutorials and does not work for production. The structure that most experienced teams settle on separates concerns cleanly while keeping imports straightforward:
myapi/
app/
__init__.py
main.py # FastAPI app instance, middleware, startup/shutdown
routers/
__init__.py
users.py # User endpoints
items.py # Item endpoints
schemas/
__init__.py
user.py # Pydantic request/response models
item.py
services/
__init__.py
user_service.py # Business logic
item_service.py
models/
__init__.py
user.py # SQLAlchemy ORM models
item.py
core/
__init__.py
config.py # Settings (pydantic-settings)
security.py # Auth utilities
database.py # Engine and session factory
tests/
test_users.py
test_items.py
.env
requirements.txt
pyproject.tomlThe core/config.py module uses pydantic-settings to load environment variables:
from pydantic_settings import BaseSettings
class Settings(BaseSettings):
database_url: str
secret_key: str
access_token_expire_minutes: int = 30
cors_origins: list[str] = ["http://localhost:3000"]
model_config = {"env_file": ".env"}
settings = Settings()For testing, FastAPI provides TestClient (a synchronous test client built on HTTPX) and supports async test clients for fully async test suites. Dependency overrides are the recommended way to swap real dependencies for test stubs:
from fastapi.testclient import TestClient
from app.main import app
from app.core.database import get_db
def override_get_db():
# Return a test database session
yield test_db_session
app.dependency_overrides[get_db] = override_get_db
client = TestClient(app)
def test_read_item():
response = client.get("/items/1")
assert response.status_code == 200
assert response.json()["id"] == 1Lifespan events (startup and shutdown logic) are handled in modern FastAPI via the lifespan parameter, which accepts an async context manager:
from contextlib import asynccontextmanager
from fastapi import FastAPI
@asynccontextmanager
async def lifespan(app: FastAPI):
# Startup: initialize database connection pool, load ML model, etc.
await startup_database()
yield
# Shutdown: close connections cleanly
await shutdown_database()
app = FastAPI(lifespan=lifespan)The older @app.on_event("startup") decorator still works but is considered legacy. The lifespan approach is cleaner because it makes the relationship between startup and shutdown logic explicit and avoids the ambiguity of scattered event handlers.
FastAPI Cloud, the managed deployment platform built and operated by the FastAPI team, entered general availability in late 2025. It supports fastapi deploy as a single CLI command that packages and deploys your application to a managed environment. If you are prototyping or need a fast path to deployment without configuring infrastructure, it is worth evaluating alongside container-based deployments on platforms like Fly.io, Railway, or Cloud Run.
Key Takeaways
- ASGI is the foundation of FastAPI's performance advantage. The framework's ability to handle thousands of concurrent connections without blocking comes from Uvicorn's event loop, not from FastAPI itself. If your endpoint uses synchronous blocking code (like a non-async database driver), you do not get the concurrency benefit. Use async-compatible libraries (asyncpg, aiohttp, motor) throughout your stack.
- Pydantic v2 is now mandatory, and its Rust-backed serialization doubles JSON response throughput. If you are migrating from an older project that used Pydantic v1 or ORJSONResponse, update your models to use Pydantic v2's
model_configsyntax and remove the deprecated response classes. The performance improvement is automatic once you use typed response models. - The dependency injection system is not just for database sessions. Use it for configuration, authentication, pagination, rate limiting, logging context, and any resource that needs cleanup after the request completes. Generator dependencies with
yieldguarantee cleanup even in the presence of exceptions. - Structure your project from day one with separate routers, schemas, services, and models. FastAPI's
APIRoutermakes this easy, and the separation between Pydantic schemas and SQLAlchemy ORM models is not boilerplate — it is what lets you control exactly what data leaves your API and prevents accidental exposure of internal fields. - Use
lifespanfor startup and shutdown logic, anddependency_overridesfor testing. Both patterns are idiomatic in modern FastAPI and produce cleaner, more testable code than the olderon_eventapproach or monkeypatching dependencies.
FastAPI occupies a position in the Python ecosystem that is difficult to argue against for new API projects in 2026. Its reliance on standard Python type hints means the same annotations that drive validation also drive editor autocomplete, the OpenAPI schema, and Pydantic serialization. There is no parallel configuration to maintain. The performance ceiling is high enough to match Node.js and Go for most I/O-bound workloads, and the developer ergonomics are exceptional. The combination of Pydantic v2 validation, Rust-backed JSON serialization, a mature dependency injection system, and automatic interactive documentation makes it the clearest choice for building Python APIs today — whether that is a three-endpoint internal tool or a multi-service production platform handling millions of requests per day.
Sources: FastAPI Official Release Notes; FastAPI on PyPI; FastAPI, Wikipedia; FastAPI Official Documentation; TechEmpower Framework Benchmarks (via Strapi.io, November 2025).