Authentication Tokens and Third-Party Integration in Web Applications
Postman endpoints testing by Fiona Githaiga

Authentication is a critical component of web and API security: it establishes who a user or service is before the application decides what they are allowed to access. Common mechanisms include session-based authentication, JSON Web Tokens (JWT), OAuth-based login through third-party providers, and API keys. In this article, we look at each token type, show where each one fits, and demonstrate how to integrate third-party providers such as Google and GitHub using FastAPI.

Types of Authentication Tokens

1. Session Tokens

A session token is an opaque random identifier issued when a user logs in. The server stores the session state (which user, when it expires) keyed by that identifier, and the client presents the identifier on every request, usually in an HTTP cookie. Because all state lives on the server, a session can be revoked at any moment simply by deleting it, and the token must be unpredictable since it is the only thing standing between an attacker and the logged-in user.


Implementing Session Authentication in FastAPI

import secrets

from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse

app = FastAPI()
sessions = {}  # Temporary in-memory session storage (use Redis or a database in production)

@app.post("/login")
async def login(request: Request):
    user_id = "user123"  # In a real application, verify the submitted credentials first
    session_token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a guessable value
    sessions[session_token] = user_id
    response = JSONResponse(content={"message": "Logged in"})
    # httponly keeps the cookie away from JavaScript, secure restricts it to HTTPS,
    # and samesite="lax" stops most cross-site requests from carrying it
    response.set_cookie(key="session_token", value=session_token,
                        httponly=True, secure=True, samesite="lax")
    return response
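The following is an added example, not code from the original article: a minimal server-side session store showing the three properties a session token needs (unpredictable value, expiry, instant revocation) plus rotation on login to defeat session fixation. It is plain Python with no FastAPI dependency so it runs on its own; in the application it would replace the `sessions` dict above and back a dependency that reads the `session_token` cookie. The TTL, user IDs and fake clock are assumptions for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str
    expires_at: float


class SessionStore:
    """In-memory session store keyed by an opaque random token.

    The token carries no information; everything about the session lives
    server-side, which is what makes instant revocation possible.
    """

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._sessions = {}      # token -> Session
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be tested deterministically

    def create(self, user_id: str) -> str:
        # 32 random bytes (256 bits of entropy) from the OS CSPRNG; never a
        # counter, a username, or anything an attacker could predict.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock() + self._ttl)
        return token

    def validate(self, token: Optional[str]) -> Optional[str]:
        """Return the user_id for a live session, or None if missing or expired."""
        if not token:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[token]   # expired: drop it so the store does not grow forever
            return None
        return session.user_id

    def rotate(self, old_token: str) -> Optional[str]:
        """Issue a fresh token for the same user and invalidate the old one.

        Do this right after authentication (and on any privilege change) so a
        token an attacker planted before login (session fixation) is useless.
        """
        user_id = self.validate(old_token)
        if user_id is None:
            return None
        del self._sessions[old_token]
        return self.create(user_id)

    def revoke(self, token: str) -> bool:
        """Logout: deleting server-side state makes the cookie value worthless at once."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user_id: str) -> int:
        """After a password reset or compromise: kill every session of this user."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def session_demo() -> dict:
    """Walk through the lifecycle with a fake clock (constructed input); returns the observations."""
    now = [1_000_000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    t1 = store.create("user123")
    out = {"fresh": store.validate(t1)}
    t2 = store.rotate(t1)
    out["old_after_rotate"] = store.validate(t1)
    out["new_after_rotate"] = store.validate(t2)
    out["guess"] = store.validate("not-a-real-token")
    out["revoked_count"] = store.revoke_all_for_user("user123")
    out["after_revoke"] = store.validate(t2)
    t3 = store.create("user123")
    now[0] += 61                        # advance past the 60 s TTL
    out["after_expiry"] = store.validate(t3)
    return out


if __name__ == "__main__":
    print(session_demo())
```

Wiring this into FastAPI is a dependency that reads `request.cookies.get("session_token")`, calls `validate`, and raises a 401 on `None`; the login route calls `create` (or `rotate` if a cookie is already present) and the logout route calls `revoke`.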

2. JSON Web Tokens (JWT)

JWT is a stateless authentication mechanism: the server signs a compact, self-contained token containing claims about the user, and any service holding the verification key can check it without a database lookup. It is widely used in modern APIs and microservices. The trade-off is that a signed JWT cannot be revoked before its exp claim passes, so access tokens should be short-lived, and the verifier must pin the signing algorithm rather than trust the alg field in the token header.

Example: Generating a JWT Token in FastAPI

from datetime import datetime, timedelta, timezone
from jose import JWTError, jwt

SECRET_KEY = "your_secret_key"  # Load from an environment variable or secret store in production
ALGORITHM = "HS256"

def create_jwt_token(data: dict, expires_delta: timedelta):
    to_encode = data.copy()
    expire = datetime.now(timezone.utc) + expires_delta
    to_encode.update({"exp": expire})
    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)

def verify_jwt_token(token: str) -> dict:
    # Pin the expected algorithm so the token's own "alg" header cannot select a weaker one;
    # jose also rejects the token once "exp" has passed
    try:
        return jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
    except JWTError as exc:
        raise ValueError("Invalid or expired token") from exc

# Creating an access token
access_token = create_jwt_token({"sub": "user123"}, timedelta(minutes=60))
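To make the verification steps visible, here is an added example (not the article's code, and not a replacement for a maintained library such as python-jose) of what HS256 signing and verifying do underneath `jwt.encode` and `jwt.decode`, written with the standard library only. It also builds the two classic forgeries a verifier must reject: a re-signed payload with the wrong key and an unsigned `alg: none` token. The secret and claim values are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def hs256_encode(claims: dict, secret: bytes) -> str:
    """header.payload.signature; the signature is HMAC-SHA256 over the first two parts."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def hs256_decode(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify a token and return its claims; raise ValueError on any failure.

    The algorithm is pinned by the verifier and never read from the token, so an
    attacker cannot downgrade to "none" or swap HMAC for a public-key scheme.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims:
        raise ValueError("missing exp")           # refuse tokens that never expire
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def forge_alg_none(claims: dict) -> str:
    """Attacker attempt 1: unsigned token with alg=none and chosen claims."""
    return f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{_json_b64(claims)}."


def tamper_payload(token: str, claims: dict) -> str:
    """Attacker attempt 2: keep header and signature, swap in a new payload."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


def check(token: str, secret: bytes, now: float) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        hs256_decode(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"your_secret_key"                       # assumed demo secret
    tok = hs256_encode({"sub": "user123", "exp": 1_700_003_600}, key)
    print(check(tok, key, now=1_700_000_000))
    print(check(tok, b"wrong-key", now=1_700_000_000))
    print(check(tok, key, now=1_700_003_600))
    print(check(forge_alg_none({"sub": "admin", "exp": 9_000_000_000}), key, now=1_700_000_000))
    print(check(tamper_payload(tok, {"sub": "admin", "exp": 9_000_000_000}), key, now=1_700_000_000))
```

The order of checks is deliberate: structure, then pinned algorithm, then signature, and only then the claims. Reading `exp` or `sub` from an unverified payload is how "decode without verify" bugs turn into authentication bypasses.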

3. OAuth Tokens (Third-Party Authentication)

OAuth 2.0 is an authorization framework that lets users log in using third-party providers such as Google, GitHub, and Facebook (for "Sign in with Google", the identity layer on top of it is OpenID Connect). The flow redirects the user to the provider's authorization page; after the user consents, the provider redirects back to the application's registered callback URL with a short-lived authorization code, which the application exchanges server-to-server, together with its client secret, for an access token (and, with the openid scope, an ID token describing the user).

How to Generate OAuth Keys for Google and GitHub

Google OAuth Credentials

  1. Go to the Google Cloud Console.
  2. Create a new project or select an existing one.
  3. Navigate to APIs & Services > Credentials.
  4. Click Create Credentials > OAuth Client ID.
  5. Configure the OAuth consent screen and set the application type (Web Application).
  6. Set the Authorized Redirect URI to your callback endpoint (e.g., https://localhost:8000/auth/google/callback).
  7. Copy the Client ID and Client Secret.

GitHub OAuth Credentials

  1. Go to the GitHub Developer Settings.
  2. Click New OAuth App.
  3. Provide an application name and homepage URL.
  4. Set the Authorization Callback URL (e.g., https://localhost:8000/auth/github/callback).
  5. Click Register application and copy the Client ID and Client Secret.

Example: Google OAuth Authentication with FastAPI

import os

from fastapi import APIRouter, Request
from authlib.integrations.starlette_client import OAuth

router = APIRouter()
oauth = OAuth()
oauth.register(
    name="google",
    client_id=os.environ["GOOGLE_CLIENT_ID"],          # from the Google Cloud Console steps above
    client_secret=os.environ["GOOGLE_CLIENT_SECRET"],  # never hard-code or commit this value
    server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
    client_kwargs={"scope": "openid email profile"},
)

# Authlib keeps the OAuth "state" in request.session, so the app must install
# starlette.middleware.sessions.SessionMiddleware for these routes to work.

@router.get("/auth/google/login")
async def google_login(request: Request):
    # Must match the Authorized Redirect URI registered in the console exactly
    redirect_uri = "https://localhost:8000/auth/google/callback"
    return await oauth.google.authorize_redirect(request, redirect_uri)

@router.get("/auth/google/callback")
async def google_callback(request: Request):
    # Verifies the state parameter and exchanges the code for tokens server-to-server
    token = await oauth.google.authorize_access_token(request)
    user_info = token.get("userinfo")
    # Returning the provider access token to the browser is shown for illustration;
    # normally you would create your own session for the user and keep the token server-side
    return {"access_token": token["access_token"], "user": user_info}

4. Refresh Tokens

Refresh tokens allow clients to obtain new short-lived access tokens without the user re-entering credentials. They keep a session alive for days or weeks while the access token itself stays valid for minutes, which limits the damage if an access token leaks. Because a refresh token is a long-lived credential, it should be stored only by the client that received it, tracked or stored server-side so it can be revoked, rotated on every use, and treated as compromised if a rotated-out token is ever presented again.

Example: Refresh Token Implementation

from datetime import timedelta

def create_refresh_token(data: dict):
    # Reuses create_jwt_token from the JWT example above. The "type" claim lets
    # the verifier reject a refresh token presented where an access token is expected.
    to_encode = {**data, "type": "refresh"}
    return create_jwt_token(to_encode, expires_delta=timedelta(days=7))
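The rotation and reuse-detection behaviour described above, as an added example that is not part of the original article. It uses opaque random refresh tokens tracked in a server-side store rather than the JWT refresh token shown above, so that a presented-twice token can be recognised; each successful refresh would be accompanied by a fresh access token from `create_jwt_token`. The store layout, TTL and fake clock are assumptions for the demonstration.

```python
import secrets
import time
from typing import Optional


class RefreshTokenStore:
    """Opaque refresh tokens with rotation and reuse detection.

    Every refresh retires the presented token and issues a new one in the same
    "family" (one family per login). A retired token showing up again means two
    parties hold copies, one of them stolen, so the whole family is revoked and
    the user has to log in again.
    """

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600, clock=time.time):
        self._tokens = {}                 # token -> {"user", "family", "expires_at", "used"}
        self._revoked_families = set()
        self._ttl = ttl_seconds
        self._clock = clock               # injectable for deterministic tests

    def issue(self, user_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": user_id,
            "family": family or secrets.token_hex(8),   # new family on a fresh login
            "expires_at": self._clock() + self._ttl,
            "used": False,
        }
        return token

    def refresh(self, token: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means 'log in again'."""
        rec = self._tokens.get(token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # Reuse detected: revoke every token descended from this login,
            # which logs out the attacker and the legitimate client alike.
            self._revoked_families.add(rec["family"])
            return None
        if self._clock() >= rec["expires_at"]:
            return None
        rec["used"] = True
        return self.issue(rec["user"], rec["family"])

    def revoke_family(self, token: str) -> bool:
        """Explicit logout of one login/device."""
        rec = self._tokens.get(token)
        if rec is None:
            return False
        self._revoked_families.add(rec["family"])
        return True


def rotation_demo() -> dict:
    """Constructed scenario: an attacker replays a refresh token the client already rotated."""
    store = RefreshTokenStore(clock=lambda: 0.0)
    t1 = store.issue("user123")
    t2 = store.refresh(t1)                      # legitimate client rotates
    out = {"rotated": t2 is not None and t2 != t1}
    out["stolen_copy"] = store.refresh(t1)      # attacker replays the old token
    out["victim_next"] = store.refresh(t2)      # family revoked: victim is logged out too
    out["unknown"] = store.refresh("bogus")
    return out


if __name__ == "__main__":
    print(rotation_demo())
```

Revoking the whole family is the conservative choice: the server cannot tell which of the two presenters is the attacker, so it forces a fresh login for both rather than guess.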

5. API Keys

API keys are commonly used to authenticate machine clients of public APIs. They are sent in a request header (X-API-Key in the example below, or an Authorization header) and identify the calling application rather than an end user, so there is no session to manage. They are also long-lived, so treat them like passwords: generate them from a CSPRNG, store only a hash, compare in constant time, and make them easy to rotate and revoke.

Example: Securing an API Route with an API Key

import hmac
from typing import Optional

from fastapi import Depends, HTTPException, Header

# "app" is the FastAPI instance from the session example above
API_KEY = "your_api_key"  # Load from a secret store; never commit a real key

def verify_api_key(x_api_key: Optional[str] = Header(default=None)):
    # compare_digest runs in constant time, so the comparison does not leak how many
    # leading characters of the key were correct
    if x_api_key is None or not hmac.compare_digest(x_api_key, API_KEY):
        raise HTTPException(status_code=403, detail="Invalid API Key")

@app.get("/protected-route", dependencies=[Depends(verify_api_key)])
async def protected_route():
    return {"message": "Access granted"}
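A single hard-coded key works for a demo, but real APIs hand out many keys and must survive a database leak. The following added example (not the article's code) shows the store that would sit behind `verify_api_key`: keys of the form `<key_id>.<secret>`, only a hash of the secret kept, lookup by the public key_id, a constant-time comparison, and revocation. The key format and owner names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _digest(secret_part: str) -> bytes:
    # API keys are high-entropy random strings, so a single SHA-256 is enough;
    # slow, salted password hashes exist to resist guessing low-entropy inputs,
    # which is not the threat model here.
    return hashlib.sha256(secret_part.encode("utf-8")).digest()


class ApiKeyStore:
    """Keys look like <key_id>.<secret>; only the hash of <secret> is stored."""

    def __init__(self):
        self._records = {}   # key_id -> {"digest": bytes, "owner": str, "active": bool}

    def create(self, owner: str) -> str:
        key_id = secrets.token_hex(4)            # public part: used for lookup and safe to log
        secret_part = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[key_id] = {"digest": _digest(secret_part), "owner": owner, "active": True}
        return f"{key_id}.{secret_part}"         # shown to the owner exactly once

    def verify(self, presented: Optional[str]) -> Optional[str]:
        """Return the owner for a valid key, or None. Safe to call on any input."""
        if not presented:
            return None
        key_id, _, secret_part = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not rec["active"]:
            return None
        if not hmac.compare_digest(rec["digest"], _digest(secret_part)):   # constant-time
            return None
        return rec["owner"]

    def revoke(self, key_id: str) -> bool:
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec["active"] = False
        return True

    @staticmethod
    def key_id_of(presented: str) -> str:
        """The only part of a key that should ever appear in logs or error messages."""
        return presented.partition(".")[0]


def api_key_demo() -> dict:
    """Constructed walk-through: valid key, near-miss, malformed input, revoked key."""
    store = ApiKeyStore()
    key = store.create("billing-service")
    out = {"valid": store.verify(key)}
    flipped = key[:-1] + ("a" if key[-1] != "a" else "b")   # one character wrong
    out["wrong_secret"] = store.verify(flipped)
    out["no_separator"] = store.verify("just-some-string")
    out["missing"] = store.verify(None)
    store.revoke(store.key_id_of(key))
    out["after_revoke"] = store.verify(key)
    return out


if __name__ == "__main__":
    print(api_key_demo())
```

In the FastAPI dependency, `verify` replaces the `hmac.compare_digest(x_api_key, API_KEY)` line: a `None` result raises the 403, and the returned owner can be passed on to the route for authorization and audit logging, with only `key_id_of(x_api_key)` ever written to the log.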

Understanding Callback URLs in OAuth

A callback URL (the redirect URI) is the endpoint the OAuth provider sends the browser back to after the user logs in, carrying the authorization code and the state value the application generated when it started the flow. The provider only redirects to a URL that exactly matches one you registered, which is why the value in your code must match the console setting character for character; a loosely matched redirect URI would let an attacker receive the code instead. Your application checks the state against its session, then exchanges the code, together with its client secret, for an access token over a direct server-to-server request, so the token never passes through the browser.

Example OAuth Flow:

  1. The user clicks "Sign in with Google" → Redirects to Google.
  2. Google authenticates the user and redirects to:
  3. The application extracts the code and exchanges it for an access token.
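The three-step flow above and the Google example earlier, as an added example that is not part of the original article: the authorization-code exchange simulated end to end, with a stand-in provider in place of Google or GitHub so both sides are visible and nothing touches the network. Besides the happy path it exercises the checks a correct implementation must make: exact-match redirect URI, single-use codes, and a session-bound state parameter that stops login CSRF. The endpoint, client credentials and user names are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeProvider:
    """Stand-in for Google/GitHub: issues codes and exchanges them for tokens."""

    def __init__(self):
        self._clients = {}   # client_id -> {"secret": str, "redirect_uris": set}
        self._codes = {}     # code -> {"client_id", "redirect_uri", "sub"}

    def register_client(self, client_id: str, client_secret: str, redirect_uris) -> None:
        self._clients[client_id] = {"secret": client_secret, "redirect_uris": set(redirect_uris)}

    def authorize(self, authorize_url: str, logged_in_user: str) -> str:
        """The user has consented; return the URL the browser is redirected to."""
        q = _query(authorize_url)
        client = self._clients[q["client_id"]]
        if q["redirect_uri"] not in client["redirect_uris"]:
            # Exact string match against the registered list; prefix or pattern
            # matching is how authorization codes end up on attacker hosts.
            raise ValueError("redirect_uri not registered")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"], "sub": logged_in_user}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Back-channel exchange: the browser never sees the client secret or the token."""
        client = self._clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("bad client credentials")
        grant = self._codes.pop(code, None)   # pop: an authorization code is single-use
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid code")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer", "sub": grant["sub"]}


class OAuthClient:
    """The relying party (our app). `session` is the user's server-side session dict."""

    AUTHORIZE_ENDPOINT = "https://provider.example/authorize"   # hypothetical endpoint

    def __init__(self, provider: FakeProvider, client_id: str, client_secret: str, redirect_uri: str):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri

    def start_login(self, session: dict) -> str:
        # state: random, stored in the session, checked on return. Without it an
        # attacker can complete the flow in the victim's browser with the attacker's code.
        session["oauth_state"] = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": "openid email profile", "state": session["oauth_state"]}
        return f"{self.AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, session: dict, callback_url: str) -> dict:
        q = _query(callback_url)
        expected = session.pop("oauth_state", None)   # pop: each state is single-use too
        if expected is None or not secrets.compare_digest(expected, q.get("state", "")):
            raise ValueError("state mismatch")
        return self.provider.token(self.client_id, self.client_secret, q.get("code", ""), self.redirect_uri)


def _attempt(app: OAuthClient, session: dict, callback_url: str) -> str:
    try:
        app.handle_callback(session, callback_url)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def run_flows() -> dict:
    """Happy path plus the three rejections a correct implementation must produce (constructed scenario)."""
    cb_uri = "https://localhost:8000/auth/google/callback"
    provider = FakeProvider()
    provider.register_client("app-123", "s3cret", [cb_uri])
    app = OAuthClient(provider, "app-123", "s3cret", cb_uri)
    out = {}
    # 1. Normal login: browser -> provider -> callback -> server-side code exchange.
    session = {}
    cb = provider.authorize(app.start_login(session), logged_in_user="alice")
    out["login_sub"] = app.handle_callback(session, cb)["sub"]
    # 2. Code replay: the same callback URL presented a second time.
    out["replay"] = _attempt(app, {"oauth_state": _query(cb)["state"]}, cb)
    # 3. Login CSRF: attacker's callback URL opened in a victim's browser (different session state).
    attacker_session, victim_session = {}, {}
    attacker_cb = provider.authorize(app.start_login(attacker_session), logged_in_user="mallory")
    app.start_login(victim_session)
    out["csrf"] = _attempt(app, victim_session, attacker_cb)
    # 4. Redirect tampering: an unregistered redirect_uri is refused before any code is issued.
    evil = app.start_login({}).replace("localhost%3A8000", "attacker.example")
    try:
        provider.authorize(evil, "alice")
        out["bad_redirect"] = "accepted"
    except ValueError as exc:
        out["bad_redirect"] = str(exc)
    return out
```

Authlib performs the same state generation and comparison inside `authorize_redirect` and `authorize_access_token`, which is why those routes need `SessionMiddleware`: the state has to live somewhere the callback request can reach.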

Choosing the Right Token Type

Authentication tokens play a crucial role in securing applications, and the right choice depends on who is calling and what you need to be able to revoke. Server-side sessions suit browser applications where instant logout matters; JWTs suit APIs and service-to-service calls where stateless verification is worth the short lifetime; OAuth is the answer for third-party logins; refresh tokens keep either of the first two usable over long periods; and API keys fit machine clients of public APIs. FastAPI makes each of these straightforward to implement, but the security comes from the details: unpredictable tokens, pinned algorithms, exact redirect URIs, constant-time comparisons, and a way to revoke what you issued.

Victor Asuquo

I build real world AI Products | Machine Learning Engineer | Deep Learning | Computer Vision | NLP | Fast API | Docker | AWS | GCP | AI Software Engineer

2 weeks

Very helpful


