馃挱 Protect API docs behind authentication? 路 Issue #364 路 tiangol... =================================================================== !https://github.com/tiangolo/fastapi/issues/364 Date: December 12, 2023 Protect API docs behind authentication? 路 Issue #364 路 fastapi/fastapi Basic Question Does FastAPI provide a method for implementing authentication middleware or similar on the docs themselves (e.g. to protect access to /docs and /redoc)? Additional context My company... GitHub 路 github.com [1] You can protect your fastapi docs behind auth so that not only can certain roles not run certain routes, but they cannot even see the docs at all. This way no one that shouldn't be poking around can even discover routes they shouldn't be using. Here is the soluteion provided by [@kennylajara](https://github.com/kennylajara) ``` python from fastapi import FastAPI from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html from fastapi.openapi.utils import get_openapi import secrets from fastapi import Depends, FastAPI, HTTPException, status from fastapi.security import HTTPBasic, HTTPBasicCredentials app = FastAPI( title="FastAPI", version="0.1.0", docs_url=None, redoc_url=None, openapi_url = None, ) security = HTTPBasic() def get_current_username(credentials: HTTPBasicCredentials = Depends(security)): correct_username = secrets.compare_digest(credentials.username, "user") correct_password = secrets.compare_digest(credentials.password, "password") if not (correct_username and correct_password): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect email or password", headers={"WWW-Authenticate": "Basic"}, ) return credentials.username @app.get("/docs", include_in_schema=False) async def get_swagger_documentation(username: str = Depends(get_current_username)): return get_swagger_ui_html(openapi_url="/openapi.json", title="docs") @app.get("/redoc", include_in_schema=False) async def get_redoc_documentation(username: str = Depends(get_current_username)): return get_redoc_html(openapi_url="/openapi.json", title="docs") @app.get("/openapi.json", include_in_schema=False) async def openapi(username: str = Depends(get_current_username)): return get_openapi(title=app.title, version=app.version, routes=app.routes ``` !!! note This post is a thought [2]. It's a short note that I make about someone else's content online #thoughts [3] References: [1]: https://github.com/tiangolo/fastapi/issues/364 [2]: /thoughts/ [3]: /tags/thoughts/