Fastapi Tiangolo Com How To Conditional Openapi

Conditional OpenAPI

If you needed to, you could use settings and environment variables to configure OpenAPI conditionally depending
on the environment, and even disable it entirely.

About security, APIs, and docs


Hiding your documentation user interfaces in production shouldn't be the way to protect your API.

It doesn't add any extra security to your API: the path operations will still be available at the same paths.

If there's a security flaw in your code, it will still exist.

Hiding the documentation just makes it more difficult to understand how to interact with your API, and could
make it more difficult for you to debug it in production. It could be considered simply a form of
security through obscurity.

If you want to secure your API, there are several better things you can do, for example:

Make sure you have well defined Pydantic models for your request bodies and responses.

Configure any required permissions and roles using dependencies.

Never store plaintext passwords, only password hashes.

Implement and use well-known cryptographic tools, like Passlib and JWT tokens, etc.

Add more granular permission controls with OAuth2 scopes where needed.

...etc.

Nevertheless, you might have a very specific use case where you really need to disable the API docs for some
environment (e.g. for production) or depending on configurations from environment variables.

Conditional OpenAPI from settings and env vars


You can easily use the same Pydantic settings to configure your generated OpenAPI and the docs UIs.

For example:

from fastapi import FastAPI
from pydantic_settings import BaseSettings


class Settings(BaseSettings):
    # Same default FastAPI uses; read from the OPENAPI_URL environment variable if set.
    openapi_url: str = "/openapi.json"


settings = Settings()

app = FastAPI(openapi_url=settings.openapi_url)


@app.get("/")
def root():
    return {"message": "Hello World"}

Here we declare the setting openapi_url with the same default of "/openapi.json".

And then we use it when creating the FastAPI app.

Then you could disable OpenAPI (including the UI docs) by setting the environment variable OPENAPI_URL to the
empty string. FastAPI treats an empty (falsy) openapi_url the same as None: no schema route is registered, and
the /docs and /redoc UIs, which depend on it, are not registered either. For example:

$ OPENAPI_URL= uvicorn main:app

INFO: Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)

Then if you go to the URLs at /openapi.json, /docs, or /redoc you will just get a 404 Not Found error like:

{
"detail": "Not Found"
}
