This project is a secure FastAPI-based RESTful API that implements access and refresh token authentication using the client credentials model. It features JWT-based stateless access tokens and Redis-backed refresh tokens.
- Access token (JWT): Valid for 6 hours, stateless
- Refresh token (UUID): Valid for 24 hours, securely stored in Redis
- Client authentication: Requires a valid `client_id` and `client_secret`
- Token refresh endpoint
- Fast, extensible, and ready for production use
- FastAPI — Web framework
- Redis — Token storage and expiration
- python-jose — JWT encoding/decoding
- Uvicorn — ASGI server
Send your client_id and client_secret as form data.
```bash
curl -X POST http://localhost:8000/login \
  -F client_id=client123 \
  -F client_secret=secretABC
```
Response:
```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "c1891b5a-7e0c-4dc7-bf99-8a79e4cb2f5d"
}
```
Send the client_id and refresh_token to get a new access token.
```bash
curl -X POST http://localhost:8000/refresh \
  -F client_id=client123 \
  -F refresh_token=c1891b5a-7e0c-4dc7-bf99-8a79e4cb2f5d
```
This API uses a secure, standards-aligned method for managing user sessions through access tokens and refresh tokens. Below is a breakdown of how and why these two token types are handled differently.
| Token Type | Format | Stored in Redis | Verifiable Offline | Expiry Duration | Purpose |
|---|---|---|---|---|---|
| Access Token | JWT | No | Yes | 6 hours | Lightweight, stateless authentication |
| Refresh Token | UUID | Yes | No | 24 hours | Stateful, revocable session persistence |
- Stateless: Contains all required claims (e.g., `client_id`, `exp`) and is self-verifiable.
- No server storage: Ideal for microservices or distributed architectures.
- Short-lived: Limits damage if compromised.
- Stored in Redis: Allows easy expiration, revocation, and single-use enforcement.
- Longer lifespan: Maintains persistent sessions across access token expirations.
- Not guessable: Random UUID string ensures secure issuance.
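The refresh-token properties above (Redis-backed, TTL-bound, revocable, single-use) can be shown end to end in a few lines. This is an added example, not the project's own code: `FakeRedis` is an assumed in-memory stand-in that mirrors the redis-py calls `set(key, value, ex=...)`, `get` and `delete`, so the logic runs offline; the real service would pass a `redis.Redis` client instead.

```python
import hmac
import time
import uuid

REFRESH_TTL = 24 * 60 * 60  # refresh tokens live 24 hours, as documented above


class FakeRedis:
    """In-memory stand-in for redis.Redis (assumed; the real app talks to a Redis server).
    It mirrors the redis-py calls used below: set(key, value, ex=seconds), get, delete."""

    def __init__(self, clock=time.time):
        self._store = {}
        self._clock = clock  # injectable so a test can fast-forward past a TTL

    def set(self, key, value, ex=None):
        expires_at = None if ex is None else self._clock() + ex
        self._store[key] = (value, expires_at)

    def get(self, key):
        value, expires_at = self._store.get(key, (None, None))
        if expires_at is not None and self._clock() >= expires_at:
            self._store.pop(key, None)  # Redis would already have evicted it
            return None
        return value

    def delete(self, key):
        return 1 if self._store.pop(key, None) is not None else 0


def issue_refresh_token(r, client_id, ttl=REFRESH_TTL):
    """Mint a random UUID4 refresh token and bind it to client_id in Redis with a TTL."""
    token = str(uuid.uuid4())
    r.set(f"refresh:{token}", client_id, ex=ttl)
    return token


def rotate_refresh_token(r, client_id, token, ttl=REFRESH_TTL):
    """Single-use refresh: validate, revoke, and hand back a replacement.
    Returns the new refresh token, or None if the presented token is unknown,
    expired, or bound to a different client_id."""
    key = f"refresh:{token}"
    owner = r.get(key)
    if owner is None:
        return None
    r.delete(key)  # burn it on first presentation, whatever the outcome below
    if not hmac.compare_digest(str(owner), str(client_id)):
        return None
    return issue_refresh_token(r, client_id, ttl)
```

With a real redis-py client, `get` returns bytes unless the client is created with `decode_responses=True`, which is why the comparison coerces both sides to `str`.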