FastAPI Patterns

Async Traps

• Mixing sync database drivers (psycopg2, PyMySQL) in async endpoints blocks the event loop — use async drivers (asyncpg, aiomysql) or run sync code in run_in_executor
• time.sleep() in async endpoints blocks everything — use await asyncio.sleep() instead
• CPU-bound work in async endpoints starves other requests — offload to ProcessPoolExecutor or background workers
• Async endpoints calling sync functions that do I/O still block — the entire call chain must be async

Pydantic Validation

• Default values in models become shared mutable state: items: list = [] shares the same list across requests — use Field(default_factory=list)
• Optional[str] doesn't make a field optional in the request — add = None or use Field(default=None)
• Pydantic v2 uses model_validate() not parse_obj(), and model_dump() not .dict() — v1 methods are deprecated
• Use Annotated[str, Field(min_length=1)] for reusable validated types instead of repeating constraints

Dependency Injection

• Dependencies run on every request by default — use lru_cache on expensive dependencies or cache in app.state for singletons
• Depends() without an argument reuses the type hint as the dependency — clean but can confuse readers
• Nested dependencies form a DAG — if A depends on B and C, and both B and C depend on D, D runs once (cached per-request)
• yield dependencies for cleanup (DB sessions, file handles) — code after yield runs even if the endpoint raises

Lifespan and Startup

• @app.on_event("startup") is deprecated — use lifespan async context manager
• Store shared resources (DB pool, HTTP client) in app.state during lifespan, not as global variables
• Lifespan runs once per worker process — with 4 Uvicorn workers you get 4 DB pools

from contextlib import asynccontextmanager
@asynccontextmanager
async def lifespan(app):
    app.state.db = await create_pool()
    yield
    await app.state.db.close()
app = FastAPI(lifespan=lifespan)

Request/Response

• Return dict from endpoints, not Pydantic models directly — FastAPI handles serialization and it's faster
• Use status_code=201 on POST endpoints returning created resources — 200 is the default but semantically wrong
• Response with media_type="text/plain" for non-JSON responses — returning a string still gets JSON-encoded otherwise
• Set response_model_exclude_unset=True to omit None fields from response — cleaner API output

Error Handling

• raise HTTPException(status_code=404) — don't return Response objects for errors, it bypasses middleware
• Custom exception handlers with @app.exception_handler(CustomError) — but remember they don't catch HTTPException
• Use detail= for user-facing messages, log the actual error separately — don't leak stack traces

Background Tasks

• BackgroundTasks runs after the response is sent but still in the same process — not suitable for long-running jobs
• Tasks execute sequentially in order added — don't assume parallelism
• If a background task fails, the client never knows — add your own error handling and alerting

Security

• OAuth2PasswordBearer is for documentation only — it doesn't validate tokens, you must implement that in the dependency
• CORS middleware must come after exception handlers in middleware order — or errors won't have CORS headers
• Depends(get_current_user) in path operation, not in router — dependencies on routers affect all routes including health checks

Testing

• TestClient runs sync even for async endpoints — use httpx.AsyncClient with ASGITransport for true async testing
• Override dependencies with app.dependency_overrides[get_db] = mock_db — cleaner than monkeypatching
• TestClient context manager ensures lifespan runs — without with TestClient(app) as client: startup/shutdown hooks don't fire