---
title: "💭 Protect API docs behind authentication? · Issue #364 · tiangol..."
description: "!https://github.com/tiangolo/fastapi/issues/364"
date: 2023-12-12
published: true
tags:
  - webdev
  - fastapi
  - thought
template: link
---


<div class="embed-card embed-card-external">
  <a href="https://github.com/tiangolo/fastapi/issues/364" class="embed-card-link" target="_blank" rel="noopener noreferrer">
    <div class="embed-card-image">
      <img src="https://opengraph.githubassets.com/b867fb9776e4a95c5c39ea30ce3a89c2454b35f707b592c2c087eb669b4cb40e/fastapi/fastapi/issues/364" alt="Protect API docs behind authentication? · Issue #364 · fastapi/fastapi — Basic Question Does FastAPI provide a method for implementing authentication middleware or similar on the docs themselves (e.g. to protect access to /docs and /redoc)? Additional context My company..." loading="lazy">
    </div>
    <div class="embed-card-content">
      <div class="embed-card-title">Protect API docs behind authentication? · Issue #364 · fastapi/fastapi</div>
      <div class="embed-card-description">Basic Question Does FastAPI provide a method for implementing authentication middleware or similar on the docs themselves (e.g. to protect access to /docs and /redoc)? Additional context My company...</div>
      <div class="embed-card-meta">GitHub &middot; github.com</div>
    </div>
  </a>
</div>


You can put your FastAPI docs behind auth so that users who are not allowed to call certain routes cannot even see the docs at all. That way, nobody who shouldn't be poking around can discover routes they shouldn't be using.


Here is the solution provided by [@kennylajara](https://github.com/kennylajara)

```python
import secrets

from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.openapi.docs import get_redoc_html, get_swagger_ui_html
from fastapi.openapi.utils import get_openapi
from fastapi.security import HTTPBasic, HTTPBasicCredentials

# Disable the built-in docs routes so they can be re-declared below
# with an auth dependency in front of them.
app = FastAPI(
    title="FastAPI",
    version="0.1.0",
    docs_url=None,
    redoc_url=None,
    openapi_url=None,
)

security = HTTPBasic()


def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
    # compare_digest keeps the comparison constant-time
    correct_username = secrets.compare_digest(credentials.username, "user")
    correct_password = secrets.compare_digest(credentials.password, "password")
    if not (correct_username and correct_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect email or password",
            headers={"WWW-Authenticate": "Basic"},
        )
    return credentials.username


@app.get("/docs", include_in_schema=False)
async def get_swagger_documentation(username: str = Depends(get_current_username)):
    return get_swagger_ui_html(openapi_url="/openapi.json", title="docs")


@app.get("/redoc", include_in_schema=False)
async def get_redoc_documentation(username: str = Depends(get_current_username)):
    return get_redoc_html(openapi_url="/openapi.json", title="docs")


# The schema itself must be protected too, otherwise the route list is
# still readable even when the UI pages are not.
@app.get("/openapi.json", include_in_schema=False)
async def openapi(username: str = Depends(get_current_username)):
    return get_openapi(title=app.title, version=app.version, routes=app.routes)
```

!!! note

    This post is a <a href="/thoughts/" class="wikilink" data-title="Thoughts" data-description="These are generally my thoughts on a web page or some sort of url, except a rare few don&#39;t have a link. These are dual published off of my..." data-date="2024-04-01">thought</a>. It's a short note that I make
    about someone else's content online <a href="/tags/thoughts/" class="hashtag-tag" data-tag="thoughts" data-count=2 data-reading-time=3 data-reading-time-text="3 minutes">#thoughts</a>
