Dependency Injection
FastAPI Depends composes per-request providers for settings, databases, and auth.
Recipe
Quick-reference recipe card - copy-paste ready.
from collections.abc import Generator
from fastapi import Depends, FastAPI
app = FastAPI()
def get_db() -> Generator[dict, None, None]:
db = {"items": []}
yield db
@app.get("/items")
def list_items(db: dict = Depends(get_db)):
return db["items"]When to reach for this:
- Share DB sessions
- Compose auth dependencies
- Override providers in tests
Working Example
from fastapi import Depends, FastAPI, Header, HTTPException
app = FastAPI()
def get_settings():
return {"api_key": "dev"}
def verify(x_api_key: str | None = Header(default=None), settings=Depends(get_settings)):
if x_api_key != settings["api_key"]:
raise HTTPException(401)
@app.get("/secure", dependencies=[Depends(verify)])
def secure() -> dict[str, str]:
return {"ok": "true"}What this demonstrates:
- Sub-dependencies
- Route-level dependencies
- Header-based auth gate
Deep Dive
How It Works
- Dependencies resolve once per request and cache by callable identity.
yielddependencies run teardown after the response.- Use
app.dependency_overridesin tests.
Gotchas
- Boundary validation skipped - Invalid data reaches persistence layers.. Fix: Validate with Pydantic or framework forms at the edge..
- Leaking stack traces - Clients see internal errors.. Fix: Map exceptions to stable HTTP responses..
- Blocking async event loops - Workers stall under concurrent load.. Fix: Use async drivers or threadpool wrappers..
- Secrets in source control - Credentials leak via git history.. Fix: Load secrets from env or a vault at runtime..
- Missing observability - Incidents are hard to debug.. Fix: Add structured logs, metrics, and request IDs..
Alternatives
| Alternative | Use When | Don't Use When |
|---|---|---|
| Alternate framework in this cookbook | Team standard or existing monolith | Greenfield API with different constraints |
| Managed BaaS | CRUD-only MVP | Custom auth, workflows, or compliance needs |
| gRPC | Internal high-performance RPC | Public HTTP clients and browser access |
FAQs
When should I adopt FastAPI dependency injection?
Use it when the patterns and trade-offs on this page match your API or data boundary.
What is the top production mistake with FastAPI dependency injection?
Skipping validation, timeouts, or explicit error contracts at the HTTP edge.
How do I test FastAPI dependency injection?
Use the framework test client, override dependencies, and assert status plus JSON shape.
Does FastAPI dependency injection work with Python 3.14?
Yes - examples target Python 3.14 with pinned framework versions from the stack footer.
How does FastAPI dependency injection relate to Pydantic 2?
Validate and serialize at boundaries; keep services working with typed domain objects.
Sync or async?
Prefer async routes when I/O dominates; keep CPU work small or offload to workers.
Where should business logic live?
Thin handlers; services own rules; repositories own queries.
How do I document APIs?
Publish OpenAPI or schema docs that match response models in code.
How do I handle versioning?
Explicit URL or header versioning with deprecation windows - avoid silent breaks.
What should I read next?
Follow the Related links for the next layer of depth in this section.
How do I stay secure?
Authenticate callers, authorize per resource, rate-limit, and never log secrets.
Performance first step?
Measure DB and upstream latency before swapping frameworks.
Related
- FastAPI Basics - Core routes and models
- Dependency Injection - Per-request providers
- Testing FastAPI - Test client patterns
- Deploying FastAPI - Production serving
Stack versions: This page was written for Python 3.14.0 (stable 3.14, maintenance 3.13), FastAPI 0.115+, Django 5.2, Flask 3.1, Pydantic 2, PyTorch 2.6+, pandas 2.2+, Polars 1.x, ruff 0.9+, and uv 0.6+.