FastAPI Production Checklist

API Shape

• Define request and response models with Pydantic.
• Version externally consumed endpoints.
• Keep route handlers thin; move domain logic into services.
• Return consistent error shapes.
• Add health and readiness endpoints.

Configuration

• Read config from environment variables or a typed settings layer.
• Never hardcode credentials, endpoints, or tokens.
• Separate local, preview, staging, and production settings.
• Validate required config at startup.

Security

• Use dependency-based authentication and authorization.
• Apply least-privilege service accounts.
• Keep secrets in a managed secret store.
• Set CORS explicitly.
• Avoid logging tokens, request bodies with sensitive data, or private user data.

Reliability

• Add timeouts to outbound calls.
• Use retries only for idempotent operations.
• Apply request size limits where appropriate.
• Move long-running work to queues or background workers.
• Use structured errors and trace IDs.

Observability

• Emit structured logs.
• Add request latency, error rate, and dependency metrics.
• Capture exceptions in a Sentry-style system.
• Add dashboard links to the runbook, not to public notes.
• Document the first three debugging queries an on-call engineer should run.

Deployment

• Use a small, reproducible Docker image.
• Run as a non-root user.
• Add CI checks for formatting, type checks, tests, and image build.
• Keep database migrations explicit.
• Verify rollback steps before the launch becomes urgent.

from fastapi import FastAPI

app = FastAPI(title="service-name")


@app.get("/healthz")
def healthz() -> dict[str, str]:
    return {"status": "ok"}