LangChain Tutorial (Python): adding authentication for intermediate developers

This tutorial shows you how to add authentication to a LangChain-powered Python app so only approved users can call your chain. You need this when your chain is exposed through an API, internal tool, or chat interface and you want to block anonymous access before any model call happens.

What You'll Need

• •Python 3.10+
• •langchain
• •langchain-openai
• •fastapi
• •uvicorn
• •python-dotenv
• •An OpenAI API key
• •A simple auth token for testing, such as a bearer token in an environment variable
• •Basic familiarity with LangChain chains and FastAPI routes

Install the packages:

pip install langchain langchain-openai fastapi uvicorn python-dotenv

Step-by-Step

1. •Start with a minimal LangChain chain. This example uses a prompt and OpenAI chat model, and it will be wrapped behind an authenticated API in the next steps.

from langchain_openai import ChatOpenAI
from langchain_core.prompts import ChatPromptTemplate

prompt = ChatPromptTemplate.from_messages(
    [
        ("system", "You are a concise assistant."),
        ("user", "{question}"),
    ]
)

llm = ChatOpenAI(model="gpt-4o-mini", temperature=0)
chain = prompt | llm

2. •Add environment-based configuration for your API key and auth token. In production, these values should come from your secret manager, not hardcoded into the app.

import os
from dotenv import load_dotenv

load_dotenv()

OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
API_AUTH_TOKEN = os.environ["API_AUTH_TOKEN"]

os.environ["OPENAI_API_KEY"] = OPENAI_API_KEY

3. •Create a FastAPI dependency that validates the caller’s bearer token before the request reaches LangChain. This keeps authentication at the edge and prevents unauthenticated traffic from consuming tokens or model time.

from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

app = FastAPI()
security = HTTPBearer()

def require_auth(
    credentials: HTTPAuthorizationCredentials = Depends(security),
) -> str:
    if credentials.scheme.lower() != "bearer":
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)

    if credentials.credentials != API_AUTH_TOKEN:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

    return credentials.credentials

4. •Expose the chain through a protected endpoint. The route accepts a question, checks auth first, then calls LangChain only after the token is validated.

from pydantic import BaseModel

class QueryRequest(BaseModel):
    question: str

@app.post("/ask")
async def ask(
    payload: QueryRequest,
    _: str = Depends(require_auth),
):
    result = await chain.ainvoke({"question": payload.question})
    return {"answer": result.content}

5. •Run the app and test both unauthorized and authorized requests. This verifies that your auth gate works before any model invocation happens.

# save as app.py, then run:
# uvicorn app:app --reload

# unauthorized example:
# curl -X POST http://127.0.0.1:8000/ask \
#   -H "Content-Type: application/json" \
#   -d '{"question":"What is LangChain?"}'
#
# authorized example:
# curl -X POST http://127.0.0.1:8000/ask \
#   -H "Content-Type: application/json" \
#   -H "Authorization: Bearer your-secret-token" \
#   -d '{"question":"What is LangChain?"}'

Testing It

First, send a request without an Authorization header. You should get a 401 Unauthorized response from FastAPI before the chain runs.

Next, send a request with the wrong bearer token. That should return 403 Forbidden, which means your app recognized the caller but did not trust them.

Finally, send a request with the correct token and confirm you get a JSON response containing answer. If you want extra confidence, add logging around require_auth() and verify no log line appears for rejected requests beyond the auth failure itself.

Next Steps

• •Replace the static bearer token with JWT validation against your identity provider.
• •Add per-user authorization rules so different users can access different chains or tools.
• •Move from route-level auth to middleware if you need consistent protection across multiple endpoints.

Keep learning

• •The complete AI Agents Roadmap — my full 8-step breakdown
• •Free: The AI Agent Starter Kit — PDF checklist + starter code
• •Work with me — I build AI for banks and insurance companies

By Cyprian Aarons, AI Consultant at Topiax.