Intermediate

Session cookies work fine for traditional web apps, but modern REST APIs and microservices need a stateless authentication mechanism — one where the server does not store session state and any service in the cluster can verify a token independently. JSON Web Tokens (JWTs) are the standard answer. A JWT is a base64-encoded JSON payload with a cryptographic signature that any server can verify without hitting a database.

The PyJWT library is the most widely used Python implementation of the JWT standard (RFC 7519). It is used internally by AWS SDK, GitHub Actions, and dozens of popular frameworks. In this article you will learm to create signed tokens with HS256 and RS256, validate claims like expiry and audience, implement refresh token rotation, and wire JWTs into a FastAPI dependency.

PyJWT Quick Example: Issue and Verify in 10 Lines

# quick_jwt.py
import jwt, datetime

SECRET = "my-256-bit-secret"
payload = {
    "sub": "user_42",
    "exp": datetime.datetime.now(datetime.UTC) + datetime.timedelta(hours=1)
}

token = jwt.encode(payload, SECRET, algorithm="HS256")
print(f"Token: {token[:50]}...")

decoded = jwt.decode(token, SECRET, algorithms=["HS256"])
print(f"Subject: {decoded['sub']}")

Output:
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIi...
Subject: user_42

Installing PyJWT

pip install PyJWT

# For RSA/EC algorithm support, install the cryptography extra:
pip install "PyJWT[cryptography]"

python -c "import jwt; print(jwt.__version__)"

Output:
2.8.0

Standard Claims and Expiry

JWTs have registered claim names defined by RFC 7519. PyJWT validates them automatically during decoding:

# jwt_claims.py
import jwt, datetime

SECRET = "production-secret-min-32-chars-long"

def create_access_token(user_id: str, roles: list) -> str:
    now = datetime.datetime.now(datetime.UTC)
    payload = {
        # Registered claims (RFC 7519)
        "iss": "https://api.myapp.com",     # Issuer
        "sub": user_id,                      # Subject (user identifier)
        "aud": "myapp-frontend",             # Audience
        "exp": now + datetime.timedelta(minutes=15),  # Expiry
        "iat": now,                          # Issued At
        "jti": f"{user_id}-{now.timestamp()}",  # JWT ID (unique per token)
        # Custom claims
        "roles": roles,
        "tier": "premium"
    }
    return jwt.encode(payload, SECRET, algorithm="HS256")

def verify_access_token(token: str) -> dict:
    return jwt.decode(
        token,
        SECRET,
        algorithms=["HS256"],
        audience="myapp-frontend",           # Must match aud claim
        options={"require": ["exp", "iat", "sub", "iss"]}
    )

token = create_access_token("user_42", ["read", "write"])
claims = verify_access_token(token)
print(f"User: {claims['sub']}, Roles: {claims['roles']}, Tier: {claims['tier']}")

# Test expiry
import time
expired_payload = {
    "sub": "user_1",
    "exp": datetime.datetime.now(datetime.UTC) - datetime.timedelta(seconds=1)
}
expired_token = jwt.encode(expired_payload, SECRET, algorithm="HS256")
try:
    jwt.decode(expired_token, SECRET, algorithms=["HS256"])
except jwt.ExpiredSignatureError as e:
    print(f"Rejected: {e}")

Output:
User: user_42, Roles: ['read', 'write'], Tier: premium
Rejected: Signature has expired.

RS256: Asymmetric JWT for Microservices

In a microservice architecture, each service needs to verify tokens independently without sharing a secret. RS256 lets a central auth service sign with its private key, and all other services verify with the public key:

# rs256_jwt.py
import jwt
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import datetime

# Generate RSA key pair (in production: load from file/secret manager)
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()

# Auth service: sign with private key
payload = {
    "sub": "service_account_7",
    "scope": "billing:read orders:write",
    "exp": datetime.datetime.now(datetime.UTC) + datetime.timedelta(hours=1),
    "iss": "https://auth.myapp.com"
}
token = jwt.encode(payload, private_key, algorithm="RS256")
print(f"RS256 token length: {len(token)} chars")

# Any microservice: verify with public key only (no private key needed)
decoded = jwt.decode(
    token,
    public_key,
    algorithms=["RS256"],
    options={"verify_aud": False}
)
print(f"Verified service: {decoded['sub']}, scope: {decoded['scope']}")

# Serialize public key to PEM for distribution
pem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)
# Load back from PEM and verify again
loaded_pubkey = serialization.load_pem_public_key(pem)
decoded2 = jwt.decode(token, loaded_pubkey, algorithms=["RS256"], options={"verify_aud": False})
print(f"PEM round-trip OK: {decoded2['sub']}")

Output:
RS256 token length: 472 chars
Verified service: service_account_7, scope: billing:read orders:write
PEM round-trip OK: service_account_7

Access and Refresh Token Pattern

Short-lived access tokens (15 minutes) with long-lived refresh tokens (7 days) are the standard pattern for secure stateless authentication:

# token_pair.py
import jwt, datetime, secrets

SECRET = "your-secret-key-min-32-chars"
REFRESH_SECRET = "different-refresh-secret-min-32-chars"

def issue_token_pair(user_id: str) -> dict:
    now = datetime.datetime.now(datetime.UTC)
    access_token = jwt.encode({
        "sub": user_id,
        "type": "access",
        "exp": now + datetime.timedelta(minutes=15),
        "iat": now
    }, SECRET, algorithm="HS256")

    refresh_token = jwt.encode({
        "sub": user_id,
        "type": "refresh",
        "jti": secrets.token_hex(16),  # Unique ID for revocation
        "exp": now + datetime.timedelta(days=7),
        "iat": now
    }, REFRESH_SECRET, algorithm="HS256")

    return {"access_token": access_token, "refresh_token": refresh_token}

def refresh_access_token(refresh_token: str) -> str:
    payload = jwt.decode(refresh_token, REFRESH_SECRET, algorithms=["HS256"])
    if payload.get("type") != "refresh":
        raise ValueError("Not a refresh token")
    # In production: check jti against a revocation list in Redis
    now = datetime.datetime.now(datetime.UTC)
    return jwt.encode({
        "sub": payload["sub"],
        "type": "access",
        "exp": now + datetime.timedelta(minutes=15),
        "iat": now
    }, SECRET, algorithm="HS256")

tokens = issue_token_pair("user_42")
print(f"Access token (first 40 chars): {tokens['access_token'][:40]}...")

new_access = refresh_access_token(tokens["refresh_token"])
decoded = jwt.decode(new_access, SECRET, algorithms=["HS256"])
print(f"Refreshed token for: {decoded['sub']}, expires in 15 min")

Output:
Access token (first 40 chars): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIi...
Refreshed token for: user_42, expires in 15 min

Frequently Asked Questions

How long should my HS256 secret be?

At least 32 characters (256 bits) for HS256, and 64 characters for HS512. Use secrets.token_hex(32) to generate a cryptographically random 64-character hex secret. Short or dictionary-word secrets are vulnerable to offline brute-force attacks — an attacker who captures a token can try millions of secrets per second without hitting your server.

Where should I store JWTs on the client side?

For browser apps, httpOnly cookies are more secure than localStorage because JavaScript cannot read httpOnly cookies, preventing XSS attacks from stealing tokens. For mobile apps and server-to-server calls, storing in memory or secure device storage is fine. Never store tokens in localStorage if the site runs any third-party JavaScript. For refresh tokens specifically, httpOnly + Secure + SameSite=Strict cookies are the recommended pattern.

How do I revoke a JWT before it expires?

JWTs are stateless by design — the server does not store them, so you cannot “delete” one. The standard approaches are: keep access tokens very short-lived (15 minutes or less) so revocation is rarely needed; maintain a Redis blocklist of revoked jti values checked on each request; or use opaque tokens for security-critical resources and only use JWTs for low-risk claims. The blocklist approach reintroduces some statefulness but is still much lighter than full session storage.

What is the “none” algorithm attack?

Early JWT libraries accepted tokens with "alg": "none" — meaning no signature — allowing attackers to forge any payload. PyJWT is safe by default: you must explicitly list allowed algorithms in jwt.decode(), and none is never allowed unless you pass algorithms=["none"] explicitly. Always pass the algorithms parameter and never include "none" in it. Similarly, never pass the encoded token’s header algorithm as the allowed algorithm — always hardcode the expected algorithm on the server.

How do I use PyJWT with FastAPI?

Create a dependency that reads the Authorization: Bearer <token> header, calls jwt.decode(), and either returns the claims dict or raises HTTPException(401) on failure. Use Depends(verify_token) in any route that requires authentication. FastAPI’s dependency injection system handles the rest — the dependency runs before the route handler, and any exception it raises short-circuits the request.

Conclusion

PyJWT makes stateless authentication straightforward in Python. For single-service APIs, HS256 with a 32+ character secret and 15-minute expiry is simple and secure. For microservices where multiple independent services need to verify tokens, RS256 lets you distribute the public key freely while keeping the signing key private. In both cases, always specify algorithms explicitly in jwt.decode(), always validate exp and iss, and use short-lived access tokens with refresh token rotation for production systems. The jti claim combined with a Redis blocklist gives you revocation capability when you need it without abandoning the stateless model entirely.

Related Articles

• How To Use Python cryptography for Encryption and Decryption
• How To Use Python FastAPI to Build a REST API
• How To Use Python secrets for Secure Random Generation

Intermediate

Storing passwords in plaintext, sending API keys over unencrypted channels, or using home-grown XOR “encryption” are among the most common causes of data breaches. The Python cryptography library exists precisely to make doing the right thing easy. Built on top of OpenSSL and maintained by the Python Cryptographic Authority (PyCA), it provides both a high-level “recipes” layer for common tasks and a low-level “hazmat” layer for specialists who need direct cipher access.

This article focuses on the recipes layer, which handles all the hard parts — key generation, IV selection, authentication tags — so you can encrypt and decrypt data correctly without a PhD in applied cryptography. We will cover Fernet symmetric encryption for simplicity, AES-GCM for performance-critical authenticated encryption, and RSA asymmetric encryption for key exchange and digital signatures.

Cryptography Quick Example: Fernet in 10 Lines

# quick_fernet.py
from cryptography.fernet import Fernet

key = Fernet.generate_key()          # 32-byte URL-safe base64 key
f = Fernet(key)

plaintext = b"Secret API credentials: sk-abc123"
token = f.encrypt(plaintext)
print(f"Encrypted: {token[:40]}...")

decrypted = f.decrypt(token)
print(f"Decrypted: {decrypted.decode()}")

Output:
Encrypted: gAAAAABl8x2...
Decrypted: Secret API credentials: sk-abc123

Fernet uses AES-128-CBC + HMAC-SHA256 under the hood and always produces authenticated ciphertext — if anyone tampers with the token, decryption raises InvalidToken rather than silently returning garbage.

Installing the cryptography Library

pip install cryptography

python -c "import cryptography; print(cryptography.__version__)"

Output:
42.0.5

Fernet: Symmetric Encryption Made Simple

Fernet is the right choice when both the encryptor and decryptor share a secret key — encrypting files at rest, protecting database fields, or securing configuration secrets.

# fernet_demo.py
from cryptography.fernet import Fernet, MultiFernet
import os, base64

# --- Key generation and storage ---
key = Fernet.generate_key()
print(f"Key (store this securely): {key.decode()}")

# Save key to file (in production: use a secret manager)
with open('/tmp/fernet.key', 'wb') as kf:
    kf.write(key)

# Load key from file
with open('/tmp/fernet.key', 'rb') as kf:
    loaded_key = kf.read()

f = Fernet(loaded_key)

# --- Encrypt and decrypt ---
data = b"Database password: s3cret_p@ssw0rd"
token = f.encrypt(data)
print(f"Token length: {len(token)} bytes")

recovered = f.decrypt(token)
assert recovered == data
print(f"Round-trip OK: {recovered.decode()}")

# --- TTL: token expires after N seconds ---
import time
short_lived = f.encrypt_at_time(b"Temporary token", int(time.time()))
try:
    f.decrypt_at_time(short_lived, ttl=1, current_time=int(time.time()) + 5)
except Exception as e:
    print(f"Expired token: {type(e).__name__}")

# --- Key rotation with MultiFernet ---
old_key = Fernet.generate_key()
new_key = Fernet.generate_key()
mf = MultiFernet([Fernet(new_key), Fernet(old_key)])

old_token = Fernet(old_key).encrypt(b"Encrypted with old key")
rotated = mf.rotate(old_token)     # re-encrypts with new_key
print(f"Rotation OK: {mf.decrypt(rotated)}")

Output:
Key (store this securely): bXluWHh4...
Token length: 120 bytes
Round-trip OK: Database password: s3cret_p@ssw0rd
Expired token: InvalidSignature
Rotation OK: b'Encrypted with old key'

AES-GCM: Authenticated Encryption for Performance

When you need more control — streaming large files, custom nonce sizes, or AEAD with associated data — use AES-256-GCM from the hazmat layer directly:

# aes_gcm_demo.py
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Generate a 256-bit key
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)

# Nonce MUST be unique per encryption — never reuse with the same key
nonce = os.urandom(12)   # 96-bit nonce is standard for GCM

plaintext = b"Sensitive medical record #12345"
aad = b"patient_id:12345"  # Additional Authenticated Data (not encrypted, but authenticated)

ciphertext = aesgcm.encrypt(nonce, plaintext, aad)
print(f"Ciphertext+tag length: {len(ciphertext)} bytes (plaintext was {len(plaintext)})")

# Decrypt — must provide same nonce and aad
recovered = aesgcm.decrypt(nonce, ciphertext, aad)
print(f"Decrypted: {recovered.decode()}")

# Tamper test: modifying ciphertext raises InvalidTag
import copy
tampered = bytearray(ciphertext)
tampered[0] ^= 0xFF
try:
    aesgcm.decrypt(nonce, bytes(tampered), aad)
except Exception as e:
    print(f"Tamper detected: {type(e).__name__}")

Output:
Ciphertext+tag length: 47 bytes (plaintext was 31)
Decrypted: Sensitive medical record #12345
Tamper detected: InvalidTag

The 16-byte difference between plaintext and ciphertext length is the GCM authentication tag. AES-GCM is significantly faster than AES-CBC because it can be parallelised and is hardware-accelerated on any modern CPU with AES-NI instructions.

RSA Asymmetric Encryption and Signatures

RSA solves the key distribution problem: the public key can be shared freely, and only the private key holder can decrypt or sign:

# rsa_demo.py
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes, serialization

# --- Key generation ---
private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048
)
public_key = private_key.public_key()

# --- Serialize keys to PEM ---
pem_private = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase")
)
pem_public = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

# --- Encrypt with public key, decrypt with private key ---
message = b"Symmetric key: " + b"\x8f\xa2" * 16  # e.g. an AES key
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)
print(f"RSA ciphertext length: {len(ciphertext)} bytes")

decrypted = private_key.decrypt(
    ciphertext,
    padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                 algorithm=hashes.SHA256(), label=None)
)
assert decrypted == message
print("RSA encrypt/decrypt: OK")

# --- Sign with private key, verify with public key ---
document = b"Invoice #1234: $5000 due 2026-06-01"
signature = private_key.sign(
    document,
    padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                salt_length=padding.PSS.MAX_LENGTH),
    hashes.SHA256()
)
print(f"Signature length: {len(signature)} bytes")

public_key.verify(
    signature, document,
    padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                salt_length=padding.PSS.MAX_LENGTH),
    hashes.SHA256()
)
print("Signature verified: OK")

Output:
RSA ciphertext length: 256 bytes
RSA encrypt/decrypt: OK
Signature length: 256 bytes
Signature verified: OK

Frequently Asked Questions

When should I use Fernet vs AES-GCM directly?

Use Fernet for most application-level encryption — it handles nonce generation, key derivation format, and authentication automatically, and its base64 output is easy to store in databases or environment variables. Use AES-GCM directly when you need to stream large files without loading them entirely into memory, when you need to integrate with a specific wire protocol that expects raw bytes, or when you need custom AEAD associated data patterns. Both use authenticated encryption and are equally secure in terms of the underlying algorithms.

Should I use cryptography for password hashing?

No — use bcrypt, argon2-cffi, or passlib for passwords. The cryptography library is designed for encrypting data, not for password storage. Password hashing requires deliberately slow key derivation functions that resist brute-force attacks. Encrypting a password with Fernet is wrong because if the key leaks, all passwords are immediately exposed — a proper hash is irreversible. The library does include PBKDF2HMAC and scrypt for key derivation from passwords (e.g., deriving a Fernet key from a passphrase), which is different from storing hashed passwords.

Where should I store encryption keys?

Never hardcode keys in source code or commit them to version control. In development, use environment variables or .env files excluded from git. In production, use a dedicated secret manager: AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, or Azure Key Vault. For the highest security tier, use a Hardware Security Module (HSM) or cloud KMS where the key never leaves the hardware boundary. The cryptography library integrates with PKCS#11 HSMs via the hazmat layer.

How do I encrypt large files with RSA?

RSA cannot encrypt data larger than its key size minus padding overhead (about 190 bytes for a 2048-bit key with OAEP). The standard approach is hybrid encryption: generate a random AES-256 key, encrypt the file with AES-GCM, then encrypt the AES key with RSA. The recipient decrypts the RSA-wrapped AES key with their private key, then uses that AES key to decrypt the file. This combines RSA’s key distribution advantages with AES-GCM’s performance — the same pattern used by TLS, PGP, and SSH.

How do I rotate encryption keys without downtime?

For Fernet, use MultiFernet: create a new key, put it first in the list with the old key second, then call mf.rotate(old_token) on all existing ciphertext. New encryptions use the first key automatically. Once all tokens are rotated, remove the old key from the list. For AES-GCM, the same principle applies: store a key version with each ciphertext, maintain a mapping of version to key, and migrate data lazily on read or in a background job.

Conclusion

The cryptography library makes correct encryption practical in Python. For most use cases, start with Fernet — it chooses secure defaults, prevents nonce reuse, and produces tokens that are easy to store. When you need streaming, AEAD with associated data, or hardware acceleration, use AES-256-GCM from the hazmat layer. For key exchange and digital signatures, use RSA with OAEP padding for encryption and PSS padding for signatures — never use the older PKCS1v15 padding for new code.

The three non-negotiable rules are: always use authenticated encryption (Fernet and AES-GCM both satisfy this), never reuse a nonce with the same key, and store keys outside your application code in a secret manager or environment variable. With these rules in place, the cryptography library handles the rest.

Related Articles

• How To Use PyJWT for JSON Web Tokens in Python
• How To Use Python hashlib for Hashing and Checksums
• How To Use Python secrets for Secure Random Generation

Intermediate

REST APIs built on HTTP and JSON are everywhere, but they come with trade-offs: verbose payloads, loose contracts, and no built-in streaming. When services need to talk to each other at high throughput — hundreds of thousands of calls per second with tight latency budgets — gRPC is the industry answer. Used by Google, Netflix, and Cloudflare, gRPC combines Protocol Buffers for compact binary serialization with HTTP/2 for multiplexed connections and native bidirectional streaming.

The grpcio Python package brings the full gRPC runtime to Python. You define services in a .proto schema file, run a code generator, and get strongly-typed client and server stubs automatically. The contract lives in the schema, not in documentation that can drift out of sync. If you change the proto file, the generated code changes with it — no more “the client sends a string but the server expects an int” bugs.

This article covers the complete gRPC workflow in Python: writing a .proto service definition, generating Python stubs, building a server, writing a client, and implementing all four RPC types — unary, server-streaming, client-streaming, and bidirectional streaming.

gRPC Quick Example: Hello Service in 30 Lines

The fastest way to see gRPC in action is a minimal hello service. You need three files: the schema, the server, and the client:

# hello.proto
syntax = "proto3";
package hello;

service Greeter {
  rpc SayHello (HelloRequest) returns (HelloReply);
}

message HelloRequest { string name = 1; }
message HelloReply   { string message = 1; }

# Generate Python stubs (run once after changing the .proto)
pip install grpcio grpcio-tools
python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. hello.proto
# Creates: hello_pb2.py  hello_pb2_grpc.py

# server.py
import grpc
from concurrent import futures
import hello_pb2
import hello_pb2_grpc

class GreeterServicer(hello_pb2_grpc.GreeterServicer):
    def SayHello(self, request, context):
        return hello_pb2.HelloReply(message=f"Hello, {request.name}!")

server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
hello_pb2_grpc.add_GreeterServicer_to_server(GreeterServicer(), server)
server.add_insecure_port('[::]:50051')
server.start()
print("Server started on :50051")
server.wait_for_termination()

# client.py
import grpc
import hello_pb2
import hello_pb2_grpc

with grpc.insecure_channel('localhost:50051') as channel:
    stub = hello_pb2_grpc.GreeterStub(channel)
    response = stub.SayHello(hello_pb2.HelloRequest(name="World"))
    print(f"Server replied: {response.message}")

Output:
Server replied: Hello, World!

Three files, zero JSON parsing, zero URL routing. The schema enforces the contract at compile time rather than at runtime.

Installing grpcio

Install both the runtime and the code generation tools:

pip install grpcio grpcio-tools

# Verify
python -c "import grpc; print(grpc.__version__)"

Output:
1.62.1

grpcio is the runtime — servers, channels, and interceptors. grpcio-tools bundles the protoc compiler with the Python gRPC plugin so you can generate stubs without installing a separate C++ toolchain.

Writing a Protocol Buffers Service Definition

The .proto file is the source of truth for your service. It defines the service methods and the request/response message types. Here is a more realistic example — a currency conversion service:

# finance.proto
syntax = "proto3";
package finance;

service CurrencyConverter {
  // Unary: one request, one response
  rpc Convert (ConvertRequest) returns (ConvertReply);

  // Server streaming: one request, stream of rate updates
  rpc WatchRates (WatchRequest) returns (stream RateUpdate);

  // Client streaming: stream of amounts, one summary response
  rpc BatchConvert (stream ConvertRequest) returns (BatchReply);

  // Bidirectional streaming: real-time conversion feed
  rpc LiveConvert (stream ConvertRequest) returns (stream ConvertReply);
}

message ConvertRequest {
  string from_currency = 1;   // e.g. "USD"
  string to_currency   = 2;   // e.g. "EUR"
  double amount        = 3;
}

message ConvertReply {
  double converted_amount = 1;
  double rate             = 2;
  string timestamp        = 3;
}

message WatchRequest {
  string base_currency = 1;
  repeated string target_currencies = 2;
}

message RateUpdate {
  string currency = 1;
  double rate     = 2;
}

message BatchReply {
  double total_converted = 1;
  int32  count           = 2;
}

# Generate stubs
python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. finance.proto
# Creates: finance_pb2.py  finance_pb2_grpc.py

Field numbers (the = 1, = 2 after field names) are used in the binary encoding — they must be unique within a message and should never be reused once deployed. Adding new fields with new numbers is backward-compatible; removing or renumbering fields breaks existing clients.

The Four gRPC RPC Types

gRPC defines four communication patterns. Here is a complete server implementing all four for the finance service:

# finance_server.py
import grpc
import time
import random
from concurrent import futures
import finance_pb2
import finance_pb2_grpc

# Simulated exchange rates
RATES = {
    ('USD', 'EUR'): 0.92, ('USD', 'GBP'): 0.79, ('USD', 'JPY'): 149.5,
    ('EUR', 'USD'): 1.09, ('GBP', 'USD'): 1.27, ('JPY', 'USD'): 0.0067,
}

def get_rate(frm, to):
    if frm == to:
        return 1.0
    return RATES.get((frm, to), 1.0) * (1 + random.uniform(-0.002, 0.002))

class CurrencyConverterServicer(finance_pb2_grpc.CurrencyConverterServicer):

    # --- Unary RPC ---
    def Convert(self, request, context):
        rate = get_rate(request.from_currency, request.to_currency)
        return finance_pb2.ConvertReply(
            converted_amount=request.amount * rate,
            rate=rate,
            timestamp=str(time.time())
        )

    # --- Server Streaming RPC ---
    def WatchRates(self, request, context):
        """Stream rate updates every second until client cancels."""
        while not context.is_active() is False:
            for target in request.target_currencies:
                rate = get_rate(request.base_currency, target)
                yield finance_pb2.RateUpdate(currency=target, rate=rate)
            time.sleep(1.0)
            if not context.is_active():
                break

    # --- Client Streaming RPC ---
    def BatchConvert(self, request_iterator, context):
        total = 0.0
        count = 0
        for req in request_iterator:
            rate = get_rate(req.from_currency, req.to_currency)
            total += req.amount * rate
            count += 1
        return finance_pb2.BatchReply(total_converted=total, count=count)

    # --- Bidirectional Streaming RPC ---
    def LiveConvert(self, request_iterator, context):
        for req in request_iterator:
            rate = get_rate(req.from_currency, req.to_currency)
            yield finance_pb2.ConvertReply(
                converted_amount=req.amount * rate,
                rate=rate,
                timestamp=str(time.time())
            )

def serve():
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
    finance_pb2_grpc.add_CurrencyConverterServicer_to_server(
        CurrencyConverterServicer(), server
    )
    server.add_insecure_port('[::]:50051')
    server.start()
    print("Finance gRPC server running on :50051")
    server.wait_for_termination()

if __name__ == '__main__':
    serve()

Writing the gRPC Client

The generated stub class handles all the serialization. Each of the four RPC types gets a corresponding client pattern:

# finance_client.py
import grpc
import finance_pb2
import finance_pb2_grpc

def run():
    with grpc.insecure_channel('localhost:50051') as channel:
        stub = finance_pb2_grpc.CurrencyConverterStub(channel)

        # 1. Unary call
        reply = stub.Convert(finance_pb2.ConvertRequest(
            from_currency='USD', to_currency='EUR', amount=100.0
        ))
        print(f"Unary: $100 USD = €{reply.converted_amount:.2f} EUR (rate: {reply.rate:.4f})")

        # 2. Server streaming: receive 5 rate updates then cancel
        watch_req = finance_pb2.WatchRequest(
            base_currency='USD',
            target_currencies=['EUR', 'GBP', 'JPY']
        )
        update_count = 0
        for update in stub.WatchRates(watch_req):
            print(f"Rate update: USD/{update.currency} = {update.rate:.4f}")
            update_count += 1
            if update_count >= 6:
                break

        # 3. Client streaming: send a batch of conversions
        def batch_requests():
            pairs = [('USD','EUR',100), ('USD','GBP',250), ('EUR','USD',80)]
            for frm, to, amt in pairs:
                yield finance_pb2.ConvertRequest(
                    from_currency=frm, to_currency=to, amount=amt
                )
        batch_reply = stub.BatchConvert(batch_requests())
        print(f"Batch: {batch_reply.count} conversions, total = {batch_reply.total_converted:.2f}")

        # 4. Bidirectional streaming
        def live_requests():
            for amount in [50, 100, 200]:
                yield finance_pb2.ConvertRequest(
                    from_currency='USD', to_currency='JPY', amount=amount
                )
        for reply in stub.LiveConvert(live_requests()):
            print(f"Live: ${reply.converted_amount:.2f} JPY at rate {reply.rate:.2f}")

if __name__ == '__main__':
    run()

Output:
Unary: $100 USD = €92.14 EUR (rate: 0.9214)
Rate update: USD/EUR = 0.9198
Rate update: USD/GBP = 0.7893
Rate update: USD/JPY = 149.82
Rate update: USD/EUR = 0.9207
Rate update: USD/GBP = 0.7901
Rate update: USD/JPY = 149.71
Batch: 3 conversions, total = 412.37
Live: $7479.50 JPY at rate 149.59
Live: $14955.00 JPY at rate 149.55
Live: $29942.00 JPY at rate 149.71

Error Handling and Status Codes

gRPC has a rich set of status codes that map to HTTP/2 status semantics. Use context.abort() on the server to return a typed error, and catch grpc.RpcError on the client:

# Error handling patterns
import grpc
import finance_pb2
import finance_pb2_grpc

# Server side: abort with a status code
def Convert(self, request, context):
    supported = {'USD', 'EUR', 'GBP', 'JPY'}
    if request.from_currency not in supported:
        context.abort(
            grpc.StatusCode.INVALID_ARGUMENT,
            f"Unsupported currency: {request.from_currency}"
        )
    if request.amount <= 0:
        context.abort(
            grpc.StatusCode.OUT_OF_RANGE,
            f"Amount must be positive, got: {request.amount}"
        )
    rate = get_rate(request.from_currency, request.to_currency)
    return finance_pb2.ConvertReply(converted_amount=request.amount * rate, rate=rate)

# Client side: catch RpcError
with grpc.insecure_channel('localhost:50051') as channel:
    stub = finance_pb2_grpc.CurrencyConverterStub(channel)
    try:
        reply = stub.Convert(finance_pb2.ConvertRequest(
            from_currency='BTC', to_currency='EUR', amount=1.0
        ))
    except grpc.RpcError as e:
        print(f"gRPC error: {e.code()} — {e.details()}")
        # Output: gRPC error: StatusCode.INVALID_ARGUMENT — Unsupported currency: BTC

Frequently Asked Questions

When should I use gRPC instead of REST?

Use gRPC when you control both client and server (internal microservices), when you need high-throughput low-latency calls, when you want a strict schema that fails fast on contract violations, or when you need streaming. REST is better for public APIs consumed by browsers and third parties — the JSON format is universally readable and HTTP/1.1 works everywhere. Many systems use REST at the edge and gRPC internally.

How do I evolve a proto schema without breaking clients?

Add new fields with new field numbers — older clients simply ignore them. Never remove or renumber existing fields once deployed. Never change the type of an existing field. Rename fields freely (the wire format uses field numbers, not names). If you need to remove a field, mark it as reserved so future developers cannot accidentally reuse the number. Use semantic versioning in the package name (e.g., package finance.v2) for breaking changes.

Can I use gRPC with Python async/await?

Yes — grpcio ships grpc.aio, an asyncio-native implementation. Replace grpc.server() with grpc.aio.server(), replace grpc.insecure_channel() with grpc.aio.insecure_channel(), and add async/await to your servicer methods. The grpc.aio module is production-ready as of grpcio 1.32 and is the recommended approach for new services using asyncio frameworks like FastAPI or Starlette.

How do I add TLS to a gRPC server?

Replace add_insecure_port with add_secure_port and pass a grpc.ssl_server_credentials() object constructed from your certificate and key files. On the client side, replace grpc.insecure_channel() with grpc.secure_channel('host:443', grpc.ssl_channel_credentials()). For mutual TLS (mTLS), pass both root certificates and client cert/key to grpc.ssl_channel_credentials(). In Kubernetes environments, service meshes like Istio handle mTLS transparently without application code changes.

How do I test a gRPC service without writing a client?

Install grpcio-reflection and enable server reflection, then use grpcurl (a command-line tool like curl for gRPC) or Postman (which supports gRPC natively). Alternatively, use grpc_tools.protoc to generate a Python test client, or write unit tests using the grpc.testing utilities that let you call servicer methods directly without a running server.

Conclusion

gRPC turns service-to-service communication into a typed function call. The .proto schema defines the contract, grpc_tools.protoc generates the boilerplate, and grpcio handles the HTTP/2 transport, multiplexing, and serialization. In this article we covered the four RPC types — unary, server streaming, client streaming, and bidirectional streaming — along with typed error handling using grpc.StatusCode. The key rules are: never change field numbers in deployed schemas, always use context.abort() for typed server errors, and catch grpc.RpcError on the client side.

For production use, add TLS via grpc.ssl_server_credentials(), enable server reflection for debugging, add a health check service via grpcio-health-checking, and consider the grpc.aio asyncio API if your service is built around async Python frameworks. When you need to expose a gRPC backend to browsers or mobile clients, grpc-gateway or Envoy proxy can translate REST/JSON calls to gRPC automatically at the edge.

Related Articles

• How To Use Python FastAPI to Build a REST API
• How To Use Python kafka-python for Event Streaming
• How To Use Pydantic for Data Validation in Python