Forem: Tortoise The latest articles on Forem by Tortoise (@tortoise62). https://forem.com/tortoise62 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3897460%2Ff4f45c66-b4af-4d47-91db-d9e20a9b903f.png Forem: Tortoise https://forem.com/tortoise62 en How to Add Authentication to a SvelteKit SPA Tortoise Mon, 27 Apr 2026 13:50:32 +0000 https://forem.com/tortoise62/how-to-add-authentication-to-a-sveltekit-spa-fpi https://forem.com/tortoise62/how-to-add-authentication-to-a-sveltekit-spa-fpi <p><em>Originally published at <a href="https://turtledev.io/blog/how-to-add-authentication-to-sveltekit-spa" rel="noopener noreferrer">turtledev.io</a></em></p> <p>Building on our <a href="https://dev.to/tortoise62/how-to-build-a-sveltekit-spa-with-fastapi-backend-4p59">previous tutorial</a> where we created a SvelteKit SPA with a FastAPI backend, let's add authentication to our application.</p> <blockquote> <p><strong>Building a production app?</strong> Check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a> — a production-ready FastAPI + SvelteKit starter with authentication, payments, and more built-in.</p> </blockquote> <p>This tutorial demonstrates a minimal authentication implementation for learning purposes, covering:</p> <ul> <li>HTTP-only cookie-based sessions</li> <li>Reactive auth state management with Svelte 5 runes</li> <li>Protected routes with automatic redirects</li> <li>Optimized auth checks with caching</li> </ul> <blockquote> <p><strong>Note:</strong> This is a tutorial project for learning concepts. For production applications, use solutions like <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a>, Auth.js, Lucia, or your backend framework's authentication library.</p> </blockquote> <h2> Prerequisites </h2> <ul> <li>Completed the <a href="https://turtledev.io/blog/how-to-build-sveltekit-spa-with-fastapi-backend" rel="noopener noreferrer">SvelteKit SPA with FastAPI tutorial</a> or have a similar setup</li> <li>Basic understanding of SvelteKit and FastAPI</li> <li>Familiarity with Svelte 5 runes (<code>$state</code>, <code>$effect</code>)</li> </ul> <h2> Authentication Flow </h2> <p>Our authentication system uses HTTP-only cookies for secure session management. Here's how the complete flow works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ LOGIN FLOW │ └─────────────────────────────────────────────────────────────────────┘ Browser SvelteKit Frontend FastAPI Backend │ │ │ │ 1. Enter credentials │ │ │ ──────────────────────────&gt; │ │ │ │ │ │ │ 2. POST /auth/login │ │ │ {email, password} │ │ │ ──────────────────────────&gt; │ │ │ │ │ │ │ 3. Validate │ │ │ credentials │ │ │ │ │ 4. Set-Cookie: session=xxx │ │ │ (HTTP-only, SameSite) │ │ │ &lt;────────────────────────── │ │ │ │ │ 5. Cookie stored │ │ │ &lt;────────────────────────── │ │ │ (inaccessible to JS) │ │ │ │ │ │ 6. Redirect to /welcome │ │ │ &lt;────────────────────────── │ │ │ │ │ </code></pre> </div> <p><strong>Step-by-step breakdown:</strong></p> <ol> <li>User enters their email and password in the login form</li> <li>Frontend sends credentials to the backend's <code>/auth/login</code> endpoint</li> <li>Backend validates the credentials against the user database (in-memory for this tutorial)</li> <li>Backend creates a session token and sends it back as an HTTP-only cookie</li> <li>Browser automatically stores the cookie (JavaScript cannot access it due to <code>httponly</code> flag)</li> <li>Frontend redirects the user to the dashboard/welcome page </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ AUTHENTICATED REQUEST │ └─────────────────────────────────────────────────────────────────────┘ Browser SvelteKit Frontend FastAPI Backend │ │ │ │ 1. Navigate to /todos │ │ │ ──────────────────────────&gt; │ │ │ │ │ │ │ 2. GET /users/me │ │ │ Cookie: session=xxx │ │ │ ──────────────────────────&gt; │ │ │ │ │ │ │ 3. Validate │ │ │ session │ │ │ │ │ 4. {id, email, ...} │ │ │ &lt;────────────────────────── │ │ │ │ │ 5. Update auth store │ │ │ &lt;────────────────────────── │ │ │ │ │ │ 6. GET /todos │ │ │ Cookie: session=xxx │ │ │ ─────────────────────────────────────────────────────────&gt; │ │ │ │ │ │ │ 7. Validate │ │ │ session │ │ │ │ 8. Todo list data │ │ │ &lt;───────────────────────────────────────────────────────── │ │ │ │ </code></pre> </div> <h3> Key Security Features </h3> <p><strong>HTTP-only Cookies</strong>: Session tokens stored in HTTP-only cookies are completely inaccessible to JavaScript. First line of defense against XSS attacks.</p> <p><strong>SameSite Protection</strong>: <code>SameSite=Lax</code> during development. In production use <code>SameSite=Strict</code> for CSRF protection.</p> <p><strong>Credentials Configuration</strong>: Axios needs <code>withCredentials: true</code> to send cookies with cross-origin requests.</p> <p><strong>Session Validation on Every Request</strong>: Every protected endpoint validates the session cookie. Frontend auth state is only for UX — real security happens on the backend.</p> <h2> Backend Implementation </h2> <blockquote> <p><strong>Quick note:</strong> This backend is intentionally minimal. We're using in-memory storage, plain-text passwords, and other shortcuts you'd never use in production. The focus is the frontend auth implementation.</p> </blockquote> <p>Our backend does three key things:</p> <p><strong>1. Creates sessions when users log in</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/auth/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">LoginRequest</span><span class="p">,</span> <span class="n">response</span><span class="p">:</span> <span class="n">Response</span><span class="p">):</span> <span class="n">user_data</span> <span class="o">=</span> <span class="n">MOCK_USERS</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user_data</span> <span class="ow">or</span> <span class="n">user_data</span><span class="p">[</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">]</span> <span class="o">!=</span> <span class="n">request</span><span class="p">.</span><span class="n">password</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">create_session</span><span class="p">(</span><span class="n">user_data</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">])</span> <span class="nf">set_session_cookie</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="n">token</span><span class="p">)</span> <span class="k">return</span> <span class="nc">LoginSuccess</span><span class="p">(</span><span class="n">user_id</span><span class="o">=</span><span class="n">user_data</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="n">email</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_session</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="n">sessions</span><span class="p">[</span><span class="n">token</span><span class="p">]</span> <span class="o">=</span> <span class="n">user_id</span> <span class="k">return</span> <span class="n">token</span> </code></pre> </div> <p><code>secrets.token_urlsafe(32)</code> generates a cryptographically secure token. Never use <code>random</code> or <code>uuid</code> for session tokens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">set_session_cookie</span><span class="p">(</span><span class="n">response</span><span class="p">:</span> <span class="n">Response</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">response</span><span class="p">.</span><span class="nf">set_cookie</span><span class="p">(</span> <span class="n">key</span><span class="o">=</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">token</span><span class="p">,</span> <span class="n">httponly</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">secure</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="c1"># Set to True in production with HTTPS </span> <span class="n">samesite</span><span class="o">=</span><span class="sh">"</span><span class="s">lax</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_age</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><strong>2. Validates sessions on protected endpoints</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">list_todos</span><span class="p">(</span><span class="n">user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="k">return</span> <span class="nf">list</span><span class="p">(</span><span class="n">todos</span><span class="p">.</span><span class="nf">values</span><span class="p">())</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_current_user</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">User</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">session</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span> <span class="ow">or</span> <span class="n">token</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">sessions</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Not authenticated</span><span class="sh">"</span><span class="p">)</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">sessions</span><span class="p">[</span><span class="n">token</span><span class="p">]</span> <span class="c1"># Look up user from database and return User object </span> <span class="c1"># ... </span></code></pre> </div> <p><strong>3. Clears sessions on logout</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/auth/logout</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">204</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">response</span><span class="p">:</span> <span class="n">Response</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">User</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">get_session_token</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">if</span> <span class="n">token</span><span class="p">:</span> <span class="nf">invalidate_session</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="nf">clear_session_cookie</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> </code></pre> </div> <p>CORS configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:5173</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_credentials</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># Critical: allows cookies </span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p><code>allow_credentials=True</code> is essential. Without it, the browser won't send or receive cookies in cross-origin requests.</p> <h2> Frontend Implementation </h2> <h3> Step 1: Configure Axios to Send Cookies </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/api/axios-config.ts</span> <span class="k">import</span> <span class="nx">axios</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">;</span> <span class="nx">axios</span><span class="p">.</span><span class="nx">defaults</span><span class="p">.</span><span class="nx">withCredentials</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> </code></pre> </div> <p>Import this in <code>+layout.ts</code> so it runs before anything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// routes/+layout.ts</span> <span class="k">import</span> <span class="dl">'</span><span class="s1">$lib/api/axios-config</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">csr</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">ssr</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prerender</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> </code></pre> </div> <h3> Step 2: Build a Reactive Auth Store </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/auth.svelte.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/api/gen/model</span><span class="dl">'</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">AuthStore</span> <span class="p">{</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">$state</span><span class="o">&lt;</span><span class="nx">User</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nx">isLoading</span> <span class="o">=</span> <span class="nf">$state</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">get</span> <span class="nf">isAuthenticated</span><span class="p">():</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">user</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="nf">setUser</span><span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">User</span> <span class="o">|</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nf">clear</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">isLoading</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authStore</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AuthStore</span><span class="p">();</span> </code></pre> </div> <p>The <code>$state</code> rune makes <code>user</code> and <code>isLoading</code> reactive. Any component that reads them automatically updates when they change. No subscriptions, no boilerplate.</p> <h3> Step 3: Session Validation with Smart Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth/session.ts</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nf">getFastAPI</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">lastSuccessfulCheck</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">AUTH_CHECK_EXPIRES_MS</span> <span class="o">=</span> <span class="mi">20000</span><span class="p">;</span> <span class="c1">// 20 seconds</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">ensureAuthenticated</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">authStore</span><span class="p">.</span><span class="nx">isAuthenticated</span> <span class="o">&amp;&amp;</span> <span class="nx">now</span> <span class="o">-</span> <span class="nx">lastSuccessfulCheck</span> <span class="o">&lt;</span> <span class="nx">AUTH_CHECK_EXPIRES_MS</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authStore</span><span class="p">.</span><span class="nx">isAuthenticated</span><span class="p">)</span> <span class="p">{</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">getCurrentUser</span><span class="p">();</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">setUser</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="nx">lastSuccessfulCheck</span> <span class="o">=</span> <span class="nx">now</span><span class="p">;</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">clear</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>About the 20-second cache:</strong> This is a performance optimization to avoid hammering <code>/users/me</code>, not your session expiry. Your actual session might last 30-60 minutes on the backend. The backend still validates the session on every API call.</p> </blockquote> <h3> Step 4: Protect Routes with a Layout </h3> <div class="highlight js-code-highlight"> <pre class="highlight svelte"><code><span class="c">&lt;!-- routes/(protected)/+layout.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">onMount</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ensureAuthenticated</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth/session</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">authStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/auth/auth.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">children</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">$props</span><span class="p">();</span> <span class="nf">onMount</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">ensureAuthenticated</span><span class="p">();</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="si">{</span><span class="k">#if</span> <span class="nx">authStore</span><span class="p">.</span><span class="nx">isLoading</span><span class="si">}</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"loading"</span><span class="nt">&gt;</span>Loading...<span class="nt">&lt;/div&gt;</span> <span class="si">{</span><span class="k">:else</span> <span class="k">if</span> <span class="nx">authStore</span><span class="p">.</span><span class="nx">isAuthenticated</span><span class="si">}</span> <span class="si">{</span><span class="p">@</span><span class="nd">render</span> <span class="nf">children</span><span class="p">()</span><span class="si">}</span> <span class="si">{</span><span class="p">:</span><span class="k">else</span><span class="si">}</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"loading"</span><span class="nt">&gt;</span>Redirecting to login...<span class="nt">&lt;/div&gt;</span> <span class="si">{</span><span class="k">/if</span><span class="si">}</span> </code></pre> </div> <p>Any route inside the <code>(protected)</code> folder automatically requires authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>routes/ (protected)/ +layout.svelte ← Auth check happens here todos/ +page.svelte ← Automatically protected profile/ +page.svelte ← Automatically protected login/ +page.svelte ← Public route </code></pre> </div> <h3> Step 5: Logout </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">logout</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">logout</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Logout failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nx">authStore</span><span class="p">.</span><span class="nf">clear</span><span class="p">();</span> <span class="nx">lastSuccessfulCheck</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Even if the API call fails, local state clears and the user gets redirected. They can't stay on a protected page without re-authenticating.</p> <h2> Wrapping Up </h2> <p>You now have a working authentication system for your SvelteKit SPA:</p> <ul> <li>HTTP-only cookie-based sessions</li> <li>Reactive auth store with Svelte 5 runes</li> <li>Smart caching to reduce backend calls</li> <li>Protected routes via layouts</li> <li>Clean login and logout flows</li> </ul> <p>Source code: <a href="https://github.com/TurtleDevIO/sveltekit-spa-authentication" rel="noopener noreferrer">GitHub</a></p> <p><strong>See also:</strong> <a href="https://turtledev.io/blog/fastapi-tutorial-1-project-setup-crud-api" rel="noopener noreferrer">Full-stack FastAPI Tutorial 1: Project Setup &amp; Tooling</a></p> <p>This covers the fundamentals. Production apps need password reset, email verification, OAuth, and RBAC. If you want all of that without building it from scratch, check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a> — a SvelteKit + FastAPI starter kit with auth, Stripe billing, multi-tenancy, and more already wired up.</p> <p>Smooth coding!</p> svelte fastapi webdev tutorial How to Build a SvelteKit SPA with FastAPI Backend Tortoise Sun, 26 Apr 2026 13:44:33 +0000 https://forem.com/tortoise62/how-to-build-a-sveltekit-spa-with-fastapi-backend-4p59 https://forem.com/tortoise62/how-to-build-a-sveltekit-spa-with-fastapi-backend-4p59 <p><em>Originally published at <a href="https://turtledev.io/blog/how-to-build-sveltekit-spa-with-fastapi-backend" rel="noopener noreferrer">turtledev.io</a></em></p> <p>In my <a href="https://dev.to/tortoise62/why-i-switched-from-sveltekit-ssr-to-spa-fastapi-242m">previous post</a>, I talked about why I moved from SvelteKit SSR to a Svelte SPA + FastAPI architecture. Today, I want to show you my setup with a simple project.</p> <p>We'll build a simple <strong>todo list app</strong> to demonstrate how the frontend and backend communicate, and how to write less and type-safe code by using <strong>Orval</strong> to auto-generate TypeScript API clients from FastAPI's OpenAPI specs.</p> <blockquote> <p><strong>Building a production app?</strong> Check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a> - a production-ready FastAPI + SvelteKit starter with authentication, payments, and more built-in.</p> </blockquote> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>todo-app/ ├── backend/ # FastAPI Python backend │ ├── main.py # FastAPI app │ ├── models.py # Pydantic models │ └── requirements.txt │ └── frontend/ # SvelteKit SPA ├── src/ │ ├── routes/ # Pages │ └── lib/ # API client &amp; components └── package.json </code></pre> </div> <h2> Backend: FastAPI Setup </h2> <p>Create a <code>backend</code> directory and set up a virtual environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>backend python3 <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate <span class="c"># On Windows: .venv\Scripts\activate</span> </code></pre> </div> <h3> requirements.in </h3> <p>We'll use <code>pip-compile</code> from <code>pip-tools</code> to manage dependencies:</p> <ol> <li> <strong>Simple dependency specification</strong>: List only your direct dependencies without worrying about version pins</li> <li> <strong>Clear dependency tree</strong>: The generated <code>requirements.txt</code> shows direct vs transitive dependencies</li> <li> <strong>Reproducible builds</strong>: All versions are pinned for consistent installations</li> <li> <strong>Easy updates</strong>: Run <code>pip-compile</code> again to update to latest compatible versions </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fastapi uvicorn[standard] pydantic </code></pre> </div> <h3> Install pip-tools and compile dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>pip-tools pip-compile requirements.in pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <h3> models.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/models.py </span><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span> <span class="k">class</span> <span class="nc">TodoCreate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">completed</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">class</span> <span class="nc">TodoUpdate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">completed</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">class</span> <span class="nc">Todo</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">int</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">completed</span><span class="p">:</span> <span class="nb">bool</span> </code></pre> </div> <h3> main.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">fastapi.middleware.cors</span> <span class="kn">import</span> <span class="n">CORSMiddleware</span> <span class="kn">from</span> <span class="n">models</span> <span class="kn">import</span> <span class="n">Todo</span><span class="p">,</span> <span class="n">TodoCreate</span><span class="p">,</span> <span class="n">TodoUpdate</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:5173</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># Vite dev server </span> <span class="n">allow_credentials</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">todos</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="n">Todo</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">next_id</span> <span class="o">=</span> <span class="mi">1</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="nb">list</span><span class="p">[</span><span class="n">Todo</span><span class="p">],</span> <span class="n">operation_id</span><span class="o">=</span><span class="sh">"</span><span class="s">listTodos</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">list_todos</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Get all todos</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">list</span><span class="p">(</span><span class="n">todos</span><span class="p">.</span><span class="nf">values</span><span class="p">())</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">Todo</span><span class="p">,</span> <span class="n">operation_id</span><span class="o">=</span><span class="sh">"</span><span class="s">createTodo</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_todo</span><span class="p">(</span><span class="n">todo_data</span><span class="p">:</span> <span class="n">TodoCreate</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Create a new todo</span><span class="sh">"""</span> <span class="k">global</span> <span class="n">next_id</span> <span class="n">todo</span> <span class="o">=</span> <span class="nc">Todo</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">next_id</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="n">todo_data</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">completed</span><span class="o">=</span><span class="n">todo_data</span><span class="p">.</span><span class="n">completed</span><span class="p">)</span> <span class="n">todos</span><span class="p">[</span><span class="n">next_id</span><span class="p">]</span> <span class="o">=</span> <span class="n">todo</span> <span class="n">next_id</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">return</span> <span class="n">todo</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos/{todo_id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">Todo</span><span class="p">,</span> <span class="n">operation_id</span><span class="o">=</span><span class="sh">"</span><span class="s">getTodo</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_todo</span><span class="p">(</span><span class="n">todo_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Get a specific todo</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">todo_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">todos</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Todo not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">todos</span><span class="p">[</span><span class="n">todo_id</span><span class="p">]</span> <span class="nd">@app.put</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos/{todo_id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">Todo</span><span class="p">,</span> <span class="n">operation_id</span><span class="o">=</span><span class="sh">"</span><span class="s">updateTodo</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_todo</span><span class="p">(</span><span class="n">todo_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">todo_data</span><span class="p">:</span> <span class="n">TodoUpdate</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Update a todo</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">todo_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">todos</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Todo not found</span><span class="sh">"</span><span class="p">)</span> <span class="n">todo</span> <span class="o">=</span> <span class="n">todos</span><span class="p">[</span><span class="n">todo_id</span><span class="p">]</span> <span class="k">if</span> <span class="n">todo_data</span><span class="p">.</span><span class="n">title</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">todo</span><span class="p">.</span><span class="n">title</span> <span class="o">=</span> <span class="n">todo_data</span><span class="p">.</span><span class="n">title</span> <span class="k">if</span> <span class="n">todo_data</span><span class="p">.</span><span class="n">completed</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">todo</span><span class="p">.</span><span class="n">completed</span> <span class="o">=</span> <span class="n">todo_data</span><span class="p">.</span><span class="n">completed</span> <span class="k">return</span> <span class="n">todo</span> <span class="nd">@app.delete</span><span class="p">(</span><span class="sh">"</span><span class="s">/todos/{todo_id}</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">204</span><span class="p">,</span> <span class="n">operation_id</span><span class="o">=</span><span class="sh">"</span><span class="s">deleteTodo</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete_todo</span><span class="p">(</span><span class="n">todo_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Delete a todo</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">todo_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">todos</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Todo not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">del</span> <span class="n">todos</span><span class="p">[</span><span class="n">todo_id</span><span class="p">]</span> </code></pre> </div> <p>Notice the <code>operation_id</code> on each route. This tells FastAPI to use clean names like <code>listTodos</code> in the OpenAPI spec instead of auto-generated ones like <code>list_todos_todos_get</code>. Orval will use these as TypeScript function names.</p> <h3> Start the backend </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uvicorn main:app <span class="nt">--reload</span> </code></pre> </div> <p>API running at <code>http://localhost:8000</code>. Docs at <code>http://localhost:8000/docs</code>.</p> <h3> Test the API </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a todo</span> curl <span class="nt">-X</span> POST http://localhost:8000/todos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"title": "Learn FastAPI", "completed": false}'</span> <span class="c"># List all todos</span> curl http://localhost:8000/todos <span class="c"># Update a todo</span> curl <span class="nt">-X</span> PUT http://localhost:8000/todos/1 <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"completed": true}'</span> <span class="c"># Delete a todo</span> curl <span class="nt">-X</span> DELETE http://localhost:8000/todos/1 </code></pre> </div> <p>The OpenAPI spec is at <code>http://localhost:8000/openapi.json</code> — this is what Orval will use to generate the TypeScript client.</p> <h2> Frontend: SvelteKit SPA </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx sv create frontend </code></pre> </div> <p>Select: SvelteKit minimal, TypeScript, prettier, npm.</p> <h3> Configure as SPA </h3> <p>Create <code>src/routes/+layout.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">csr</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Enable client-side rendering</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">ssr</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Disable server-side rendering</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prerender</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// Disable prerendering</span> </code></pre> </div> <h3> Install Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>axios npm <span class="nb">install</span> <span class="nt">-D</span> orval </code></pre> </div> <h3> Setup Auto-Generated API Client </h3> <p>Create <code>orval.config.cjs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:8000/openapi.json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">output</span><span class="p">:</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./src/lib/api/gen</span><span class="dl">'</span><span class="p">,</span> <span class="na">schemas</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./src/lib/api/gen/model</span><span class="dl">'</span><span class="p">,</span> <span class="na">client</span><span class="p">:</span> <span class="dl">'</span><span class="s1">axios</span><span class="dl">'</span><span class="p">,</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">split</span><span class="dl">'</span><span class="p">,</span> <span class="na">clean</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">baseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:8000</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>Add a generate script to <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"generate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx orval --config orval.config.cjs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Generate TypeScript Client </h3> <p>With your backend running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run generate </code></pre> </div> <p>This creates <code>src/lib/api/gen/</code> with fully typed functions for all your endpoints.</p> <h3> Build the UI </h3> <p>Create <code>src/routes/+page.svelte</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight svelte"><code><span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">onMount</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getFastAPI</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/api/gen/fastAPI</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">type</span> <span class="p">{</span> <span class="nx">Todo</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/api/gen/model</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="nf">getFastAPI</span><span class="p">();</span> <span class="kd">let</span> <span class="nx">todos</span> <span class="o">=</span> <span class="nx">$state</span><span class="o">&lt;</span><span class="nx">Todo</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">([]);</span> <span class="kd">let</span> <span class="nx">newTodoTitle</span> <span class="o">=</span> <span class="nf">$state</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">loading</span> <span class="o">=</span> <span class="nf">$state</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadTodos</span><span class="p">()</span> <span class="p">{</span> <span class="nx">loading</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">listTodos</span><span class="p">();</span> <span class="nx">todos</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to load todos:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nx">loading</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">addTodo</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">newTodoTitle</span><span class="p">.</span><span class="nf">trim</span><span class="p">())</span> <span class="k">return</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">createTodo</span><span class="p">({</span> <span class="na">title</span><span class="p">:</span> <span class="nx">newTodoTitle</span><span class="p">,</span> <span class="na">completed</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">todos</span> <span class="o">=</span> <span class="p">[...</span><span class="nx">todos</span><span class="p">,</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">];</span> <span class="nx">newTodoTitle</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to create todo:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">toggleTodo</span><span class="p">(</span><span class="nx">todo</span><span class="p">:</span> <span class="nx">Todo</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">updateTodo</span><span class="p">(</span><span class="nx">todo</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">completed</span><span class="p">:</span> <span class="o">!</span><span class="nx">todo</span><span class="p">.</span><span class="nx">completed</span> <span class="p">});</span> <span class="nx">todos</span> <span class="o">=</span> <span class="nx">todos</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">t</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">todo</span><span class="p">.</span><span class="nx">id</span> <span class="p">?</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span> <span class="p">:</span> <span class="nx">t</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to update todo:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">removeTodo</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="nx">number</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">api</span><span class="p">.</span><span class="nf">deleteTodo</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="nx">todos</span> <span class="o">=</span> <span class="nx">todos</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">t</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to delete todo:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">onMount</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">loadTodos</span><span class="p">();</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;h1&gt;</span>Todo List<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"add-todo"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">bind:value=</span><span class="si">{</span><span class="nx">newTodoTitle</span><span class="si">}</span> <span class="na">placeholder=</span><span class="s">"What needs to be done?"</span> <span class="na">onkeydown=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">e</span><span class="p">.</span><span class="nx">key</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">Enter</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nf">addTodo</span><span class="p">()</span><span class="si">}</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">onclick=</span><span class="si">{</span><span class="nx">addTodo</span><span class="si">}</span><span class="nt">&gt;</span>Add<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="si">{</span><span class="k">#if</span> <span class="nx">loading</span><span class="si">}</span> <span class="nt">&lt;p&gt;</span>Loading...<span class="nt">&lt;/p&gt;</span> <span class="si">{</span><span class="k">:else</span> <span class="k">if</span> <span class="nx">todos</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="si">}</span> <span class="nt">&lt;p</span> <span class="na">class=</span><span class="s">"empty"</span><span class="nt">&gt;</span>No todos yet. Add one above!<span class="nt">&lt;/p&gt;</span> <span class="si">{</span><span class="p">:</span><span class="k">else</span><span class="si">}</span> <span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">"todo-list"</span><span class="nt">&gt;</span> <span class="si">{</span><span class="k">#each</span> <span class="nx">todos</span> <span class="k">as</span> <span class="nf">todo </span><span class="p">(</span><span class="nx">todo</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span> <span class="nt">&lt;li</span> <span class="na">class:completed=</span><span class="si">{</span><span class="nx">todo</span><span class="p">.</span><span class="nx">completed</span><span class="si">}</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">checked=</span><span class="si">{</span><span class="nx">todo</span><span class="p">.</span><span class="nx">completed</span><span class="si">}</span> <span class="na">onchange=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">toggleTodo</span><span class="p">(</span><span class="nx">todo</span><span class="p">)</span><span class="si">}</span> <span class="nt">/&gt;</span> <span class="nt">&lt;span&gt;</span><span class="si">{</span><span class="nx">todo</span><span class="p">.</span><span class="nx">title</span><span class="si">}</span><span class="nt">&lt;/span&gt;</span> <span class="nt">&lt;button</span> <span class="na">class=</span><span class="s">"delete"</span> <span class="na">onclick=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">removeTodo</span><span class="p">(</span><span class="nx">todo</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span><span class="nt">&gt;</span>×<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/li&gt;</span> <span class="si">{</span><span class="k">/each</span><span class="si">}</span> <span class="nt">&lt;/ul&gt;</span> <span class="si">{</span><span class="k">/if</span><span class="si">}</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <h3> Start the frontend </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run dev </code></pre> </div> <p>App running at <code>http://localhost:5173</code>.</p> <h2> Updating the API </h2> <p>When you add a field to a model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TodoCreate</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">title</span><span class="p">:</span> <span class="nb">str</span> <span class="n">completed</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">priority</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">medium</span><span class="sh">"</span> <span class="c1"># New field! </span></code></pre> </div> <p>Just regenerate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run generate </code></pre> </div> <p>TypeScript will immediately show errors wherever you need to update the frontend. No manual type syncing.</p> <h2> What We Built </h2> <ul> <li>FastAPI backend with CRUD endpoints</li> <li>SvelteKit SPA frontend</li> <li>Auto-generated TypeScript API client from OpenAPI spec</li> <li>Fully functional todo app with end-to-end type safety</li> </ul> <p>Source code: <a href="https://github.com/TurtleDevIO/svelte-spa-fastapi-tutorial" rel="noopener noreferrer">GitHub</a></p> <p><strong>Next:</strong> <a href="https://turtledev.io/blog/how-to-add-authentication-to-sveltekit-spa" rel="noopener noreferrer">How to Add Authentication to a SvelteKit SPA</a></p> <p><strong>See also:</strong> <a href="https://turtledev.io/blog/fastapi-tutorial-1-project-setup-crud-api" rel="noopener noreferrer">Full-stack FastAPI Tutorial 1: Project Setup &amp; Tooling</a></p> <p>If you want a production-ready version with authentication, multi-tenancy, and Stripe already wired up, check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a>.</p> <p>Smooth coding!</p> svelte fastapi webdev tutorial Why I Switched from SvelteKit SSR to SPA + FastAPI Tortoise Sat, 25 Apr 2026 13:16:30 +0000 https://forem.com/tortoise62/why-i-switched-from-sveltekit-ssr-to-spa-fastapi-242m https://forem.com/tortoise62/why-i-switched-from-sveltekit-ssr-to-spa-fastapi-242m <p><em>Originally published at <a href="https://turtledev.io/blog/why-i-switched-from-sveltekit-ssr-to-spa-fastapi" rel="noopener noreferrer">turtledev.io</a></em></p> <p>Hi, I'm <a href="https://www.linkedin.com/in/hrzafer" rel="noopener noreferrer">Harun</a>, a software engineer who's been building SaaS products for the past few years.</p> <p>I come from a backend background. To get into frontend development, I tried several frameworks (Angular, Vue, and React) but Svelte was the only framework I could understand just by looking at examples. It clicked immediately. Since then I've been using Svelte for everything including this <a href="https://github.com/TurtleDevIO/turtledev.io" rel="noopener noreferrer">static blog</a>.</p> <p>SvelteKit is the natural next step: routing, SSR, full-stack features out of the box. But its default model is SSR, and there's a lot less content out there on using it as a pure SPA. So I went with SSR, same as everyone in the React world goes with Next.js.</p> <p>Most of my projects also needed AI and ML, which meant a Python backend. So I ended up with two backends: one for SSR, one for the actual logic, both hitting the same database and talking to each other. That got messy fast.</p> <p>The dev experience wasn't great either:</p> <ul> <li>Pages were slow, especially on Vercel. Cold starts on serverless functions didn't help.</li> <li>Every request that touched Python had an extra hop through the SSR layer.</li> <li>Backend logic kept bleeding into the frontend where it didn't belong.</li> </ul> <p>Honestly, I don't remember the exact moment it clicked. At some point I just got tired of the two-backend setup and started looking for a way out. Being a backend developer at heart probably played a role. The idea of owning a clean API and treating the frontend as a thin presentation layer grew in my mind, and eventually I gave it a try.</p> <h2> After Switching to SPA + FastAPI </h2> <p>Once I switched, the improvement was immediate.</p> <p>Pages loaded instantly, navigation was smooth, no more cold start delays. More importantly, the architecture finally made sense. The backend did the heavy lifting, the frontend just consumed the API and rendered. DB writes, OAuth, AI calls, Stripe integration, all in the backend where they belonged.</p> <p>The other big win was independent deploys. Frontend and backend shipped on their own schedules. Hotfix a UI bug? Redeploy the SPA without touching the backend. Update the schema? The frontend didn't care until you told it to.</p> <p>You do need two pipelines instead of one, but with GitHub Actions it takes maybe 30 minutes to set up, and AI tools are pretty good at generating the YAML anyway.</p> <blockquote> <p><strong>Building a production app?</strong> Check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a> - a production-ready FastAPI + SvelteKit starter with authentication, payments, and more built-in.</p> </blockquote> <h2> When SEO Doesn't Matter </h2> <p>One of the main selling points of SSR is <strong>SEO</strong>. But for a <strong>SaaS dashboard</strong>, SEO doesn't really matter.</p> <p>Your authenticated app isn't being crawled by Google anyway. SEO matters for your marketing site, landing pages, and blog posts, not your user dashboard.</p> <p>And for those, a <strong>separate SvelteKit app</strong> with <strong>static generation</strong> gives you way more flexibility and blazing speed. In one of the AI startups I worked at, the landing page was built with WordPress and no one from the dev team was responsible for it — it was the marketing team's job. I highly recommend separating your marketing site from the actual SaaS app. Host the landing page on <em>mysaas.com</em> and the app on <em>app.mysaas.com</em>.</p> <h2> Why Vercel Pushes SSR </h2> <p>Vercel's business model is built around <strong>serverless rendering</strong>, not static hosting. SSR keeps apps running on their infrastructure continuously, which means more usage and more billing. It's not a bad thing. It just means SSR fits <em>their</em> model, not necessarily <em>yours</em>.</p> <p>If your app doesn't need SEO and runs mostly behind login, <strong>static + API</strong> is cheaper, faster, and simpler to scale.</p> <h2> The Hosting Reality </h2> <p>Another advantage often mentioned about SSR is deploying everything to one place (Vercel, Netlify, etc.). But I needed a Python backend anyway for AI tasks, so I had to host that somewhere. The first thought was serverless functions (AWS Lambda, Azure Functions). I've had many years of experience with both. They're great for small tasks, especially jobs that run periodically or can tolerate some delay. But for a real web API, they start to show their limitations.</p> <ol> <li> <strong>Cold starts</strong>: solvable by pinging your API periodically, but yet another thing to maintain.</li> <li> <strong>Deployment complexity</strong>: AWS Lambda requires packaging your code and dependencies, setting up IAM roles, and configuring API Gateway. Azure Functions are easier but still require some setup.</li> <li> <strong>Web frameworks</strong>: when building a web API you really feel the need for a proper framework, but most aren't designed to run in serverless environments. I've tried AWS Lambda Powertools in the past — it's nowhere near FastAPI or Flask.</li> </ol> <p>So I decided to <strong>dockerize the backend</strong> and host it on <strong>Azure Container Apps</strong>. It turned out to be a perfect middle ground:</p> <ul> <li>Around <strong>$10/month</strong> for a small app with 1 replica running at all times. Much cheaper if you set min replicas to <code>0</code>, but that brings cold starts back. For production, I recommend at least <code>1</code>.</li> <li> <strong>Auto-scales</strong> when traffic grows.</li> <li>The <strong>free tier</strong> is generous: 180,000 vCPU-seconds, 360,000 GiB-seconds, and 2 million requests/month. More than enough for an early-stage SaaS.</li> </ul> <p>Since I was already on Azure, I tried <strong>Azure Static Web Apps</strong> for the SPA frontend. Fast, simple, and <strong>free</strong>: 100 GB bandwidth, 3 custom domains, seamless CI/CD with GitHub.</p> <p>For the database, you can use the <strong>free Postgres instance on Vercel</strong>. Or keep your frontend + DB on Vercel and your backend on Azure. This flexibility is exactly what I love about separating concerns.</p> <h2> Bonus: How to Get Azure Credits </h2> <p>If you have a startup, you can get <strong>free Azure credits</strong> through the <a href="https://www.microsoft.com/startups" rel="noopener noreferrer">Microsoft for Startups Founders Hub</a> program. Most startups are eligible for at least $5,000 in credits. I got $25,000, which covers hosting costs for the first year or two.</p> <h2> Bonus: Client Code Generation </h2> <p>With FastAPI's OpenAPI spec, you can generate API client code automatically with <strong><a href="https://orval.dev" rel="noopener noreferrer">Orval</a></strong> (TypeScript) or OpenAPI Generator. Whenever you update the backend API, just regenerate the client and the frontend stays in sync. No more writing fetch wrappers manually — typed functions for every endpoint.</p> <blockquote> <p><strong>Building a production app?</strong> Check out <a href="https://fastsvelte.dev" rel="noopener noreferrer">FastSvelte</a> - a production-ready FastAPI + SvelteKit starter with authentication, payments, and more built-in.</p> </blockquote> <h2> What's Next </h2> <ul> <li><a href="https://turtledev.io/blog/how-to-build-sveltekit-spa-with-fastapi-backend" rel="noopener noreferrer">How to Build a SvelteKit SPA with FastAPI Backend</a></li> <li><a href="https://turtledev.io/blog/how-to-add-authentication-to-sveltekit-spa" rel="noopener noreferrer">How to Add Authentication to a SvelteKit SPA</a></li> </ul> <p><strong>See also:</strong> <a href="https://turtledev.io/blog/fastapi-tutorial-1-project-setup-crud-api" rel="noopener noreferrer">Full-stack FastAPI Tutorial 1: Project Setup &amp; Tooling</a></p> <p>Smooth coding!</p> svelte fastapi webdev architecture