On kwai, I am currently working on an application that coaches can use to manage trainings. The frontend is a single page application and uses the REST API's of the backend to retrieve the trainings. How can I indicate the trainings of the currently logged in coach?

How do I know that a coach is logged in? The access and refresh token are stored in cookies. That access token is currently valid for 1 hour. How do I check if the access token is still valid? And if not, how can I generate a new access token?

When the frontend application is active and an API is called which returns a 401, it will try to generate a new token and retry the API. This is implemented with wretch.

When a user opens the application for the first time it calls a validate API. This API will check the access token and renew it if needed. Now kwai knows that somebody is logged in with a valid token. But how does it know that the user is a coach?

The frontend assets generated by vite are also served by the same FastAPI server. Each application has an endpoint that uses a jinja2 template to return HTML. This template will add all scripts and css that is generated by vite. This works because vite generates a manifest file that contains all the files that are needed to run the frontend application. In kwai a ViteDependency is created that uses the manifest file to return the generated files.

Instead of using the validate API, the application endpoint can use dependencies to check if the user is logged in. The check_login dependency checks the tokens, renews them if needed, and creates or updates the cookies that are used to store the tokens. Now another problem pops up. A Cookie dependency uses the cookie from the request. It doesn't know that the cookie was already updated for the next response. This can be solved by using the request state and creating a new dependency.

def use_access_token(request: Request) -> str | None:
    """Use access token from memory if it exists, otherwise try to get it from the cookie."""
    access_token = getattr(request.state, COOKIE_ACCESS_TOKEN, None)
    if access_token is None:
        access_token = request.cookies.get(COOKIE_ACCESS_TOKEN, None)
    return access_token

The use_access_token can be used as dependency and replaces the Cookie dependency for an access token.

When the access token changes, it will also be stored in the request state:

    setattr(request.state, COOKIE_ACCESS_TOKEN, encoded_access_token)

And instead of using Cookie as dependency, use use_access_token:

async def get_current_user(
    access_token: Annotated[str | None, Depends(use_access_token)] = None,
) -> UserEntity: ...

Now the application endpoint knows that a user is logged in and can use another dependency to check if that user is a coach. If so, it will add the public uuid of the coach to the __KWAI__  javascript object. This way the frontend code will know that the user is a coach.

To avoid leaking user id's, kwai uses public and private uuids. The unique id of a user is private and will never be shown on a page.

Last but not least, when you return another response then the one that was injected by FastAPI, make sure you copy the headers of this response to your response! It was very hard to find out that the TemplateResponse wasn't sending the new cookies to the client...

Blog roll

Python

• Real Python - SOLID Design Principles

Others

• Danish head of government IT (left) hands over the first "microsoft-free" computer to the head of Danish Traffic control, December 2025
• GitHub - Charging for self-hosted runners?
• Waterfox browser goes AI-free, targets the Firefox faithful
• Guthib
• Google's Agentic AI wipes user's entire HDD without permission in catastrophic failure