Lesson Complete!
Registration and Login
What you built
You added two endpoints to your API:
- POST /register: accepts an email and password, hashes the password, stores the user, and returns the user's identifier and email
- POST /login: verifies the credentials and returns a JWT with a 30-minute expiry
You also created the UserCreate model — a Pydantic model that keeps the request body separate from the User database model. The client never sets id or password_hash directly.
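The flow recapped above, as an added standard-library sketch. It is not the lesson's code. Assumptions: PBKDF2 and a hand-built HS256 token stand in for whatever hashing and JWT libraries the lesson used, an in-memory dict stands in for the database, and the names register, login, verify, USERS and SECRET are hypothetical.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)   # assumption: per-process HS256 key
TOKEN_TTL = 30 * 60       # 30-minute expiry from the lesson
USERS = {}                # constructed in-memory store: email -> record

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def register(body):
    # Like UserCreate: the client may send email and password, nothing else.
    if set(body) != {"email", "password"}:
        raise ValueError("unexpected or missing fields")
    if body["email"] in USERS:
        raise ValueError("email already registered")
    salt = os.urandom(16)
    user = {"id": len(USERS) + 1, "email": body["email"], "salt": salt,
            "password_hash": _hash(body["password"], salt)}
    USERS[user["email"]] = user
    return {"id": user["id"], "email": user["email"]}  # hash never leaves

def login(email, password, now=None):
    user = USERS.get(email)
    # Hash for unknown emails too, so both failure paths do similar work.
    candidate = _hash(password, user["salt"] if user else b"\0" * 16)
    if not user or not hmac.compare_digest(candidate, user["password_hash"]):
        raise PermissionError("invalid credentials")
    now = int(time.time() if now is None else now)
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": str(user["id"]), "exp": now + TOKEN_TTL}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def verify(token, now=None):
    head, body, sig = token.split(".")
    # The algorithm is fixed server-side; the header's "alg" is never trusted.
    if not hmac.compare_digest(_sign(head + "." + body).encode(), sig.encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("token expired")
    return claims
```

The now parameter exists only so the expiry boundary can be checked deterministically; a request that tries to supply id or password_hash is rejected before any user record is built.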
What comes next
Registration and login work, but the expense endpoints are still wide open. Any request succeeds without a token. Lesson 3 adds get_current_user as a dependency to every expense endpoint, so only authenticated users can access them.