Lesson Complete!
Update Your Tests
What you built
You updated the entire test suite to work with authenticated endpoints. Two helper functions — register_user and auth_header — handle the repetitive work of creating accounts and getting tokens. Every existing test now passes again, and you added four new tests:
- Registration: verifies that the API returns the user's email and identifier, but never the password
- Duplicate email: confirms that registering twice with the same email returns 400
- Wrong password: confirms that invalid credentials return 401
- Data isolation: proves that two users each see only their own expenses
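The four checks listed above, as an added example that is not the course's own code. It runs against a constructed in-memory stand-in (FakeAPI) instead of the FastAPI app and uses an opaque random token in place of the JWT. The helper signatures, the sample emails and the 201 status for registration are assumptions.

```python
import hashlib, hmac, secrets
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FakeAPI:  # constructed in-memory stand-in; every call returns (status, body)
    def __init__(self):
        self.users, self.tokens, self.expenses = {}, {}, []
    def register(self, email, password):
        if email in self.users:
            return 400, {"detail": "Email already registered"}
        salt = secrets.token_bytes(16)
        self.users[email] = {"id": len(self.users) + 1, "salt": salt, "hash": _hash(password, salt)}
        return 201, {"id": self.users[email]["id"], "email": email}  # hash and salt stay server-side
    def login(self, email, password):
        user = self.users.get(email)
        if not user or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            return 401, {"detail": "Invalid credentials"}
        token = secrets.token_urlsafe(32)  # opaque token standing in for the JWT
        self.tokens[token] = user["id"]
        return 200, {"access_token": token}
    def _owner(self, headers):
        return self.tokens.get(headers.get("Authorization", "").partition("Bearer ")[2])
    def add_expense(self, headers, description):
        if self._owner(headers) is None:
            return 401, {"detail": "Not authenticated"}
        self.expenses.append((self._owner(headers), description))
        return 201, {"description": description}
    def list_expenses(self, headers):
        if self._owner(headers) is None:
            return 401, {"detail": "Not authenticated"}
        return 200, [d for owner, d in self.expenses if owner == self._owner(headers)]

def register_user(api, email, password="correct-horse"):
    return api.register(email, password)
def auth_header(api, email, password="correct-horse"):
    register_user(api, email, password)  # a repeat registration just returns 400
    return {"Authorization": "Bearer " + api.login(email, password)[1]["access_token"]}

def run_checks():
    api = FakeAPI()
    status, body = register_user(api, "alice@example.com")
    alice, bob = auth_header(api, "alice@example.com"), auth_header(api, "bob@example.com")
    api.add_expense(alice, "coffee")
    api.add_expense(bob, "train")
    return {
        "registration": status == 201 and set(body) == {"id", "email"},
        "duplicate_email": register_user(api, "alice@example.com")[0] == 400,
        "wrong_password": api.login("alice@example.com", "not-it")[0] == 401,
        "isolation": api.list_expenses(alice)[1] == ["coffee"] and api.list_expenses(bob)[1] == ["train"],
    }
```

The isolation check compares each user's full list, so it fails if another user's expense leaks in, not only if the user's own expense is missing.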
The full journey
Look at what you built across four courses:
- Course 1: Built a REST API from scratch with FastAPI — endpoints for creating, reading, updating, and deleting expenses
- Course 2: Added a test suite, logging middleware, and global error handling
- Course 3: Replaced JSON file storage with a real SQLite database using SQLModel
- Course 4: Secured the API with password hashing, JWT tokens, and per-user data isolation
Your expense tracker API now handles user registration, login, token-based authentication, database storage, input validation, and error handling, and it is backed by a comprehensive test suite. That is a production-ready foundation.
What comes next
You have several paths forward from here:
- Docker and deployment: package your API into a container and deploy it to a cloud server so anyone can use it
- Authorization: add roles and permissions so admin users can view all expenses while regular users see only their own
- Build a frontend: create a web interface that calls your API, turning it into a complete application
Each of these builds directly on the API you already have. The hard part — a working, tested, authenticated backend — is done.