# Microservices and API Design Crash Course for Data Science Assessments

**Date Created:** 25 January 2026

This notebook covers microservices architecture, Docker Compose setup, REST API design principles, and Python web frameworks (FastAPI and Flask) commonly encountered in data science and ML engineering interviews.

---

## Table of Contents

1. [Introduction to Microservices](#1-introduction-to-microservices)
2. [Microservices vs Monolithic Architecture](#2-microservices-vs-monolithic-architecture)
3. [Common Microservices Patterns](#3-common-microservices-patterns)
4. [Docker and Docker Compose](#4-docker-and-docker-compose)
5. [REST API Fundamentals](#5-rest-api-fundamentals)
6. [HTTP Methods and Status Codes](#6-http-methods-and-status-codes)
7. [API Authentication Methods](#7-api-authentication-methods)
8. [API Design Best Practices](#8-api-design-best-practices)
9. [Flask Basics](#9-flask-basics)
10. [FastAPI Basics](#10-fastapi-basics)
11. [Practical Examples](#11-practical-examples)
12. [Practice Questions](#12-practice-questions)

---

## 1. Introduction to Microservices

**Microservices** is an architectural style where applications are built as a collection of small, independent, and loosely coupled services that communicate over a network. Each service handles a specific business functionality and can be developed, deployed, and scaled independently.

### 1.1 Key Principles

- **Single Responsibility**: Each service does one thing well
- **Loose Coupling**: Services are independent; changes don't cascade
- **High Cohesion**: Related functionality grouped together
- **Decentralised Data Management**: Each service owns its data
- **Design for Failure**: Assume services will fail; build resilience

### 1.2 Benefits

- Independent deployment and scaling
- Technology flexibility (use best tool for each service)
- Faster development cycles
- Fault isolation
- Easier to understand individual services
- Better team autonomy

---

## 2. Microservices vs Monolithic Architecture

| Aspect | Monolithic | Microservices |
|--------|-----------|---------------|
| Structure | Single deployable unit | Multiple independent services |
| Scaling | Scale entire application | Scale individual services |
| Development | Single codebase, one team | Multiple codebases, distributed teams |
| Deployment | Deploy everything together | Deploy services independently |
| Technology | One technology stack | Polyglot (different languages/frameworks) |
| Failure Impact | Failure affects entire app | Failure isolated to one service |
| Database | Shared database | Database per service |
| Complexity | Simple to develop initially | Complex infrastructure |

### 2.1 When to Use Microservices

**Use microservices when:**
- Large teams working on different features
- Need to scale components independently
- Different parts have different resource requirements
- Want technology flexibility

**Stick with monolith when:**
- Small team or early-stage project
- Simple domain with few features
- Don't have DevOps expertise
- Latency is critical (inter-service communication adds overhead)

---

## 3. Common Microservices Patterns

### 3.1 API Gateway Pattern

An **API Gateway** acts as a single entry point for all client requests. It routes requests to appropriate microservices, handles authentication, rate limiting, and can aggregate responses.

```
Client -> [API Gateway] -> Service A
                       -> Service B
                       -> Service C
```

**Benefits:**
- Single entry point for clients
- Cross-cutting concerns (auth, logging, rate limiting) in one place
- Protocol translation
- Response aggregation

### 3.2 Service Discovery Pattern

In dynamic environments, services need to find each other. **Service discovery** maintains a registry of available services and their locations.

**Types:**
- **Client-side discovery**: Client queries registry, chooses instance (e.g., Netflix Eureka)
- **Server-side discovery**: Load balancer queries registry (e.g., AWS ALB)

```
Service A -> [Service Registry] -> Gets Service B location -> Service B
```

### 3.3 Circuit Breaker Pattern

The **Circuit Breaker** prevents cascading failures by stopping requests to a failing service. It operates in three states:

1. **Closed**: Normal operation; requests flow through; failures are counted
2. **Open**: Threshold exceeded; requests fail immediately (fast-fail)
3. **Half-Open**: After timeout, allows test requests to check if service recovered

In [1]:
import time
from typing import Callable, Any


class CircuitBreakerError(Exception):
    """Raised when circuit breaker is open."""
    pass


class CircuitBreaker:
    """Simple circuit breaker implementation.
    
    Args:
        failure_threshold: Number of failures before opening circuit.
        recovery_timeout: Seconds to wait before attempting recovery.
    """
    
    def __init__(self, failure_threshold: int = 5, recovery_timeout: int = 30):
        self.failure_threshold = failure_threshold
        self.recovery_timeout = recovery_timeout
        self.failure_count = 0
        self.state = "CLOSED"
        self.last_failure_time: float | None = None
    
    def call(self, func: Callable[[], Any]) -> Any:
        """Execute function with circuit breaker protection.
        
        Args:
            func: Callable to execute.
            
        Returns:
            Result of the function call.
            
        Raises:
            CircuitBreakerError: When circuit is open.
        """
        if self.state == "OPEN":
            if self.last_failure_time and time.time() - self.last_failure_time > self.recovery_timeout:
                self.state = "HALF_OPEN"
            else:
                raise CircuitBreakerError("Circuit is open")
        
        try:
            result = func()
            self._on_success()
            return result
        except Exception as e:
            self._on_failure()
            raise
    
    def _on_success(self) -> None:
        self.failure_count = 0
        self.state = "CLOSED"
    
    def _on_failure(self) -> None:
        self.failure_count += 1
        self.last_failure_time = time.time()
        if self.failure_count >= self.failure_threshold:
            self.state = "OPEN"


# Demonstrate circuit breaker
cb = CircuitBreaker(failure_threshold=3, recovery_timeout=5)

def unreliable_service():
    """Simulates an unreliable service that always fails."""
    raise ConnectionError("Service unavailable")

# Trigger failures to open the circuit
for i in range(4):
    try:
        cb.call(unreliable_service)
    except CircuitBreakerError as e:
        print(f"Attempt {i+1}: Circuit breaker triggered - {e}")
    except ConnectionError as e:
        print(f"Attempt {i+1}: Service failed - {e}")
    print(f"  Circuit state: {cb.state}, Failures: {cb.failure_count}")

Attempt 1: Service failed - Service unavailable
  Circuit state: CLOSED, Failures: 1
Attempt 2: Service failed - Service unavailable
  Circuit state: CLOSED, Failures: 2
Attempt 3: Service failed - Service unavailable
  Circuit state: OPEN, Failures: 3
Attempt 4: Circuit breaker triggered - Circuit is open
  Circuit state: OPEN, Failures: 3


---

## 4. Docker and Docker Compose

**Docker** packages applications into containers with all dependencies. **Docker Compose** defines and runs multi-container applications using a YAML file.

### 4.1 Basic Docker Compose Structure

```yaml
version: '3.8'

services:
  api-gateway:
    build: ./gateway
    ports:
      - "8080:8080"
    depends_on:
      - user-service
    environment:
      - USER_SERVICE_URL=http://user-service:5000
    networks:
      - microservices-net

  user-service:
    build: ./user-service
    ports:
      - "5000:5000"
    environment:
      - DATABASE_URL=postgresql://postgres:password@user-db:5432/users
    depends_on:
      - user-db
    networks:
      - microservices-net
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:5000/health"]
      interval: 30s
      timeout: 10s
      retries: 3

  user-db:
    image: postgres:15
    environment:
      - POSTGRES_DB=users
      - POSTGRES_PASSWORD=password
    volumes:
      - user-data:/var/lib/postgresql/data
    networks:
      - microservices-net

networks:
  microservices-net:
    driver: bridge

volumes:
  user-data:
```

### 4.2 Key Configuration Options

| Option | Description | Example |
|--------|-------------|--------|
| `build` | Build from Dockerfile | `build: ./service-dir` |
| `image` | Use pre-built image | `image: postgres:15` |
| `ports` | Map host:container ports | `ports: ["8080:8080"]` |
| `environment` | Set environment variables | `environment: [DB_URL=...]` |
| `depends_on` | Service startup order | `depends_on: [db]` |
| `volumes` | Persistent storage | `volumes: [data:/app/data]` |
| `networks` | Custom networks | `networks: [app-net]` |
| `healthcheck` | Container health monitoring | `test: ["CMD", "curl", ...]` |

### 4.3 Networking Between Containers

- Containers on the same network communicate via **service names as hostnames**
- Use custom networks to isolate service groups
- Example: `http://user-service:5000` (service name, not IP)

### 4.4 Volume Types

- **Named volumes**: Docker-managed, persistent across container restarts
- **Bind mounts**: Map host directory to container (for development)
- **tmpfs**: In-memory storage (for sensitive data)

---

## 5. REST API Fundamentals

**REST** (Representational State Transfer) is an architectural style for designing networked applications.

### 5.1 REST Constraints

1. **Client-Server**: Separation of concerns; client handles UI, server handles data
2. **Stateless**: Each request contains all information needed; no session state on server
3. **Cacheable**: Responses must define themselves as cacheable or non-cacheable
4. **Uniform Interface**: Standardised way to interact with resources
5. **Layered System**: Client cannot tell if connected directly to server
6. **Code on Demand** (optional): Server can extend client functionality

### 5.2 Resources and URIs

In REST, everything is a **resource** identified by a **URI** (Uniform Resource Identifier).

```
GET  /users           # Collection of users
GET  /users/123       # Single user (resource)
GET  /users/123/orders  # User's orders (sub-resource)
```

---

## 6. HTTP Methods and Status Codes

### 6.1 HTTP Methods

| Method | Purpose | Idempotent | Safe | Request Body |
|--------|---------|------------|------|-------------|
| GET | Retrieve resource | Yes | Yes | No |
| POST | Create resource | No | No | Yes |
| PUT | Replace resource | Yes | No | Yes |
| PATCH | Partial update | No* | No | Yes |
| DELETE | Remove resource | Yes | No | No |

- **Idempotent**: Same request produces same result (can safely retry)
- **Safe**: Does not modify resources

### 6.2 HTTP Status Codes

#### 2xx Success
| Code | Name | Usage |
|------|------|-------|
| 200 | OK | Successful GET, PUT, PATCH |
| 201 | Created | Successful POST (include Location header) |
| 202 | Accepted | Async processing started |
| 204 | No Content | Successful DELETE (no response body) |

#### 4xx Client Errors
| Code | Name | Usage |
|------|------|-------|
| 400 | Bad Request | Invalid request syntax or parameters |
| 401 | Unauthorised | Authentication required/failed |
| 403 | Forbidden | Authenticated but not authorised |
| 404 | Not Found | Resource doesn't exist |
| 409 | Conflict | Request conflicts with current state |
| 422 | Unprocessable Entity | Valid syntax but semantic errors |
| 429 | Too Many Requests | Rate limit exceeded |

#### 5xx Server Errors
| Code | Name | Usage |
|------|------|-------|
| 500 | Internal Server Error | Generic server error |
| 502 | Bad Gateway | Invalid response from upstream |
| 503 | Service Unavailable | Server temporarily unavailable |
| 504 | Gateway Timeout | Upstream server timeout |

In [2]:
# HTTP Status Code Reference

HTTP_STATUS_CODES = {
    # 2xx Success
    200: ("OK", "Request succeeded"),
    201: ("Created", "Resource created successfully"),
    204: ("No Content", "Request succeeded, no content to return"),
    
    # 4xx Client Errors
    400: ("Bad Request", "Invalid request syntax or parameters"),
    401: ("Unauthorised", "Authentication required or failed"),
    403: ("Forbidden", "Authenticated but not authorised"),
    404: ("Not Found", "Resource does not exist"),
    409: ("Conflict", "Request conflicts with current state"),
    422: ("Unprocessable Entity", "Valid syntax but semantic errors"),
    429: ("Too Many Requests", "Rate limit exceeded"),
    
    # 5xx Server Errors
    500: ("Internal Server Error", "Generic server error"),
    502: ("Bad Gateway", "Invalid response from upstream"),
    503: ("Service Unavailable", "Server temporarily unavailable"),
}

def explain_status_code(code: int) -> str:
    """Get explanation for HTTP status code.
    
    Args:
        code: HTTP status code.
        
    Returns:
        Human-readable explanation.
    """
    if code in HTTP_STATUS_CODES:
        name, description = HTTP_STATUS_CODES[code]
        return f"{code} {name}: {description}"
    return f"{code}: Unknown status code"

# Test common codes
test_codes = [200, 201, 400, 401, 403, 404, 500]
for code in test_codes:
    print(explain_status_code(code))

200 OK: Request succeeded
201 Created: Resource created successfully
400 Bad Request: Invalid request syntax or parameters
401 Unauthorised: Authentication required or failed
403 Forbidden: Authenticated but not authorised
404 Not Found: Resource does not exist
500 Internal Server Error: Generic server error


---

## 7. API Authentication Methods

### 7.1 API Keys

Simple string tokens for identifying applications.

```http
GET /api/users
X-API-Key: abc123def456
```

**Pros:** Simple to implement  
**Cons:** No expiration, identifies app not user

### 7.2 JWT (JSON Web Tokens)

Self-contained tokens with encoded claims.

```http
GET /api/users
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```

**Structure:** `header.payload.signature`

```json
// Payload example
{
  "sub": "user123",
  "name": "Alice",
  "role": "admin",
  "exp": 1735084800
}
```

**Pros:** Stateless, contains user info, expirable  
**Cons:** Cannot revoke without blocklist, size overhead

### 7.3 OAuth 2.0

Delegated authorisation framework for third-party access.

**Authorisation Code Flow:**
1. User redirected to auth server
2. User authenticates and grants permissions
3. Auth server returns authorisation code
4. App exchanges code for access token
5. App uses token to access API

### 7.4 Comparison

| Method | Use Case |
|--------|----------|
| API Keys | Server-to-server, simple apps |
| JWT | Stateless auth, microservices |
| OAuth 2.0 | Third-party access, user delegation |

In [3]:
import base64
import json
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def create_simple_jwt(payload: dict, secret: str) -> str:
    """Create a simple JWT token (for demonstration only).
    
    Args:
        payload: Data to encode in the token.
        secret: Secret key for signing.
        
    Returns:
        JWT token string.
        
    Note:
        Use a proper library like PyJWT in production.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    
    def b64_encode(data: dict) -> str:
        json_bytes = json.dumps(data, separators=(',', ':')).encode()
        return base64.urlsafe_b64encode(json_bytes).rstrip(b'=').decode()
    
    header_b64 = b64_encode(header)
    payload_b64 = b64_encode(payload)
    
    message = f"{header_b64}.{payload_b64}"
    signature = hmac.new(
        secret.encode(), 
        message.encode(), 
        hashlib.sha256
    ).digest()
    signature_b64 = base64.urlsafe_b64encode(signature).rstrip(b'=').decode()
    
    return f"{message}.{signature_b64}"


def decode_jwt_payload(token: str) -> dict:
    """Decode JWT payload (without verification).
    
    Args:
        token: JWT token string.
        
    Returns:
        Decoded payload dictionary.
    """
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError("Invalid JWT format")
    
    payload_b64 = parts[1]
    padding = 4 - len(payload_b64) % 4
    if padding != 4:
        payload_b64 += '=' * padding
    
    payload_json = base64.urlsafe_b64decode(payload_b64)
    return json.loads(payload_json)


# Demonstrate JWT creation and decoding
secret_key = "my-secret-key"
user_payload = {
    "sub": "user_123",
    "name": "Alice Smith",
    "role": "admin",
    "exp": int((datetime.now(timezone.utc) + timedelta(hours=1)).timestamp())
}

token = create_simple_jwt(user_payload, secret_key)
print(f"JWT Token: {token[:50]}...")
print(f"\nDecoded Payload: {decode_jwt_payload(token)}")

JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c...

Decoded Payload: {'sub': 'user_123', 'name': 'Alice Smith', 'role': 'admin', 'exp': 1769356785}


---

## 8. API Design Best Practices

### 8.1 RESTful Endpoint Naming

**Rules:**
1. Use **nouns**, not verbs (HTTP method provides the verb)
2. Use **plural** nouns for collections
3. Use **lowercase** with hyphens for multi-word
4. **Hierarchical** structure for relationships
5. **Avoid** file extensions in URLs

```python
# Good
GET  /users                 # List users
GET  /users/123             # Get user 123
GET  /users/123/orders      # User's orders
POST /users                 # Create user
PUT  /users/123             # Update user
DELETE /users/123           # Delete user

# Bad
GET  /getUsers              # Verb in URL
GET  /user                  # Singular
GET  /users/123/getOrders   # Verb in URL
POST /createUser            # Verb in URL
```

### 8.2 API Versioning

| Strategy | Example | Pros | Cons |
|----------|---------|------|------|
| URI Path | `/v1/users` | Clear, easy to implement | URL changes |
| Query Parameter | `/users?version=1` | Optional versioning | Easy to miss |
| Header | `API-Version: 1` | Clean URLs | Hidden, harder to test |

**Recommendation:** URI versioning is most common and explicit.

### 8.3 Error Response Structure

```json
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "details": [
      {"field": "email", "message": "Invalid email format"},
      {"field": "age", "message": "Must be a positive integer"}
    ],
    "request_id": "req_abc123"
  }
}
```

### 8.4 Pagination

**Offset-based** (simple but slow for large offsets):
```
GET /users?page=3&per_page=20
GET /users?offset=40&limit=20
```

**Cursor-based** (efficient for large datasets):
```
GET /users?cursor=eyJpZCI6MTAwfQ==&limit=20
```

### 8.5 Rate Limiting Headers

```http
X-RateLimit-Limit: 100        # Max requests per window
X-RateLimit-Remaining: 45     # Requests left
X-RateLimit-Reset: 1705312800 # Unix timestamp when window resets
Retry-After: 60               # Seconds to wait (when limited)
```

In [4]:
from dataclasses import dataclass, field
from typing import Any


@dataclass
class APIError:
    """Standardised API error response.
    
    Attributes:
        code: Machine-readable error code.
        message: Human-readable error message.
        status_code: HTTP status code.
        details: Additional error details.
        request_id: Unique request identifier for debugging.
    """
    code: str
    message: str
    status_code: int = 400
    details: list[dict[str, Any]] = field(default_factory=list)
    request_id: str | None = None
    
    def to_dict(self) -> dict:
        """Convert to dictionary for JSON response."""
        error_dict = {
            "error": {
                "code": self.code,
                "message": self.message,
            }
        }
        if self.details:
            error_dict["error"]["details"] = self.details
        if self.request_id:
            error_dict["error"]["request_id"] = self.request_id
        return error_dict


@dataclass
class PaginatedResponse:
    """Standardised paginated API response.
    
    Attributes:
        data: List of items.
        total: Total number of items.
        page: Current page number.
        per_page: Items per page.
        base_url: Base URL for generating links.
    """
    data: list
    total: int
    page: int
    per_page: int
    base_url: str = "/items"
    
    @property
    def total_pages(self) -> int:
        return (self.total + self.per_page - 1) // self.per_page
    
    def to_dict(self) -> dict:
        """Convert to dictionary for JSON response."""
        links = {"self": f"{self.base_url}?page={self.page}"}
        links["first"] = f"{self.base_url}?page=1"
        links["last"] = f"{self.base_url}?page={self.total_pages}"
        if self.page > 1:
            links["prev"] = f"{self.base_url}?page={self.page - 1}"
        if self.page < self.total_pages:
            links["next"] = f"{self.base_url}?page={self.page + 1}"
        
        return {
            "data": self.data,
            "pagination": {
                "total": self.total,
                "page": self.page,
                "per_page": self.per_page,
                "total_pages": self.total_pages,
                "links": links
            }
        }


# Demonstrate error response
validation_error = APIError(
    code="VALIDATION_ERROR",
    message="Invalid request parameters",
    status_code=422,
    details=[
        {"field": "email", "message": "Invalid email format"},
        {"field": "age", "message": "Must be positive"}
    ],
    request_id="req_abc123"
)
print("Error Response:")
print(json.dumps(validation_error.to_dict(), indent=2))

# Demonstrate paginated response
print("\nPaginated Response:")
paginated = PaginatedResponse(
    data=[{"id": i, "name": f"Item {i}"} for i in range(1, 4)],
    total=100,
    page=3,
    per_page=3,
    base_url="/items"
)
print(json.dumps(paginated.to_dict(), indent=2))

Error Response:
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "details": [
      {
        "field": "email",
        "message": "Invalid email format"
      },
      {
        "field": "age",
        "message": "Must be positive"
      }
    ],
    "request_id": "req_abc123"
  }
}

Paginated Response:
{
  "data": [
    {
      "id": 1,
      "name": "Item 1"
    },
    {
      "id": 2,
      "name": "Item 2"
    },
    {
      "id": 3,
      "name": "Item 3"
    }
  ],
  "pagination": {
    "total": 100,
    "page": 3,
    "per_page": 3,
    "total_pages": 34,
    "links": {
      "self": "/items?page=3",
      "first": "/items?page=1",
      "last": "/items?page=34",
      "prev": "/items?page=2",
      "next": "/items?page=4"
    }
  }
}


---

## 9. Flask Basics

**Flask** is a lightweight WSGI (synchronous) web framework. It's simple and flexible, making it great for small to medium applications.

### 9.1 Basic Application Structure

```python
from flask import Flask, request, jsonify
from functools import wraps

app = Flask(__name__)

# Simple route
@app.route('/health')
def health_check():
    return jsonify({"status": "healthy"})

# Route with path parameter
@app.route('/users/<int:user_id>', methods=['GET'])
def get_user(user_id):
    user = find_user(user_id)
    if not user:
        return jsonify({"error": "User not found"}), 404
    return jsonify(user)

# POST route with request body
@app.route('/users', methods=['POST'])
def create_user():
    data = request.get_json()
    if not data.get('email'):
        return jsonify({"error": "Email required"}), 400
    user = create_user_in_db(data)
    return jsonify(user), 201

if __name__ == '__main__':
    app.run(debug=True)
```

### 9.2 Middleware Pattern (Decorators)

```python
def require_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        token = request.headers.get('Authorization')
        if not token:
            return jsonify({"error": "Unauthorised"}), 401
        # Verify token...
        return f(*args, **kwargs)
    return decorated

@app.route('/protected')
@require_auth
def protected_route():
    return jsonify({"data": "secret"})
```

### 9.3 Request/Response Lifecycle

```python
from flask import g
import time

@app.before_request
def before_request():
    g.start_time = time.time()

@app.after_request
def after_request(response):
    duration = time.time() - g.start_time
    response.headers['X-Response-Time'] = str(duration)
    return response

@app.errorhandler(500)
def internal_error(error):
    return jsonify({"error": "Internal server error"}), 500
```

---

## 10. FastAPI Basics

**FastAPI** is a modern ASGI (asynchronous) web framework with automatic validation, type hints, and auto-generated documentation.

### 10.1 Basic Application Structure

```python
from fastapi import FastAPI, HTTPException, Depends, Header
from pydantic import BaseModel, EmailStr
from typing import Optional, List

app = FastAPI(title="User API", version="1.0.0")

# Pydantic models for validation
class UserCreate(BaseModel):
    name: str
    email: EmailStr
    age: Optional[int] = None

class UserResponse(BaseModel):
    id: int
    name: str
    email: str
    
    class Config:
        from_attributes = True  # Enable ORM mode

# GET with path parameter
@app.get("/users/{user_id}", response_model=UserResponse)
async def get_user(user_id: int):
    user = await find_user(user_id)
    if not user:
        raise HTTPException(status_code=404, detail="User not found")
    return user

# POST with automatic validation
@app.post("/users", response_model=UserResponse, status_code=201)
async def create_user(user: UserCreate):
    return await create_user_in_db(user)
```

### 10.2 Dependency Injection

```python
from fastapi import Depends
from sqlalchemy.orm import Session

# Database session dependency
def get_db():
    db = SessionLocal()
    try:
        yield db
    finally:
        db.close()

# Auth dependency
async def get_current_user(
    token: str = Depends(oauth2_scheme),
    db: Session = Depends(get_db)
):
    user = await authenticate_user(token, db)
    if not user:
        raise HTTPException(status_code=401)
    return user

# Use in endpoint
@app.get("/me")
async def read_me(
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db)
):
    return current_user
```

### 10.3 Middleware

```python
from fastapi import Request
import time

@app.middleware("http")
async def add_process_time_header(request: Request, call_next):
    start_time = time.time()
    response = await call_next(request)
    process_time = time.time() - start_time
    response.headers["X-Process-Time"] = str(process_time)
    return response
```

### 10.4 Flask vs FastAPI Comparison

| Aspect | Flask | FastAPI |
|--------|-------|--------|
| Type | WSGI (synchronous) | ASGI (asynchronous) |
| Performance | ~2-4k req/sec | ~15-20k req/sec |
| Type Hints | Optional | Required |
| Validation | Manual/extensions | Automatic (Pydantic) |
| Documentation | Manual | Auto-generated (OpenAPI) |
| Async Support | Limited | Native |
| Learning Curve | Lower | Moderate |

In [5]:
# Simulating Flask-like and FastAPI-like patterns
# (Without actually running servers)

from dataclasses import dataclass
from typing import Callable, Any
import re


class SimpleRouter:
    """Simple router demonstrating API framework concepts.
    
    This demonstrates routing, parameter extraction, and middleware
    concepts used in Flask and FastAPI.
    """
    
    def __init__(self):
        self.routes: dict[tuple[str, str], Callable] = {}
        self.middleware: list[Callable] = []
    
    def route(self, path: str, method: str = "GET"):
        """Decorator to register a route handler."""
        def decorator(func: Callable) -> Callable:
            self.routes[(method, path)] = func
            return func
        return decorator
    
    def add_middleware(self, middleware: Callable):
        """Add middleware function."""
        self.middleware.append(middleware)
    
    def handle_request(self, method: str, path: str, **kwargs) -> dict:
        """Simulate handling a request."""
        request_context = {"method": method, "path": path, "params": kwargs}
        
        for mw in self.middleware:
            result = mw(request_context)
            if result is not None:
                return result
        
        for (route_method, route_path), handler in self.routes.items():
            if route_method == method:
                path_pattern = re.sub(r'<(\w+)>', r'(?P<\1>[^/]+)', route_path)
                match = re.match(f"^{path_pattern}$", path)
                if match:
                    params = {**match.groupdict(), **kwargs}
                    return handler(**params)
        
        return {"error": "Not Found", "status": 404}


# Create router and define routes
router = SimpleRouter()

# Simulated database
users_db = {
    "1": {"id": 1, "name": "Alice", "email": "alice@example.com"},
    "2": {"id": 2, "name": "Bob", "email": "bob@example.com"},
}

@router.route("/health")
def health_check():
    return {"status": "healthy"}

@router.route("/users/<user_id>")
def get_user(user_id: str):
    if user_id in users_db:
        return users_db[user_id]
    return {"error": "User not found", "status": 404}

@router.route("/users", method="POST")
def create_user(name: str = None, email: str = None):
    if not name or not email:
        return {"error": "Name and email required", "status": 400}
    new_id = str(len(users_db) + 1)
    users_db[new_id] = {"id": int(new_id), "name": name, "email": email}
    return {**users_db[new_id], "status": 201}

# Test the router
print("GET /health:")
print(router.handle_request("GET", "/health"))

print("\nGET /users/1:")
print(router.handle_request("GET", "/users/1"))

print("\nGET /users/999:")
print(router.handle_request("GET", "/users/999"))

print("\nPOST /users:")
print(router.handle_request("POST", "/users", name="Charlie", email="charlie@example.com"))

GET /health:
{'status': 'healthy'}

GET /users/1:
{'id': 1, 'name': 'Alice', 'email': 'alice@example.com'}

GET /users/999:
{'error': 'User not found', 'status': 404}

POST /users:
{'id': 3, 'name': 'Charlie', 'email': 'charlie@example.com', 'status': 201}


---

## 11. Practical Examples

### 11.1 Complete ML Model API Structure

A typical structure for serving an ML model via API:

```
ml-api/
├── docker-compose.yml
├── Dockerfile
├── requirements.txt
├── app/
│   ├── __init__.py
│   ├── main.py           # FastAPI app
│   ├── config.py         # Settings
│   ├── models/
│   │   ├── __init__.py
│   │   └── schemas.py    # Pydantic models
│   ├── routers/
│   │   ├── __init__.py
│   │   └── predict.py    # Prediction endpoints
│   └── services/
│       ├── __init__.py
│       └── ml_model.py   # Model loading/inference
└── models/
    └── model.pkl         # Trained model
```

### 11.2 Docker Compose for ML Service

```yaml
version: '3.8'

services:
  ml-api:
    build: .
    ports:
      - "8000:8000"
    volumes:
      - ./models:/app/models:ro
    environment:
      - MODEL_PATH=/app/models/model.pkl
      - LOG_LEVEL=INFO
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 2G
        reservations:
          memory: 1G

  redis:
    image: redis:7-alpine
    ports:
      - "6379:6379"
```

In [6]:
# Example: ML Model API Schemas and Service

from dataclasses import dataclass
from typing import Optional
import numpy as np


@dataclass
class PredictionRequest:
    """Request schema for ML prediction.
    
    Attributes:
        features: List of feature values.
        model_version: Optional model version to use.
    """
    features: list[float]
    model_version: Optional[str] = "latest"


@dataclass
class PredictionResponse:
    """Response schema for ML prediction.
    
    Attributes:
        prediction: Model prediction.
        probability: Prediction probability (if classification).
        model_version: Model version used.
        request_id: Unique request identifier.
    """
    prediction: float | int | str
    probability: Optional[float] = None
    model_version: str = "1.0.0"
    request_id: str = ""


class MockMLModel:
    """Mock ML model for demonstration.
    
    In production, this would load and use a real trained model.
    """
    
    def __init__(self, version: str = "1.0.0"):
        self.version = version
        self.is_loaded = False
    
    def load(self, model_path: str = None) -> None:
        """Load model from disk."""
        print(f"Loading model v{self.version}...")
        self.is_loaded = True
    
    def predict(self, features: list[float]) -> tuple[int, float]:
        """Make prediction.
        
        Args:
            features: Input features.
            
        Returns:
            Tuple of (prediction, probability).
        """
        if not self.is_loaded:
            raise RuntimeError("Model not loaded")
        
        feature_array = np.array(features)
        mock_score = 1 / (1 + np.exp(-feature_array.mean()))
        prediction = 1 if mock_score > 0.5 else 0
        return prediction, float(mock_score)


class PredictionService:
    """Service layer for handling predictions."""
    
    def __init__(self):
        self.model = MockMLModel()
        self.request_count = 0
    
    def initialise(self) -> None:
        """Initialise the service (load model)."""
        self.model.load()
    
    def predict(self, request: PredictionRequest) -> PredictionResponse:
        """Process prediction request.
        
        Args:
            request: Prediction request.
            
        Returns:
            Prediction response.
        """
        self.request_count += 1
        request_id = f"req_{self.request_count:06d}"
        
        prediction, probability = self.model.predict(request.features)
        
        return PredictionResponse(
            prediction=prediction,
            probability=probability,
            model_version=self.model.version,
            request_id=request_id
        )


# Demonstrate the service
service = PredictionService()
service.initialise()

# Make predictions
test_requests = [
    PredictionRequest(features=[0.5, 1.2, -0.3, 0.8]),
    PredictionRequest(features=[-1.0, -0.5, -2.0, -1.5]),
    PredictionRequest(features=[2.0, 1.5, 3.0, 2.5]),
]

print("\nPrediction Results:")
print("-" * 60)
for req in test_requests:
    response = service.predict(req)
    print(f"Request ID: {response.request_id}")
    print(f"  Features: {req.features}")
    print(f"  Prediction: {response.prediction}")
    print(f"  Probability: {response.probability:.4f}")
    print()

Loading model v1.0.0...

Prediction Results:
------------------------------------------------------------
Request ID: req_000001
  Features: [0.5, 1.2, -0.3, 0.8]
  Prediction: 1
  Probability: 0.6341

Request ID: req_000002
  Features: [-1.0, -0.5, -2.0, -1.5]
  Prediction: 0
  Probability: 0.2227

Request ID: req_000003
  Features: [2.0, 1.5, 3.0, 2.5]
  Prediction: 1
  Probability: 0.9047



---

## 12. Practice Questions

### 12.1 Theory Questions

**Question 1: Microservices vs Monolith** - What are the key differences between microservices and monolithic architecture? When would you choose one over the other?

<details>
<summary>Click to reveal solution</summary>

**Key Differences:**
- **Deployment**: Monolith deploys as single unit; microservices deploy independently
- **Scaling**: Monolith scales entire app; microservices scale individual services
- **Technology**: Monolith uses one stack; microservices can be polyglot
- **Failure**: Monolith failures cascade; microservices failures are isolated

**Choose Microservices when:** Large teams, need independent scaling, want technology flexibility

**Choose Monolith when:** Small team, simple domain, limited DevOps resources
</details>

---

**Question 2: Circuit Breaker Pattern** - Explain the Circuit Breaker pattern. What are its three states?

<details>
<summary>Click to reveal solution</summary>

Prevents cascading failures by stopping requests to a failing service.

**Three States:**
1. **Closed**: Normal operation; failures counted
2. **Open**: Threshold exceeded; requests fail immediately
3. **Half-Open**: After timeout, allows test requests
</details>

---

**Question 3: HTTP Status Codes** - When would you return 401 vs 403? What about 400 vs 422?

<details>
<summary>Click to reveal solution</summary>

- **401**: Authentication required ("who are you?")
- **403**: Authenticated but not authorised ("you can't do this")
- **400**: Malformed syntax, invalid JSON
- **422**: Valid syntax but semantic errors (e.g., invalid email format)
</details>

---

**Question 4: JWT vs OAuth** - Compare JWT and OAuth 2.0. When would you use each?

<details>
<summary>Click to reveal solution</summary>

- **JWT**: Stateless tokens with encoded claims. Use for internal microservices.
- **OAuth 2.0**: Delegated authorisation framework. Use for third-party integrations.

Note: OAuth access tokens are often JWTs.
</details>

---

**Question 5: API Gateway Benefits** - What are the benefits of using an API Gateway?

<details>
<summary>Click to reveal solution</summary>

Single entry point, centralised auth/logging/rate limiting, protocol translation, response aggregation, load balancing, caching, security (hide internal topology).
</details>

---

### 12.2 Coding Questions

**Coding Question 1: Rate Limiter**

Implement a `RateLimiter` class that limits requests using a sliding window approach. It should:
- Accept `max_requests` and `window_seconds` in the constructor
- Have an `allow_request(client_id: str) -> bool` method that returns `True` if the request is allowed
- Track requests per client independently

```python
# Test your implementation:
limiter = RateLimiter(max_requests=3, window_seconds=10)
print(limiter.allow_request("client_1"))  # True
print(limiter.allow_request("client_1"))  # True
print(limiter.allow_request("client_1"))  # True
print(limiter.allow_request("client_1"))  # False (exceeded limit)
print(limiter.allow_request("client_2"))  # True (different client)
```

In [None]:
# Your solution here


<details>
<summary>Click to reveal solution</summary>

```python
import time
from collections import defaultdict


class RateLimiter:
    """Sliding window rate limiter.
    
    Args:
        max_requests: Maximum requests allowed per window.
        window_seconds: Time window in seconds.
    """
    
    def __init__(self, max_requests: int, window_seconds: int):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.requests: dict[str, list[float]] = defaultdict(list)
    
    def allow_request(self, client_id: str) -> bool:
        """Check if request is allowed for client.
        
        Args:
            client_id: Unique client identifier.
            
        Returns:
            True if request is allowed, False otherwise.
        """
        current_time = time.time()
        window_start = current_time - self.window_seconds
        
        # Remove expired timestamps
        self.requests[client_id] = [
            ts for ts in self.requests[client_id] if ts > window_start
        ]
        
        if len(self.requests[client_id]) < self.max_requests:
            self.requests[client_id].append(current_time)
            return True
        return False
```
</details>

---

**Coding Question 2: Request Validator**

Implement a `validate_user_request` function that validates user creation data and returns a standardised error response. The function should:
- Check that `name` is present and non-empty
- Check that `email` contains `@` and `.`
- Check that `age` (if provided) is a positive integer
- Return `None` if valid, or a dict with `{"errors": [{"field": ..., "message": ...}, ...]}` if invalid

```python
# Test your implementation:
print(validate_user_request({"name": "Alice", "email": "alice@example.com"}))  # None
print(validate_user_request({"name": "", "email": "invalid"}))  # {"errors": [...]}
print(validate_user_request({"name": "Bob", "email": "bob@test.com", "age": -5}))  # {"errors": [...]}
```

In [None]:
# Your solution here


<details>
<summary>Click to reveal solution</summary>

```python
def validate_user_request(data: dict) -> dict | None:
    """Validate user creation request data.
    
    Args:
        data: Request data dictionary.
        
    Returns:
        None if valid, error dict if invalid.
    """
    errors = []
    
    # Validate name
    name = data.get("name", "")
    if not name or not name.strip():
        errors.append({"field": "name", "message": "Name is required"})
    
    # Validate email
    email = data.get("email", "")
    if not email or "@" not in email or "." not in email:
        errors.append({"field": "email", "message": "Valid email is required"})
    
    # Validate age (optional)
    if "age" in data:
        age = data["age"]
        if not isinstance(age, int) or age <= 0:
            errors.append({"field": "age", "message": "Age must be a positive integer"})
    
    return {"errors": errors} if errors else None
```
</details>

---

**Coding Question 3: Retry with Exponential Backoff**

Implement a `retry_with_backoff` decorator that retries a function on failure with exponential backoff. It should:
- Accept `max_retries` and `base_delay` parameters
- Double the delay after each retry (exponential backoff)
- Re-raise the exception after all retries are exhausted

```python
# Test your implementation:
@retry_with_backoff(max_retries=3, base_delay=0.1)
def unreliable_function():
    import random
    if random.random() < 0.7:  # 70% chance of failure
        raise ConnectionError("Service unavailable")
    return "Success!"

# This will retry up to 3 times with delays of 0.1s, 0.2s, 0.4s
result = unreliable_function()
```

In [None]:
# Your solution here


<details>
<summary>Click to reveal solution</summary>

```python
import time
from functools import wraps
from typing import Callable, Any


def retry_with_backoff(max_retries: int = 3, base_delay: float = 1.0):
    """Decorator that retries function with exponential backoff.
    
    Args:
        max_retries: Maximum number of retry attempts.
        base_delay: Initial delay in seconds (doubles each retry).
        
    Returns:
        Decorated function.
    """
    def decorator(func: Callable) -> Callable:
        @wraps(func)
        def wrapper(*args, **kwargs) -> Any:
            last_exception = None
            delay = base_delay
            
            for attempt in range(max_retries + 1):
                try:
                    return func(*args, **kwargs)
                except Exception as e:
                    last_exception = e
                    if attempt < max_retries:
                        print(f"Attempt {attempt + 1} failed, retrying in {delay}s...")
                        time.sleep(delay)
                        delay *= 2  # Exponential backoff
            
            raise last_exception
        return wrapper
    return decorator
```
</details>

---

**Coding Question 4: Cursor-based Pagination**

Implement `encode_cursor` and `decode_cursor` functions for cursor-based pagination. The cursor should encode the last seen ID using base64.

```python
# Test your implementation:
cursor = encode_cursor({"last_id": 100, "direction": "next"})
print(f"Encoded: {cursor}")  # e.g., "eyJsYXN0X2lkIjogMTAwLCAiZGlyZWN0aW9uIjogIm5leHQifQ=="

decoded = decode_cursor(cursor)
print(f"Decoded: {decoded}")  # {"last_id": 100, "direction": "next"}
```

In [None]:
# Your solution here


<details>
<summary>Click to reveal solution</summary>

```python
import base64
import json


def encode_cursor(data: dict) -> str:
    """Encode pagination data into a cursor string.
    
    Args:
        data: Dictionary containing pagination state.
        
    Returns:
        Base64-encoded cursor string.
    """
    json_str = json.dumps(data)
    return base64.urlsafe_b64encode(json_str.encode()).decode()


def decode_cursor(cursor: str) -> dict:
    """Decode a cursor string back to pagination data.
    
    Args:
        cursor: Base64-encoded cursor string.
        
    Returns:
        Dictionary containing pagination state.
        
    Raises:
        ValueError: If cursor is invalid.
    """
    try:
        json_str = base64.urlsafe_b64decode(cursor.encode()).decode()
        return json.loads(json_str)
    except Exception as e:
        raise ValueError(f"Invalid cursor: {e}")
```
</details>

---

**Coding Question 5: Health Check Endpoint**

Implement a `HealthChecker` class that checks the health of multiple service dependencies and returns an aggregated health status. It should:
- Accept a dict of `{service_name: check_function}` where each check function returns `True` (healthy) or `False` (unhealthy)
- Have a `check_all() -> dict` method returning status for each service and overall health
- Overall status is `"healthy"` only if all services are healthy

```python
# Test your implementation:
def check_database():
    return True

def check_redis():
    return False

checker = HealthChecker({
    "database": check_database,
    "redis": check_redis,
})

print(checker.check_all())
# {"status": "unhealthy", "services": {"database": "healthy", "redis": "unhealthy"}}
```

In [None]:
# Your solution here


<details>
<summary>Click to reveal solution</summary>

```python
from typing import Callable


class HealthChecker:
    """Aggregated health checker for service dependencies.
    
    Args:
        checks: Dict mapping service name to health check function.
    """
    
    def __init__(self, checks: dict[str, Callable[[], bool]]):
        self.checks = checks
    
    def check_all(self) -> dict:
        """Check health of all registered services.
        
        Returns:
            Dict with overall status and individual service statuses.
        """
        services = {}
        all_healthy = True
        
        for name, check_func in self.checks.items():
            try:
                is_healthy = check_func()
            except Exception:
                is_healthy = False
            
            services[name] = "healthy" if is_healthy else "unhealthy"
            if not is_healthy:
                all_healthy = False
        
        return {
            "status": "healthy" if all_healthy else "unhealthy",
            "services": services
        }
```
</details>

---

## Summary

### Key Concepts

**Microservices:**
- Small, independent services with single responsibility
- Key patterns: API Gateway, Service Discovery, Circuit Breaker
- Trade-off: Flexibility vs infrastructure complexity

**Docker Compose:**
- Multi-container orchestration via YAML
- Services communicate via service names as hostnames
- Use volumes for persistence, networks for isolation

**REST APIs:**
- Stateless, resource-oriented architecture
- HTTP methods: GET (read), POST (create), PUT/PATCH (update), DELETE (remove)
- Status codes: 2xx success, 4xx client error, 5xx server error

**API Design:**
- Use nouns, plural, lowercase, hierarchical URIs
- Version via URI path (`/v1/`)
- Include error codes, messages, and request IDs
- Use cursor-based pagination for large datasets

**Python Frameworks:**
- Flask: Simple, synchronous, explicit
- FastAPI: Modern, async, automatic validation and docs

### Interview Tips

1. **Know the trade-offs**: Microservices vs monolith, JWT vs OAuth, offset vs cursor pagination
2. **Explain patterns**: Circuit breaker prevents cascading failures; API Gateway centralises cross-cutting concerns
3. **Design clean APIs**: Resource-oriented, proper status codes, consistent error responses
4. **Understand Docker networking**: Service names as hostnames, custom networks for isolation
5. **Compare frameworks**: Know when FastAPI's async and auto-validation are worth the trade-offs