Why did my FastAPI OpenAPI schema or validation break after upgrading?
A 3am runbook for FastAPI upgrades that suddenly break OpenAPI docs, auth schemes, or request validation. Evidence-backed by upstream issues/PRs. Last verified: 2026-02-06.
Top clusters
View all clusters →If you’re debugging an OpenAPI/validation incident, these are the fastest adjacent fix families.
Top Queries / Error Strings
Copy-paste these into logs/search when you’re triaging an OpenAPI/validation incident.
TL;DR Fix
- Upgrade FastAPI to a fixed release:
pip install -U "fastapi==0.128.2" - Pin dependency versions (FastAPI + Pydantic) so prod doesn’t drift between deploys.
- Mitigate OpenAPI outages: disable
/docs//openapi.jsonor serve a cached schema while you upgrade. - Validation bypass = incident: roll forward (or to known-good) immediately.
- Verify: OpenAPI returns 200, security schemes exist (not duplicated), computed fields show up, invalid inputs return 422.
1. What’s happening?
You upgraded FastAPI (often alongside Pydantic) and production breaks in one of these ways:
/openapi.jsonreturns 500 or Swagger UI fails to render.- Auth UI breaks: “Authorize” missing, padlocks gone, or OAuth2 schemes duplicated.
- Schema drift: component names change, computed fields disappear, unions/discriminators stop modeling correctly.
- Validation semantics change: headers/forms parse differently, or validators don’t run when you expect.
2. Why this breaks
This hub clusters upgrade regressions at the FastAPI ↔ Pydantic boundary (OpenAPI generation + request parsing).
FastAPI constructs OpenAPI by walking your route/dependency graph and asking Pydantic for schema pieces. With Pydantic v2, schema data often flows through TypeAdapter and core_schema. If FastAPI code paths don’t handle a new schema shape (computed fields, tagged unions, custom schemas, security dependencies), you can get missing metadata, schema drift, or crashes.
3. Am I affected?
If you match any row below, assume you’re affected until you verify.
| Symptom | Trigger | Introduced | First fixed release |
|---|---|---|---|
| Swagger UI “Authorize” missing / security schemes absent | Top-level app dependencies include OpenIdConnect/OAuth2 (a SecurityBase) |
0.120.3 (reported regression) |
0.128.2 (PR 14266) |
| OAuth2 security schemes duplicated | OAuth2 dependencies attached at router/route level | Unknown | 0.128.0 (PR 14459) |
| OpenAPI crashes on mixed computed-field routes | Some response models use Pydantic @computed_field, others don’t |
Unknown | 0.128.1 (PR 14453) |
Computed fields missing when separate_input_output_schemas=False |
You set FastAPI(..., separate_input_output_schemas=False) |
Unknown | 0.128.2 (PR 13207) |
| OpenAPI component names change unexpectedly | Clients/codegen assume stable component names | 0.119.0 (reported regression) |
0.128.0 (PR 14246) |
OpenAPI generation fails with arbitrary_types_allowed=True + custom schema |
Custom types + WithJsonSchema/TypeAdapter + arbitrary types |
Since 0.119.0 (reported) |
0.128.1 (PR 14482) |
Discriminated unions break in Annotated[..., Body(...)] |
Tagged unions + discriminator in request bodies | Unknown | 0.128.1 (PR 14512) |
Custom validators in Annotated don’t run as expected |
Validators like AfterValidator inside Annotated |
Unknown | 0.128.1 (PR 13442) |
| Form parsing regressions | Parsing forms into models or mixed form/body inputs | Unknown | 0.128.0 (PR 13537) |
allow_inf_nan=False not enforced |
Numeric query/body params rely on NaN/Inf rejection | Unknown | 0.128.1 (PR 11867) |
4. How to fix
Recommended fix: upgrade to a release that includes the upstream fixes.
pip install -U "fastapi==0.128.2"Show the diff
Representative upstream changes (semantic impact > line count):
A) SecurityBase dependencies included for OpenAPI security schemes (PR 14266):
@@ -248,6 +248,14 @@ def get_dependant(
endpoint_signature = get_typed_signature(call)
signature_params = endpoint_signature.parameters
+ if isinstance(call, SecurityBase):
+ use_scopes: List[str] = []
+ if isinstance(call, (OAuth2, OpenIdConnect)):B) Computed fields handled explicitly during schema generation (PR 14453 / PR 13207):
+def _has_computed_fields(field: ModelField) -> bool:
+ computed_fields = field._type_adapter.core_schema.get("schema", {}).get(
+ "computed_fields", []C) Form parsing: track body field aliases (PR 13537):
@@ -902,8 +902,9 @@ async def process_fn(
if value is not None:
values[field.alias] = value
+ field_aliases = {field.alias for field in body_fields}
for key, value in received_body.items():
- if key not in values:5. How to verify the fix
Expected: openapi_ok True.
python3 -c "import fastapi; print('FastAPI', fastapi.__version__)"
curl -fsS http://YOUR_APP_HOST:8000/openapi.json >/tmp/openapi.json
python3 -c "import json; s=json.load(open('/tmp/openapi.json')); print('openapi_ok', bool(s.get('components',{}).get('schemas')))"6. When NOT to use this fix
- You rely on exact old OpenAPI output for codegen. Diff schemas and roll out carefully.
- You patch
app.openapior depend on FastAPI internals. Re-validate overrides after upgrade. - You only need docs for humans. Disabling docs endpoints can be safer than rushing an upgrade.
7. Prevention
- Snapshot-test OpenAPI: fail CI on unexpected diffs (components + securitySchemes).
- Validation regression tests: assert “bad input ⇒ 422” for critical endpoints.
- Canary upgrades: alert on
/openapi.json5xx and sudden 4xx/422 rate changes. - Pin versions in production; upgrade intentionally.
Related failure patterns:
- Version mismatch — incompatible library versions (/pattern/version-mismatch/)
- Breaking change — output changes break clients (/pattern/breaking-change/)
- Timeout — OpenAPI failures look like timeouts (/pattern/timeout/)
- Performance — schema generation load spikes (/pattern/performance/)
- Race condition — schema cache + multi-worker quirks (/pattern/race-condition/)
SEO + schema output
Alternative question-style titles (for FAQ schema):
- Why does FastAPI
/openapi.jsoncrash after upgrading? - Why is Swagger UI missing “Authorize” in FastAPI after an upgrade?
- Why did my computed fields disappear from FastAPI OpenAPI?
- Why did my OpenAPI component names change in FastAPI?
- Why did request validation change after a FastAPI upgrade?
Meta description (155 chars): FastAPI upgrade broke OpenAPI or validation? Runbook to identify affected versions, apply safe fixes, and verify in prod.
Internal link suggestions (existing pages): /hub/pydantic/, /hub/requests/, /hub/urllib3/, /hub/celery/, /best-practices/fastapi/
FAQPage JSON-LD is embedded in the page header.
Trust signals
- Confidence score: 0.86 (inferred from merged PRs + reproducible minimal repros in local evidence pages)
- Did this fix it? Yes / No
- Last verified version/date: 2026-02-06 (inferred from local evidence pages)
Source links
Evidence: related fixes in this hub
Curated list (cluster evidence). If you’re debugging a specific symptom, start with the linked fix page.
- Header parameter and model handling does not work as expected (#13400)
- FastAPI app with `separate_input_output_schemas` disabled excludes computed fields on Pydantic models from OpenAPI (#14431)
- Component name regression in OpenAPI spec for v0.119.0 (#14247)
- 0.120.3 breaks `SecurityBase` based dependencies in OpenAPI (#14271)
- Discriminated Unions Break When Wrapped in Annotated[Union, Body(...)] in FastAPI 0.124.1+ (#14508)
- Since FastAPI 0.119.0, using `arbitrary_types_allowed=True` with custom types that define their serialization and JSON (#14483)
- OAuth2 security schemes duplicated in OpenAPI, with and without scopes, when used at the router level (#14454)
- Computed fields support breaks with mixed route types (#14467)