public Source(@Nullable String some) {}
                    @Nullable public String nonFinalField = null;
                    public String foo(@Nullable String bar) { return "some"; }
                }
            """,
            v2 = """
                public class Source {
                    public Source(String some) {}
                    public String nonFinalField = "some";

# OpenAPI Webhooks { #openapi-webhooks }

There are cases where you want to tell your API **users** that your app could call *their* app (sending a request) with some data, normally to **notify** of some type of **event**.

This means that instead of the normal process of your users sending requests to your API, it's **your API** (or your app) that could **send requests to their system** (to their API, their app).

This is normally called a **webhook**.

                fun Int.invoke(some: Int) {}
                operator fun Boolean.invoke(some: Int) {}

                fun String.invoke(some: Int) {}
                operator fun Long.invoke(some: Int) {}

                fun Float.invoke(some: Int) {}
                infix fun Byte.invoke(some: Int) {}

                interface Source {
                    infix fun String.plus(some: List<Int>): String

#### The time to answer helps the attackers { #the-time-to-answer-helps-the-attackers }

At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

</div>

## Forbid Extra Headers { #forbid-extra-headers }

In some special use cases (probably not very common), you might want to **restrict** the headers that you want to receive.

You can use Pydantic's model configuration to `forbid` any `extra` fields:

{* ../../docs_src/header_param_models/tutorial002_an_py310.py hl[10] *}

If a client tries to send some **extra headers**, they will receive an **error** response.

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"log"
	"os"
)

func Example_minimal() {
	// Create and add some files to the archive.
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	var files = []struct {
		Name, Body string
	}{
		{"readme.txt", "This archive contains some text files."},
		{"gopher.txt", "Gopher names:\nGeorge\nGeoffrey\nGonzo"},
		{"todo.txt", "Get animal handling license."},
	}

    with pytest.raises(WebSocketDisconnect):
        with client.websocket_connect("/items/bar/ws?token=some-token") as websocket:
            message = "Message one"
            websocket.send_text(message)
            data = websocket.receive_text()
            assert data == "Session cookie or query token value is: some-token"
            data = websocket.receive_text()

def test_route_converters_path():
    # Test path conversion
    response = client.get("/path/some/example")
    assert response.status_code == 200, response.text
    assert response.json() == {"path": "some/example"}


def test_route_converters_query():
    # Test query conversion
    response = client.get("/query", params={"param": "Qué tal!"})

    * A "token" is just a string with some content that we can use later to verify this user.
    * Normally, a token is set to expire after some time.
        * So, the user will have to log in again at some point later.
        * And if the token is stolen, the risk is less. It is not like a permanent key that will work forever (in most of the cases).

        * `implicit`
        * `clientCredentials`
        * `authorizationCode`
    * But there is one specific "flow" that can be perfectly used for handling authentication in the same application directly:
        * `password`: some next chapters will cover examples of this.
* `openIdConnect`: has a way to define how to discover OAuth2 authentication data automatically.