# OAuth2 with Password (and hashing), Bearer with JWT tokens

Now that we have all the security flow, let's make the application actually secure, using <abbr title="JSON Web Tokens">JWT</abbr> tokens and secure password hashing.

This code is something you can actually use in your application, save the password hashes in your database, etc.

We are going to start from where we left in the previous chapter and increment it.

## About JWT

gold:
  - url: https://cryptapi.io/
    title: "CryptAPI: Your easy to use, secure and privacy oriented payment gateway."
    img: https://fastapi.tiangolo.com/img/sponsors/cryptapi.svg
  - url: https://platform.sh/try-it-now/?utm_source=fastapi-signup&utm_medium=banner&utm_campaign=FastAPI-signup-June-2023
    title: "Build, run and scale your apps on a modern, reliable, and secure PaaS."
    img: https://fastapi.tiangolo.com/img/sponsors/platform-sh.png

    private final Prompter prompter;

    @Inject
    public ConsolePasswordPrompt(Prompter prompter) {
        this.prompter = prompter;
    }

    @Override
    public String description() {
        return "Secure console password prompt";
    }

    @Override
    public Optional<String> configTemplate() {
        return Optional.empty();
    }

    @Override

    </div>
  </div>
  <div id="announce-right" style="position: relative;">
    <div class="item">
      <a title="CryptAPI: Your easy to use, secure and privacy oriented payment gateway." style="display: block; position: relative;" href="https://cryptapi.io/" target="_blank">
        <span class="sponsor-badge">sponsor</span>

If you want to secure your API, there are several better things you can do, for example:

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.

	github.com/prometheus/procfs v0.15.1
	github.com/puzpuzpuz/xsync/v3 v3.4.0
	github.com/rabbitmq/amqp091-go v1.10.0
	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
	github.com/rs/cors v1.11.1
	github.com/secure-io/sio-go v0.3.1
	github.com/shirou/gopsutil/v3 v3.24.5
	github.com/tinylib/msgp v1.2.3-0.20241022140105-4558fbf3a223
	github.com/valyala/bytebufferpool v1.0.0
	github.com/xdg/scram v1.0.5
	github.com/zeebo/xxh3 v1.0.2

                    context.style.italic().bold().foreground(Colors.rgbColor("green")),
                    "Maven Encryption " + CLIReportingUtils.showVersionMinimal());
            context.addInHeader("Tool for secure password management on workstations.");
            context.addInHeader("This tool is part of Apache Maven 4 distribution.");
            context.addInHeader("");

            Thread executeThread = Thread.currentThread();

## Corps de la requête + paramètres de chemin et de requête

Vous pouvez aussi déclarer un **corps**, et des paramètres de **chemin** et de **requête** dans la même *opération de chemin*.

**FastAPI** saura reconnaître chacun d'entre eux et récupérer la bonne donnée au bon endroit.

{* ../../docs_src/body/tutorial004.py hl[18] *}

Les paramètres de la fonction seront reconnus comme tel :

On peut voir que **FastAPI** est capable de détecter que le paramètre de chemin `item_id` est un paramètre de chemin et que `q` n'en est pas un, c'est donc un paramètre de requête.

///

/// note

**FastAPI** saura que `q` est optionnel grâce au `=None`.

///

## `HTTPSRedirectMiddleware`

Enforces that all incoming requests must either be `https` or `wss`.

Any incoming request to `http` or `ws` will be redirected to the secure scheme instead.

{* ../../docs_src/advanced_middleware/tutorial001.py hl[2,6] *}

## `TrustedHostMiddleware`