Now that we have all the security flow, let's make the application actually secure, using <abbr title="JSON Web Tokens">JWT</abbr> tokens and secure password hashing.

This code is something you can actually use in your application, save the password hashes in your database, etc.

We are going to start from where we left in the previous chapter and increment it.

## About JWT

JWT means "JSON Web Tokens".

///

## Global view

First, let's quickly see the parts that change from the examples in the main **Tutorial - User Guide** for [OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}. Now using OAuth2 scopes:

{* ../../docs_src/security/tutorial005_an_py310.py hl[5,9,13,47,65,106,108:116,122:125,129:135,140,156] *}

* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like Passlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

to-fastapi-and-vice-versa/ title: Tips on migrating from Flask to FastAPI and vice-versa - author: Ankit Anchlia author_link: https://linkedin.com/in/aanchlia21 link: https://hackernoon.com/explore-how-to-effectively-use-jwt-with-fastapi title: Explore How to Effectively Use JWT With FastAPI - author: Nicoló Lino author_link: https://www.nlino.com link: https://github.com/softwarebloat/python-tracing-demo title: Instrument FastAPI with OpenTelemetry tracing and visualize traces in Grafana Tempo....

/// tip | Dica

No próximo capítulo, você verá uma implementação realmente segura, com hash de senha e tokens <abbr title="JSON Web Tokens">JWT</abbr>.

Mas, por enquanto, vamos nos concentrar nos detalhes específicos de que precisamos.

///

//// tab | Python 3.10+

```Python hl_lines="87"
{!> ../../docs_src/security/tutorial003_an_py310.py!}

		// encountering this LDAP user.
		if _, ok := parentUserToCredsMap[cred.ParentUser]; !ok {
			// Try to find the ldapUsername for this
			// parentUser by extracting JWT claims
			var (
				jwtClaims *jwt.MapClaims
				err       error
			)

			if cred.SessionToken == "" {
				continue
			}

			if cred.IsServiceAccount() {

quarkus/integration-tests/smallrye-jwt-token-propagation/pom.xml
	quarkus/test-framework/security-jwt/pom.xml
	quarkus/test-framework/junit5/pom.xml
	quarkus/extensions/resteasy-classic/resteasy/runtime/pom.xml
	quarkus/extensions/resteasy-classic/resteasy-jackson/runtime/pom.xml
	quarkus/extensions/oidc-token-propagation/runtime/pom.xml
	quarkus/extensions/smallrye-jwt/runtime/pom.xml

                      description: List of cookie names from which JWT is expected.
                      items:
                        minLength: 1
                        type: string
                      type: array
                    fromHeaders:
                      description: List of header locations from which JWT is expected.
                      items:
                        properties:

- github.com/coreos/go-systemd: [95778df](https://github.com/coreos/go-systemd/tree/95778df)
- github.com/coreos/pkg: [399ea9e](https://github.com/coreos/pkg/tree/399ea9e)
- github.com/dgrijalva/jwt-go: [v3.2.0+incompatible](https://github.com/dgrijalva/jwt-go/tree/v3.2.0)
- github.com/dgryski/go-sip13: [e10d5fe](https://github.com/dgryski/go-sip13/tree/e10d5fe)
- github.com/fatih/color: [v1.7.0](https://github.com/fatih/color/tree/v1.7.0)

* A very powerful and easy to use **<abbr title="also known as components, resources, providers, services, injectables">Dependency Injection</abbr>** system.
* Security and authentication, including support for **OAuth2** with **JWT tokens** and **HTTP Basic** auth.
* More advanced (but equally easy) techniques for declaring **deeply nested JSON models** (thanks to Pydantic).