返回内容还应包含 `access_token` 字段，它是包含权限 Token 的字符串。

本例只是简单的演示，返回的 Token 就是 `username`，但这种方式极不安全。

!!! tip "提示"

    下一章介绍使用哈希密码和 <abbr title="JSON Web Tokens">JWT</abbr> Token 的真正安全机制。

    但现在，仅关注所需的特定细节。

```Python hl_lines="85"
{!../../../docs_src/security/tutorial003.py!}
```

!!! tip "提示"

    按规范的要求，应像本示例一样，返回带有 `access_token` 和 `token_type` 的 JSON 对象。

    But this example is still valid and it shows how to interact with the internal components.

We can also use this same approach to access the request body in an exception handler.

All we need to do is handle the request inside a `try`/`except` block:

```Python hl_lines="13  15"
{!../../../docs_src/custom_request_and_route/tutorial002.py!}
```

## 📨 🤝

📨 `token` 🔗 🔜 🎻 🎚.

⚫️ 🔜 ✔️ `token_type`. 👆 💼, 👥 ⚙️ "📨" 🤝, 🤝 🆎 🔜 "`bearer`".

& ⚫️ 🔜 ✔️ `access_token`, ⏮️ 🎻 ⚗ 👆 🔐 🤝.

👉 🙅 🖼, 👥 🔜 🍕 😟 & 📨 🎏 `username` 🤝.

!!! tip
    ⏭ 📃, 👆 🔜 👀 🎰 🔐 🛠️, ⏮️ 🔐 #️⃣ &amp; <abbr title="JSON Web Tokens">🥙</abbr> 🤝.

    ✋️ 🔜, ➡️ 🎯 🔛 🎯 ℹ 👥 💪.

def test_read_items():
    access_token = get_access_token(scope="me items")
    response = client.get(
        "/users/me/items/", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert response.status_code == 200, response.text
    assert response.json() == [{"item_id": "Foo", "owner": "johndoe"}]


def test_read_system_status():
    access_token = get_access_token()
    response = client.get(

    assert get_password_hash("secretalice")


@needs_py39
def test_create_access_token():
    from docs_src.security.tutorial005_an_py39 import create_access_token

    access_token = create_access_token(data={"data": "foo"})
    assert access_token


@needs_py39
def test_token_no_sub(client: TestClient):
    response = client.get(
        "/users/me",

    assert get_password_hash("secretalice")


@needs_py310
def test_create_access_token():
    from docs_src.security.tutorial005_py310 import create_access_token

    access_token = create_access_token(data={"data": "foo"})
    assert access_token


@needs_py310
def test_token_no_sub(client: TestClient):
    response = client.get(
        "/users/me",

            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    access_token = create_access_token(
        data={"sub": user.username}, expires_delta=access_token_expires
    )
    return Token(access_token=access_token, token_type="bearer")


@app.get("/users/me/", response_model=User)

As only one process can be listening on this port, the process that would do it would be the **TLS Termination Proxy**.

The TLS Termination Proxy would have access to one or more **TLS certificates** (HTTPS certificates).

    assert get_password_hash("secretalice")


@needs_py310
def test_create_access_token():
    from docs_src.security.tutorial005_an_py310 import create_access_token

    access_token = create_access_token(data={"data": "foo"})
    assert access_token


@needs_py310
def test_token_no_sub(client: TestClient):
    response = client.get(
        "/users/me",

            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    access_token = create_access_token(
        data={"sub": user.username}, expires_delta=access_token_expires
    )
    return Token(access_token=access_token, token_type="bearer")


@app.get("/users/me/", response_model=User)
async def read_users_me(