| Version         | String  | Yes      | Value must be `2011-06-15`                                           |
| Token           | String  | Yes      | Token to be authenticated by identity plugin                         |
| RoleArn         | String  | Yes      | Must match the Role ARN generated for the identity plugin            |

Sergei Gavrilov <******@****.***> 1657207540 +0200

Sergei Gavrilov <******@****.***> 1657207540 +0200

Xiaopeng Han <******@****.***> 1686841337 +0800

Xiaopeng Han <******@****.***> 1686841337 +0800

Xiaopeng Han <******@****.***> 1686841337 +0800

!!! tip
    Here `tokenUrl="token"` refers to a relative URL `token` that we haven't created yet. As it's a relative URL, it's equivalent to `./token`.

    Because we are using a relative URL, if your API was located at `https://example.com/`, then it would refer to `https://example.com/token`. But if your API was located at `https://example.com/api/v1/`, then it would refer to `https://example.com/api/v1/token`.

But it's signed. So, when you receive a token that you emitted, you can verify that you actually emitted it.

That way, you can create a token with an expiration of, let's say, 1 week. And then when the user comes back the next day with the token, you know that user is still logged in to your system.

    ```Python hl_lines="25"
    {!> ../../../docs_src/security/tutorial002.py!}
    ```

## Den Benutzer holen

`get_current_user` wird eine von uns erstellte (gefakte) Hilfsfunktion verwenden, welche einen Token vom Typ `str` entgegennimmt und unser Pydantic-`User`-Modell zurückgibt:

=== "Python 3.10+"

    ```Python hl_lines="19-22  26-27"

## Return the token

The response of the `token` endpoint must be a JSON object.

It should have a `token_type`. In our case, as we are using "Bearer" tokens, the token type should be "`bearer`".

And it should have an `access_token`, with a string containing our access token.