final long totalHits = innerSearchHits.getTotalHits().value();
                            if (totalHits > 1) {
                                docMap.put(fessConfig.getQueryCollapseInnerHitsName() + "_count", totalHits);
                                final DocumentField bitsField = searchHit.getFields().get(fessConfig.getIndexFieldContentMinhashBits());

	},
	ErrAccountNotEligible: {
		Code:           "XMinioInvalidIAMCredentials",
		Description:    "The account key is not eligible for this operation",
		HTTPStatusCode: http.StatusForbidden,
	},
	ErrAdminServiceAccountNotFound: {
		Code:           "XMinioInvalidIAMCredentials",
		Description:    "The specified service account is not found",
		HTTPStatusCode: http.StatusNotFound,
	},
	ErrPostPolicyConditionInvalidFormat: {

import org.mockito.junit.jupiter.MockitoExtension;

import jcifs.smb1.dcerpc.rpc;
import jcifs.smb1.dcerpc.ndr.NdrBuffer;
import jcifs.smb1.dcerpc.ndr.NdrException;

/**
 * Comprehensive test suite for SMB1 samr (Security Account Manager Remote) protocol
 * Tests all message types, data structures, and constants
 */
@ExtendWith(MockitoExtension.class)
@DisplayName("SMB1 SAMR Protocol Test Suite")
class samrTest {

    @Mock

    private String decodeWideStringPointer(NdrBuffer buf) throws NdrException {
        int pointer = buf.dec_ndr_long();
        if (pointer == 0) {
            return null; // NULL pointer
        }

        int maxCount = buf.dec_ndr_long();
        int offset = buf.dec_ndr_long();
        int actualCount = buf.dec_ndr_long();

        if (actualCount <= 0) {
            return "";
        }

            assertEquals("S-1-5-10-20", unknown.getDomainName());
            assertEquals("30", unknown.getAccountName());

            // Domain type: domain name as-is, account name empty
            SID domain = new SID(buildSidT((byte) 1, ident, 10, 20), jcifs.SID.SID_TYPE_DOMAIN, "MYDOM", "ignored", false);
            assertEquals("MYDOM", domain.getDomainName());

        buffer.position(60);
        buffer.put((byte) 0x02); // AclRevision
        buffer.put((byte) 0x00); // Padding
        buffer.putShort((short) 8); // AclSize
        buffer.putShort((short) 0); // AceCount
        buffer.putShort((short) 0); // Padding

        return buffer.array();
    }

    /**
     * Helper method to set error code using reflection
     */

			if err != nil {
				return nil, err
			}

			// Set the parent of the temporary access key, this is useful
			// in obtaining service accounts by this cred.
			cred.ParentUser = lookupResult.NormDN

			// Set this value to LDAP groups, LDAP user can be part
			// of large number of groups
			cred.Groups = targetGroups

            domains.domains[0].name = new UnicodeString("TESTDOM", false);
            domains.domains[0].sid = new jcifs.dcerpc.rpc.sid_t();
            rpc.domains = domains;

            // Names: provide account names and types for each SID
            lsarpc.LsarTransNameArray names = new lsarpc.LsarTransNameArray();
            names.count = in.length;
            names.names = new lsarpc.LsarTranslatedName[in.length];

	if owner && !globalAPIConfig.permitRootAccess() {
		// We disable root access and its service accounts if asked for.
		return cred, owner, ErrAccessKeyDisabled
	}

	if _, ok := claims[policy.SessionPolicyName]; ok {
		owner = false
	}

	return cred, owner, ErrNone
}

And then, you could give that JWT token to a user (or bot), and they could use it to perform those actions (drive the car, or edit the blog post) without even needing to have an account, just with the JWT token your API generated for that.

Using these ideas, JWT can be used for way more sophisticated scenarios.