Hiding your documentation user interfaces in production *shouldn't* be the way to protect your API.

That doesn't add any extra security to your API, the *path operations* will still be available where they are.

If there's a security flaw in your code, it will still exist.

Like `item.model_dump(exclude_unset=True)`.

/// info

In Pydantic v1 the method was called `.dict()`, it was deprecated (but still supported) in Pydantic v2, and renamed to `.model_dump()`.

The examples here use `.dict()` for compatibility with Pydantic v1, but you should use `.model_dump()` instead if you can use Pydantic v2.

///

{* ../../docs_src/query_params_str_validations/tutorial002_an_py310.py hl[9] *}

Notice that the default value is still `None`, so the parameter is still optional.

But now, having `Query(max_length=50)` inside of `Annotated`, we are telling FastAPI that we want it to have **additional validation** for this value, we want it to have maximum 50 characters. 😎

/// tip

But it is still recommended to use the ideas above, using multiple classes, instead of these parameters.

This is because the JSON Schema generated in your app's OpenAPI (and the docs) will still be the one for the complete model, even if you use `response_model_include` or `response_model_exclude` to omit some attributes.

            assertTrue(successfulThreads.get() > 0, "At least some threads should complete successfully");

            // The rate limiter should still be functional after concurrent access
            assertTrue(concurrentLimiter.checkAttempt("finaluser", "192.168.3.1"),
                    "Rate limiter should still be functional after concurrent operations");

            // Verify that the rate limiter tracked some activity

   * response body is [closed][ResponseBody]. The recipient of the callback may consume the response
   * body on another thread.
   *
   * Note that transport-layer success (receiving a HTTP response code, headers and body) does not
   * necessarily indicate application-layer success: `response` may still indicate an unhappy HTTP
   * response code like 404 or 500.
   */

            // Refresh should not break anything
            orig.refresh();
            copy.refresh();

            // Both should still return null
            assertNull(orig.getSubject(), "Original should still return null after refresh");
            assertNull(copy.getSubject(), "Clone should still return null after refresh");
        }
    }

    @Test
    @DisplayName("renew: invokes getSubject and returns self")

    assertEquals(
        "next() should still return first element after peeking", "A", peekingIterator.next());

    assertEquals("Should be able to peek() at middle element", "B", peekingIterator.peek());
    assertEquals(
        "Should be able to peek() middle element multiple times", "B", peekingIterator.peek());
    assertEquals(
        "next() should still return middle element after peeking", "B", peekingIterator.next());

        auth.resetAuthenticationTimestamp();
        long afterReset = System.currentTimeMillis();

        // Should still not be expired
        assertFalse(auth.isExpired());

        // Wait for original TTL to pass
        Thread.sleep(600);

        // Should still not be expired because we reset
        assertFalse(auth.isExpired());

        // Wait for the full TTL since reset

When you return a `Response` directly its data is not validated, converted (serialized), or documented automatically.

But you can still document it as described in [Additional Responses in OpenAPI](additional-responses.md){.internal-link target=_blank}.