{!> ../../../docs_src/header_params/tutorial003.py!}
    ```

If you communicate with that *path operation* sending two HTTP headers like:

```
X-Token: foo
X-Token: bar
```

The response would be like:

```JSON
{
    "X-Token values": [
        "bar",
        "foo"
    ]
}
```

## Recap

## Explore Further

- [MinIO Client Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc.html)
- [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html)
- [MinIO Admin Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc-admin.html)

### Extended testing file

You could then update `test_main.py` with the extended tests:

```Python
{!> ../../../docs_src/app_testing/app_b/test_main.py!}
```

Whenever you need the client to pass information in the request and you don't know how to, you can search (Google) how to do it in `httpx`, or even how to do it with `requests`, as HTTPX's design is based on Requests' design.

Then you just do the same in your tests.

    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.

- MinIO then checks if there are any policies [explicitly associated](#managing-usergroup-access-policy) with the user or their groups.
- On finding at least one associated policy, MinIO generates temporary credentials for the user storing the list of groups in a cryptographically secure session token. The temporary access key, secret key and session token are returned to the user.

	token := getSessionToken(r)
	if token != "" && cred.AccessKey == "" {
		// x-amz-security-token is not allowed for anonymous access.
		return nil, ErrNoAccessKey
	}

	if token == "" && cred.IsTemp() && !cred.IsServiceAccount() {
		// Temporary credentials should always have x-amz-security-token
		return nil, ErrInvalidToken
	}

	if token != "" && !cred.IsTemp() {

  }

  @CheckForNull
  private TypeToken<? super T> boundAsSuperclass(Type bound) {
    TypeToken<?> token = of(bound);
    if (token.getRawType().isInterface()) {
      return null;
    }
    @SuppressWarnings("unchecked") // only upper bound of T is passed in.
    TypeToken<? super T> superclass = (TypeToken<? super T>) token;
    return superclass;
  }

  /**

## Return the token

The response of the `token` endpoint must be a JSON object.

It should have a `token_type`. In our case, as we are using "Bearer" tokens, the token type should be "`bearer`".

And it should have an `access_token`, with a string containing our access token.

	default:
		writeSTSErrorResponse(ctx, w, ErrSTSInvalidParameterValue, fmt.Errorf("Unsupported action %s", action))
		return
	}

	ctx = newContext(r, w, action)

	token := r.Form.Get(stsToken)
	if token == "" {
		token = r.Form.Get(stsWebIdentityToken)
	}

	accessToken := r.Form.Get(stsWebIdentityAccessToken)

	// RoleARN parameter processing: If a role ARN is given in the request, we

### Được hỗ trợ từ các trình soạn thảo


Toàn bộ framework được thiết kế để sử dụng dễ dàng và trực quan, toàn bộ quyết định đã được kiểm thử trên nhiều trình soạn thảo thậm chí trước khi bắt đầu quá trình phát triển, để chắc chắn trải nghiệm phát triển là tốt nhất.