For example, let's say you have 4 API endpoints (*path operations*):

* `/items/public/`
* `/items/private/`
* `/users/{user_id}/activate`
* `/items/pro/`

then you could add different permission requirements for each of them just with dependencies and sub-dependencies:

```mermaid
graph TB

			return fmt.Errorf("Initializing sub-systems stopped gracefully %w", ctx.Err())
		default:
		}

		// These messages only meant primarily for distributed setup, so only log during distributed setup.
		if globalIsDistErasure {
			logger.Info("Waiting for all MinIO sub-systems to be initialize...")
		}

		// Upon success migrating the config, initialize all sub-systems

Então, para evitar colisões de ID, ao criar o token JWT para o usuário, você poderia prefixar o valor da chave `sub`, por exemplo, com `username:`. Assim, neste exemplo, o valor de `sub` poderia ser: `username:johndoe`.

O importante a se lembrar é que a chave `sub` deve ter um identificador único em toda a aplicação e deve ser uma string.

## Testando

# ✅ 🇨🇻 - 🏺, ✳, 🎏

👆 💪 🗻 🇨🇻 🈸 👆 👀 ⏮️ [🎧 🈸 - 🗻](sub-applications.md){.internal-link target=_blank}, [⛅ 🗳](behind-a-proxy.md){.internal-link target=_blank}.

👈, 👆 💪 ⚙️ `WSGIMiddleware` & ⚙️ ⚫️ 🎁 👆 🇨🇻 🈸, 🖼, 🏺, ✳, ♒️.

## ⚙️ `WSGIMiddleware`

👆 💪 🗄 `WSGIMiddleware`.

⤴️ 🎁 🇨🇻 (✅ 🏺) 📱 ⏮️ 🛠️.

& ⤴️ 🗻 👈 🔽 ➡.

{* ../../docs_src/wsgi/tutorial001.py hl[2:3,22] *}

## ✅ ⚫️

		if err := newCtx.Err(); err == context.Canceled {
			return LockContext{ctx: ctx, cancel: func() {}}, err
		}
		return LockContext{ctx: ctx, cancel: func() {}}, OperationTimedOut{}
	}
	timeout.LogSuccess(UTCNow().Sub(start))
	return LockContext{ctx: newCtx, cancel: cancel}, nil
}

// Unlock - block until write lock is released.
func (di *distLockInstance) Unlock(lc LockContext) {
	if lc.cancel != nil {
		lc.cancel()
	}

{* ../../docs_src/behind_a_proxy/tutorial004.py hl[9] *}

and then it won't include it in the OpenAPI schema.

## Mounting a sub-application { #mounting-a-sub-application }

If you need to mount a sub-application (as described in [Sub Applications - Mounts](sub-applications.md){.internal-link target=_blank}) while also using a proxy with `root_path`, you can do it normally, as you would expect.

# network, which has the MTU of 1460,
# due to 40 bytes being reserved for GCP's internal usage.
# Note, an invalid sub-interface name will lead to an obscure error, e.g.:
# "The filename, directory name, or volume label syntax is incorrect."
# In such cases, check that the name of the sub-interface is valid:
# `netsh interface show interface`
RUN netsh interface ipv4 set subinterface \"vEthernet (Ethernet)\" mtu=1460 store=persistent

It might be useful, for example, to return custom headers or cookies.

## Return a `Response` { #return-a-response }

In fact, you can return any `Response` or any sub-class of it.

/// tip

`JSONResponse` itself is a sub-class of `Response`.

///

And when you return a `Response`, **FastAPI** will pass it directly.

    /**
     * A phase in the lifecycle.
     *
     * A phase is identified by its name. It also contains a list of plugins bound to that phase,
     * a list of {@link Link links}, and a list of sub-phases.  This forms a tree of phases.
     */
    interface Phase {

        // ======================
        // Maven defined phases
        // ======================
        String ALL = "all";

":["projecta","projectb"],"iat":1726558680,"iss":"http://127.0.0.1:5556/dex","name":"Dillon Harper","parent":"oCnAoSQFtdVQtKwrB73j","preferred_username":"dillon","roleArn":"arn:minio:iam:::role/nOybJqMNzNmroqEKq5D0","sa-policy":"inherited-policy","sub":"Cit1aWQ9ZGlsbG9uLG91"},"sessionPolicy":null,"status":"on","name":"","description":"","expiration":"1970-01-01T00:00:00Z"},"dillon-svcacct-1":{"parent":"oCnAoSQFtdVQtKwrB73j","accessKey":"dillon-svcacct-1","secretKey":"dillon-svcacct-1","groups":n...