# Security Tools

When you need to declare dependencies with OAuth2 scopes you use `Security()`.

But you still need to define what is the dependable, the callable that you pass as a parameter to `Depends()` or `Security()`.

There are multiple tools that you can use to create those dependables, and they get integrated into OpenAPI so they are shown in the automatic docs UI, they can be used by automatically generated clients and SDKs, etc.

 * use of HTML templating systems.
 *
 * @author Sven Mawson
 * @author David Beaumont
 * @since 15.0
 */
@GwtCompatible
public final class HtmlEscapers {
  /**
   * Returns an {@link Escaper} instance that escapes HTML metacharacters as specified by <a
   * href="http://www.w3.org/TR/html4/">HTML 4.01</a>. The resulting strings can be used both in
   * attribute values and in most elements' text contents, provided that the HTML

<img src="/img/tutorial/security/image10.png">

/// note | Not

`Authorization` header'ına dikkat edin; değeri `Bearer ` ile başlıyor.

///

## `scopes` ile İleri Seviye Kullanım { #advanced-usage-with-scopes }

OAuth2'nin "scopes" kavramı vardır.

Bunları kullanarak bir JWT token'a belirli bir izin seti ekleyebilirsiniz.

/**
 * Meta-annotation that marks other annotations as scope annotations.
 * <p>
 * Scopes define the lifecycle and visibility of objects in the dependency injection
 * system. Custom scope annotations should be annotated with {@code @Scope}.
 * <p>
 * Built-in scopes include:
 * <ul>
 *   <li>{@link Singleton} - One instance per container</li>

 * to be lightweight yet powerful, supporting various scopes of object lifecycle from
 * singleton instances to mojo-execution-scoped beans.
 * <p>
 * Key features include:
 * <ul>
 *   <li>Constructor, method, and field injection</li>
 *   <li>Qualifiers for distinguishing between beans of the same type</li>
 *   <li>Multiple scopes (Singleton, Session, and MojoExecution)</li>

from inline_snapshot import snapshot
from pydantic import BaseModel

app = FastAPI()

reusable_oauth2 = OAuth2(
    flows={
        "password": {
            "tokenUrl": "token",
            "scopes": {"read:users": "Read the users", "write:users": "Create users"},
        }
    }
)


class User(BaseModel):
    username: str


# Here we use string annotations to test them

from inline_snapshot import snapshot
from pydantic import BaseModel

app = FastAPI()

reusable_oauth2 = OAuth2(
    flows={
        "password": {
            "tokenUrl": "token",
            "scopes": {"read:users": "Read the users", "write:users": "Create users"},
        }
    },
    description="OAuth2 security scheme",
    auto_error=False,
)


class User(BaseModel):
    username: str

@app.websocket("/request-scope")
async def request_scope(websocket: WebSocket, session: SessionRequestDep) -> Any:
    await websocket.accept()
    await websocket.send_json({"is_open": session.open})


@app.websocket("/two-scopes")
async def get_stream_session(
    websocket: WebSocket,
    function_session: SessionFuncDep,
    request_session: SessionRequestDep,
) -> Any:
    await websocket.accept()
    await websocket.send_json(

import static org.eclipse.aether.impl.scope.BuildScopeQuery.union;

/**
 * Maven3 scope configurations. Configures scope manager to support Maven3 scopes.
 * <p>
 * This manager supports the old Maven 3 dependency scopes.
 *
 * @since 2.0.0
 * @deprecated since 4.0.0, use {@code maven-api-impl} jar instead
 */
@Deprecated(since = "4.0.0")

<img src="/img/tutorial/security/image10.png">

/// note | 注意

留意標頭 `Authorization`，其值是以 `Bearer ` 開頭。

///

## 進階用法：`scopes` { #advanced-usage-with-scopes }

OAuth2 有「scopes」的概念。

你可以用它們替 JWT 權杖加上一組特定的權限。

接著你可以把這個權杖直接交給某個使用者或第三方，讓他們在一組受限條件下與你的 API 互動。

你可以在之後的「進階使用者指南」學到如何使用它們，以及它們如何整合進 **FastAPI**。

## 小結 { #recap }