From 935bcfa657cd600834ae5b2c5929c1781cee813c Mon Sep 17 00:00:00 2001
From: oxqnd
Date: Thu, 5 Jun 2025 19:26:48 +0900
Subject: [PATCH] docs: clarify that OAuth2 classes do not perform token validation
---
 fastapi/security/oauth2.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/fastapi/security/oauth2.py b/fastapi/security/oauth2.py
index 5ffad5986..1d0e721b9 100644
--- a/fastapi/security/oauth2.py
+++ b/fastapi/security/oauth2.py
@@ -393,6 +393,11 @@ class OAuth2PasswordBearer(OAuth2):
 OAuth2 flow for authentication using a bearer token obtained with a password.
 An instance of it would be used as a dependency.
+ Note:
+ This class does **not** perform token validation or decoding.
+ It only extracts the `Authorization` header and includes metadata in the OpenAPI docs.
+ You must handle actual token validation separately (e.g. signature and claims verification).
+
 Read more about it in the [FastAPI docs for Simple OAuth2 with Password and Bearer](https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/).
 """
@@ -489,6 +494,11 @@ class OAuth2AuthorizationCodeBearer(OAuth2):
 """
 OAuth2 flow for authentication using a bearer token obtained with an OAuth2 code flow.
 An instance of it would be used as a dependency.
+
+ Note:
+ This class does **not** perform token validation or decoding.
+ It only extracts the `Authorization` header and includes metadata in the OpenAPI docs.
+ You must handle actual token validation separately (e.g. signature and claims verification).
 """
 def __init__(
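Review bot: The added note in the OAuth2PasswordBearer docstring says the class "only extracts the `Authorization` header", which leaves the most important fact for a caller unstated: what the dependency actually hands back. If the class's `__call__` (outside this hunk) still returns the bearer value parsed from the header, the docstring should say explicitly that this value is the raw, unverified token string, so nobody reads "extracts" as "authenticates". Suggest adding, after "You must handle actual token validation separately", the line `The value injected by this dependency is the token exactly as the client sent it; treat it as untrusted input until its signature, expiry and claims have been verified.` The same wording belongs in the OAuth2AuthorizationCodeBearer hunk, whose note is otherwise identical. Both enclosing class bodies continue outside the hunks, so the scheme check and error behaviour of `__call__` cannot be confirmed from this page.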