According to the official documentation, the current Swagger API standards only support authentication, not authorization.
For example, with API-Key authentication, we can define authentication policy with API-Key at the API or Operation level, but we cannot specify which API-Key can access a particular operation. How should we use API-Key for authorization?
openapi: 3.0.0
...
# 1) Define the key name and location
components:
  securitySchemes:
    ApiKeyAuth:        # arbitrary name for the security scheme
      type: apiKey
      in: header       # can be "header", "query" or "cookie"
      name: X-API-KEY  # name of the header, query parameter or cookie
# 2) Apply the API key globally to all operations
security:
  - ApiKeyAuth: []
Can we allow only specific API keys to access one API? From a security perspective, perhaps we can reference a secret or a configuration center in the spec for whitelisted API-Key discovery?
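Since the spec fragment above only declares where the key is presented (the X-API-KEY header), the per-operation allow-list has to be enforced by the server behind the spec. The following is an added example, not code from the issue or from the Swagger/OpenAPI project; the key values, operationIds and the key store are constructed, and request headers are assumed to be passed as a dict with the header name already normalized.

```python
import hashlib
import hmac

# Header name declared by the ApiKeyAuth scheme in the OpenAPI fragment.
API_KEY_HEADER = "X-API-KEY"

# Constructed key store: keys are kept as SHA-256 digests rather than in
# clear, each mapped to the operationIds it may invoke (hypothetical names).
# This mapping is what the OpenAPI spec cannot express.
KEY_STORE = {
    hashlib.sha256(b"reader-key-123").hexdigest(): {"listPets", "getPet"},
    hashlib.sha256(b"admin-key-456").hexdigest(): {"listPets", "getPet", "deletePet"},
}


def lookup_key(presented: str):
    """Return the permission set for a presented key, or None if unknown.

    Every stored digest is compared with compare_digest, so lookup time does
    not depend on how many leading characters of a digest happen to match.
    """
    digest = hashlib.sha256(presented.encode()).hexdigest()
    match = None
    for stored_digest, perms in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            match = perms
    return match


def authorize(headers: dict, operation_id: str) -> tuple:
    """Authenticate first (is the key known?), then authorize (may this key
    call this operation?). Returns (HTTP status, reason); 200 means allowed.
    """
    presented = headers.get(API_KEY_HEADER)
    if not presented:
        return 401, "missing API key"
    perms = lookup_key(presented)
    if perms is None:
        return 401, "unknown API key"                  # authentication failed
    if operation_id not in perms:
        return 403, "key not allowed for " + operation_id  # authorization failed
    return 200, "ok"
```

The 401/403 split keeps an unknown key distinguishable (in logs) from a known key overstepping its allow-list, which is the event a defender wants alerted on.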