You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: versions/3.1.1.md
+15-3
Original file line number
Diff line number
Diff line change
@@ -314,12 +314,22 @@ This is the root object of the [OpenAPI document](#openapi-description).
314
314
| <aname="oas-paths"></a>paths |[Paths Object](#paths-object)| The available paths and operations for the API. |
315
315
| <aname="oas-webhooks"></a>webhooks | Map[`string`, [Path Item Object](#path-item-object)]| The incoming webhooks that MAY be received as part of this API and that the API consumer MAY choose to implement. Closely related to the `callbacks` feature, this section describes requests initiated other than by an API call, for example by an out of band registration. The key name is a unique string to refer to each webhook, while the (optionally referenced) Path Item Object describes a request that may be initiated by the API provider and the expected responses. An [example](../examples/v3.1/webhook-example.yaml) is available. |
316
316
| <aname="oas-components"></a>components |[Components Object](#components-object)| An element to hold various schemas for the document. |
317
-
| <aname="oas-security"></a>security |[[Security Requirement Object](#security-requirement-object)]|A declaration of which security mechanisms can be used across the API. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement (`{}`) can be included in the array. |
| <aname="oas-tags"></a>tags |[[Tag Object](#tag-object)]| A list of tags used by the document with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the [Operation Object](#operation-object) must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique. |
This object MAY be extended with [Specification Extensions](#specification-extensions).
322
322
323
+
###### <aname="oas-security-field"></a>The `security` field
324
+
325
+
The `security` field describes how requests are authorized. If omitted, then requests are always authorized; otherwise, it is an array of security requirement objects, only one of which needs to be satisfied for the request to be authorized.
326
+
327
+
Because the empty [security requirement object](#security-requirement-object)`{}` will always authorize the request, it follows that `security: [{}]` means the same as omitting `security` entirely: namely, all requests are authorized.
328
+
329
+
If `security` is specified and empty (i.e. `security: []`), then the behaviour is undefined.
330
+
331
+
Individual operations [can override this field](#operation-security).
332
+
323
333
#### Info Object
324
334
325
335
The object provides metadata about the API.
@@ -967,7 +977,7 @@ Describes a single API operation on a path.
967
977
| <a name="operation-responses"></a>responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. |
968
978
| <a name="operation-callbacks"></a>callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a [Callback Object](#callback-object) that describes a request that may be initiated by the API provider and the expected responses. |
969
979
| <a name="operation-deprecated"></a>deprecated | `boolean` | Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is `false`. |
970
-
| <a name="operation-security"></a>security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used for this operation. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. To make security optional, an empty security requirement (`{}`) can be included in the array. This definition overrides any declared top-level [`security`](#oas-security). To remove a top-level security declaration, an empty array can be used. |
980
+
| <a name="operation-security"></a>security | [[Security Requirement Object](#security-requirement-object)] | If present, then this overrides any [top-level `security` field](#oas-security) for this operation. See the definition of that field for details.
971
981
| <a name="operation-servers"></a>servers | [[Server Object](#server-object)] | An alternative `server` array to service this operation. If an alternative `server` object is specified at the Path Item Object or Root level, it will be overridden by this value. |
972
982
973
983
This object MAY be extended with [Specification Extensions](#specification-extensions).
@@ -3905,7 +3915,9 @@ The name used for each property MUST correspond to a security scheme declared in
3905
3915
Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized.
3906
3916
This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information.
3907
3917
3908
-
When a list of Security Requirement Objects is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object), only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.
3918
+
When a non-empty list of Security Requirement Objects is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object), only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request; see [the `security` field](#oas-security-field).
3919
+
3920
+
The empty Security Requirement Object (`{}`) will always be satisifed, therefore any `security` list of Security Requirement Objects that includes `{}` will authorize all requests.
0 commit comments