 

Using an API Key & Secret for Swagger Security Scheme

Tags: swagger

Swagger supports security of api key, but that seems to be limited to a single parameter.

Is there a way to define a set of parameters (key and secret) that are expected as parameters in a request?

Or is the only way just to skip the security scheme, and just add those parameters to every request?

Tim Lytle asked Apr 23 '15 08:04



1 Answer

Yes, OpenAPI (Swagger) 2.0 and 3.0 let you define multiple security definitions and mark an operation as requiring multiple securities, such as a pair of API keys.

In the following example, I'm defining two API keys, Key and SecretKey, both of which should be present in the headers of each request in order to get authenticated.

swagger: '2.0'
info:
  version: 0.0.0
  title: Simple API
securityDefinitions:
  key:
    type: apiKey
    in: header
    name: Key
  secret_key:
    type: apiKey
    in: header
    name: SecretKey

# Or if you use OpenAPI 3.0:
# components:
#   securitySchemes:
#     key:
#       type: apiKey
#       in: header
#       name: Key
#     secret_key:
#       type: apiKey
#       in: header
#       name: SecretKey

paths:
  /:
    get:
      # Both 'Key' and 'SecretKey' must be used together
      security:
        - key: []
          secret_key: []
      responses:
        200:
          description: OK

Note that this is different from

      security:
        - key: []
        - secret_key: []  # <-- Note the leading dash here

which means the endpoint expects either Key or SecretKey, but not both.

Mohsen answered Sep 18 '22 20:09
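How a server or gateway would evaluate the two `security` forms shown in the answer, as an added example that is not part of the original answer or of any Swagger tooling. The function names and the sample header values are constructed for illustration; the scheme and header names (Key, SecretKey) are taken from the answer.

```python
# Added example: evaluates an OpenAPI `security` array against a request.
# Only checks that the declared apiKey parameters are supplied; verifying
# the credential values themselves is left to the server's own logic.

SECURITY_SCHEMES = {
    "key": {"type": "apiKey", "in": "header", "name": "Key"},
    "secret_key": {"type": "apiKey", "in": "header", "name": "SecretKey"},
}

# One requirement object holding both schemes: logical AND.
REQUIRE_BOTH = [{"key": [], "secret_key": []}]
# Two requirement objects (note the second leading dash in YAML): logical OR.
REQUIRE_EITHER = [{"key": []}, {"secret_key": []}]


def _present(scheme, headers, query):
    """True if the apiKey parameter for this scheme is supplied and non-empty."""
    if scheme["type"] != "apiKey":
        raise ValueError("only apiKey schemes are handled in this sketch")
    if scheme["in"] == "header":
        # HTTP header names are case-insensitive.
        supplied = {k.lower(): v for k, v in headers.items()}
        return bool(supplied.get(scheme["name"].lower()))
    if scheme["in"] == "query":
        return bool(query.get(scheme["name"]))
    raise ValueError(f"unsupported location: {scheme['in']}")


def allows(security, headers, query=None, schemes=SECURITY_SCHEMES):
    """Return True if the request satisfies the operation's `security` list.

    Schemes inside one requirement object are ANDed; the objects in the
    list are ORed. An empty list declares no security requirement.
    """
    query = query or {}
    if not security:
        return True
    return any(
        all(_present(schemes[name], headers, query) for name in requirement)
        for requirement in security
    )


if __name__ == "__main__":
    only_key = {"Key": "constructed-sample-key"}
    print("AND form, Key only:", allows(REQUIRE_BOTH, only_key))   # rejected
    print("OR form,  Key only:", allows(REQUIRE_EITHER, only_key))  # accepted
```

With the OR form, a request carrying only `Key` passes this check, which is why a key-plus-secret pair belongs in a single requirement object.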