Speakeasy Logo
Skip to Content

HTTP Security Scheme in OpenAPI

The http security scheme is one of the most commonly used schemes because it covers anything using the HTTP header Authorization. This is a big list, including auth schemes like HTTP Basic, HTTP Digest, and Bearer. The full list of supports auth schemes for type: http is outsourced to the IANA HTTP Authentication Scheme Registry .

Of that list, the most likely to be used for a modern API are:

HTTP Bearer

The Bearer security scheme allows passing a token, which could be a JWT, API token, access token, or anything else.

The Bearer security scheme is generally used for short-lived tokens granted to your API users through an additional login mechanism. Using a JWT allows for storing additional metadata within the token, which can be helpful for some use cases, such as storing scopes for permissions models.

The fields for a Bearer security scheme are as follows:

Field
Type
String
Required
Description
Type
String
Required
Description
Human-readable information. This may contain CommonMark syntax  to provide a rich description.
Type
String
Required
Description
Type
String
Required
Description
A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes.
Required
Description
Any number of extension fields can be added to the security scheme object to be used by tooling and vendors.

So for example, a JWT token might look like this:

HTTP Basic

The Basic security scheme is a simple authentication mechanism baked into the HTTP protocol that supports sending an Authorization header containing a base64 encoded username and password.

Basic is relatively simple mechanism to get started with, but risks leaking easy-to-decode passwords if used incorrectly. The example above is simply base64("user:password"), but can fool some developers into thinking its actually encrypted or secret.

Much like API keys, another issue with Basic is that it’s generally working with long-lived credentials, and if intercepted, these can be used by malicious actors until the credentials are revoked or expire.

For these reasons it is generally best to avoid HTTP Basic.

Since all APIs need to be accurately described (warts and all), here’s how to describe HTTP Basic in OpenAPI:

Field
Type
String
Required
Description
Type
String
Required
Description
Human-readable information. This may contain CommonMark syntax  to provide a rich description.
Type
String
Required
Description
Required
Description
Any number of extension fields can be added to the security scheme object to be used by tooling and vendors.

For example:

The description field can be used to warn developers about the risks of using Basic authentication, and to encourage them to use more secure alternatives like Bearer tokens or OAuth2.

HTTP Digest

The Digest security scheme is a more secure alternative to Basic authentication. Instead of sending the username and password in plain text, Digest authentication uses a challenge-response mechanism that hashes credentials with a nonce provided by the server. This helps protect against replay attacks and credential interception.

A typical Digest authentication request looks like this:

The fields for a Digest security scheme in OpenAPI are as follows:

Field
Type
String
Required
Description
Type
String
Required
Description
Human-readable information. This may contain CommonMark syntax  to provide a rich description.
Type
String
Required
Description
Required
Description
Any number of extension fields can be added to the security scheme object to be used by tooling and vendors.

For example:

Overlap with other security schemes

The HTTP security scheme overlaps with a few other more specific schemes.

The API Key security scheme is better suited for non-standard API keys using custom headers like Acme-API-Key, whereas HTTP security schemes are specifically designed for HTTP-based authentication methods using Authorization header.

There is also some overlap with OAuth2 and OpenID Connect security schemes. These may use bearer tokens, and they may use the JWT format, but they are more complex and involve additional flows and endpoints. The oauth2 and openidConnect security schemes are better suited for any APIs using the OAuth 2.0 and OpenID Connect protocols than trying to cover it with the http security scheme.

Unauthorized Response

As well as describing the security requirements, it also helps to describe what will happen when those requirements are not met. The 401 Unauthorized response can be returned for requests with missing security credentials, showing what the client can expect to see if this happens. This response includes the WWW-Authenticate header, which you may want to mention. As with other generic responses, the 401 response can be defined as a component in the responses section, and referenced with $ref to avoid repetition.

Learn more about describing responses.

Forbidden Response

The 403 Forbidden response can be returned for requests that are authenticated but not authorized to access the resource. This response can also include the WWW-Authenticate header, but it is not required.

As with the 401 response, the 403 response can be defined as a component in the responses section, and referenced with $ref to avoid repetition. This error is using the HTTP Problem Details format, which is a standard way to provide more information about the error.

Last updated on