Skip to main content



This rule belongs to the openapi-v3-apimatic-linting ruleset and states that:

APIs that require some form of authentication must define the security schemes used, in the global Components Object using the securitySchemes property and apply these security schemes to the endpoints that require authentication. This will ensure that the requests that require authentication are authenticated properly.

Maximum SeverityWarning
MessageNo security mechanism applied to the API.
Rule SystemSemantic
Broad CategoryOpenAPI Security Requirements
Products ImpactedAPI Transformer, Code Generation, Developer Experience Portal
Tagsopenapi3 openapi apimatic semantic linting security schemes security requirements scheme components

Suggested Fixes

  • Remove any Authorization header definitions from the operations and instead define the authentication mechanism using the OpenAPI's global security schemes. Then apply those schemes to operations as required.
  • When defining a security scheme globally assign a short but unique name for it.
  • Choose the appropriate security scheme type when defining a security scheme.
  • If your API does not require authentication, you can ignore this lint check or disable it.

For More Information