Skip to main content



This rule belongs to the openapi-v3-standards-linting ruleset and states that:

If you have defined a security scheme of type set as http you also need to provide a name of the HTTP Authorization scheme using the scheme property. The value of this HTTP security scheme should be registered in the IANA Authentication Scheme registry.

Maximum SeverityWarning
MessageUnregistered HTTP security scheme detected.
Rule SystemSemantic
Broad CategorySecurity Schemes
Products ImpactedAPI Transformer, Code Generation, Developer Experience Portal
Tagsopenapi3 openapi standards semantic linting security schemes security http iana

Suggested Fixes

  • Ensure that the scheme name you have mentioned in the scheme property is present in the IANA Authentication Scheme registry.
  • Ensure that the scheme name is not null or empty.
  • The IANA Authentication Scheme registry has the following scheme names registered: Basic, Bearer, Digest, HOBA, Mutual, Negotiate, OAuth, SCRAM-SHA-1, SCRAM-SHA-256, vapid.
  • Names are compared in a case-insensitive manner.

For More Information