empty-security-requirement-property-array-for-non-oauth2-non-open-id-connect-schemes

Overview

This rule belongs to the openapi-v3-standards-validation ruleset and states that:

In an OpenAPI v3.0.x document, the Security Requirement Object property value allows specifying scope values for OAuth 2.0 and OpenID Connect security schemes. For all other security scheme types (i.e. any type other than oauth2 or openIdConnect), the property value must be set as an empty array.

Property: Value
Enabled: Yes
Maximum Severity: Error
Message: Security requirement value is not an empty array.
Code: OPENAPI3STANDARDS_V451
Type: Validation
Rule System: Semantic
Broad Category: Security Requirements
Products Impacted: API Transformer, Code Generation, Developer Experience Portal
Tags: openapi3 openapi standards semantic validation scopes oauth 2.0 openid connect security schemes security requirement security

Suggested Fixes

  • Set the security requirement property value as an empty array, i.e. remove any items included in the array.
  • If you want to add scope values in the array, make sure that the security scheme you are applying through the security requirement property is of type oauth2 or openIdConnect.
  • The array can only contain scope values for OAuth 2.0 and OpenID Connect security schemes and should not contain any other type of data.
  • Security-role-specific data can only be added for OpenAPI 3.1.x documents.
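
The check this rule describes, as an added example (not the ruleset's own implementation): it walks the top-level and operation-level security arrays of a parsed OpenAPI 3.0.x document and reports every requirement that lists values for a scheme whose type is not oauth2 or openIdConnect. The sample document, the scheme names and the function name find_violations are constructed for illustration, and treating undefined scheme names as non-scoped is an assumption.

```python
# Added example: a minimal check for this rule; not the ruleset's own implementation.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
SCOPED_TYPES = {"oauth2", "openIdConnect"}  # only these scheme types may list scopes

# Constructed sample OpenAPI 3.0.x document (already parsed into a dict).
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.com/token",
            "scopes": {"read:items": "Read items"}}}},
    }},
    "security": [{"apiKeyAuth": []}],  # valid: empty array for an apiKey scheme
    "paths": {"/items": {
        # valid: scopes listed for an oauth2 scheme
        "get": {"security": [{"oauth": ["read:items"]}], "responses": {}},
        # invalid: a value listed for an apiKey scheme
        "post": {"security": [{"apiKeyAuth": ["admin"]}], "responses": {}},
    }},
}

def find_violations(doc):
    """Return (location, scheme_name) pairs whose requirement value breaks the rule."""
    schemes = doc.get("components", {}).get("securitySchemes", {})
    # Collect every place a Security Requirement Object can appear.
    sites = [("security", doc.get("security", []))]
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict):
                sites.append((f"paths.{path}.{method}.security", op.get("security", [])))
    violations = []
    for location, requirements in sites:
        for requirement in requirements:
            for name, value in requirement.items():
                # Assumption: a name with no matching scheme is treated as non-scoped.
                scheme_type = schemes.get(name, {}).get("type")
                if scheme_type in SCOPED_TYPES:
                    continue  # scope lists are allowed for these types
                if value != []:  # anything but an empty array breaks the rule
                    violations.append((location, name))
    return violations

if __name__ == "__main__":
    for location, name in find_violations(SAMPLE_DOC):
        print(f"{location}: '{name}' must be an empty array")
```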

For More Information