required-api-key-security-scheme-parameter-location
Overview
This rule belongs to the openapi-v3-standards-validation ruleset and states that:
If the security scheme type is API Key (i.e. type is set to apiKey), the Security Scheme Object must specify a location for the API Key parameter using the in property. Valid values for location include query, header and cookie.
| Property | Value |
|---|---|
| Enabled | Yes |
| Maximum Severity | Error |
| Message | Required in property in API key Security Scheme Object is missing. |
| Code | OPENAPI3STANDARDS_V413 |
| Type | Validation |
| Rule System | Semantic |
| Broad Category | Security Schemes |
| Products Impacted | API Transformer, Code Generation, Developer Experience Portal |
| Tags | openapi3 openapi standards semantic validation location api key type security scheme security |
Suggested Fixes
- Add missing
inproperty in the Security Scheme Object. - Make sure that the
inproperty is not null or empty. - Ensure that the
inproperty has one of the following values:query,headerandcookie - Choose a different security scheme type if API key location is not applicable in your API authentication's case.
For More Information
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-scheme-object
- https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#openapi-specification
- https://docs.apimatic.io/rulesets/overview/