Skip to main content



This rule belongs to the openapi-v3-standards-validation ruleset and states that:

For all flow types, the OAuth Flow Object must specify the available scopes for the OAuth2 security scheme token URL, using the scopes property.

Maximum SeverityError
MessageRequired scopes property in OAuth Flow Object is missing.
Rule SystemSemantic
Broad CategoryOAuth 2.0 Flows
Products ImpactedAPI Transformer, Code Generation, Developer Experience Portal
Tagsopenapi3 openapi standards semantic validation scopes oauth2 flows type security scheme security

Suggested Fixes

  • Add missing scopes property in the OAuth Flow Object.
  • Make sure that the scopes property is not set as null.
  • If you are unsure about the scopes to add, you can simply add the scopes property in the OAuth Flow Object and declare it as an empty object e.g. scopes: {}

For More Information