Skip to main content



This rule belongs to the openapi-v3-standards-validation ruleset and states that:

If the security scheme type is HTTP (i.e. type is set to http), the Security Scheme Object must specify a name of the HTTP Authorization scheme to be used in the Authorization header as defined in RFC7235, using the scheme property. The value of the scheme used should be registered in the IANA Authentication Scheme registry.

Maximum SeverityError
MessageRequired scheme property in HTTP Security Scheme Object is missing.
Rule SystemSemantic
Broad CategorySecurity Schemes
Products ImpactedAPI Transformer, Code Generation, Developer Experience Portal
Tagsopenapi3 openapi standards semantic validation scheme http type security scheme security

Suggested Fixes

  • Add missing scheme property in the Security Scheme Object.
  • Make sure that the scheme property is not null or empty.
  • Choose a different security scheme type if HTTP Authorization scheme name is not applicable in your API authentication's 'case.

For More Information