


This rule belongs to the openapi-v3-standards-validation ruleset and states that:

The location of the API key, specified using the "in" property of the Security Scheme Object, must have exactly one of the following values: query, header, cookie. Other values are neither supported nor allowed.

Maximum Severity: Error
Message: Invalid location for API key found.
Rule System: Semantic
Broad Category: Security Schemes
Products Impacted: API Transformer, Code Generation, Developer Experience Portal
Tags: openapi3 openapi standards semantic validation location api key type security scheme security

Suggested Fixes

  • Value of API key location is compared in a case-sensitive manner.
  • Ensure that the API key location value matches exactly with the possible list of values and that there are no typos: query, header, cookie.
  • Ensure that the value for API key location is not null or empty.
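
The checks listed above can be run locally before a document is submitted for validation. The following is an added example, not the validator's own implementation: the function name, the hint texts and the sample document are constructed for illustration, and treating a missing "in" key the same as a null value is an assumption.

```python
import json

ALLOWED_LOCATIONS = ("query", "header", "cookie")  # the only values the rule accepts
MESSAGE = "Invalid location for API key found."     # rule message quoted on this page

# Constructed sample document for illustration, not taken from a real API.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Constructed sample", "version": "1.0.0"},
  "paths": {},
  "components": {"securitySchemes": {
    "goodHeader": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
    "wrongCase":  {"type": "apiKey", "name": "X-API-Key", "in": "Header"},
    "typo":       {"type": "apiKey", "name": "api_key", "in": "querry"},
    "emptyValue": {"type": "apiKey", "name": "api_key", "in": ""},
    "nullValue":  {"type": "apiKey", "name": "api_key", "in": null},
    "missingKey": {"type": "apiKey", "name": "api_key"},
    "bearerAuth": {"type": "http", "scheme": "bearer"}
  }}
}
""")


def find_invalid_api_key_locations(spec):
    """Return (scheme_name, value, hint) for every apiKey scheme whose "in"
    value is not exactly one of ALLOWED_LOCATIONS (case-sensitive match)."""
    schemes = (spec.get("components") or {}).get("securitySchemes") or {}
    findings = []
    for name, scheme in schemes.items():
        # Only inline apiKey schemes are checked; $ref entries are not resolved here.
        if not isinstance(scheme, dict) or scheme.get("type") != "apiKey":
            continue
        value = scheme.get("in")
        if value in ALLOWED_LOCATIONS:  # exact comparison, no case folding
            continue
        if value is None or value == "":
            hint = "value is null, empty or missing"
        elif isinstance(value, str) and value.strip().lower() in ALLOWED_LOCATIONS:
            hint = f"case or whitespace differs, use '{value.strip().lower()}'"
        else:
            hint = "not one of: " + ", ".join(ALLOWED_LOCATIONS)
        findings.append((name, value, hint))
    return findings


if __name__ == "__main__":
    for name, value, hint in find_invalid_api_key_locations(SAMPLE_SPEC):
        print(f"{MESSAGE} scheme={name!r} in={value!r} ({hint})")
```
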

For More Information