Skip to main content



This rule belongs to the openapi-v3-standards-validation ruleset and states that:

The type of the security scheme specified using property type of the Security Scheme Object must have only one of the following values: apiKey, http, oauth2, openIdConnect. Type mutualTLS can also be used but only for OpenAPI v3.1.x documents. Other types are not supported or allowed.

Maximum SeverityError
MessageInvalid type of security scheme found.
Rule SystemSemantic
Broad CategorySecurity Schemes
Products ImpactedAPI Transformer, Code Generation, Developer Experience Portal
Tagsopenapi3 openapi standards semantic validation type security scheme security

Suggested Fixes

  • Value of security scheme type is compared in a case-sensitive manner.
  • Ensure that the security scheme type value matches exactly with the possible list of values and that there are no typos: apiKey, http, oauth2, openIdConnect.
  • If you are using OpenAPI v3.1.x documents, you can also use the mutualTLS type.
  • Ensure that the value for security scheme type is not null or empty.

For More Information