Async API Security
Configure security schemes for async event APIs. Covers SASL authentication, OAuth2, X.509 certificates, encryption, and the OR/AND security requirements model.
Async APIs have distinct security requirements compared to REST and GraphQL. Message brokers use SASL mechanisms, mTLS certificates, and encryption rather than HTTP headers and cookies. NeoArc supports 13 security scheme types covering all common broker authentication patterns.
Security Scheme Types
Security Requirements Model
Security requirements follow an OR-of-AND pattern matching the AsyncAPI specification. Each inner array represents an AND group (all schemes must be satisfied). The outer array represents OR alternatives (any group is sufficient).
{
"defaultSecurityRequirements": [
[
{ "schemeId": "scram-sha-256" },
{ "schemeId": "oauth2", "scopes": ["events:publish"] }
],
[
{ "schemeId": "x509" }
]
]
}In this example, a client can authenticate by either:
- Providing both SCRAM-SHA-256 credentials and an OAuth2 token with
events:publishscope, or - Presenting a valid X.509 client certificate
SASL Authentication
SASL schemes are the primary authentication mechanism for Apache Kafka and other enterprise brokers.
OAuth2 for Async APIs
OAuth2 in async APIs typically uses the client credentials flow for service-to-service communication. Scopes control which topics a service can publish to or subscribe from.
Per-Operation Security
Individual operations can override the API-level default security requirements. This is useful when different operations require different authentication levels. For example, a publish operation might require OAuth2 with events:publish scope, while a subscribe operation requires events:subscribe.
Rename Propagation
When you rename a security scheme ID or an OAuth2 scope in the API definition editor, the change automatically cascades to all security requirement references across operations. This maintains consistency without manual find-and-replace.