NeoArc Studio

Security Schemes

Configure API authentication with HTTP Bearer, API keys, OAuth2, OpenID Connect, and mutual TLS. Set default security and endpoint-specific overrides.

Security schemes define how consumers authenticate with your API. NeoArc supports five security scheme types, matching the OpenAPI 3.1 specification. Configure schemes at the API level and apply them globally or per-endpoint.

Security Scheme Types

NeoArc supports five authentication methods:

HTTP: Bearer tokens, Basic auth, Digest
API Key: Keys in headers, query parameters, or cookies
OAuth2: Full OAuth 2.0 flow support
OpenID Connect: OIDC discovery-based authentication
Mutual TLS: Client certificate authentication

Adding a Security Scheme

HTTP Security Scheme

For Bearer tokens, Basic authentication, or custom HTTP auth schemes.

API Key Security Scheme

For API keys passed in headers, query parameters, or cookies.

OAuth2 Security Scheme

For OAuth 2.0 authentication with multiple flow types.

OAuth2 Flow Types

Flow               | Description                                    | Use Case
-------------------|------------------------------------------------|----------------------------------------------
Authorization Code | Standard web application flow with redirect    | Web applications with server-side components
Client Credentials | Machine-to-machine authentication              | Service-to-service communication
Password           | Resource owner password credentials            | Legacy systems (deprecated)
Implicit           | Browser-based flow without server              | Single-page apps (deprecated)

Flow Configuration
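The flow configuration below shows how each of the four flow types is expressed in an OpenAPI 3.1 document. It is an added example written for this page, not NeoArc's own output: the scheme name oauth2Auth, the auth.example.com URLs and the scope names are placeholders. The two deprecated flows are included only so that their required keys are visible.

```yaml
components:
  securitySchemes:
    oauth2Auth:
      type: oauth2
      description: OAuth 2.0 access tokens from the example authorization server (placeholder URLs).
      flows:
        # Authorization Code: web applications with a server-side component.
        # Each flow declares the scopes it can issue; requirements reference them by name.
        authorizationCode:
          authorizationUrl: https://auth.example.com/oauth2/authorize
          tokenUrl: https://auth.example.com/oauth2/token
          refreshUrl: https://auth.example.com/oauth2/token
          scopes:
            users:read: View user profiles
            users:write: Create and update users
        # Client Credentials: service-to-service calls with no end user involved.
        clientCredentials:
          tokenUrl: https://auth.example.com/oauth2/token
          scopes:
            users:read: View user profiles
        # Password (resource owner password credentials): deprecated. The client
        # handles the user's password directly, so do not offer it to new integrations.
        password:
          tokenUrl: https://auth.example.com/oauth2/token
          scopes:
            users:read: View user profiles
        # Implicit: deprecated because the access token is returned in the redirect
        # URL fragment. Single-page apps should use Authorization Code instead.
        implicit:
          authorizationUrl: https://auth.example.com/oauth2/authorize
          scopes:
            users:read: View user profiles
```

Every flow object needs a scopes map, even if it is empty; tokenUrl is required for authorizationCode, clientCredentials and password, and authorizationUrl for authorizationCode and implicit. Declaring a flow here only documents it: which flows the authorization server actually accepts is configured on that server, so keep the two in sync and remove deprecated flows from both once no consumer depends on them.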

OpenID Connect Security Scheme

For OIDC-based authentication using discovery.

Mutual TLS Security Scheme

For client certificate authentication.
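The following components block defines the remaining four scheme types (HTTP, API key, OpenID Connect and mutual TLS) side by side. It is an added example for this page, not code from NeoArc; the scheme names, the header, cookie and query parameter names, and the auth.example.com discovery URL are placeholders.

```yaml
components:
  securitySchemes:
    # HTTP: Bearer tokens sent as "Authorization: Bearer <token>".
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT        # informational hint for consumers, not enforced
    # HTTP: Basic auth, credentials base64-encoded in the Authorization header.
    # Only acceptable over TLS, since the encoding offers no protection.
    basicAuth:
      type: http
      scheme: basic
    # API key carried in a request header (the usual choice).
    apiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
    # API key carried in a cookie.
    cookieAuth:
      type: apiKey
      in: cookie
      name: session_id
    # API key carried in the query string. Supported, but query strings are
    # written to access logs, browser history and Referer headers, so prefer a header.
    queryKeyAuth:
      type: apiKey
      in: query
      name: api_key
    # OpenID Connect: endpoints, scopes and signing keys are discovered from
    # the provider's configuration document at this URL.
    oidcAuth:
      type: openIdConnect
      openIdConnectUrl: https://auth.example.com/.well-known/openid-configuration
    # Mutual TLS (OpenAPI 3.1 only): the client presents a certificate during the
    # TLS handshake. The object has no further fields; trusted issuers are
    # configured on the server or gateway, not in the API description.
    mtlsAuth:
      type: mutualTLS
```

A scheme defined here does nothing on its own; it takes effect only when a security requirement references it by name, either as the API default or on an individual endpoint.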

Security Requirements

Security requirements specify which schemes are needed to access endpoints. Requirements use logical operators:

Operator | Meaning                            | Example
---------|------------------------------------|----------------------------
AND      | All listed schemes required together | Bearer token AND API key
OR       | Any one of the listed options       | Bearer token OR API key

Example: Require either Bearer token OR API key:

security:
  - bearerAuth: []   # Option 1: Bearer token
  - apiKeyAuth: []   # Option 2: API key

Default vs Endpoint Security
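A complete document showing a default requirement at the top level and two endpoint-level overrides: one that tightens the default to AND, and one that removes security entirely. This is an added example for this page rather than NeoArc output; the API title, paths and the X-API-Key header name are constructed, while bearerAuth and apiKeyAuth are the scheme names used in the example above.

```yaml
openapi: 3.1.0
info:
  title: Example User API       # constructed for this example
  version: 1.0.0

# Default security: applies to every operation that does not declare its own.
# Each list item is one alternative (OR); keys inside a single item are all
# required together (AND).
security:
  - bearerAuth: []              # a Bearer token alone is sufficient by default

paths:
  /health:
    get:
      summary: Liveness probe
      # Endpoint override: an empty list removes every requirement and makes
      # the operation public. Each "security: []" should be a deliberate choice.
      security: []
      responses:
        "200":
          description: OK
  /admin/export:
    post:
      summary: Bulk export
      # Endpoint override: one item with two keys means Bearer token AND API key.
      security:
        - bearerAuth: []
          apiKeyAuth: []
      responses:
        "202":
          description: Accepted
  /users:
    get:
      summary: List users
      # No security key on this operation, so the top-level default applies.
      responses:
        "200":
          description: OK

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
    apiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
```

An endpoint-level security list replaces the default rather than adding to it, so an override that is meant to keep the default scheme must repeat it. When reviewing an exported document, the two things worth checking are operations with "security: []" (public by design, or by accident?) and OR requirements that pair a strong scheme with a weaker alternative, since the endpoint is then only as protected as the weakest option.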

Scope Management

For OAuth2 and OIDC schemes, scopes control access levels. Example scopes for a user API:

Scope        | Permission
-------------|------------------------------
users:read   | View user profiles
users:write  | Create and update users
users:delete | Delete users
admin        | Full administrative access
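The document below applies those four scopes per operation: reads are the default, while writes and deletes require a more specific scope or the admin scope as an alternative. It is an added example for this page, not NeoArc output; the scheme name oauth2Auth, the auth.example.com URLs and the paths are placeholders.

```yaml
openapi: 3.1.0
info:
  title: Example User API       # constructed for this example
  version: 1.0.0

# Default: a token carrying users:read is enough unless an operation says otherwise.
security:
  - oauth2Auth: [users:read]

paths:
  /users:
    get:
      summary: List users
      responses:
        "200":
          description: OK
    post:
      summary: Create user
      # Two alternatives (OR): a token with users:write, or one with admin.
      # Listing several scopes inside one array would require all of them.
      security:
        - oauth2Auth: [users:write]
        - oauth2Auth: [admin]
      responses:
        "201":
          description: Created
  /users/{id}:
    delete:
      summary: Delete user
      security:
        - oauth2Auth: [users:delete]
        - oauth2Auth: [admin]
      responses:
        "204":
          description: Deleted

components:
  securitySchemes:
    oauth2Auth:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://auth.example.com/oauth2/authorize
          tokenUrl: https://auth.example.com/oauth2/token
          scopes:
            users:read: View user profiles
            users:write: Create and update users
            users:delete: Delete users
            admin: Full administrative access
```

Every scope named in a requirement must also be declared in the referenced scheme's flows, or the document is inconsistent. The requirement only documents the expected scope; the server or gateway still has to check the token's granted scopes on each request, so the two should be reviewed together.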

Next Steps

Responses and Export: Document responses and export to OpenAPI.
Getting Started with REST APIs: Fundamentals of authoring REST API documentation in NeoArc.