Security Schemes
Configure API authentication with HTTP Bearer, API keys, OAuth2, OpenID Connect, and mutual TLS. Set default security and endpoint-specific overrides.
Security schemes define how consumers authenticate with your API. NeoArc supports five security scheme types, matching the OpenAPI 3.1 specification. Configure schemes at the API level and apply them globally or per-endpoint.
Security Scheme Types
NeoArc supports five authentication methods:
Adding a Security Scheme
HTTP Security Scheme
For Bearer tokens, Basic authentication, or custom HTTP auth schemes.
API Key Security Scheme
For API keys passed in headers, query parameters, or cookies.
OAuth2 Security Scheme
For OAuth 2.0 authentication with multiple flow types.
OAuth2 Flow Types
Flow Configuration
OpenID Connect Security Scheme
For OIDC-based authentication using discovery.
Mutual TLS Security Scheme
For client certificate authentication.
Security Requirements
Security requirements specify which schemes are needed to access endpoints. Requirements use logical operators:
Example: Require either Bearer token OR API key:
security:
- bearerAuth: [] # Option 1: Bearer token
- apiKeyAuth: [] # Option 2: API key
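Added example (not NeoArc's own code): a Python audit that applies the OpenAPI 3.1 rules for `security` to report operations that end up public, optionally authenticated, or bound to an undefined scheme once endpoint overrides replace the default. It assumes the exported API definition follows OpenAPI semantics; the sample document, its paths and the `mtlsAuth` name are constructed for illustration.

```python
# Added example: audits effective security per operation using OpenAPI 3.1 rules.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def effective_security(spec, operation):
    """Operation-level `security` replaces the API default, even when it is []."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])

def audit(spec):
    """Return {(METHOD, path): [findings]} for every operation in the spec."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    report = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            findings = []
            reqs = effective_security(spec, op)
            if not reqs:
                findings.append("public: no security requirement applies")
            for req in reqs:  # list items are alternatives (OR)
                if not req:
                    # An empty object is an alternative that needs no credentials.
                    findings.append("anonymous alternative: {} makes auth optional")
                for name in req:  # keys inside one item must all be satisfied (AND)
                    if name not in defined:
                        findings.append(f"undefined scheme: {name}")
            report[(method.upper(), path)] = findings
    return report

# Constructed sample document (hypothetical paths; mtlsAuth is deliberately undefined).
SAMPLE = {
    "security": [{"bearerAuth": []}, {"apiKeyAuth": []}],
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"},
        "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "paths": {
        "/users": {"get": {}},                                   # inherits the default
        "/health": {"get": {"security": []}},                    # override removes auth
        "/profile": {"get": {"security": [{"bearerAuth": []}, {}]}},
        "/admin": {"post": {"security": [{"bearerAuth": [], "mtlsAuth": []}]}},
    },
}

if __name__ == "__main__":
    for op, findings in audit(SAMPLE).items():
        print(op, findings or "ok")
```

Running a check like this on every exported definition catches an endpoint override that silently drops the default requirement.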
Default vs Endpoint Security
Scope Management
For OAuth2 and OIDC, scopes control access levels:
Example scopes for a user API: