Security schemes define how API consumers authenticate with your REST API. NeoArc supports all OpenAPI security scheme types.

Security Scheme Types

Supported security scheme types

| Type | Description | Use Case |
|---|---|---|
| http | HTTP authentication (Bearer, Basic) | JWT tokens, simple auth |
| apiKey | API key in header, query, or cookie | Service-to-service, public APIs |
| oauth2 | OAuth 2.0 authentication flows | User-delegated access |
| openIdConnect | OpenID Connect discovery | Enterprise SSO |
| mutualTLS | Client certificate authentication | B2B integrations |

HTTP Security Scheme

HTTP authentication schemes

| Scheme | Header Format | Notes |
|---|---|---|
| bearer | Authorization: Bearer {token} | Most common for JWTs |
| basic | Authorization: Basic {base64(user:pass)} | Simple but requires HTTPS |
| digest | Authorization: Digest {params} | Challenge-response mechanism |

HTTP scheme properties

| Property | Description |
|---|---|
| scheme | HTTP authentication scheme (bearer, basic, digest) |
| bearerFormat | Format specification (e.g., JWT) for documentation |

API Key Security Scheme

API key scheme properties

| Property | Description |
|---|---|
| name | Name of the header, query parameter, or cookie |
| in | Location: header, query, or cookie |

OAuth2 Security Scheme

OAuth2 flow properties

| Property | Description |
|---|---|
| authorizationUrl | URL for user authorization |
| tokenUrl | URL for token exchange |
| refreshUrl | URL for token refresh |
| scopes | Available scopes with descriptions |

OpenID Connect Security Scheme

OpenID Connect properties

| Property | Description |
|---|---|
| openIdConnectUrl | Discovery document URL (.well-known/openid-configuration) |

Mutual TLS Security Scheme

Applying Security

Security application options

| Scope | Description |
|---|---|
| Default security | Applies to all endpoints unless overridden |
| Per-endpoint security | Override default for specific endpoints |
| Multiple schemes (AND) | All schemes required for access |
| Multiple schemes (OR) | Any scheme grants access |
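
In an OpenAPI document these four options are all expressed through the `security` field: entries of the list are alternatives (OR), the keys inside one entry are all required (AND), and an operation-level `security` replaces the default rather than adding to it. The Python sketch below is an added example, not NeoArc code; the scheme names, paths and the `satisfied` set of already-verified schemes are assumptions made for illustration.

```python
# Constructed OpenAPI fragment; scheme names and paths are hypothetical.
SPEC = {
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        "apiKeyAuth": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        "partnerCert": {"type": "mutualTLS"},
    }},
    # Default security: bearer token OR (API key AND client certificate).
    "security": [{"bearerAuth": []}, {"apiKeyAuth": [], "partnerCert": []}],
    "paths": {
        "/orders": {"get": {}},  # inherits the default
        "/admin": {"post": {"security": [{"bearerAuth": [], "partnerCert": []}]}},
        "/health": {"get": {"security": []}},  # explicit override: no authentication
    },
}

def effective_security(spec, path, method):
    """Per-endpoint `security` replaces the default; the two are never merged."""
    op = spec["paths"][path][method]
    return op["security"] if "security" in op else spec.get("security", [])

def is_authorized(spec, path, method, satisfied):
    """`satisfied` is the set of scheme names the request has already passed."""
    requirements = effective_security(spec, path, method)
    if not requirements:  # empty list: the endpoint is unauthenticated
        return True
    # OR across list entries, AND across the keys of a single entry.
    return any(set(req) <= satisfied for req in requirements)

def undefined_schemes(spec):
    """Names used in a requirement but missing from components.securitySchemes."""
    defined = set(spec["components"]["securitySchemes"])
    used = {name for req in spec.get("security", []) for name in req}
    for item in spec["paths"].values():
        for op in item.values():
            used |= {name for req in op.get("security", []) for name in req}
    return sorted(used - defined)
```

An override is easy to read as additive: `/admin` above no longer accepts the API-key alternative from the default, and `/health` accepts requests with no credentials at all.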