API Key authentication should allow scopes to be defined.
Today the scopes field on a security definition is only allowed on type=oauth.
What is the reason to not allow scopes to be defined at an api key level?
For a good example of APIs that allow auth tokens to have scopes see GitHub’s personal access tokens (https://github.com/settings/tokens/new)
Why can’t I define an API and describe what scopes each endpoint needs/allows?
Issue Analytics
- State:
- Created 6 years ago
- Reactions: 24
- Comments: 8 (5 by maintainers)
Top GitHub Comments
I don’t see any reason why it couldn’t be added to api key also. /cc @OAI/tdc
@MikeRalphson Just wanted to check in on the status of roles/scopes being added to non-OAuth security schemas. I see in the PR you referenced above the roles/scopes change was omitted https://github.com/OAI/OpenAPI-Specification/pull/1764#issuecomment-460964363
However in the big list of possibilities for 3.1, I see that the scopes on non-OAuth security schemes is checked off. Here is the PR for the change https://github.com/OAI/OpenAPI-Specification/pull/1829
Does this mean that the concept is approved for 3.1 but just needs refinement or is it potentially on the chopping block?
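
As an added example (not code from the issue or from the OpenAPI project): a small Python check that walks an OpenAPI 3.x document and reports where an operation lists scope or role names against a non-OAuth scheme such as `apiKey`. OpenAPI 3.0 requires that list to be empty, while OpenAPI 3.1 permits role names there. The sample document, the `X-API-Key` header and the `repo:write` name are constructed for illustration.

```python
# Added example. SAMPLE is a constructed document; header and scope names are hypothetical.
SCOPED_TYPES = {"oauth2", "openIdConnect"}   # scheme types whose lists carry scopes in 3.0
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def audit_security(doc):
    """Audit an OpenAPI 3.x document (dict).

    Returns (findings, required): findings lists requirements that OpenAPI 3.0
    rejects or that name an undeclared scheme; required maps (METHOD, path) to
    the effective list of security requirement objects for that operation.
    """
    is_30 = str(doc.get("openapi", "")).startswith("3.0")
    schemes = doc.get("components", {}).get("securitySchemes", {})
    default = doc.get("security", [])
    findings, required = [], {}
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            where = f"{method.upper()} {path}"
            # An operation-level "security" replaces the top-level default entirely.
            reqs = op.get("security", default)
            required[(method.upper(), path)] = reqs
            for req in reqs:
                for name, names in req.items():
                    scheme = schemes.get(name)
                    if scheme is None:
                        findings.append(f"{where}: undeclared scheme {name!r}")
                    elif names and is_30 and scheme.get("type") not in SCOPED_TYPES:
                        findings.append(f"{where}: {name!r} has type {scheme.get('type')!r}; "
                                        f"3.0 requires an empty list, got {names}")
    return findings, required

SAMPLE = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "security": [{"ApiKeyAuth": []}],
    "paths": {"/repos": {
        "get": {"responses": {}},
        "post": {"security": [{"ApiKeyAuth": ["repo:write"]}], "responses": {}}}},
}

if __name__ == "__main__":
    for version in ("3.0.3", "3.1.0"):
        findings, _ = audit_security(dict(SAMPLE, openapi=version))
        print(version, findings or "no findings")
```

The names listed against an `apiKey` scheme are descriptive only: the server still has to check on each request that the presented key carries them.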