For either "Option 1" or "Option 2" above I expected that the apiKey would be used to authenticate calls to secure routes. Instead 'X-API-KEY' is absent from the headers and a "bad credentials" error is returned.
Option 1 results in an empty "Authorizers available" dialogue box when clicking on the lock icon for a path but I'd expect that dialogue to offer a place to put the "X-API-KEY". The main authorize box does offer the expected dialogue box but it is not applied when executing calls from the docs.
Option 2 results in the expected dialogue boxes but the apiKey is not applied to calls to routes.
When I exercise the api outside of swagger (e.g. http :8000/v1/categories X-API-KEY:58be92dd-61a9-4a27-8efa-b6a0e025439e) authentication functions properly. So, only within swagger is the header not being properly applied.
I noticed that the security schemes in openapi have, effectively, two names. The name of the security and the name of the header:
ApiKeyAuth: # arbitrary name for the security schemetype: apiKeyin: header # can be "header", "query" or "cookie"name: X-API-KEY # name of the header, query parameter or cookie
When the arbitraty name is "apiKey" the dialogue boxes in the docs function as expected.
To get the arbitrary name set in APIKeySecurityScheme the name attribute must be set to "apiKey" but that results in an incorrect header name.
The text was updated successfully, but these errors were encountered:
This stems from me misreading/misinterpreting the spec. I would like to keep using name to refer to the name of the security scheme so I'll have to come up with another keyword that works for the header/param name (maybe param_name?). What would make the most sense to you here?