I don't believe OpenAPI has an opinion on the right response here. I would agree with you that a caller that sends an api key is likely to be intending it to be a valid key and would expect an error if it isn't valid. However, I don't think OpenAPI should make this choice for the API provider.
We're wondering how to handle the following specification in connexion.
If the user sends an invalid API key, should this request be accepted because security is optional, or rejected because the request is invalid according to the `api_key` security scheme?
When reading the specification to the letter, these schemes should be applied in an OR fashion, so the request should be accepted. However, from the user side, it probably makes more sense to alert them of the invalid API key and reject the request.
Related: #1698
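The two readings discussed in this issue, side by side, as an added example that is not part of the original thread and is not connexion's code. The specification the issue refers to is not shown on this page, so `SECURITY` is an assumed stand-in (an empty requirement object next to `api_key`); `check_api_key`, `authorize`, `reject_invalid` and the sample key are hypothetical names and constructed data.

```python
# Assumed stand-in for the spec in question: security is optional because an
# empty requirement object sits beside the api_key requirement.
SECURITY = [{}, {"api_key": []}]

VALID_KEYS = {"constructed-valid-key"}  # constructed sample data


def check_api_key(value):
    """Hypothetical verifier: None = not sent, True/False = sent and valid/invalid."""
    if value is None:
        return None
    return value in VALID_KEYS


VERIFIERS = {"api_key": check_api_key}


def authorize(security, credentials, reject_invalid=False):
    """Evaluate a list of security requirements against presented credentials.

    Entries in the list are alternatives (OR); schemes inside one entry must
    all pass (AND). With reject_invalid=False the list is read to the letter:
    any satisfied entry, including {}, accepts the request. With
    reject_invalid=True a credential that was sent but fails verification
    rejects the request even though {} would otherwise accept it.
    Returns (decision, reason).
    """
    results = {name: VERIFIERS[name](credentials.get(name))
               for requirement in security for name in requirement}

    if reject_invalid:
        bad = sorted(name for name, ok in results.items() if ok is False)
        if bad:
            return "reject", "invalid credential for " + ", ".join(bad)

    # Try the most specific entries first so a valid key yields an
    # authenticated identity instead of falling through to anonymous.
    for requirement in sorted(security, key=len, reverse=True):
        if all(results[name] is True for name in requirement):
            if requirement:
                return "accept", "authenticated via " + ", ".join(sorted(requirement))
            return "accept", "anonymous"
    return "reject", "no security requirement satisfied"
```

Under the literal reading an invalid key is silently treated as an anonymous request, so the caller gets no signal that the key they sent was not honoured; the strict mode surfaces that as a rejection.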