

Define Security using extension

By default, the APIs and resources are protected via OAuth2 in the WSO2 API Microgateway.  You (API consumer) will need a valid OAuth2 access token (JWT or opaque) to invoke an API(s).  However, APIs can be exposed without any authentication using the swagger security scheme definition or OpenAPI extension x-wso2-application-security . This extension is supported in API level and resource level. The following is an example of how you can define security at the resource level of an API.

paths:
  "/pet/findByStatus":
    get:
      tags:
        - pet
      summary: Finds Pets by status
      description: Multiple status values can be provided with comma separated strings
      operationId: findPetsByStatus
      x-wso2-application-security: 
        security-types:
          - "oauth2"
          - "basic_auth"
          - "api_key"

Note

If you provided both swagger security types and x-wso2-application-security extension for a resource/ API then, the extension will override the swagger security schemes for the resource or API.

Top