The server security concept in AsyncAPI means that the security settings specified at the server level automatically apply to every operation on every channel of that server. If you want to change these default security settings for a particular operation, you specify the security details directly on that operation, and that operation-level setting takes precedence.
Add security
To accommodate such scenarios, the AsyncAPI document allows you to use the security field at the operation level. You can list multiple security schemes, but only one of them needs to be satisfied to authorize the operation.
The diagram below describes how to implement reusable security schemes:
Operation section
Security information for an operation is defined using a Security Scheme at the operation level. You can reference a scheme from another location, such as components.securitySchemes, using the $ref keyword.
```yaml
operations:
  sendAuthRevoke:
    action: send
    channel:
      $ref: '#/channels/authRevoke'
    security:
      - type: oauth2
        description: The oauth security descriptions
        flows:
          clientCredentials:
            tokenUrl: 'https://example.com/api/oauth/dialog'
            availableScopes:
              'subscribe:auth_revocations': Scope required for authorization revocation topic
        scopes:
          - 'subscribe:auth_revocations'
```
The previous example, featuring the sendAuthRevoke operation in an AsyncAPI document, shows a client application that sends to an existing notification service and must present an OAuth2 client-credentials token carrying the subscribe:auth_revocations scope. If the server has its own security requirements, this operation must also comply with those.
securitySchemes section
To reuse security schemes between operations, place them in components.securitySchemes and reference them via the $ref keyword in your operation:
```yaml
operations:
  sendAuthRevoke:
    action: send
    channel:
      $ref: '#/channels/authRevoke'
    security:
      - $ref: '#/components/securitySchemes/oauth'

components:
  securitySchemes:
    oauth:
      type: oauth2
      description: The oauth security descriptions
      flows:
        clientCredentials:
          tokenUrl: 'https://example.com/api/oauth/dialog'
          availableScopes:
            'subscribe:auth_revocations': Scope required for authorization revocation topic
      scopes:
        - 'subscribe:auth_revocations'
```
The previous code snippet shows how to reuse a single security scheme across multiple operations, and even across multiple AsyncAPI documents, by keeping the definition in one place and referencing it.
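The following is an added example, not code from the AsyncAPI project or this page: it resolves the effective security requirements for an operation the way the page describes (server-level security inherited unless the operation defines its own, $ref entries followed into components.securitySchemes, and any one satisfied scheme authorizing). The document dictionary, the server name `production` and the second operation `receiveStatus` are constructed for illustration.

```python
# Constructed AsyncAPI v3-style document (as a dict, so no YAML parser is needed).
DOC = {
    "servers": {"production": {"security": [{"$ref": "#/components/securitySchemes/apiKey"}]}},
    "operations": {
        "sendAuthRevoke": {  # overrides the server default with its own scheme
            "action": "send",
            "security": [{"$ref": "#/components/securitySchemes/oauth"}],
        },
        "receiveStatus": {"action": "receive"},  # no security field: inherits from server
    },
    "components": {
        "securitySchemes": {
            "apiKey": {"type": "apiKey", "in": "user"},
            "oauth": {
                "type": "oauth2",
                "flows": {"clientCredentials": {"tokenUrl": "https://example.com/api/oauth/dialog"}},
                "scopes": ["subscribe:auth_revocations"],
            },
        }
    },
}


def resolve_ref(doc, node):
    """Follow a local '#/...' $ref (JSON pointer) until a concrete object is reached."""
    if not isinstance(node, dict) or "$ref" not in node:
        return node
    ref = node["$ref"]
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    cur = doc
    for part in ref[2:].split("/"):
        cur = cur[part.replace("~1", "/").replace("~0", "~")]  # JSON pointer unescaping
    return resolve_ref(doc, cur)


def effective_security(doc, op_name, server_name):
    """Operation-level 'security' replaces the server's list; otherwise the server's applies."""
    reqs = doc["operations"][op_name].get("security")
    if reqs is None:
        reqs = doc["servers"][server_name].get("security", [])
    return [resolve_ref(doc, r) for r in reqs]


def is_authorized(schemes, presented):
    """presented maps scheme type to credential info, e.g. {'oauth2': {'scopes': [...]}}.
    One satisfied scheme is enough; an oauth2 scheme needs every required scope."""
    for scheme in schemes:
        kind = scheme["type"]
        if kind == "oauth2":
            granted = set(presented.get("oauth2", {}).get("scopes", []))
            if set(scheme.get("scopes", [])) <= granted:
                return True
        elif kind in presented:
            return True
    return False
```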