Describing authentication schemes

When using the swagger-ui frontend, it is possible to interact with the API described by your Swagger document. This interaction might require authentication, which you will have to describe in order to make swagger-ui work with it.

Security definitions

The first step that you have to do is add a SECURITY_DEFINITIONS setting to declare all authentication schemes supported by your API.

For example, the definition for a simple API accepting HTTP basic auth and Authorization header API tokens would be:

SWAGGER_SETTINGS = {
   'SECURITY_DEFINITIONS': {
      'Basic': {
            'type': 'basic'
      },
      'Bearer': {
            'type': 'apiKey',
            'name': 'Authorization',
            'in': 'header'
      }
   }
}

Security requirements

The second step is specifying, for each endpoint, which authentication mechanism can be used for interacting with it. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-requirement-object for details.

By default, a top-level security that accepts all the declared security definitions is generated. For the example above, that would be [{'Basic': []}, {'Bearer': []}]. This can be overriden using the SECURITY_REQUIREMENTS setting.

Operation-level overrides can be added using the security parameter of @swagger_auto_schema.