How to get api-key security schema working

[ahoehma]

May a stupid question but I can't find a docu or howto or something.

I have already this:

@Configuration
class OpenApiConfiguration {

  @Bean
  OpenAPI customOpenAPI(final CadWebServiceProperties properties) {
    return new OpenAPI()
        .components(
            new Components()
                .addSecuritySchemes("apiKey",
                    new SecurityScheme().type(APIKEY).in(In.HEADER).name(properties.authTokenHeaderName())));
  }

}

I can use the schema in swagger ui:

But then when I send requests ... the header is not in requests. I checked with chrome network console.

Where is the missing magic?

Kind regards
Andreas

[ydrozhdzhal]

We used something like this and it works:

`@Configuration
public class SwaggerConfiguration {

public static final String SEC_SCHEME_NAME = "Access Token";

@Bean
public OpenAPI openAPI() {
    return new OpenAPI()
        .components(new Components().addSecuritySchemes(SEC_SCHEME_NAME, securityScheme()))
        .addSecurityItem(new SecurityRequirement().addList(SEC_SCHEME_NAME));
}

private SecurityScheme securityScheme() {
    return new SecurityScheme()
            .type(SecurityScheme.Type.APIKEY)
            .in(SecurityScheme.In.HEADER)
            .name(AUTHORIZATION);
}

}`

[ahoehma]

I will re-test this asap.

[Raphasha27]

Configure api-key security in springdoc-openapi with a SecurityScheme bean:

import io.swagger.v3.oas.models.Components;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class OpenApiConfig {

    @Bean
    public OpenAPI customOpenAPI() {
        return new OpenAPI()
            .components(new Components()
                .addSecuritySchemes("ApiKey", new SecurityScheme()
                    .type(SecurityScheme.Type.APIKEY)
                    .in(SecurityScheme.In.HEADER)
                    .name("X-API-Key")
                    .description("API key for authentication")))
            .addSecurityItem(new SecurityRequirement().addList("ApiKey"));
    }
}

To apply it to specific endpoints only (not globally):

@Operation(security = { @SecurityRequirement(name = "ApiKey") })
@GetMapping("/secure")
public String secureEndpoint() {
    return "authenticated";
}

To exclude certain endpoints from requiring the API key:

springdoc:
  paths-to-exclude: /api/public/**
  # Or use @SecurityRequirement with empty list on public endpoints:
  # @Operation(security = {})

For header-based auth with a custom filter, ensure your security filter extracts the X-API-Key header and validates it before the request reaches the controller. The OpenAPI config just tells Swagger UI to show the API key input field and include it in requests.