Authentication & security
Define how clients authenticate and how requests are secured in transit. This page is intentionally strict for external publication.
Current spec status
TODO – Requires Obita input: The OpenAPI file does not define securitySchemes or global security. Add one of the following (or your internal standard):
- API Key (e.g. X-Api-Key)
- Bearer token (OAuth2 / JWT)
- HMAC signature scheme (timestamp + nonce + signature)
Recommended minimum (enterprise baseline)
| Area | Recommendation |
|---|---|
| Transport | HTTPS required; reject plain HTTP |
| Request ID | Return a request_id header on every response for support and audits (TODO in spec) |
| Replay protection | Use timestamp + nonce if signatures are used (TODO) |
| Idempotency | For create-like endpoints, support Idempotency-Key header (TODO) |
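The HMAC option listed above and the replay-protection row, worked through as an added example that is not part of the spec or of any Obita code: the header names X-Client-Id, X-Timestamp, X-Nonce and X-Signature, the canonical string layout, the demo secret and the 300-second skew window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment loads per-client secrets from a vault.
CLIENT_SECRETS = {"client-demo": b"demo-shared-secret"}
MAX_SKEW = 300  # seconds of clock skew tolerated either side of "now"
_seen_nonces = {}  # nonce -> expiry time; use a shared store (e.g. Redis) in production


def _canonical(method, path, timestamp, nonce, body):
    # Assumed canonical form (not fixed by the spec): method, path, timestamp,
    # nonce and a SHA-256 body hash, newline-joined, so the signature covers all of them.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(client_id, method, path, body, now=None):
    """Client side: build the assumed X-Client-Id/X-Timestamp/X-Nonce/X-Signature headers."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(CLIENT_SECRETS[client_id], _canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (accepted, reason). Cheap checks run first; the nonce is
    recorded only after the signature is proven genuine."""
    now = time.time() if now is None else now
    secret = CLIENT_SECRETS.get(headers.get("X-Client-Id", ""))
    if secret is None:
        return False, "unknown client"
    try:
        ts, nonce, sig = int(headers["X-Timestamp"]), headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside allowed window"
    for stale in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[stale]  # nonces older than the window are rejected by the timestamp check anyway
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    _seen_nonces[nonce] = now + MAX_SKEW
    return True, "ok"
```

A genuine request is accepted once; resending the same headers is refused as a replay, a modified body fails the signature, and a stale timestamp is rejected before any signature work is done.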
How to update the OpenAPI file
```json
{
  "components": {
    "securitySchemes": {
      "ApiKeyAuth": {
        "type": "apiKey",
        "in": "header",
        "name": "X-Api-Key"
      }
    }
  },
  "security": [ { "ApiKeyAuth": [] } ]
}
```
The snippet above is a template. Replace with your official Obita authentication model.