API Key authentication should allow scopes to be defined. #1366
Comments
Is there a better place to file an issue so as to get some traction on this?
I don't see any reason why it couldn't be added to api key also. /cc @OAI/tdc
Please see #1393 (comment) (feel free to comment on either issue).
Any feedback on potential confusion in reusing the term
Any news here? I just spent a decent amount of time figuring out that there was no way to do this for anything but OAuth, which I don't use.
See PR #1764 linked to above. We hope this will be included in OAS 3.1.0.
@MikeRalphson Just wanted to check in on the status of roles/scopes being added to non-OAuth security schemas. I see in the PR you referenced above the roles/scopes change was omitted: #1764 (comment). However, in the big list of possibilities for 3.1, I see that the scopes on non-OAuth security schemes is checked off. Here is the PR for the change: #1829. Does this mean that the concept is approved for 3.1 but just needs refinement, or is it potentially on the chopping block?
This is included in the imminent 3.1 release.
Today the scopes field on a security definition is only allowed on type=oauth.
What is the reason to not allow scopes to be defined at an api key level?
For a good example of APIs that allow auth tokens to have scopes see GitHub's personal access tokens (https://github.com/settings/tokens/new)
Why can't I define an API and describe what scopes each endpoint needs/allows?
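What the request looks like once scopes can be listed against an API key scheme, as an added example that is not part of the thread or of the OpenAPI project's code. It assumes OAS 3.1 semantics, where the array in a security requirement may name roles or scopes for non-OAuth schemes; the scheme name `ApiKeyAuth`, the scope names, the paths and the key store are hypothetical.

```python
# Added example: constructed OpenAPI 3.1 fragment; all names are hypothetical.
SPEC = {
    "openapi": "3.1.0",
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    # Document-level default: any valid key needs at least repo:read.
    "security": [{"ApiKeyAuth": ["repo:read"]}],
    "paths": {
        "/repos": {
            "get": {},  # inherits the document-level requirement
            "post": {"security": [{"ApiKeyAuth": ["repo:read", "repo:write"]}]},
        },
        "/status": {"get": {"security": []}},  # empty list: explicitly public
    },
}

# Constructed key store: API key -> scopes granted when the key was issued.
KEY_SCOPES = {
    "key-reader": {"repo:read"},
    "key-writer": {"repo:read", "repo:write"},
}

def required_security(spec, path, method):
    """Operation-level `security` overrides the document-level default."""
    op = spec["paths"][path][method]
    return op["security"] if "security" in op else spec.get("security", [])

def is_authorized(spec, path, method, api_key):
    requirements = required_security(spec, path, method)
    if not requirements:
        return True  # no security requirement applies
    granted = KEY_SCOPES.get(api_key)
    for requirement in requirements:  # alternatives: one satisfied entry suffices
        if not requirement:
            return True  # {} means anonymous access is allowed
        # Every scheme in the entry must pass; unknown schemes or keys fail closed.
        if granted is not None and all(
            scheme == "ApiKeyAuth" and set(scopes) <= granted
            for scheme, scopes in requirement.items()
        ):
            return True
    return False
```

The specification only describes the required scopes; they are not exchanged in-band, so the server still has to map each presented key to its granted scopes as the key store does here.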