Skip to content

Enhancement: ergonomic API for OR security requirements (multiple SecurityRequirement entries) #283

Open
Open
Enhancement: ergonomic API for OR security requirements (multiple SecurityRequirement entries)#283
@kieled

Description

@kieled
kieled
opened on Feb 7, 2026

Problem

OpenAPI security requirements are an OR-list at the operation level:

  • security: [ { ApiKey: [] }, { BearerAuth: [] } ] means either ApiKey or BearerAuth

In practice it’s common to support multiple auth mechanisms during migrations (API key OR bearer JWT), or to have alternative schemes.

With aide’s current ergonomics (notably TransformOperation::security_requirement / security_requirement_scopes), it’s easy to accidentally model security as a single requirement object, and it’s not obvious how to express OR cleanly.

Related issues

  • How to require multiple securitySchemas? #25 is about requiring multiple schemes in a group / confusion around the schema shape, but this issue is specifically about providing an ergonomic way to express OR across security requirements.

Proposed solution

Add a helper API that makes OR explicit and hard to misuse, e.g.

  • op.security_requirement_or(["ApiKey", "BearerAuth"])
  • or a lower-level op.security_requirements(vec![SecurityRequirement::from("ApiKey"), SecurityRequirement::from("BearerAuth")])
  • or builder helpers on openapi::OpenApi / TransformOperation that mirror the OpenAPI structure.

Expected output (example)

security:
  - ApiKey: []
  - BearerAuth: []

Minimal example use-case

.api_route_with("/v1/foo", get(foo), |op| op, |op| {
    // would like an ergonomic way to express:
    // either API key or bearer token
    op /* .security_requirement_or(["ApiKey", "BearerAuth"]) */
})

Additional context

I searched issues for SecurityRequirement, anyOf security, OR security requirement, etc. and didn’t find a dedicated issue for this ergonomic gap.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions