API Security


Can somebody please explain how security in RAML works. All of the examples seem to relate to using OAuth. My API simply needs to get a token and ensure that the token exists in the header for all subsequent requests. I can’t seem to find anything that covers how to do this.




Hi Carl,

you can define your security schemes globally like that:

  securitySchemes:
    - simple_token:
        description: security token which has to be provided in the header
        type: x-simple_token
        describedBy:
          headers:
            X-Auth-Token:   # placeholder header name; the original snippet did not name the header
              description: |
                the security token you have to provide
              type: string
  securedBy: [ simple_token ]


In this example you secure both resources by defining securedBy globally with simple_token which is your custom security schema (custom using the type x-{thenameofyourcustomschema}).

Does this answer your question?



There is another post in the forum talking about custom security schemes. Unfortunately, I was not able to put in the link. :confused:


Just to be clear, the securitySchemes and securedBy are mostly for documentation purposes, correct? I am trying to understand how something like the JAX-RS generator would use it (if it does?), or if this is primarily to help document resources that are implemented with security.


So far it is primarily for documentation, indeed!


Hi, I defined the securedBy before the resources as you instructed. Now, how do I skip over a particular method of a resource? Thanks in advance!


@aravind08: have you seen the section of the RAML Spec related to “Applying Security Schemes”, particularly:

Applying a security scheme to a method overrides security schemes applied to the API and to resources having the method as a sibling.

Hope that answers your question.
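Worked example, added here and not part of any post in this thread: since the thread notes that securitySchemes/securedBy are documentation-only as far as the generators go, the server still has to enforce the header check itself. The script below takes a constructed RAML 0.8 document (written in JSON form, which is valid YAML, so the standard library can parse it without PyYAML), resolves the effective securedBy for every method using the rule quoted above (method-level overrides resource-level, which overrides API-level; `[null]` on a method means it may be called without a token), and then enforces that resolution against incoming request headers. The header name X-Auth-Token, the resource paths and the token values are constructed for the example, not taken from the thread.

```python
import json

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}

# Constructed RAML 0.8 document (JSON is valid YAML): one custom x-simple_token
# scheme applied API-wide, a resource-level and a method-level override.
RAML_DOC = json.loads(r'''
{
  "title": "Token API",
  "securitySchemes": [
    { "simple_token": {
        "description": "security token which has to be provided in the header",
        "type": "x-simple_token",
        "describedBy": {
          "headers": { "X-Auth-Token": { "description": "the security token", "type": "string" } },
          "responses": { "401": { "description": "token missing or unknown" } }
        }
    } }
  ],
  "securedBy": ["simple_token"],
  "/login":  { "post": { "securedBy": [null] } },
  "/health": { "securedBy": [null], "get": {} },
  "/orders": { "get": {}, "/{id}": { "get": {}, "delete": { "securedBy": ["simple_token"] } } }
}
''')


def defined_schemes(doc):
    """RAML 0.8 lists securitySchemes as a list of single-key maps; flatten to name -> scheme."""
    schemes = {}
    for entry in doc.get("securitySchemes", []):
        schemes.update(entry)
    return schemes


def _resolve(secured_by, schemes):
    """Every non-null entry of a securedBy list must name a defined scheme."""
    for name in secured_by:
        if name is not None and name not in schemes:
            raise ValueError("securedBy references undefined scheme %r" % name)
    return list(secured_by)


def effective_security(doc):
    """Map 'METHOD /path' -> effective securedBy list (method > resource > API default).
    A nested resource falls back to the API default, not to its parent resource's securedBy."""
    schemes = defined_schemes(doc)
    api_default = _resolve(doc.get("securedBy", []), schemes)
    result = {}

    def walk(node, path):
        resource_default = _resolve(node["securedBy"], schemes) if "securedBy" in node else api_default
        for key, value in node.items():
            if key in HTTP_METHODS:
                method = value or {}
                secured = _resolve(method["securedBy"], schemes) if "securedBy" in method else resource_default
                result[key.upper() + " " + path] = secured
            elif key.startswith("/"):
                walk(value, path + key)

    for key, value in doc.items():
        if key.startswith("/"):
            walk(value, key)
    return result


def check_request(doc, method, path, request_headers, valid_tokens):
    """Enforce the effective scheme for one request: returns (status, reason).
    A method is allowed if any listed scheme is satisfied; null means no scheme is required."""
    schemes = defined_schemes(doc)
    names = effective_security(doc)[method.upper() + " " + path]
    if not names:
        return 200, "no security scheme applies"
    lowered = {k.lower(): v for k, v in request_headers.items()}  # header names are case-insensitive
    reasons = []
    for name in names:
        if name is None:
            return 200, "method allows unauthenticated calls"
        headers = schemes[name].get("describedBy", {}).get("headers", {})
        missing = [h for h in headers if h.lower() not in lowered]
        if missing:
            reasons.append("%s: missing header %s" % (name, ", ".join(missing)))
            continue
        if all(lowered[h.lower()] in valid_tokens for h in headers):
            return 200, "authenticated via " + name
        reasons.append(name + ": unknown token")
    return 401, "; ".join(reasons)


if __name__ == "__main__":
    for key, secured in sorted(effective_security(RAML_DOC).items()):
        print("%-22s securedBy=%s" % (key, secured))
    print(check_request(RAML_DOC, "GET", "/orders", {}, {"s3cr3t"}))
```

Running the block prints the resolved securedBy for each method and one enforcement result; the `[null]` on `POST /login` is what answers the "skip a particular method" question, since the method-level list replaces the API-wide one rather than adding to it.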