OpenAPI Security Scheme Linter

Lint OpenAPI security schemes, insecure server URLs, and operations without visible security requirements.


Runs in your browser. Inputs are not uploaded.

OpenAPI Security Scheme Linter Example Run

Find missing auth declarations and insecure server URLs.

Sample inputs
{"openapi":"3.1.0","servers":[{"url":"http://api.example.com"}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","in":"header"}}},"paths":{"/users":{"get":{"responses":{"200":{"description":"ok"}}}}}}

Generated result
Summary: 1 security scheme checked. 1 error, 1 warning, 1 note.

Stats
- Schemes: 1
- Operations: 1

Issues
- Critical: ApiKeyAuth apiKey scheme needs name and in.
- Warning: Server 1 uses http:// instead of https://.
- Note: GET /users has no operation or global security requirement.

Output
[ERROR] general: ApiKeyAuth apiKey scheme needs name and in.
[WARNING] general: Server 1 uses http:// instead of https://.
[INFO] general: GET /users has no operation or global security requirement.

What the OpenAPI Security Scheme Linter Checks

  • Security schemes object

    components.securitySchemes is inspected when present and flagged when missing.

  • Scheme field requirements

    apiKey schemes need name and in; http schemes need scheme.

  • HTTPS server URLs

    Server URLs using http:// are reported for review.

  • Operation security coverage

    Operations without operation-level or global security requirements are called out.

  • OpenAPI JSON shape

    The tool expects JSON OpenAPI input and does not resolve external files.
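The checks listed above, sketched as an added JavaScript example; this is not CleanUtils' own code. The function name `lintOpenApiSecurity`, the message text for cases the sample report does not show, and the choice to treat an empty operation-level `security` array as uncovered are assumptions.

```javascript
// Added example: names and any message text not shown in the page's report are assumptions.
const METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

function lintOpenApiSecurity(jsonText) {
  const issues = [];
  const add = (level, message) => issues.push({ level, message });
  let doc;
  try { doc = JSON.parse(jsonText); } catch (err) { doc = null; }
  if (!doc || typeof doc !== "object") {
    add("ERROR", "Input is not a JSON OpenAPI document.");
    return { schemes: 0, operations: 0, issues };
  }
  // Scheme field requirements; $ref entries are skipped because nothing external is resolved.
  const schemes = doc.components?.securitySchemes;
  if (!schemes || typeof schemes !== "object") add("WARNING", "components.securitySchemes is missing.");
  const entries = Object.entries(schemes && typeof schemes === "object" ? schemes : {});
  for (const [name, s] of entries) {
    if (!s || s.$ref) continue;
    if (s.type === "apiKey" && !(s.name && s.in)) add("ERROR", `${name} apiKey scheme needs name and in.`);
    if (s.type === "http" && !s.scheme) add("ERROR", `${name} http scheme needs scheme.`);
  }
  // Plain-HTTP server URLs, numbered from 1 as in the page's report.
  (Array.isArray(doc.servers) ? doc.servers : []).forEach((srv, i) => {
    if (/^http:\/\//i.test(String(srv?.url ?? ""))) add("WARNING", `Server ${i + 1} uses http:// instead of https://.`);
  });
  // Operation coverage: an operation-level `security` array overrides the global one,
  // and an empty array switches security off for that operation.
  const hasGlobal = Array.isArray(doc.security) && doc.security.length > 0;
  let operations = 0;
  for (const [path, item] of Object.entries(doc.paths ?? {})) {
    for (const method of METHODS) {
      const op = item?.[method];
      if (!op || typeof op !== "object") continue;
      operations += 1;
      const covered = Array.isArray(op.security) ? op.security.length > 0 : hasGlobal;
      if (!covered) add("INFO", `${method.toUpperCase()} ${path} has no operation or global security requirement.`);
    }
  }
  return { schemes: entries.length, operations, issues };
}

// The sample input from this page.
const SAMPLE = '{"openapi":"3.1.0","servers":[{"url":"http://api.example.com"}],"components":{"securitySchemes":{"ApiKeyAuth":{"type":"apiKey","in":"header"}}},"paths":{"/users":{"get":{"responses":{"200":{"description":"ok"}}}}}}';
console.log(lintOpenApiSecurity(SAMPLE).issues.map((i) => `[${i.level}] ${i.message}`).join("\n"));
```

Adding `name` to the scheme, switching the server to `https://`, and declaring a top-level `security` requirement clears all three findings for the sample.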

OpenAPI Security Scheme Linter Questions

  • Q: Does the OpenAPI security scheme linter upload my OpenAPI spec? A: No. Inputs are processed in your browser, and pasted content is not sent to analytics or a server.
  • Q: What should I paste into the OpenAPI security scheme linter? A: Paste an OpenAPI JSON document with servers, paths, and optional components.securitySchemes.
  • Q: What can I copy or download? A: You can copy the security lint report.
  • Q: What does the OpenAPI security scheme linter not verify? A: It does not threat-model the API, verify real auth middleware, resolve remote references, or replace a security review.

Updates

  • v1.0.0 (2026-05-17): Initial security-scheme, HTTPS server, and operation security linting added.

Use OpenAPI Security Scheme Linter with an LLM

Copy the prompt or pass the llms.txt contract link to your assistant.

Prompt
Use the CleanUtils OpenAPI Security Scheme Linter tool for this request.
Tool contract: https://cleanutils.com/developer-tools/openapi-security-scheme-linter/llms.txt

Read the llms.txt contract, ask me for any missing required input, then follow the contract exactly. If the contract includes JavaScript, run `runCleanUtilsTool(userInput)` in a sandboxed JavaScript runtime and return the result with any warnings or errors.