Authentication & Security

Securing Your API

OpenAPI provides comprehensive security scheme definitions that Tigrister fully supports. Define how your API authenticates requests, and Tigrister handles the rest - from UI forms to request headers.

Key Concepts
  • Security Schemes - Define auth methods in components/securitySchemes
  • Global Security - Apply schemes to all operations
  • Operation Security - Override for specific endpoints
  • Scopes - Fine-grained permissions for OAuth2/OIDC

Supported Security Types

Tigrister supports the most common OpenAPI 3.x security scheme types:

TypeDescriptionUse Case
apiKeyStatic key in header, query, or cookieSimple API access, third-party integrations
http (basic)Username + password via Authorization headerLegacy systems, internal tools
http (bearer)Token in Authorization: Bearer headerJWT, access tokens, modern APIs
oauth2Full OAuth 2.0 with multiple flowsUser delegation, third-party apps
openIdConnectOAuth2 + identity via discovery URLSSO, enterprise identity
mutualTLSClient certificate authenticationNot yet supported

API Key Authentication

Simple

Send a static key value in a header, query parameter, or cookie. The simplest form of API authentication.

header
type: apiKey
in: header
name: X-API-Key

Sends: X-API-Key: your-key

query
type: apiKey
in: query
name: api_key

Sends: ?api_key=your-key

cookie
type: apiKey
in: cookie
name: session

Sends: Cookie: session=val

Complete Example
components:
securitySchemes:
ApiKeyAuth:
type: apiKey
in: header
name: X-API-Key
description: API key for authentication
security:
- ApiKeyAuth: []

HTTP Basic Authentication

Legacy

Username and password encoded as Base64 in the Authorization header. Simple but sends credentials with every request.

Spec Definition
components:
securitySchemes:
BasicAuth:
type: http
scheme: basic
What Gets Sent
Authorization:
Basic dXNlcm5hbWU6cGFzc3dvcmQ=
# base64("username:password")

Security Note

Basic auth sends credentials with every request. Always use HTTPS. Consider upgrading to Bearer tokens for modern applications.

HTTP Bearer Authentication

Recommended

Token-based authentication using the Authorization: Bearer header. The most common pattern for modern APIs with JWTs.

Spec Definition
components:
securitySchemes:
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
What Gets Sent
Authorization:
Bearer eyJhbGciOiJIUzI1NiIs...

bearerFormat is informational only - doesn't affect how tokens are sent.

OAuth 2.0

Full Featured

Industry-standard protocol for delegated authorization. Supports four flows for different use cases, with optional PKCE for enhanced security.

Authorization Code

Most secure flow for web apps with a backend. User grants permission via browser, backend exchanges code for tokens.

flows:
authorizationCode:
authorizationUrl: https://auth.example.com/authorize
tokenUrl: https://auth.example.com/token
refreshUrl: https://auth.example.com/refresh
scopes:
read:users: Read user data
write:users: Modify users
Client Credentials

Machine-to-machine auth without user involvement. Client authenticates directly with its own credentials.

flows:
clientCredentials:
tokenUrl: https://auth.example.com/token
scopes:
api:access: API access
ImplicitLegacy

Token returned directly in URL fragment. No longer recommended - use Authorization Code + PKCE instead.

flows:
implicit:
authorizationUrl: https://auth.example.com/authorize
scopes:
read: Read access
Password (ROPC)Legacy

Direct username/password exchange. Only for trusted first-party apps or migration from legacy systems.

flows:
password:
tokenUrl: https://auth.example.com/token
scopes:
admin: Admin access
PKCE (Proof Key for Code Exchange)

Enhanced security for public clients (SPAs, mobile apps). Tigrister supports PKCE for authorization code flows.

1. Generate Verifier

Random string stored client-side

2. Send Challenge

SHA256 hash sent with auth request

3. Verify Exchange

Verifier sent with token request

Complete OAuth2 Example
components:
securitySchemes:
OAuth2:
type: oauth2
description: OAuth2 authentication
flows:
authorizationCode:
authorizationUrl: https://auth.example.com/oauth/authorize
tokenUrl: https://auth.example.com/oauth/token
refreshUrl: https://auth.example.com/oauth/refresh
scopes:
read:users: Read user profiles
write:users: Modify user data
admin: Full admin access
security:
- OAuth2:
- read:users

OpenID Connect

Identity

OAuth2 extension for identity. The discovery URL provides all configuration automatically - endpoints, supported scopes, and token validation keys.

Spec Definition
components:
securitySchemes:
OIDC:
type: openIdConnect
openIdConnectUrl:
https://auth.example.com/.well-known/openid-configuration
Discovery Document Contains
  • Authorization endpoint URL
  • Token endpoint URL
  • Supported scopes (openid, profile, email, etc.)
  • JWKS (keys for token validation)

How Tigrister Uses OIDC

When you authorize with OIDC, Tigrister fetches the discovery document, shows available scopes, and handles the OAuth2 flow automatically. You receive both an access token (for API calls) and an ID token (user identity).

Operation-Level Security

Override global security for specific endpoints. You can require different auth methods, scopes, or make endpoints public.

Examples
# Global security (applied to all operations)
security:
- BearerAuth: []
paths:
/public/health:
get:
summary: Health check
# Public endpoint - no auth required
security: []
/admin/users:
delete:
summary: Delete user
# Requires admin scope
security:
- OAuth2:
- admin
/mixed:
get:
summary: Flexible auth
# Accept either API key OR bearer token
security:
- ApiKeyAuth: []
- BearerAuth: []

security: []

No auth required (public)

Multiple array items

OR relationship (any one works)

Multiple schemes in one item

AND relationship (all required)

Using Authentication in Tigrister

Once you define security schemes in your spec, Tigrister makes it easy to authorize:

1

Click "Authorize" Button

Found in both Area Mode (top bar) and Preview (header). Shows all defined schemes.

2

Enter Credentials

Form adapts to scheme type - text input for API keys, OAuth flow for OAuth2, etc.

3

Headers Applied Automatically

All requests to secured endpoints include the appropriate auth headers.

Credential Storage

Credentials are stored per-project and shared between Area Mode and Preview. OAuth2/OIDC tokens are kept in memory only and not persisted to disk.

Credential Synchronization

Security credentials are fully synchronized across all views in OpenAPI projects:

Area Mode

Try It Out

Preview

Real-time sync: When you enter or change credentials in any view, they instantly apply everywhere for that endpoint. Authorize once, use everywhere.

Token Management (OAuth2/OIDC)

Tigrister provides full token lifecycle management for OAuth2 and OpenID Connect:

Token Status Indicator

See at a glance if your token is Valid, Expiring soon, or Expired.

Automatic Token Refresh

When a token is about to expire and a refresh token is available, Tigrister automatically refreshes it before making requests.

Expiration Countdown

See exactly when your token expires with a human-readable countdown.

Logout / Clear Token

Clear your token at any time. This removes the access token and refresh token from memory.

Security Best Practices

Use HTTPS Always

All auth methods transmit sensitive data. Never use HTTP in production.

Prefer Bearer Over Basic

Tokens can be revoked and have limited lifetimes. Basic auth exposes credentials.

Use PKCE for Public Clients

SPAs and mobile apps should use Authorization Code + PKCE, not Implicit flow.

Minimize Scope Requirements

Request only the scopes you need. Users trust apps that ask for less access.

Document Your Scopes

Include clear descriptions for each scope so API consumers understand what they grant.

ImportingThe Designer