It is widely understood that APIs should avoid HTTP Basic Auth, which is inherently insecure.
I recommend revising the Museum OpenAPI example to use a more secure security scheme.
use oauth2 security scheme (with authorizationCode flow and with specific read and write scopes -- scope names left to implementors) or openIdConnect security scheme
change the default security requirement to be a reference to that security scheme (not basic auth) and use a read scope
operations that require write access should not use the default security, but use an explicit operation-level security requirement with write or other scope.
Thank you for offering a new example for OpenAPI!
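One way to check a document against the three points above, as an added example that is not code from the OpenAPI project or the Museum API; the scheme name museumAuth, the scope names read/write, the /exhibits path and the auth URLs are assumed placeholders:

```python
# Added example, not the OpenAPI project's code: lint an OpenAPI 3.x document (loaded as a
# dict) for the recommendation above. Scheme name "museumAuth" and scopes "read"/"write" are assumed.
WRITE_METHODS = {"post", "put", "patch", "delete"}

def scopes_granted(requirements, schemes):
    # Union of scopes named in a security requirement list, counting only oauth2/openIdConnect schemes
    granted = set()
    for req in requirements or []:
        for name, scopes in req.items():
            if schemes.get(name, {}).get("type") in ("oauth2", "openIdConnect"):
                granted.update(scopes)
    return granted

def lint_security(doc):
    # Returns a list of findings; an empty list means the document follows the recommendation
    findings = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            findings.append(f"securitySchemes.{name}: HTTP Basic auth should not be used")
    if "read" not in scopes_granted(doc.get("security"), schemes):
        findings.append("top-level security: expected an oauth2/openIdConnect requirement with the read scope")
    for path, item in doc.get("paths", {}).items():
        for method in WRITE_METHODS & set(item):  # write operations must not inherit the default
            op = item[method]
            if "security" not in op:
                findings.append(f"{method.upper()} {path}: write operation inherits the default (read) security")
            elif "write" not in scopes_granted(op["security"], schemes):
                findings.append(f"{method.upper()} {path}: operation-level security lacks the write scope")
    return findings

# Constructed sample in the shape the issue recommends (placeholder scheme, scopes, path and URLs)
GOOD_DOC = {
    "components": {"securitySchemes": {"museumAuth": {"type": "oauth2", "flows": {
        "authorizationCode": {"authorizationUrl": "https://auth.example/authorize",  # placeholder
                              "tokenUrl": "https://auth.example/token",              # placeholder
                              "scopes": {"read": "Read museum data", "write": "Change museum data"}}}}}},
    "security": [{"museumAuth": ["read"]}],
    "paths": {"/exhibits": {"get": {"responses": {"200": {"description": "ok"}}},
                            "post": {"security": [{"museumAuth": ["write"]}],
                                     "responses": {"201": {"description": "created"}}}}},
}

# Constructed counterexample: Basic auth as the default and a POST that inherits it
BAD_DOC = {
    "components": {"securitySchemes": {"basicAuth": {"type": "http", "scheme": "basic"}}},
    "security": [{"basicAuth": []}],
    "paths": {"/exhibits": {"post": {"responses": {"201": {"description": "created"}}}}},
}
```

Running lint_security over a real document parsed with a YAML or JSON loader gives the same three classes of findings.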