The starting point for the API security is the API definition itself. If the API definition has gaping security holes, applying security measures on top of that just creates a ticking time bomb. The first step is to make sure your API conforms to security best practices.

API definitions have security components on both global and operation level. Global components are at the top level and apply to the whole API. Operation-level components apply only to the individual API operations in question.

Most of the global components are only available at the global level. Some, like the security component, can also exist on the operation level. The global level component provides the default behavior. On the operation level, you can override the global component and provide a specific exception to the behavior.