Ukraine needs your help.


On this page
Scramble PRO
Spatie’s Laravel Data support, realtime Typescript definitions generation, Inertia integration.

Most likely, your API is protected by some sort of authentication. OpenAPI has plenty of ways to describe the API (see full documentation of spec here

Adding security scheme

Scramble allows you to document how your API is secured. To document this, you can use Scramble::extendOpenApi method and add security information to OpenAPI document using secure method.

You should call extendOpenApi in the boot method of some of your service providers. This method accepts a callback that accepts an OpenAPI document as a first argument.

The secure method on OpenApi object accepts security scheme as an argument. It makes the security scheme default for all endpoints.

use Dedoc\Scramble\Scramble;
use Dedoc\Scramble\Support\Generator\OpenApi;
use Dedoc\Scramble\Support\Generator\SecurityScheme;

 * Bootstrap any application services.
 * @return void
public function boot()
    Scramble::extendOpenApi(function (OpenApi $openApi) {
            SecurityScheme::apiKey('query', 'api_token')

Security scheme examples

Here are some common examples of security schemes objects you may have in your API. For full list of available methods check implementation of SecurityScheme class.


SecurityScheme::apiKey('query', 'api_token');

Basic HTTP



SecurityScheme::http('bearer', 'JWT');


    ->flow('implicit', function (OAuthFlow $flow) {
            ->addScope('write:pets', 'modify pets in your account');

Excluding a route from security requirements

You can exclude a route from security requirements by adding @unauthenticated annotation to the route method’s PHPDoc comment block.

 * @unauthenticated
public function index(Request $request)
    return response()->json(/* some data */);
Scramble PRO
Laravel Data support, real-time Typescript definitions generation, Inertia integration.