OpenAPI: Add authorization header to all api gateway requests

Question

I am currently setting up first API Gateway with Google cloud platform but I am now a little confused how I can add a header to all requests, is it possible in the .yaml file? Here's what it looks like so far. Where it says my_api_key is where my real one is and I want to send it as a header to all upcoming endpoints. Is it possible?

x-cg-pro-api-key: my_api_key

swagger: "2.0"
info:
  title: Crypto API
  description: API Gateway with Cloud Run backend.
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:

  /new:
    get:
      summary: Returns a list of new coins.
      operationId: new
      x-google-backend:
        address: https://pro-api.coingecko.com/api/v3/coins/list/new
      parameters:
          - in: header
            name: x-cg-pro-api-key
            type: string
      responses:
        '200':
           description: OK
           schema:
             type: string

Googling a lot, trying different things

Answer 1

I would highly recommend using the latest version of OpenAPI 3.1.0. Swagger:2.0 is quite old.

I defined the securitySchemes in the components collection and then you need to add security to either the root or individual endpoints, like the example below.

openapi: 3.1.0
info:
  title: Crypto API
  description: API Gateway with Cloud Run backend.
  version: 1.0.0
servers:
  - url: https://pro-api.coingecko.com/api
    description: PROD Server
paths:
  /v3/coins:
    get:
      summary: Returns a list of new coins
      operationId: getCoins
      x-google-backend:
        address: https://pro-api.coingecko.com/api/v3/coins
      security:
        - apiKey: []
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/coins'
        '400':
          $ref: '#/components/responses/400'
        '401':
          $ref: '#/components/responses/401'
        '403':
          $ref: '#/components/responses/403'
        '500':
          $ref: '#/components/responses/500'

components:
  securitySchemes:
    apiKey:
      type: 'apiKey'
      description: '<apikey>'
      name: 'x-cg-pro-api-key'
      in: 'header'
  schemas:
    problem_json:
      description: Problem Details for HTTP APIs - RFC9457
      type: object
      properties:
        type:
          type: string
          format: uri-reference
        status:
          type: number
        title:
          type: string
        detail:
          type: string
        instance:
          type: string
          format: uri-reference
    coins:
      type: object
      properties:
        coins:
          type: array
          uniqueItems: true
          items:
            type: string
  responses:
    400:
      description: Bad Request
      content:
        application/problem+json:
          schema:
            $ref: '#/components/schemas/problem_json'
    401:
      description: Unauthorized
      content:
        application/problem+json:
          schema:
            $ref: '#/components/schemas/problem_json'
    403:
      description: Forbidden
      content:
        application/problem+json:
          schema:
            $ref: '#/components/schemas/problem_json'
    500:
      description: Internal Server Error
      content:
        application/problem+json:
          schema:
            $ref: '#/components/schemas/problem_json'

bonus content: RFC9457 defines problem+json schema which is recommended as a common error reporting schema for http apis.

EDIT:

Because Google API Gateway doesn't support OAS 3.x.x, Swagger 2.0 is required.

here's a sample of using security.

swagger: "2.0"
info:
  title: Crypto API
  description: API Gateway with Cloud Run backend.
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
  - application/problem+json
host: pro-api.coingecko.com
basePath: /api/v3
securityDefinitions:
  apiKey:
    description: `<apiKey>`
    in: header
    name: 'x-cg-pro-api-key'
    type: apiKey
paths:
  /coins:
    get:
      summary: Returns a list of new coins.
      operationId: new
      security:
        - apiKey: []
      x-google-backend:
        address: https://pro-api.coingecko.com/api/v3/coins
      responses:
        "200":
          description: OK
          schema:
            $ref: "#/definitions/coins"
        "400":
          description: Bad Request
          schema: 
            $ref: "#/definitions/400"
        "401":
          description: Unauthorized
          schema: 
            $ref: "#/definitions/401"
        "403":
          description: Forbidden
          schema: 
            $ref: "#/definitions/403"
        "404":
          description: Not Found
          schema: 
            $ref: "#/definitions/404"
        "500":
          description: Internal Server Error
          schema: 
            $ref: "#/definitions/500"
definitions:
  problem_json:
    description: Problem Details for HTTP APIs - RFC9457
    type: object
    properties:
      type:
        type: string
        format: uri-reference
      status:
        type: number
      title:
        type: string
      detail:
        type: string
      instance:
        type: string
        format: uri-reference
  coins:
    type: object
    properties:
      coins:
        type: array
        uniqueItems: true
        items:
          type: string
  '400':
    $ref: "#/definitions/problem_json"
  '401':
    $ref: "#/definitions/problem_json"
  '403':
    $ref: "#/definitions/problem_json"
  '500':
    $ref: "#/definitions/problem_json"