Each individual API operation should possess a security definition property that is in alignment with the security schemes applied across an collection of APIs as defined by OpenAPI, but also the wider operational security strategy defined by APIs.json.
Governing the security properties of each individual API operation is the foundation for additional testing and security scanning, ensuring that the technical contract has 100% coverage of security applied as it pertains to authentication. Operational security properties just trickle down from wider OpenAPI security schemes, and wider APIs.json security properties, connecting the security dots between authentication, testing, and other areas.