Authentication
Configuring authentication schemes happens in the components.securitySchemes section of OpenAPI. All Fern-generated SDKs support both direct configuration and environment variables for authentication credentials.
To apply a security scheme across all endpoints, reference the securityScheme within the security section of your OpenAPI Specification.
Bearer security scheme
Start by defining a bearer security scheme in your openapi.yml:
This will generate an SDK where the user would have to provide
a mandatory argument called token.
If you want to control variable naming and the environment variable to scan, use the configuration below:
The generated SDK would look like:
Basic security scheme
Start by defining a basic security scheme in your openapi.yml:
This will generate an SDK where the user would have to provide
a mandatory arguments called username and password.
If you want to control variable naming and environment variables to scan, use the configuration below:
The generated SDK would look like:
ApiKey security scheme
Start by defining an apiKey security scheme in your openapi.yml:
This will generate an SDK where the user would have to provide
a mandatory argument called apiKey.
If you want to control variable naming and environment variables to scan, use the configuration below:
The prefix option lets you automatically add a prefix to API keys. This is useful when your API expects tokens in a specific format like "Bearer abc123" or "Token abc123".
The generated SDK would look like:
OAuth client credentials
Pro and Enterprise feature
This feature is available only for the Pro and Enterprise plans. To get started, reach out to support@buildwithfern.com.
Configure OAuth 2.0 client credentials in generators.yml rather than in the API specification:
Endpoint configuration and token refresh
The endpoint values (e.g., "POST /oauth/token") reference paths defined in your OpenAPI specification. When expires-in is returned, the SDK will automatically refresh tokens before they expire. For more details on OAuth configuration options, see the Auth scheme reference below.
The generated SDK would look like:
Override security scheme
You can use generators.yml to define custom authentication schemes that will take precedence when generating SDKs. This is also how OAuth authentication is configured for OpenAPI specs.
First, use the auth-schemes property to define your authentication scheme. Then, specify your auth scheme in the api property to override your OpenAPI spec.
Auth scheme reference
Header
Configure authentication using custom HTTP headers, such as API keys or tokens.
The name of the HTTP header to use for authentication.
A descriptive name for this authentication scheme.
The type of the header value.
A prefix to prepend to the header value (e.g., "Bearer " or "Token ").
Environment variable name containing the authentication value. When specified, the generated SDK will automatically scan for this environment variable at initialization.
Basic
Configure HTTP Basic authentication using username and password credentials.
Must be set to "basic" for Basic authentication schemes.
Configuration for the username credential.
Custom parameter name for the username in the generated SDK. If not specified, defaults to "username". Use this to provide more descriptive or domain-specific parameter names like "clientId", "userEmail", or "merchantId".
Configuration for the password credential.
Custom parameter name for the password in the generated SDK. If not specified, defaults to "password". Use this to provide more descriptive or domain-specific parameter names like "clientSecret", "apiKey", or "merchantKey".
Environment variable name that the SDK will automatically scan for the username or password value. When this environment variable is present, users don’t need to explicitly provide the username parameter. Follow naming conventions like YOUR_APP_USERNAME or SERVICE_CLIENT_ID.
Bearer token
Configure Bearer token authentication for API access.
Must be set to "bearer" for Bearer token authentication schemes.
Configuration for the bearer token.
A descriptive name for the token.
Environment variable name containing the bearer token. When specified, the generated SDK will automatically scan for this environment variable at initialization.
OAuth client credentials
For Fern Definition, you can configure OAuth authentication either in generators.yml or directly in your api.yml file. For OpenAPI, OAuth must be configured in generators.yml.
Configure OAuth 2.0 client credentials authentication. Optionally configure a refresh-token endpoint for token renewal without re-authentication.
Must be set to "oauth" for OAuth authentication schemes.
The OAuth 2.0 grant type. Currently only "client-credentials" is supported.
OAuth scopes to request when obtaining access tokens (e.g., "read:users", "write:orders").
Environment variable name containing the OAuth client ID. When specified, the generated SDK will automatically scan for this environment variable at initialization.
Environment variable name containing the OAuth client secret. When specified, the generated SDK will automatically scan for this environment variable at initialization.
Prefix added to the access token in the Authorization header (e.g., "Bearer" results in "Authorization: Bearer <token>"). Useful when your API expects a custom format.
HTTP header name used to send the access token. Defaults to "Authorization" but can be customized if your API uses a different header (e.g., "X-API-Token").
get-token
Specifies the endpoint that exchanges client credentials for an access token. This endpoint is called automatically when the SDK client is initialized.
The endpoint that issues access tokens, such as 'auth.get_token'.
Maps OAuth parameter names to your API’s request field names. Use this when your token endpoint expects different field names than the OAuth standard (e.g., your API uses clientId instead of client_id).
The request field name for the client ID in your API (e.g., "clientId", "client_id").
The request field name for the client secret in your API (e.g., "clientSecret", "client_secret").
The request field name for scopes in your API (e.g., "scope", "scopes").
Maps your API’s response field names to OAuth standard names. Use this when your API returns tokens with different field names (e.g., accessToken instead of access_token).
The response field name for the access token in your API (e.g., "accessToken", "access_token").
The response field name for token expiration time in seconds (e.g., "expiresIn", "expires_in"). When present, the SDK automatically refreshes tokens before expiration.
The response field name for the refresh token in your API (e.g., "refreshToken", "refresh_token"). Required if using the refresh-token flow.
refresh-token
Specifies the endpoint that exchanges a refresh token for a new access token. When configured, the SDK automatically uses this endpoint to renew expired tokens without re-sending credentials. If not configured, the SDK will re-authenticate using get-token when tokens expire.
The endpoint that refreshes access tokens (e.g., "POST /oauth/refresh" or "auth.refreshToken").
Maps OAuth parameter names to your API’s request field names for the refresh flow.
The request field name for the refresh token in your API (e.g., "refreshToken", "refresh_token").
Maps your API’s refresh response field names to OAuth standard names.
The response field name for the new access token (e.g., "accessToken", "access_token").
The response field name for the new token’s expiration time in seconds (e.g., "expiresIn", "expires_in").
The response field name if your API issues a new refresh token with each refresh (token rotation).
