SmartThings API open api definition (yaml) authorization parameter issue

I’ve noticed in the yaml definition here: https://swagger.api.smartthings.com/public/st-api.yml

There is a problem with both the parameter ‘authorization’ and the security Bearer. The definition states the ‘authorization’ parameter to be

required: true

Since this can be set in the security Bearer token this is not the case and should be set to false.

parameters:
  authorization:
    name: Authorization
    in: header
    description: OAuth token
    required: true
    type: string
    format: string

E.g. for devices, see:

r:devices:*

/devices/{deviceId}:
    parameters:
    - $ref: '#/parameters/authorization'
    - $ref: '#/parameters/deviceId'
    get:
      summary: Get a device's description.
      operationId: getDevice
      description: Get a device's description.
      security:
      - Bearer:
        - r:devices:*
      responses:
        200:
          description: A Device
          schema:
            $ref: '#/definitions/Device'
        401:
          $ref: '#/responses/notAuthenticated'
        403:
          $ref: '#/responses/notAuthorized'
        400:
          $ref: '#/responses/badRequest'
        429:
          $ref: '#/responses/tooManyRequests'
        default:
          $ref: '#/responses/defaultResponse'
      tags:
      - devices

Tagging @nayelyz @erickv @jody.albritton

Hello @Jamie_D,
The authorization parameter refers to the OAuth Token for the API requests, while the security bearer specifies the token scopes.
You can display this file in the swagger tool and for the /devices/{deviceId} request you can see that only two parameters are needed, the OAuth Token and the device ID.

With the current implementation, it doesn’t play well with open-api-generator for csharp (not sure about other languages too), since it will require the authorization parameter even though it can be set in the base Configuration class, e.g.:

Hello @Jamie_D,

In other languages, there is an alternative option to define/configure the access token, but the “authorization” parameter is the one that is validated to be added in the request’s header.

That suggests other languages will hit the same issue. In your screenshot I can’t see the remainder of the code block, but if it looks to then add a Bearer header, using the local accessToken property, the authorization parameter into createDeviceEvents isn’t required.
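One way to find every operation affected by the duplication discussed in this thread, as an added example that is not part of any post and not SmartThings code: a small lint over a Swagger 2.0 document that reports operations where a required `Authorization` header parameter coexists with a security requirement. The `SPEC` dict is constructed from the YAML quoted in the first post; the `securityDefinitions` entry, its URLs, and the function names are assumptions.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample mirroring the YAML quoted in the thread. The
# securityDefinitions entry and its URLs are assumptions (not shown on the page).
SPEC = {
    "securityDefinitions": {"Bearer": {
        "type": "oauth2", "flow": "accessCode",
        "authorizationUrl": "https://auth.example.invalid/authorize",
        "tokenUrl": "https://auth.example.invalid/token",
        "scopes": {"r:devices:*": "read devices"}}},
    "parameters": {
        "authorization": {"name": "Authorization", "in": "header",
                          "required": True, "type": "string"},
        "deviceId": {"name": "deviceId", "in": "path",
                     "required": True, "type": "string"}},
    "paths": {"/devices/{deviceId}": {
        "parameters": [{"$ref": "#/parameters/authorization"},
                       {"$ref": "#/parameters/deviceId"}],
        "get": {"operationId": "getDevice",
                "security": [{"Bearer": ["r:devices:*"]}]}}},
}

def resolve(spec, node):
    """Follow a local '#/a/b' reference; return other nodes unchanged."""
    ref = node.get("$ref", "")
    if not ref.startswith("#/"):
        return node
    for part in ref[2:].split("/"):
        spec = spec[part.replace("~1", "/").replace("~0", "~")]
    return spec

def duplicated_auth_headers(spec):
    """List (METHOD, path, schemes) where a required Authorization header
    parameter coexists with a security requirement on the same operation."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            merged = {}  # operation-level parameters override path-level ones
            for p in item.get("parameters", []) + op.get("parameters", []):
                p = resolve(spec, p)
                merged[(p.get("name", "").lower(), p.get("in"))] = p
            header = merged.get(("authorization", "header"), {})
            security = op.get("security", spec.get("security", []))
            schemes = sorted({name for req in security for name in req})
            if header.get("required") and schemes:
                findings.append((method.upper(), path, schemes))
    return findings
```

Run against the real definition by loading the YAML into a dict first; an empty result means no operation asks the caller for the token twice.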