Override Types

Complete reference for catalog overrides. Overrides modify how API specs are interpreted without changing the original spec files.

Override Structure

All overrides share a common structure:

scope: string # What this override applies to
type: string # Override type (oauth, bearer, description, etc.)
strategy?: string # When to apply (always, when-missing, when-undeclared)
# ... type-specific properties

Scope Patterns

PatternApplies To
*All operations in catalog
serviceName/*All operations from an API
serviceName/operationNameSpecific operation

More specific scopes take precedence over broader ones.

Strategies

StrategyBehavior
alwaysApply regardless of what spec declares
when-missingApply only if spec doesn’t define it
when-undeclaredApply only if no security scheme is declared

Default strategy varies by override type.

Authentication Overrides

Fix or define authentication schemes for APIs.

oauth

Define OAuth 2.0 authentication.

type: oauth
schemeName: string # Security scheme name
grantType: string # OAuth grant type
authorizationUrl?: string # Authorization endpoint
tokenUrl: string # Token endpoint
scopes?: string[] # Required scopes
realm: string # Credential storage realm
normalizeHeaders?: boolean # Convert auth header params
strategy?: string # Default: when-undeclared

Grant Types:

TypeDescription
authorization_codeStandard web flow with redirect
client_credentialsMachine-to-machine, no user
refresh_tokenToken refresh flow

Example:

scope: github/*
type: oauth
schemeName: github_oauth
grantType: authorization_code
authorizationUrl: https://github.com/login/oauth/authorize
tokenUrl: https://github.com/login/oauth/access_token
scopes:
  - repo
  - user
realm: toolcog/github

bearer

Define HTTP Bearer token authentication.

type: bearer
schemeName: string # Security scheme name
realm?: string # Credential storage realm
normalizeHeaders?: boolean # Convert auth header params
strategy?: string # Default: when-undeclared

Example:

scope: myapi/*
type: bearer
schemeName: bearerAuth
normalizeHeaders: true
realm: myorg/myapi-realm

Header Normalization:

When normalizeHeaders: true, Toolcog:

  1. Detects Authorization header parameters in the spec
  2. Converts them to proper bearer security schemes
  3. Removes the duplicate parameter

basic

Define HTTP Basic authentication.

type: basic
schemeName: string # Security scheme name
realm?: string # Credential storage realm
normalizeHeaders?: boolean # Convert auth header params
strategy?: string # Default: when-undeclared

Example:

scope: legacy-api/*
type: basic
schemeName: basicAuth
normalizeHeaders: true

apikey

Define API key authentication.

type: apikey
schemeName: string # Security scheme name
in: string # Where key goes (header, query, cookie)
name: string # Parameter name
realm?: string # Credential storage realm
normalizeHeaders?: boolean # Convert auth header params
strategy?: string # Default: when-undeclared

Locations:

ValueDescription
headerAPI key in request header
queryAPI key in query string
cookieAPI key in cookie

Example:

scope: weather-api/*
type: apikey
schemeName: apiKey
in: header
name: X-API-Key

Content Overrides

Modify operation descriptions and summaries.

description

Replace an operation’s description.

type: description
value: string # New description (supports multiline)
strategy?: string # Default: always

Example:

scope: stripe/customers.create
type: description
value: |
  Creates a new customer in your Stripe account.


  The customer object represents a customer of your business.
  Use this to store contact information and payment methods.


  Required parameters:
  - email: Customer's email address


  Optional parameters:
  - name: Customer's full name
  - metadata: Key-value pairs for custom data

summary

Replace an operation’s summary (short one-liner).

type: summary
value: string # New summary
strategy?: string # Default: always

Example:

scope: stripe/customers.create
type: summary
value: Create a new customer

Structure Overrides

Modify API structure and behavior.

server

Change the base URL for API calls.

type: server
url: string # New server URL
strategy?: string # Default: always

Example:

scope: myapi/*
type: server
url: https://staging-api.example.com

Use Cases:

deprecated

Mark an operation as deprecated.

type: deprecated
value: boolean # true to mark deprecated
strategy?: string # Default: always

Example:

scope: legacy-api/users.list
type: deprecated
value: true

Deprecated operations:

strip

Remove examples and extensions from specs.

type: strip
examples?: boolean # Remove example values
extensions?: boolean # Remove x-* extensions
strategy?: string # Default: always

Example:

scope: verbose-api/*
type: strip
examples: true
extensions: true

Use Cases:

parameter

Modify a parameter’s properties.

type: parameter
name: string # Parameter name
description?: string # New description
required?: boolean # Whether required
strategy?: string # Default: always

Example:

scope: api/users.create
type: parameter
name: customer_id
description: The unique identifier for the customer (UUID format)
required: true

Common Properties

schemeName

Identifies the security scheme. Must match the scheme name used in operations’ security requirements.

schemeName: bearerAuth # Operations declare: security: [{ bearerAuth: [] }]

realm

Links to credential storage. Format: {owner}/{realm-name}.

realm: toolcog/github       # Toolcog-managed GitHub OAuth
realm: myorg/internal-api   # Organization's custom realm

Realms are configured separately with OAuth client credentials.

normalizeHeaders

Converts header-based auth parameters to proper security schemes.

Many APIs incorrectly declare auth as:

parameters:
  - name: Authorization
    in: header
    required: true

With normalizeHeaders: true, Toolcog:

  1. Detects this pattern
  2. Creates a proper security scheme
  3. Removes the redundant parameter
  4. Applies credentials automatically

strategy

Controls when the override applies.

always (default for most types):

strategy: always # Override regardless of spec

when-missing (for filling gaps):

strategy: when-missing # Only if spec doesn't define

when-undeclared (default for auth types):

strategy: when-undeclared # Only if no security declared

Override Order

When multiple overrides could apply to the same operation:

  1. Operation-specific (api/operation) applies first
  2. API-specific (api/*) applies second
  3. Global (*) applies last

Within the same scope, overrides are applied in definition order.

Example:

# Applied third (most general)
- scope: "*"
  type: bearer
  schemeName: defaultAuth


# Applied second
- scope: stripe/*
  type: oauth
  schemeName: stripeOAuth


# Applied first (most specific)
- scope: stripe/customers.create
  type: description
  value: Custom description for this operation

Examples

Fix Header-Based Auth Across All Operations

- scope: "*"
  type: bearer
  schemeName: bearerAuth
  normalizeHeaders: true

Add OAuth to a Specific API

- scope: github/*
  type: oauth
  schemeName: github_oauth
  grantType: authorization_code
  authorizationUrl: https://github.com/login/oauth/authorize
  tokenUrl: https://github.com/login/oauth/access_token
  scopes:
    - repo
    - user:email
  realm: toolcog/github

Use Staging Server for Development

- scope: myapi/*
  type: server
  url: https://staging.myapi.com/v2

Improve Vague Operation Descriptions

- scope: payments/charge.create
  type: description
  value: |
    Creates a charge against a customer's payment method.


    The charge is captured immediately unless capture: false is set.
    Returns the charge object on success.


- scope: payments/charge.create
  type: summary
  value: Create a payment charge

Clean Up Verbose Specs

- scope: verbose-vendor/*
  type: strip
  examples: true
  extensions: true

Mark Legacy Operations

- scope: v1/*
  type: deprecated
  value: true

Validation

Overrides are validated when saved:

Invalid overrides are rejected with specific error messages.

Next Steps