Currently the following is possible via the toolbox:
- Import API via the toolbox
- the OAS being imported is available via URL
- the current implementation of the toolbox does not allow injecting any security configuration other than the anonymous_policy
- currently 3scale tries to identify and configure the 3scale authentication settings by analyzing the security scheme of the OpenAPI spec
- When there is no security scheme in the OAS, 3scale falls back to the following:
  - The product is considered an "Open API"
  - The default_credentials 3scale policy will be added (also called anonymous_policy)
  - The command option --default-credentials-userkey is required and the command will fail if it is not provided
To allow more flexible setting of the authentication requirements of the imported API:
- it must be possible to skip this authentication auto-discovery functionality when importing an OpenAPI spec with the toolbox
- For example, there could be an option like --authentication-mode=[OIDC | ApiKey | AppIdKey] to set the mode explicitly with the toolbox import
- In addition, it must be possible to configure each of the three authentication modes in the command line options of the toolbox:
  - ApiKey => API Key header field name, credentials location
  - AppIdKey => App_ID header field name, App_key header field name, credentials location
  - OIDC => Type, Issuer, Flow, JWT ClientId Claim Type and Name
- the provided authentication mode and configuration should be injected as a security scheme into the ActiveDoc OpenAPI spec so that it is also available when the spec is used for testing in 3scale
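
A sketch of the requested behaviour, added here as an example (not 3scale toolbox code): it flags a spec that would hit the "Open API" fallback and injects an explicitly chosen mode as an OpenAPI 3 security scheme. The function names, config keys, scheme names, the mode-to-scheme mapping and the sample spec are all assumptions.

```python
import copy
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an OpenAPI 3 document that declares no security scheme.
SAMPLE_SPEC = {"openapi": "3.0.2", "info": {"title": "Echo", "version": "1.0"},
               "paths": {"/echo": {"get": {"responses": {"200": {"description": "ok"}}}}}}

def declared_schemes(spec):
    """Security schemes declared in an OpenAPI 3 or Swagger 2 document."""
    return (spec.get("components", {}).get("securitySchemes")
            or spec.get("securityDefinitions") or {})

def would_import_as_open_api(spec):
    """True when the import would fall back to the anonymous (default_credentials) policy."""
    return not declared_schemes(spec)

def build_schemes(mode, cfg):
    """Hypothetical mapping of the three requested modes to OpenAPI 3 security schemes."""
    location = cfg.get("location", "header")  # credentials location: "header" or "query"
    if mode == "ApiKey":
        return {"api_key": {"type": "apiKey", "name": cfg["key_name"], "in": location}}
    if mode == "AppIdKey":
        return {"app_id": {"type": "apiKey", "name": cfg["app_id_name"], "in": location},
                "app_key": {"type": "apiKey", "name": cfg["app_key_name"], "in": location}}
    if mode == "OIDC":
        # Assumption: the issuer URL may carry client credentials as userinfo;
        # drop them so they never end up in the published ActiveDoc spec.
        p = urlsplit(cfg["issuer"])
        host = p.netloc.rpartition("@")[2]
        base = urlunsplit((p.scheme, host, p.path.rstrip("/"), "", ""))
        return {"oidc": {"type": "openIdConnect",
                         "openIdConnectUrl": base + "/.well-known/openid-configuration"}}
    raise ValueError(f"unknown authentication mode: {mode}")

def inject_security(spec, mode, **cfg):
    """Return a copy of an OpenAPI 3 spec carrying the chosen mode as its security scheme."""
    out = copy.deepcopy(spec)
    schemes = build_schemes(mode, cfg)
    out.setdefault("components", {})["securitySchemes"] = schemes
    # One requirement object naming every scheme means all are required together,
    # which is what AppIdKey needs (app_id AND app_key).
    out["security"] = [{name: [] for name in schemes}]
    return out

if __name__ == "__main__":
    print(would_import_as_open_api(SAMPLE_SPEC))
    patched = inject_security(SAMPLE_SPEC, "ApiKey", key_name="user_key", location="query")
    print(would_import_as_open_api(patched), patched["security"])
```

Running `would_import_as_open_api` over a spec before import shows whether the product would otherwise be exposed through the anonymous policy.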