Most of the security measures defined in the security fields of the API definition are to do with authenticating the API consumer one way or another. This is only natural because knowing who accesses your API creates the basis of additional security, such as authorization or non-repudiation.
API definitions have security components on both global and operation level. Global components are at the top level and apply to the whole API. Operation-level components apply only to the individual API operations in question.
Most of the global components are only available at the global level. Some, like the
security component, can also exist on the operation level. The global level component provides the default behavior. On the operation level, you can override the global component and provide a specific exception to the behavior.