What does 'required' in OpenAPI really mean

Question

Given the following OpenAPI definition

Person:
  required:
    - id
  type: object
  properties:
    id:
      type: string

Which of the below objects are valid? Just 1. or 1. and 2.?

1. {"id": ""}
2. {"id": null}
3. {}

This boils down to the question whether "required = true" means "non-null value" or "property must be present".

The JSON schema validator at https://json-schema-validator.herokuapp.com/ says that 2. be invalid because null doesn't satisfy the type: string constraint. Note that it doesn't complain because id is null but because null is not a string. BUT how relevant is this for OpenAPI/Swagger?

Answer 1

The required keyword in OpenAPI Schema Objects is taken from JSON Schema and means:

An object instance is valid against this keyword if every item in the [required] array is the name of a property in the instance.

In other words, required means "property must be present", regardless of its value. The type, format, etc. of the property value are separate constraints that are evaluated separately from required, but together as a combined schema.

In your example:

1. {"id": ""} is valid:

   • ? validates against required
   • ? the value "" validates against type: string

2. {"id": null} is NOT valid:

   • ? validates against required
   • ? null does NOT validate against type: string (see the notes about nulls below)

3. {} is NOT valid:

   • ? does NOT validate against required

Note that 'null' as a type is not supported in OpenAPI 2.0 but is supported in OpenAPI 3.1, and 3.0 has nullable to handle nulls. So, {"id": null} is valid against this OpenAPI 3 schema:

Person:
  required:
    - id
  type: object
  properties:
    id:
      # OAS 3.1
      type: [string, 'null']

      # OAS 3.0
      # type: string
      # nullable: true