APIs with multiple auth schemes

In OpenAPI, the “security scheme” indicates which type of credential your API requires for authentication/authorization, e.g. HTTP auth, API key, OAuth or OpenID Connect.

OpenAPI supports AND and OR combinations of security schemes for an API.

For example, if an API can accept either an API token or an API key, just add each security scheme as a separate object in the security field for the API operation.

(Keep in mind your API security will be determined by the weakest link!)

If the API requires both an API token and an API key, add both schemes together in a single object.
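An OpenAPI 3.0 fragment showing both combinations side by side, added here as an illustration and not taken from the original page. The scheme names `ApiToken` and `ApiKey`, the `X-API-Key` header name and the two paths are assumptions.

```yaml
openapi: 3.0.3
info:
  title: Example API          # constructed sample document
  version: 1.0.0
components:
  securitySchemes:
    ApiToken:                 # hypothetical name: bearer token in the Authorization header
      type: http
      scheme: bearer
    ApiKey:                   # hypothetical name: static key in a custom header
      type: apiKey
      in: header
      name: X-API-Key
paths:
  /reports:                   # hypothetical path
    get:
      # OR: each scheme is its own object in the list.
      # A request is accepted if it satisfies ANY one entry,
      # so the weaker of the two credentials sets the bar.
      security:
        - ApiToken: []
        - ApiKey: []
      responses:
        "200":
          description: OK
  /payments:                  # hypothetical path
    post:
      # AND: both schemes are keys of ONE object in the list.
      # A request must present the token and the key together.
      security:
        - ApiToken: []
          ApiKey: []
      responses:
        "201":
          description: Created
```

The only difference between the two operations is the second `-`: with it, `ApiKey` starts a new list entry (OR); without it, `ApiKey` is a second key of the same entry (AND). Check this indentation in review, because a stray dash turns a two-credential requirement into a one-credential one.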