https://swagger.io/docs/specification/v3_0/authentication/#using-multiple-authentication-types

When defining multiple security schemes for 1 operation, they can be OR'd or AND'd. Currently they're always treated as an OR