Description
When using multiple security schemes (ApiKey + Bearer) defined globally in OpenAPI 3.0, the Try it out request correctly sends both headers, but the Code samples generated by Swagger UI include only one of them (typically the first one).
This is inconsistent with the OpenAPI spec and leads to misleading code samples.
To Reproduce
Use Swagger UI 5.22.0
Define global security in your OpenAPI spec with both ApiKey and BearerAuth:
```yaml
openapi: 3.0.1
info:
  title: Test API
  version: 1.0.0
servers:
  - url: https://example.com/api
security:
  - ApiKeyAuth: []
    BearerAuth: []
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: apiKey
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
paths:
  /models:
    get:
      summary: List models
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
```
Open Swagger UI, authorize with both apiKey and Bearer token.
Click Try it out → Execute → curl request shows both headers correctly.
Check the Code samples section → curl / PHP / other languages
Expected behavior
The generated Code samples should include both headers, matching the executed request and the OpenAPI specification.
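A check for the mismatch reported above, added here as an example and not taken from Swagger UI's code: it derives the auth headers a `security` requirement demands and lists the ones a generated curl sample lacks. The function names, the spec written as a JS object, and both curl strings are constructed for illustration; only header-borne `apiKey` and `http` schemes are handled.

```javascript
// Constructed from the issue's spec: one requirement object naming two schemes,
// which OpenAPI 3.0 treats as AND (both credentials must be sent).
const spec = {
  security: [{ ApiKeyAuth: [], BearerAuth: [] }],
  components: { securitySchemes: {
    ApiKeyAuth: { type: "apiKey", in: "header", name: "apiKey" },
    BearerAuth: { type: "http", scheme: "bearer", bearerFormat: "JWT" },
  } },
};

// Header names one requirement object demands (lower-cased: header names are case-insensitive).
function headersForRequirement(requirement, schemes) {
  const names = new Set();
  for (const id of Object.keys(requirement)) {
    const s = schemes[id];
    if (!s) throw new Error(`undefined security scheme: ${id}`);
    if (s.type === "apiKey" && s.in === "header") names.add(s.name.toLowerCase());
    else if (s.type === "http") names.add("authorization");
    // apiKey in query/cookie, oauth2, openIdConnect: outside this header-only check
  }
  return [...names];
}

// Header names present in a curl command (-H / --header, single- or double-quoted).
function headersInCurl(curl) {
  const re = /(?:-H|--header)\s+(['"])([^:'"]+):/g;
  return new Set([...curl.matchAll(re)].map((m) => m[2].trim().toLowerCase()));
}

// Entries of `security` are alternatives (OR): a sample passes if any one is fully satisfied.
// Returns the missing headers of the closest alternative, [] when the sample is complete.
function missingAuthHeaders(curl, spec) {
  const present = headersInCurl(curl);
  const perAlternative = (spec.security || []).map((req) =>
    headersForRequirement(req, spec.components.securitySchemes).filter((h) => !present.has(h)));
  if (perAlternative.length === 0) return [];
  return perAlternative.reduce((best, cur) => (cur.length < best.length ? cur : best));
}

// Constructed samples: the executed request vs. a code sample carrying only the first scheme.
const executed = `curl -X 'GET' 'https://example.com/api/models' -H 'accept: application/json' -H 'apiKey: <API_KEY>' -H 'Authorization: Bearer <TOKEN>'`;
const codeSample = `curl --request GET --url https://example.com/api/models --header 'apiKey: <API_KEY>'`;

console.log(missingAuthHeaders(executed, spec));   // []
console.log(missingAuthHeaders(codeSample, spec)); // [ 'authorization' ]
```

Run against every generated sample in a docs build, a non-empty result flags a snippet that would be rejected by an API enforcing both credentials.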