Removing a security scheme is considered incompatible

[thake]

Removing a security scheme should IMHO not be considered incompatible, as the API should still accept requests with the old security scheme applied.

If this issue is accepted, I'm happy to provide a PR.

[joschi]

@thake I disagree. When you remove a security scheme, then clients using this scheme won't be able to authenticate against your API.

as the API should still accept requests with the old security scheme applied.

In this case your API and your API specification do not match, do they?

Do you have another use case in mind? Maybe I misunderstood you.