This "optionality" does not apply to JWE fields in general! We need to be careful not to define all of them as string|null.

chore: remove documentation about old (internal) destination API. Add remark about destination / keys duplication (planning#1788)

The ':' character is not allowed in URLs and should not be used in scope names.

usually we use the OAuth2 security schema. but public endpoints
do not have this security constraint. callbacks don't authenticate
against the called endpoint.

For reference, the warning was (one example):

> Every operation should have security defined on it or on the root level.
>
> 418 | get:
>     | ^^^
> 419 |   operationId: get-destination-key
> 420 |   summary: Ruft einen JWK des Zustelldienstes ab
>
> Warning was generated by the security-defined rule.

fix: inline $ref's from examples because they are not allowed according to the OpenAPI spec (bycatch from planning#1409)

The default is `false` so removing the parameter works.

See planning#501 (comment 107371)

Shahid Salim authored 1 year ago and Jonas Gröger committed 1 year ago

when a destination does not support the services requested
in a submission, it might throw an error.

this validation feature is configurable by the implementation.