diff --git a/packages/cli/api-importers/asyncapi-to-ir/src/AsyncAPIConverter.ts b/packages/cli/api-importers/asyncapi-to-ir/src/AsyncAPIConverter.ts
index ed929b9c00f4..62d1bb8b2964 100644
--- a/packages/cli/api-importers/asyncapi-to-ir/src/AsyncAPIConverter.ts
+++ b/packages/cli/api-importers/asyncapi-to-ir/src/AsyncAPIConverter.ts
@@ -165,8 +165,20 @@ export class AsyncAPIConverter extends AbstractSpecConverter<AsyncAPIConverterCo
 
     private convertSecuritySchemes(): void {
         if (this.context.authOverrides) {
+            // When auth-schemes is present without auth, synthesize auth: { any: [...schemeNames] }
+            let effectiveOverrides = this.context.authOverrides;
+            if (this.context.authOverrides.auth == null && this.context.authOverrides["auth-schemes"] != null) {
+                const schemeNames = Object.keys(this.context.authOverrides["auth-schemes"]);
+                if (schemeNames.length > 0) {
+                    effectiveOverrides = {
+                        ...this.context.authOverrides,
+                        auth: { any: schemeNames }
+                    };
+                }
+            }
+
             const overrideAuth = convertApiAuth({
-                rawApiFileSchema: this.context.authOverrides,
+                rawApiFileSchema: effectiveOverrides,
                 casingsGenerator: this.context.casingsGenerator
             });
 
diff --git a/packages/cli/api-importers/openapi-to-ir/src/3.1/OpenAPIConverter.ts b/packages/cli/api-importers/openapi-to-ir/src/3.1/OpenAPIConverter.ts
index 5ce9244fd4ad..78e48f8ff467 100644
--- a/packages/cli/api-importers/openapi-to-ir/src/3.1/OpenAPIConverter.ts
+++ b/packages/cli/api-importers/openapi-to-ir/src/3.1/OpenAPIConverter.ts
@@ -152,9 +152,23 @@ export class OpenAPIConverter extends AbstractSpecConverter<OpenAPIConverterCont
     private convertSecuritySchemes(): void {
         const openApiSchemes = this.convertOpenApiSecuritySchemes();
         if (this.context.authOverrides) {
-            const descriptions = new Map(openApiSchemes.map((scheme) => [scheme.key, scheme.docs]));
-            this.convertAuthOverrides(descriptions, this.context.authOverrides);
-            return;
+            if (this.context.authOverrides.auth != null) {
+                const descriptions = new Map(openApiSchemes.map((scheme) => [scheme.key, scheme.docs]));
+                this.convertAuthOverrides(descriptions, this.context.authOverrides);
+                return;
+            }
+
+            if (this.context.authOverrides["auth-schemes"] != null) {
+                const schemeNames = Object.keys(this.context.authOverrides["auth-schemes"]);
+                if (schemeNames.length > 0) {
+                    const descriptions = new Map(openApiSchemes.map((scheme) => [scheme.key, scheme.docs]));
+                    this.convertAuthOverrides(descriptions, {
+                        ...this.context.authOverrides,
+                        auth: { any: schemeNames }
+                    });
+                    return;
+                }
+            }
         }
 
         if (openApiSchemes.length > 0) {
@@ -393,7 +407,7 @@ export class OpenAPIConverter extends AbstractSpecConverter<OpenAPIConverterCont
     }
 
     private overrideOpenApiAuthWithGeneratorsAuth(): void {
-        if (!this.context.authOverrides?.["auth-schemes"]) {
+        if (!this.context.authOverrides?.auth || !this.context.authOverrides?.["auth-schemes"]) {
             return;
         }
 
diff --git a/packages/cli/cli/changes/unreleased/fix-auth-schemes-per-endpoint-security.yml b/packages/cli/cli/changes/unreleased/fix-auth-schemes-per-endpoint-security.yml
new file mode 100644
index 000000000000..3dfe3d301d58
--- /dev/null
+++ b/packages/cli/cli/changes/unreleased/fix-auth-schemes-per-endpoint-security.yml
@@ -0,0 +1,6 @@
+- summary: |
+    Fix auth-schemes without explicit auth key to preserve per-endpoint security
+    from OpenAPI specs instead of merging all schemes into a single global group.
+    This ensures OAuth client-credentials and bearer auth schemes render as
+    distinct options in the API playground for dual-auth endpoints.
+  type: fix
diff --git a/packages/cli/configuration-loader/src/generators-yml/convertGeneratorsConfiguration.ts b/packages/cli/configuration-loader/src/generators-yml/convertGeneratorsConfiguration.ts
index eaecb95f58d3..f604f853d80e 100644
--- a/packages/cli/configuration-loader/src/generators-yml/convertGeneratorsConfiguration.ts
+++ b/packages/cli/configuration-loader/src/generators-yml/convertGeneratorsConfiguration.ts
@@ -392,8 +392,8 @@ async function parseApiConfigurationV2Schema({
     apiSettings: generatorsYml.APIDefinitionSettings;
 }): Promise<generatorsYml.APIDefinition> {
     const partialConfig = {
-        "auth-schemes": rawConfiguration["auth-schemes"],
-        ...apiConfiguration
+        ...apiConfiguration,
+        "auth-schemes": apiConfiguration["auth-schemes"] ?? rawConfiguration["auth-schemes"]
     };
 
     if (generatorsYml.isConjureSchema(apiConfiguration.specs)) {
diff --git a/packages/cli/workspace/lazy-fern-workspace/src/OSSWorkspace.ts b/packages/cli/workspace/lazy-fern-workspace/src/OSSWorkspace.ts
index 0521b83facd4..a17c210b17b1 100644
--- a/packages/cli/workspace/lazy-fern-workspace/src/OSSWorkspace.ts
+++ b/packages/cli/workspace/lazy-fern-workspace/src/OSSWorkspace.ts
@@ -317,12 +317,16 @@ export class OSSWorkspace extends BaseOpenAPIWorkspace {
         const documents = await this.loader.loadDocuments({ context, specs });
 
         let authOverrides: RawSchemas.WithAuthSchema | undefined =
-            this.generatorsConfiguration?.api?.auth != null ? { ...this.generatorsConfiguration?.api } : undefined;
+            this.generatorsConfiguration?.api?.auth != null ||
+            this.generatorsConfiguration?.api?.["auth-schemes"] != null
+                ? { ...this.generatorsConfiguration?.api }
+                : undefined;
 
         // Fallback: read auth/auth-schemes from the spec's overrides file if not in generators.yml
         if (authOverrides == null) {
             authOverrides = await getAuthFromOverrideFiles(specs);
         }
+
         const environmentOverrides =
             this.generatorsConfiguration?.api?.environments != null
                 ? { ...this.generatorsConfiguration?.api }
@@ -567,19 +571,21 @@ export class OSSWorkspace extends BaseOpenAPIWorkspace {
             return this.createWorkspaceWithSpecsOverride({ context }, specsOverride, settings);
         }
 
-        // If auth is not in generators.yml and not in settings, try to read it from the spec's overrides files
+        // If auth is not in generators.yml and not in settings, try to read it from the spec's overrides files.
+        // When only auth-schemes is in generators.yml (no auth key), still check override files for auth.
         let effectiveSettings = settings;
         if (this.generatorsConfiguration?.api?.auth == null && settings?.auth == null) {
             const specs = await this.getOpenAPISpecsCached({ context });
             const authFromOverrides = await getAuthFromOverrideFiles(specs);
             if (authFromOverrides != null) {
+                const hasAuthSchemesInGenerators = this.generatorsConfiguration?.api?.["auth-schemes"] != null;
                 effectiveSettings = {
                     ...settings,
                     auth: authFromOverrides.auth as RawSchemas.ApiAuthSchema,
-                    authSchemes: authFromOverrides["auth-schemes"] as Record<
-                        string,
-                        RawSchemas.AuthSchemeDeclarationSchema
-                    >
+                    // Only use override file's auth-schemes if generators.yml doesn't already define them
+                    authSchemes: hasAuthSchemesInGenerators
+                        ? undefined
+                        : (authFromOverrides["auth-schemes"] as Record<string, RawSchemas.AuthSchemeDeclarationSchema>)
                 };
             }
         }
@@ -847,7 +853,7 @@ async function getAuthFromOverrideFiles(specs: Spec[]): Promise<RawSchemas.WithA
             try {
                 const contents = (await readFile(overridePath)).toString();
                 const parsed = yaml.load(contents) as Record<string, unknown> | null | undefined;
-                if (parsed != null && parsed["auth"] != null) {
+                if (parsed != null && (parsed["auth"] != null || parsed["auth-schemes"] != null)) {
                     return {
                         auth: parsed["auth"] as RawSchemas.WithAuthSchema["auth"],
                         ...(parsed["auth-schemes"] != null