OpenAPI Specification
This skill provides guidance for working with OpenAPI Specification (OAS) documents.
Current version: OpenAPI 3.2.0 (September 2025)
Quick Navigation
- Document structure:
references/document-structure.md - Operations & paths:
references/operations.md - Schemas & data types:
references/schemas.md - Parameters & serialization:
references/parameters.md - Security:
references/security.md
When to Use
- Creating a new OpenAPI specification document
- Describing HTTP API endpoints
- Defining request/response schemas
- Configuring API security (OAuth2, API keys, JWT)
- Validating an existing OpenAPI document
- Generating client/server code from specs
Document Structure Overview
An OpenAPI document MUST have either an OpenAPI Object or Schema Object at the root.
Required Fields
openapi: 3.2.0 # REQUIRED: OAS version
info: # REQUIRED: API metadata
title: My API
version: 1.0.0
Complete Structure
openapi: 3.2.0
info:
title: Example API
version: 1.0.0
description: API description (supports CommonMark)
servers:
- url: https://api.example.com/v1
paths:
/resources:
get:
summary: List resources
responses:
"200":
description: Success
components:
schemas: {}
parameters: {}
responses: {}
securitySchemes: {}
security:
- apiKey: []
tags:
- name: resources
description: Resource operations
Core Objects Reference
Info Object
info:
title: Example API # REQUIRED
version: 1.0.0 # REQUIRED (API version, NOT OAS version)
summary: Short summary
description: Full description (CommonMark)
termsOfService: https://example.com/terms
contact:
name: API Support
url: https://example.com/support
email: support@example.com
license:
name: Apache 2.0
identifier: Apache-2.0 # OR url (mutually exclusive)
Server Object
servers:
- url: https://api.example.com/v1
description: Production
- url: https://{environment}.example.com:{port}/v1
description: Configurable
variables:
environment:
default: api
enum: [api, staging, dev]
port:
default: "443"
Path Item Object
/users/{id}:
summary: User operations
parameters:
- $ref: "#/components/parameters/userId"
get:
operationId: getUser
responses:
"200":
description: User found
put:
operationId: updateUser
requestBody:
$ref: "#/components/requestBodies/UserUpdate"
responses:
"200":
description: User updated
Operation Object
get:
tags: [users]
summary: Get user by ID
description: Returns a single user
operationId: getUserById # MUST be unique across all operations
parameters:
- name: id
in: path
required: true
schema:
type: string
responses:
"200":
description: Success
content:
application/json:
schema:
$ref: "#/components/schemas/User"
"404":
description: Not found
security:
- bearerAuth: []
deprecated: false
Schema Recipes
Basic Object
components:
schemas:
User:
type: object
required: [id, email]
properties:
id:
type: string
format: uuid
email:
type: string
format: email
name:
type: string
age:
type: integer
minimum: 0
Composition with allOf
ExtendedUser:
allOf:
- $ref: "#/components/schemas/User"
- type: object
properties:
role:
type: string
enum: [admin, user, guest]
Polymorphism with oneOf
Pet:
oneOf:
- $ref: "#/components/schemas/Cat"
- $ref: "#/components/schemas/Dog"
discriminator:
propertyName: petType
mapping:
cat: "#/components/schemas/Cat"
dog: "#/components/schemas/Dog"
Nullable and Optional
# OAS 3.1+ uses JSON Schema type arrays
properties:
nickname:
type: [string, "null"] # nullable
Parameter Locations
| Location | in value | Notes |
|---|---|---|
| Path | path | MUST be required: true |
| Query | query | Standard query parameters |
| Query string | querystring | Entire query string as single param |
| Header | header | Case-insensitive names |
| Cookie | cookie | Cookie values |
Parameter Styles
| Style | in | Type | Example (color=blue,black) |
|---|---|---|---|
| simple | path | array | blue,black |
| form | query | primitive/array/object | color=blue,black |
| matrix | path | primitive/array/object | ;color=blue,black |
| label | path | primitive/array/object | .blue.black |
| deepObject | query | object | color[R]=100&color[G]=200 |
Security Schemes
API Key
components:
securitySchemes:
apiKey:
type: apiKey
in: header # header, query, or cookie
name: X-API-Key
Bearer Token (JWT)
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
OAuth2
oauth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://auth.example.com/authorize
tokenUrl: https://auth.example.com/token
scopes:
read:users: Read user data
write:users: Modify user data
Apply Security
# Global (all operations)
security:
- bearerAuth: []
# Per-operation
paths:
/public:
get:
security: [] # Override: no auth required
/protected:
get:
security:
- oauth2: [read:users]
Reference Object
Use $ref to avoid duplication:
# Reference within same document
$ref: '#/components/schemas/User'
# Reference to external file
$ref: './schemas/user.yaml'
$ref: './common.yaml#/components/schemas/Error'
Components Object
Reusable building blocks:
components:
schemas: # Data models
responses: # Reusable responses
parameters: # Reusable parameters
examples: # Reusable examples
requestBodies: # Reusable request bodies
headers: # Reusable headers
securitySchemes: # Security definitions
links: # Links between operations
callbacks: # Webhook definitions
pathItems: # Reusable path items
Best Practices Checklist
- Include
operationIdfor all operations (unique, programming-friendly) - Use
$reffor reusable components - Add meaningful
descriptionfields (supports CommonMark) - Define all possible response codes
- Include
examplesfor complex schemas - Use
tagsto group related operations - Mark deprecated operations with
deprecated: true - Use semantic versioning for
info.version
Critical Prohibitions
- Do NOT omit
openapiandinfofields (they are REQUIRED) - Do NOT use duplicate
operationIdvalues - Do NOT mix
$refwith sibling properties in Reference Objects - Do NOT use path parameters without
required: true - Do NOT use implicit OAuth2 flow in new APIs (deprecated)
- Do NOT forget security for protected endpoints
Validation
File Naming
- Entry document:
openapi.jsonoropenapi.yaml(recommended) - Format: JSON or YAML (equivalent)
- All field names are case-sensitive
Common Validation Errors
| Error | Fix |
|---|---|
| Missing required field | Add openapi, info.title, info.version |
| Invalid operationId | Use unique, valid identifier |
| Path parameter not in path | Ensure {param} matches parameter name |
| Duplicate path template | Remove conflicting /users/{id} vs /users/{userId} |
| Invalid $ref | Check URI syntax and target existence |