OpenAPI Specification
Design, validate, and maintain OpenAPI 3.x specifications for REST API contracts. Covers schema patterns, security schemes, versioning, and code generation integration.
When to Use This Skill
- Creating a new OpenAPI specification from scratch
- Adding endpoints or schemas to an existing spec
- Reviewing or validating an API contract for correctness
- Setting up code generation from OpenAPI definitions
- Designing reusable schema components for large APIs
- Implementing security schemes in API specifications
- Managing API versioning and deprecation
Quick Reference
| Resource | Purpose | Load when |
|---|---|---|
references/spec-patterns.md | Schema patterns, security schemes, validation, versioning, reusable components | Designing or reviewing specs |
Workflow
Phase 1: Design → Define API overview, resources, and operations
Phase 2: Schema → Build data models with reusable components
Phase 3: Validate → Lint and verify the spec for correctness
Phase 4: Integrate → Generate docs, SDKs, and contract tests
Phase 1: API Design
Start with a high-level design before writing the spec:
- Identify resources -- what nouns does this API expose?
- Map operations -- what CRUD and custom actions apply to each resource?
- Define relationships -- how do resources reference each other?
- Plan authentication -- what security schemes are needed?
- Set conventions -- naming style, pagination, error format
Spec Skeleton
openapi: 3.1.0
info:
title: [API Name]
version: 1.0.0
description: [What this API does]
paths:
/resources:
get:
summary: List resources
operationId: listResources
post:
summary: Create a resource
operationId: createResource
/resources/{id}:
get:
summary: Get a resource
operationId: getResource
components:
schemas: {}
securitySchemes: {}
Phase 2: Schema Design
Build data models using components/schemas for reuse:
- Use
$refto reference shared schemas -- never duplicate definitions - Apply
allOffor composition,oneOf/anyOffor polymorphism - Add
examplevalues to every schema and property - Use
requiredarrays explicitly -- don't rely on implicit behavior - Document nullable fields with
type: [string, "null"](3.1) ornullable: true(3.0)
Phase 3: Validate
Run validation before committing any spec changes:
# Spectral (recommended)
spectral lint openapi.yaml
# Redocly
redocly lint openapi.yaml
# swagger-cli
swagger-cli validate openapi.yaml
Common Validation Issues
| Issue | Fix |
|---|---|
Missing operationId | Add unique operationId to every operation |
| Unused schema | Remove from components or add a $ref |
Missing response description | Add description to every response code |
| Path parameter not in path | Match {param} in path with parameter definition |
No 2xx response defined | Add at least one success response per operation |
Phase 4: Integrate
Use the validated spec to generate downstream artifacts:
- Documentation: Redoc, Swagger UI, Stoplight
- Client SDKs: openapi-generator, autorest, orval
- Server stubs: openapi-generator with server templates
- Contract tests: Schemathesis, Dredd, Prism
Quality Checklist
- All paths have operationIds
- HTTP methods match resource actions (GET reads, POST creates, etc.)
- Every response has a description and schema
- Security requirements defined at operation or global level
- Examples provided for request and response bodies
- Consistent naming conventions (camelCase, snake_case -- pick one)
- Deprecation fields set on sunset endpoints
- Spec passes linter with zero errors
Anti-Patterns
- Do not inline schemas -- use
$reftocomponents/schemasfor anything reused - Do not mix API versions in a single spec file
- Do not use
200 OKfor create operations -- use201 Created - Do not omit error response schemas -- document
4xxand5xxconsistently - Do not use
additionalProperties: truewithout clear justification