This is a quick guide on how to use Spectral, a tool for validating and linting OpenAPI specifications. It helps ensure consistency, quality, and compliance within OpenAPI definitions.
For a complete guide, refer to here.
If you haven't installed Spectral yet, use npm (Node Package Manager) with the following command:
npm install -g @stoplight/spectral
Execution To run Spectral on an OpenAPI file (e.g., a YAML file), use the following command:
spectral lint your_openapi_file.yaml
This command will analyze your OpenAPI file and return any problems or errors found, including details on what's incorrect and where.
Spectral allows rule customization to fit your validation needs. You can create or use custom rules by defining them in a .spectral.yaml file in your project.
For more details and specific examples, refer to the complete document.
This document describes all custom Spectral rules configured in spectral/spectral.yaml.
Total Rules: 61 (26 original + 35 new)
Custom Functions: 16 (all implemented)
- Severity: error
- Description: Every operation must have an explicit operationId
- Severity: error
- Description: operationId must follow snake_case convention
- Pattern:
^[a-z][a-z0-9]*(_[a-z0-9]+)*$
- Severity: warn
- Description: CRUD operations should follow naming conventions (list_, get_, create_, update_, patch_, delete_)
- Severity: error
- Description: Path parameters must have explicit type
- Severity: error
- Description: Path parameters must be marked as required
- Severity: error
- Description: Path parameters must have a description
- Severity: error
- Description: Validates that list endpoints implement pagination correctly with query strings
- Function:
checkQueryStringsPagination
- Severity: error
- Description: Validates correct usage of the
fieldsparameter in query strings - Function:
checkFieldsQueryParam
- Severity: error
- Description: Query parameters (filters) must have a description
- Severity: error
- Description: Validates that the
searchquery parameter follows the expected pattern - Function:
checkSearchParameter
- Severity: error
- Description: Validates that the
orderingquery parameter follows the expected pattern - Function:
checkOrderingParameter
- Severity: warn
- Description: Ordering parameter must have enum with valid field names
- Severity: error
- Description: Validates that only allowed status codes are used
- Allowed values: 200, 201, 202, 204, 400, 401, 403, 404, 405, 406, 409, 422, 429, 500
- Severity: error
- Description: Validates that endpoints return appropriate mandatory status codes
- Function:
checkEndpointStatusCodes
- Severity: error
- Description: DELETE operations must return 204 or 202, and must not return 200
- Validation: Requires 204 or 202, prohibits 200
- Severity: error
- Description: Responses with status 204 must not have a response body
- Severity: error
- Description: GET operations must return 200 status code
- Severity: error
- Description: POST operations must return 201 (sync) or 202 (async)
- Severity: error
- Description: PUT operations must return 200 status code
- Severity: error
- Description: PATCH operations must return 200 (sync) or 202 (async)
- Severity: error
- Description: Error responses must contain the
detailproperty
- Severity: error
- Description: The
detailproperty in error responses must be of type string
- Severity: error
- Description: Endpoints with security must document 401 and 403 error responses
- Severity: warn
- Description: Async operation response must have operation_id field
- Severity: warn
- Description: Async operation response must have status_url field
- Severity: error
- Description: Boolean property names must not start with the 'is' prefix
- Pattern: Must not start with
is[A-Z]
- Severity: error
- Description: Validates minimum limits for numeric properties
- Function:
checkNumberMinimumLimit
- Severity: error
- Description: Validates maximum limits for numeric properties
- Function:
checkNumberMaximumLimit
- Severity: error
- Description: Validates minimum length for string properties
- Function:
checkStringMinLength
- Severity: error
- Description: Validates maximum length for string properties
- Function:
checkStringMaxLength
- Severity: error
- Description: Validates regex patterns for string properties
- Function:
checkStringPattern
- Severity: error
- Description: Validates that
last_modifiedproperties follow ISO 8601 format - Pattern:
^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}Z$
- Severity: error
- Description: Operations must have a detailed description
- Severity: warn
- Description: Operation summary should be concise (max 100 characters)
- Severity: error
- Description: Schema properties must have descriptions
- Severity: error
- Description: Schemas must have descriptions
- Severity: warn
- Description: POST and PUT operations should have request examples
- Severity: error
- Description: Validates that response content-type is appropriate
- Function:
checkContentTypeResponse
- Severity: warn
- Description: Validates that path URIs do not contain invalid patterns
- Pattern (notMatch):
api|v4|^[^/]*\/[^/]*$|/$
- Severity: error
- Description: Endpoints must follow DDD and snake_case convention
- Pattern:
^(/[a-z][a-z0-9]+(_[a-z][a-z0-9]+)*){2}($|/({[a-z][a-z0-9]+[a-zA-Z0-9]*}|[a-z][a-z0-9]+(_[a-z0-9]+)*)+)+
- Severity: warn
- Description: Validates path naming convention (plural for list endpoints)
- Function:
checkPathEndsWithSForList
- Severity: error
- Description: Endpoint URIs must not contain HTTP method names
- Pattern (notMatch):
/.*(GET|POST|PUT|PATCH|DELETE).*/i
- Severity: error
- Description: Validates correct usage of resource IDs in paths
- Function:
checkResourceIDUsage
- Severity: error
- Description: Endpoints must have security configuration (security)
- Severity: error
- Description: Security schemes should use Bearer token with JWT
- Severity: error
- Description: POST, PUT, and PATCH operations must have requestBody
- Severity: warn
- Description: requestBody should be marked as required
- Severity: error
- Description: Authorization, Content-Type, and Accept headers must not be explicitly defined as parameters
- Pattern (notMatch):
/^(authorization|content-type|accept)$/i
- Severity: error
- Description: Service title (info.title) must end with
-api - Pattern:
.*-api$
- Severity: error
- Description: API version should follow semantic versioning
- Pattern:
^\\d+\\.\\d+\\.\\d+$
- Severity: error
- Description: Validates paginated response structure with
count(integer) andresults(array)
- Severity: error
- Description: Validates the type of the
dataobject in responses - Function:
checkDataObjectType
- Severity: error
- Description: Validates the presence of required keys in the
dataobject - Function:
checkDataKeysPresence
- Severity: error
- Description: Validates the state of deleted resources
- Function:
checkStateDeletedResource
- Severity: error
- Description: Schema names must use business terminology, not technical implementation details
- Examples: Use 'Database' instead of 'OpenAPISchema', 'PaginatedDatabaseList' instead of 'PaginatedOpenAPISchemaList'
- Pattern (notMatch):
^.*(OpenAPI|Schema(?!Enum$)|DTO|Entity|Model(?!$)|RESTful|Swagger).*$
- Severity: error
- Description: Enums must include x-extensible-enum to ensure forward compatibility
- Purpose: Allows clients to handle unknown enum values gracefully without breaking
All rules are documented organized into 22 categories covering:
- Operation IDs and naming conventions
- Path and query parameters
- Status codes and error handling
- Async operations
- Schema validation and naming
- Content-type and examples
- Security and authorization
- Business domain naming
- Extensible enums for forward compatibility
For implementation details, see spectral/spectral.yaml.