Agent Skills: OpenAPI Specification

OpenAPI Specification

This skill provides guidance for working with OpenAPI Specification (OAS) documents.

Current version: OpenAPI 3.2.0 (September 2025)

Quick Navigation

• Document structure: references/document-structure.md
• Operations & paths: references/operations.md
• Schemas & data types: references/schemas.md
• Parameters & serialization: references/parameters.md
• Security: references/security.md

When to Use

• Creating a new OpenAPI specification document
• Describing HTTP API endpoints
• Defining request/response schemas
• Configuring API security (OAuth2, API keys, JWT)
• Validating an existing OpenAPI document
• Generating client/server code from specs

Document Structure Overview

An OpenAPI document MUST have either an OpenAPI Object or Schema Object at the root.

Required Fields

openapi: 3.2.0 # REQUIRED: OAS version
info: # REQUIRED: API metadata
  title: My API
  version: 1.0.0

Complete Structure

openapi: 3.2.0
info:
  title: Example API
  version: 1.0.0
  description: API description (supports CommonMark)
servers:
  - url: https://api.example.com/v1
paths:
  /resources:
    get:
      summary: List resources
      responses:
        "200":
          description: Success
components:
  schemas: {}
  parameters: {}
  responses: {}
  securitySchemes: {}
security:
  - apiKey: []
tags:
  - name: resources
    description: Resource operations

Core Objects Reference

Info Object

info:
  title: Example API # REQUIRED
  version: 1.0.0 # REQUIRED (API version, NOT OAS version)
  summary: Short summary
  description: Full description (CommonMark)
  termsOfService: https://example.com/terms
  contact:
    name: API Support
    url: https://example.com/support
    email: support@example.com
  license:
    name: Apache 2.0
    identifier: Apache-2.0 # OR url (mutually exclusive)

Server Object

servers:
  - url: https://api.example.com/v1
    description: Production
  - url: https://{environment}.example.com:{port}/v1
    description: Configurable
    variables:
      environment:
        default: api
        enum: [api, staging, dev]
      port:
        default: "443"

Path Item Object

/users/{id}:
  summary: User operations
  parameters:
    - $ref: "#/components/parameters/userId"
  get:
    operationId: getUser
    responses:
      "200":
        description: User found
  put:
    operationId: updateUser
    requestBody:
      $ref: "#/components/requestBodies/UserUpdate"
    responses:
      "200":
        description: User updated

Operation Object

get:
  tags: [users]
  summary: Get user by ID
  description: Returns a single user
  operationId: getUserById # MUST be unique across all operations
  parameters:
    - name: id
      in: path
      required: true
      schema:
        type: string
  responses:
    "200":
      description: Success
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/User"
    "404":
      description: Not found
  security:
    - bearerAuth: []
  deprecated: false

Schema Recipes

Basic Object

components:
  schemas:
    User:
      type: object
      required: [id, email]
      properties:
        id:
          type: string
          format: uuid
        email:
          type: string
          format: email
        name:
          type: string
        age:
          type: integer
          minimum: 0

Composition with allOf

ExtendedUser:
  allOf:
    - $ref: "#/components/schemas/User"
    - type: object
      properties:
        role:
          type: string
          enum: [admin, user, guest]

Polymorphism with oneOf

Pet:
  oneOf:
    - $ref: "#/components/schemas/Cat"
    - $ref: "#/components/schemas/Dog"
  discriminator:
    propertyName: petType
    mapping:
      cat: "#/components/schemas/Cat"
      dog: "#/components/schemas/Dog"

Nullable and Optional

# OAS 3.1+ uses JSON Schema type arrays
properties:
  nickname:
    type: [string, "null"] # nullable

Parameter Locations

| Location | in value | Notes | | ------------ | ------------- | ----------------------------------- | | Path | path | MUST be required: true | | Query | query | Standard query parameters | | Query string | querystring | Entire query string as single param | | Header | header | Case-insensitive names | | Cookie | cookie | Cookie values |

Parameter Styles

| Style | in | Type | Example (color=blue,black) | | ---------- | ----- | ---------------------- | -------------------------- | | simple | path | array | blue,black | | form | query | primitive/array/object | color=blue,black | | matrix | path | primitive/array/object | ;color=blue,black | | label | path | primitive/array/object | .blue.black | | deepObject | query | object | color[R]=100&color[G]=200 |

Security Schemes

API Key

components:
  securitySchemes:
    apiKey:
      type: apiKey
      in: header # header, query, or cookie
      name: X-API-Key

Bearer Token (JWT)

bearerAuth:
  type: http
  scheme: bearer
  bearerFormat: JWT

OAuth2

oauth2:
  type: oauth2
  flows:
    authorizationCode:
      authorizationUrl: https://auth.example.com/authorize
      tokenUrl: https://auth.example.com/token
      scopes:
        read:users: Read user data
        write:users: Modify user data

Apply Security

# Global (all operations)
security:
  - bearerAuth: []

# Per-operation
paths:
  /public:
    get:
      security: [] # Override: no auth required
  /protected:
    get:
      security:
        - oauth2: [read:users]

Reference Object

Use $ref to avoid duplication:

# Reference within same document
$ref: '#/components/schemas/User'

# Reference to external file
$ref: './schemas/user.yaml'
$ref: './common.yaml#/components/schemas/Error'

Components Object

Reusable building blocks:

components:
  schemas: # Data models
  responses: # Reusable responses
  parameters: # Reusable parameters
  examples: # Reusable examples
  requestBodies: # Reusable request bodies
  headers: # Reusable headers
  securitySchemes: # Security definitions
  links: # Links between operations
  callbacks: # Webhook definitions
  pathItems: # Reusable path items

Best Practices Checklist

• [ ] Include operationId for all operations (unique, programming-friendly)
• [ ] Use $ref for reusable components
• [ ] Add meaningful description fields (supports CommonMark)
• [ ] Define all possible response codes
• [ ] Include examples for complex schemas
• [ ] Use tags to group related operations
• [ ] Mark deprecated operations with deprecated: true
• [ ] Use semantic versioning for info.version

Critical Prohibitions

• Do NOT omit openapi and info fields (they are REQUIRED)
• Do NOT use duplicate operationId values
• Do NOT mix $ref with sibling properties in Reference Objects
• Do NOT use path parameters without required: true
• Do NOT use implicit OAuth2 flow in new APIs (deprecated)
• Do NOT forget security for protected endpoints

Validation

File Naming

• Entry document: openapi.json or openapi.yaml (recommended)
• Format: JSON or YAML (equivalent)
• All field names are case-sensitive

Common Validation Errors

| Error | Fix | | -------------------------- | ----------------------------------------------------- | | Missing required field | Add openapi, info.title, info.version | | Invalid operationId | Use unique, valid identifier | | Path parameter not in path | Ensure {param} matches parameter name | | Duplicate path template | Remove conflicting /users/{id} vs /users/{userId} | | Invalid $ref | Check URI syntax and target existence |

Links

• Documentation
• Releases
• GitHub
• Learning Portal