Need help with your APIs? I offer API discovery, governance & evangelism services. Explore services →
API Evangelist API Evangelist
Learnings
Guidance
Toolbox
Alignment
API Evangelist LLC

Technical Policies
info
share_location

search
policy

2xx Response Examples (OpenAPI)

Require that every successful 2xx response in our OpenAPI definitions includes at least one realistic example, so a consumer can see exactly what a good answer looks like without making a live call...

policy

2xx Response Media Types (OpenAPI)

Require that every 2xx response declares the media types it returns, spelling out application/json or whatever content it actually serves rather than leaving the content negotiation a mystery. I ha...

policy

2xx Response Schema (OpenAPI)

Require that every 2xx response defines a schema for its body, describing the exact shape, properties, and types a consumer will receive on success rather than handing back an undocumented blob. I ...

policy

4xx Response Examples (OpenAPI)

Require that our 4xx client-error responses carry real examples, so a developer can see exactly what a validation failure, an unauthorized call, or a missing resource actually returns. I have spent...

policy

4xx Response Media Types (OpenAPI)

Require that every 4xx client-error response declares its media type, so consumers know whether an error comes back as application/json, application/problem+json, or something else entirely. I have...

policy

4xx Response Schema (OpenAPI)

Require that our 4xx client-error responses define a schema, ideally a consistent error object with a code, a message, and enough detail for a consumer to understand what went wrong and how to fix ...

policy

5xx Response Media Types (OpenAPI)

Require that every 5xx server-error response declares its media type, so that even when our own infrastructure fails, consumers still receive a predictable, parseable body instead of whatever a pro...

policy

5xx Response Schema (OpenAPI)

Require that our 5xx server-error responses define a schema, reusing the same standardized error object we use elsewhere so a consumer can handle our failures the same way they handle everything el...

policy

API Catalog (Experience)

Require that every API is registered in a central, searchable catalog with enough metadata that a developer can find it, understand it, and decide to use it without asking anyone. I care deeply abo...

policy

API Education and Enablement

Require that an API invests in educating and enabling its consumers through tutorials, guides, and clear explanations of not just how it works but why. Most friction around APIs comes from gaps in ...

policy

API Exit and Migration Path

Require that an API documents a clear path for consumers to migrate onto, between, or off of it without being stranded. Lock-in by design erodes trust, so an honest operation makes leaving possible...

policy

API First (Design)

Require that every API begins with a design-first contract, an OpenAPI definition authored and agreed upon before a single line of implementation code is written. I have watched too many teams code...

policy

API Governance Rules

Spectral rules that apply to the API level, linting OpenAPI.

Business Contract
policy

API Licensing

Publishing a license for the interface, client code, server code, and data to ensure consumers understand the legal implications of using the API, code, and data into their own applications and int...

Business Contract
policy

API Lifecycle

A human and machine-readable schema of the common and agreed upon API lifecycle.

Business Contract
policy

API Mocking (CI/CD)

Require that every API can be mocked directly from its contract so consumers and downstream teams can build against it before the implementation is finished. I lean on mocking because it is what ma...

policy

API Outreach and Content

Require that an API is actively communicated through ongoing content and outreach, including blog posts, changelogs, and updates that tell the story of what it does and why it matters. An API launc...

Business Contract
policy

Abuse Prevention (Security)

Require that every API is designed to resist abuse and misuse, so I want throttling, quotas, anomaly detection, bot and scraping defenses, and sensible request limits treated as part of the contrac...

policy

Agent Readiness with agents.md

I require that every API provider ships an agents.md file that tells an automated consumer exactly how to behave when working with the API, including the conventions, the guardrails, and the workfl...

policy

Agent Readiness with llms.txt

I require that every API publishes an llms.txt file at a predictable, well-known location so that large language models and the agents built on them can find a concise, curated map of what the API ...

policy

Agent-Scoped Authentication

I require that APIs support authentication credentials scoped specifically to agents, so that an autonomous consumer acts under its own narrowly-bound identity with least-privilege scopes rather th...

policy

Arazzo Workflows Provided

Require that APIs which chain multiple operations to accomplish real work provide Arazzo workflow definitions describing those sequences. I want the multi-step paths a consumer must follow, the ord...

policy

Async Webhooks (Design)

Require that any API delivering events to consumers describes its webhooks as first-class citizens in the contract, using the OpenAPI webhooks object to define the payloads, headers, and callbacks ...

policy

AsyncAPI Contracts Provided

I require that any event-driven or messaging interface is described with an AsyncAPI document, the same way we insist on OpenAPI for request-response APIs, so that channels, messages, and payloads ...

policy

Authentication

The details for how to authenticate with an API should always be part of the business and technical contracts for an API. Information on how to authenticate with an API should be readily available ...

policy

Authentication

Require details regarding how authentication is handled as part of API security.

Business Contract
policy

Authorization (Security)

Require that every API defines and enforces authorization explicitly, so I want each operation to declare what scopes, roles, or permissions it demands and to check them on every request, not just ...

policy

Base URL for API

Providing a valid URL to the base for an API that is designed for machines to use when making call to an API by an consumer.

API Contract
policy

Batch Operations (Design)

Require that APIs handling high volumes of records offer explicit batch operations rather than forcing consumers to hammer single-resource endpoints in a loop. Every API must define clear semantics...

policy

Best Practices (Design)

Require that every API adheres to the shared design best practices we have codified across the platform, so that consistency is a default and not something each team reinvents. Every API must refle...

policy

Blog Feeds

A blog RSS or Atom feed provides a simple way to syndicate information and updates about APIs with producers and consumers, allowing it to be pushed out to where they are located and regularly cons...

Business Contract
policy

Blogs

A blog helps provide a regular channel for publishing relevant stories and information for both producers and consumers of an API, providing a simple, informative, and recurring way to stay in enga...

Business Contract
policy

Breaking Changes (Lifecycle)

Require that breaking changes to a production API are identified, avoided where possible, and never shipped silently onto an existing version. I hold this line hard because a breaking change you di...

policy

Business Contract Validator

The APIs.json business contract must have a link to the validator for each, providing the ability to run linting rules for each type of contract and see the details of rules as they are applied.

Business Contract
policy

Business Guidance

Provide access to business API guidance as part of API contract support.

Business Contract
policy

CORS (Security)

Require that every browser-facing API sets a deliberate, least-privilege CORS policy, so I want explicit allowed origins, methods, and headers rather than a lazy wildcard slapped on to make an erro...

policy

CSharp

Require a CSharp client SDK available with each API.

Business Contract
policy

Caching (Operations)

Require that every read-heavy API sets explicit HTTP caching headers, so I want Cache-Control, ETag, and Last-Modified in play with sensible max-age and validation behavior spelled out in the contr...

policy

Caching Strategy Defined

Every API should define a caching strategy and express it through explicit Cache-Control headers on responses that can safely be reused. I require that providers decide, per operation, what is cach...

policy

Centralizing Headers Using Components

Requiring that OpenAPI components headers meet the policy standards.

Technical Contract
policy

Centralizing Headers Using Components

Requiring that OpenAPI components headers meet the policy standards.

Technical Contract
policy

Certifications

Provide the provenance of an API contract using regular certifications

Business Contract
policy

Change Log

Having a change log of anything added, updated, or removed for an API, but also for the other operational and supporting resources for each API, ensuring there is a easy to read manifest of what ha...

Business Contract
policy

Change Log Date

The date of the change that was made to an API.

policy

Change Log Details

The description of the change that was made to an API.

policy

Change Log Title

The title of the change that was made to an API.

policy

Change Log Version

The version of the change that was made to an API.

policy

Change Management (Lifecycle)

Require that every change to a production API moves through a defined change management process that assesses impact, tracks dependencies, and communicates what is changing before it lands. I want ...

policy

Communication Status Page

Every API must maintain a public status page that reports current health, active incidents, and scheduled maintenance in real time. I require that consumers be able to check the state of an API the...

policy

Community Engagement Channels

Require that an API provides real channels for its community to engage, whether a forum, chat, mailing list, or regular office hours. Consumers need a place to ask questions, share solutions, and c...

policy

Compatibility (Design)

Require that changes to an API preserve backward compatibility by default, and that any deviation is a deliberate, governed decision rather than an accident of a merge. Every API must be designed s...

policy

Compliance Mapping (Governance)

Require that every API in production maps its endpoints, data, and controls to the specific regulatory and compliance obligations it falls under, whether that is GDPR, HIPAA, PCI DSS, SOC 2, or an ...

policy

Consent and DPA Provided

Every API that touches personal data must provide a data processing agreement and a clear record of the consent under which that data is handled. I require that the DPA be available to consumers be...

policy

Consumer Rights Honored

Require that an API honors the rights of its consumers and the people its data represents, including access, correction, portability, and deletion. As APIs become the infrastructure of public and e...

Business Contract
policy

Contact Information for APIs

Requiring that there is a contact included in the OpenAPI info.

Technical Contract
policy

Contract Testing (CI/CD)

Require that every API is tested against its own contract in the CI/CD pipeline so the running service can never quietly drift from the OpenAPI it publishes. I insist on contract testing because a ...

policy

Created Date for APIs.json Contracts

Providing the data in which an API contract was created, establishing the inception of a specific contract involving one or more APIs, which defines the age of the contract.

Business Contract
policy

DNS Is Managed

Require that the DNS behind every API be deliberately managed, with ownership, records, and TTLs tracked as part of the API's operational contract. I expect hostnames to be stable, certificates to ...

policy

Data Classification (Security)

Require that every API classifies the data it moves and applies protections that match that classification, so I want fields and payloads labeled as public, internal, confidential, or regulated, wi...

policy

Data Ownership Respected

Require that an API respects the ownership of the data it handles, treating consumer and end-user data as belonging to them rather than to whoever stores it. Ownership shapes what a provider may do...

policy

Data Portability Provided

Require that consumers can export their data from an API in a portable, standard format without friction or penalty. The data flowing through an API belongs to the people and organizations it descr...

policy

Data Privacy and PII Classified

I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstre...

policy

Data Residency Enforced

I require that every API declares where the data it handles is stored and processed, and that those residency commitments are actually enforced rather than merely stated in a policy document. Consu...

policy

Data Retention Defined

Require that every API declare a written retention policy stating how long each category of data is kept, why it is kept, and when it is destroyed. I expect this policy to be discoverable alongside...

policy

Data Types (Design)

Require that every property in an API contract declares an explicit, well-chosen data type with the right format, precision, and constraints instead of leaning on loose strings and hopeful parsing....

policy

Date

The date for the proposed API change in the road map.

Business Contract
policy

Date-Based Versioning

Require usage of date-base versioning for managing change.

Business Contract
policy

Dependency Management (Governance)

Require that every API declares the upstream services, libraries, and other APIs it depends on, and keeps that list current as part of its governance record. I care about this because APIs never st...

policy

Dependency SBOM Maintained

Require that every API maintain a current software bill of materials enumerating the libraries, services, and versions it depends on. I want a machine-readable SBOM and dependency manifest kept in ...

policy

Deployment Environments Defined

Every API must define its deployment environments explicitly, naming where it runs across development, staging, and production and how consumers reach each one. I require that base URLs, credential...

policy

Deployment Is Automated

Require that every API be deployed through an automated, repeatable pipeline rather than by hand. I want the path from a merged change to a running endpoint to be codified, versioned, and reproduci...

policy

Deprecation (Lifecycle)

Require that any API or operation being retired is formally deprecated first, marked in the contract, and announced with a clear sunset date and migration guidance. I treat deprecation as a promise...

policy

Deprecation Sunset Headers

Every deprecated API operation must announce itself in-band using Deprecation and Sunset headers that tell consumers a change is coming and when it lands. I require that deprecation be signaled thr...

policy

Description of API Operations

Requiring that all operational descriptions meets the policy standards.

Technical Contract
policy

Description of APIs

Requiring the info description property meets the policy standards.

Technical Contract
policy

Descriptions for APIs

Providing a robust description of each API, providing the right amount of information for consumers to understand what is possible and what the business use case is.

API Contract
policy

Descriptions for APIs.json Contracts

Providing a robust description of the API contract, as well as each API it contains, providing my context for stakeholders of the contract.

Business Contract
policy

Details

The description for the proposed API change in the road map.

Business Contract
policy

Developer Relations Program

Require that any API meant for real adoption is backed by a developer relations function responsible for supporting, advocating for, and growing its community of consumers. Endpoints and documentat...

Business Contract
policy

Documentation

The human-readable HTML, Markdown, or PDF representation of the technical surface area of each API, providing path, methods, summaries, description, examples, and the other resources consumers will...

Business Contract
policy

Documentation Examples

Providing examples of request and responses, with as many variations as possible, helping demonstrate wide usage of an API.

Business Contract
policy

Documentation Paths

Providing simple, clean, and intuitive paths as part of the documentation being published for consumers to use.

Business Contract
policy

Documentation Request Bodies

Including details and examples regarding the request bodies being submitted for POST, PUT, and other possible methods.

Business Contract
policy

Documentation Responses

Making sure there is a complete example for each API response in documentation, including happy and unhappy responses.

Business Contract
policy

Documentation Schema

Documenting all of the schema which are used as part of request bodies and responses, providing JSON SChema representations of each.

Business Contract
policy

Elements

Offering other elements or features of an API that are included or not included within a plan to help API consumers understand scope of what is available.

Business Contract
policy

Environments

The environments for development, staging, or production environments should be available to manually or automatically working with an API in any environment, providing a machine-readable way for n...

Business Contract
policy

Error Handling (Operations)

Require that every API returns standardized, informative errors, so I want a consistent error envelope, a correct HTTP status code, a machine-readable code, and a human-readable message on every fa...

policy

Event Types Cataloged

I require that every event an API emits is enumerated in a published catalog of event types, each with a stable name, a described payload, and a clear meaning, so consumers know exactly what can ha...

policy

Feedback

Providing feedback on the business and technical details of each API contract, helping facilitate feedback from consumers and other stakeholders, but also from the learnings across other private an...

Business Contract
policy

Feedback Issues

Allow for teams to receive feedback on API contracts via Git issue.

Business Contract
policy

Filtering & Sorting (Operations)

Require that collection endpoints offer consistent, documented filtering and sorting, so I want a shared convention for query parameters, allowed fields, operators, and sort order applied the same ...

policy

FinOps Cost Visibility

I require that the full cost of running an API is made visible through FinOps practices, so the people making decisions about an API can see what it actually costs to operate, not just what it earn...

policy

Gateways

All APIs are made available via a designated gateway for the company, domain, line of business, or team, ensuring that all APIs have access to shared authentication, rate limits, service compositio...

Business Contract
policy

Getting Started

The step by step walk-through for new API consumers, ensuring they have exactly what is needed to discover and onboard, but also help make sure the getting started steps are as simple, plain langua...

Business Contract
policy

Getting Started Authentication

Needs description.

Business Contract
policy

Getting Started Documentation

Provide a link and description to your API documentation, providing the entry point for API consumers to begin learning about what your API does.

Business Contract
policy

Getting Started SDKs

Provide a link and description of where API consumers can learn more about authentication and how it will work when they use an API.

Business Contract
policy

GitHub Actions

Employing actions as a pipeline to make sure that the deliver of each API is a repeatable process.

Business Contract
policy

GitHub Organization README

GitHub organization provide the ability to have a dedicated README, providing a single landing page for the API workspace of a domain, line of business, or domain, where all API contracts can be fo...

Business Contract
policy

GitHub Organization Repositories

GitHub organizations provide teams with the ability to create repositories for managing API contracts, separating and organizing contracts by meaningful bounded contexts within a specific domain.

Business Contract
policy

GitHub Organization Teams

GitHub organizations allow for the management of people and teams to help define who has access to repositories, contracts, and other assets managed via this dedicated domain workspace.

Business Contract
policy

GitHub Organizations

A GitHub organization provides a dedicated workspaces for teams to produce APIs, organize all the API contracts in motion, and leverage source countrol, CI/CD, teams, and other resources provided b...

policy

GitHub Repository

A GitHub repository for an API, providing the single source of truth for the API contract, OpenAPI, and other artifacts, as well as the road map, change log, support, feedback, and other elements o...

policy

Go

Require a Go client SDK available with each API.

Business Contract
policy

Governance

Governance standardizes APIs across teams using a common platform and lifecycle, applying governance policies and rules, and keeping everyone moving in the same direction using common guidance.

Business Contract
policy

Governance Policies

Human and machine-readable policies that define an aspect of API operations, which are always kept in alignment with business objectives.

Business Contract
policy

Governance Vocabulary

A formal vocabulary of words and phrases that can and cannot be used across operations.

Business Contract
policy

GraphQL Schema Governed

I require that any GraphQL API ships a published, versioned schema that we govern like any other contract, with consistent naming, deliberate types, and a clear boundary on what the graph exposes. ...

policy

Guidance

Ensuring there is guidance for teams throughout their API journey, providing simple text and video guidance for all of the topics business and engineering teams will encounter as part of their regu...

Business Contract
policy

HTTP

The Hyper Text Transfer Protocol (HTTP) from the IETF.

Standards
policy

HTTP Methods (OpenAPI)

Require that every operation in an OpenAPI definition uses the correct HTTP method for the action it performs, GET to read, POST to create, PUT and PATCH to update, DELETE to remove, and that we do...

policy

HTTP Status Codes (OpenAPI)

Require that every operation documents the HTTP status codes it can actually return, using the standard families the way the web intends, 2xx for success, 3xx for redirection, 4xx for consumer mist...

policy

Health Checks (Operations)

Require that every API exposes a standard health check endpoint, so I want a predictable path that reports liveness and readiness along with the status of critical dependencies. I insist on this be...

policy

How Will API Be Used

How will consumers be putting API resources and capabilities, getting into the details of programming languages and frameworks.

Business Contract
policy

Human URL for APIs.json Contract

Providing a valid URL to a landing page for the API that is designed for humans to use when learning more about an API.

Business Contract
policy

Hypermedia (Design)

Require that APIs return links alongside their data where it helps consumers navigate related resources, discover available actions, and follow state transitions without hardcoding URLs. APIs shoul...

policy

Idempotency (Design)

Require that state-changing operations be safe to retry, either because the method is inherently idempotent or because the API supports an idempotency key that lets a consumer replay a request with...

policy

Images for APIs

Including images as part of the metadata for your APIs helps make APIs more visible as part of portals, documentation, and other resources.

API Contract
policy

Images for APIs.json Contracts

Including images as part of the metadata for your APIs helps make APIs more visible as part of portals, documentation, and other resources.

Business Contract
policy

Input Validation (Security)

Require that every API validates all incoming data against its schema before acting on it, so I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does ...

policy

Interactive Documentation (Experience)

Require that every API ships interactive documentation generated from its contract, where a developer can read the operations, see the schemas, and make a real call right from the page. I have beli...

policy

Issues

Provide the provenance of an API contract using Git issues.

Business Contract
policy

Issues

Leveraging issues as a way to communicate API change and feedback.

Business Contract
policy

JSON

Using the JavaScript Object Notation (JSON) format.

Standards
policy

JSON Schema

Using the JSON Schema to define and validate models.

policy

JWT (Authentication)

Require JWT usage meets standards set by authentication policies.

policy

Java

Require a Java client SDK available with each API.

Business Contract
policy

JavaScript

Require a JavaScript client SDK available with each API.

Business Contract
policy

Keys (Authentication)

Require the API key usage meets standards set by authentication policies.

policy

Latency

Requiring details regarding the regular latency for each available API.

Business Contract
policy

License for APIs

Requiring the info license property meets the policy standards.

Technical Contract
policy

Linting (CI/CD)

Require that every API contract is automatically linted against our design and governance rules on each commit, so standards are enforced by machines rather than by memory and goodwill. I love lint...

policy

Localization (Experience)

Require that APIs serving a global audience localize the things developers and end users actually experience, from documentation and portal content to error messages, currencies, and date and time ...

policy

Logging (Operations)

Require that every API produces structured, correlated logs for each request, so I want a consistent log schema, a correlation or trace identifier carried through, and clear rules about what gets c...

policy

Logging Is Standardized

Require that every API emit standardized, structured logs with consistent fields for request identity, timing, status, and correlation. I expect logs to follow a shared schema across services so th...

policy

Login for APIs

Providing a way to login and gain access to an API, offering a simple human-readable URL to the login page, or ideally some sort of automated login process that allows access with as few clicks and...

Business Contract
policy

Long Running Operations (Design)

Require that operations which cannot complete within a normal request window be modeled explicitly as asynchronous, long-running jobs rather than being forced into a single blocking call that ties ...

policy

MCP Server Provided

I require that an API of consequence exposes a Model Context Protocol server so that agents can discover its capabilities and invoke them through a standard, well-understood interface rather than a...

policy

Maintainers

Require that every API names its maintainers, the real people or team accountable for its design, operation, and support, and records them where the contract lives. I care about this from the very ...

policy

Maturity Scoring (Governance)

Require that every API is scored against a shared maturity model that measures design, documentation, testing, security, and operational readiness, and that the score is visible to the team that ow...

policy

Media Types (Design)

Require that every request and response declares an accurate, standard media type, and that content negotiation is handled deliberately rather than assumed to always be JSON. Every API must be expl...

policy

Metadata for APIs

Unique identifier, name, description, tags, and other metadata for the API that defines the purpose of each individual API, and how it benefits API producer and consumers, establishing the base of ...

API Contract
policy

Metadata for APIs.json Contracts

Unique identifier, name, description, tags, and other metadata for the contract that defines the purpose of the API Contract, and how it benefits API producer and consumers, establishing the base o...

Business Contract
policy

Metrics

Providing details regarding the metrics available for each plan, outlining how the usage of digital resources and capabilities are being measured.

Business Contract
policy

Migration Guides (Experience)

Require that whenever an API version is deprecated or a breaking change is introduced, a clear migration guide is published that shows consumers exactly how to move from the old to the new. I insis...

policy

Modified Date for APIs.json Contracts

Providing the data in which an API contract was last modified, tracking the change that occurs with each API contract, understanding the velocity as well as stagnation of APIs.

Business Contract
policy

Monetization Cost Attribution

I require that API usage and its costs can be attributed back to the team, application, or consumer that generated them, so the true cost of operating and consuming an API is visible rather than sm...

policy

Monetization Metering

I require that every monetized API meters usage accurately and makes the units it counts explicit, so both the provider and the consumer agree on exactly what is being measured and billed. Metering...

policy

Monetization Plans Defined

I require that every API in production publishes its access plans as machine-readable definitions, so consumers can see the tiers, the limits, and the pricing without emailing a salesperson or gues...

policy

Monitoring (Operations)

Require that every API is actively monitored for availability, latency, error rates, and traffic, so I want the golden signals collected, dashboarded, and wired to alerts before an API ever reaches...

policy

Names for APIs

Providing a clear, descriptive, and concise name for each API, as well as the APIs it contains, properly defining the scope, with an intuitive first impression of an API.

API Contract
policy

Names for APIs.json Contracts

Providing a clear, descriptive, and concise name for each API contract, as well as the APIs it contains, properly defining the scope.

Business Contract
policy

Naming Conventions (Design)

Require that every API follows a single, documented set of naming conventions for resources, fields, parameters, and enums, so a developer who learns one of our APIs already understands the next. E...

policy

OAuth (Authentication)

Require that OAuth usage meets standards set by authentication policies.

policy

OWASP

Require that OWASP API security top ten has been applied as part of API security.

Business Contract
policy

Observability Is Instrumented

Every API must be instrumented for observability, exposing metrics, traces, and health signals that let operators understand its behavior in real time. I require that latency, error rates, and thro...

policy

Open Source Tooling Preferred

Require that an API operation prefers open source tooling and applies open licensing to its definitions, SDKs, and supporting tools wherever practical. Open source lets consumers understand, extend...

policy

Open Standards Adopted

Require that APIs are defined and delivered using open standards such as OpenAPI, AsyncAPI, and JSON Schema rather than proprietary formats. Open specifications lower the cost of adoption, enable i...

policy

OpenAPI

A machine-readable OpenAPI using the most recent version of the API specification, describing the surface area of each API, which is then used to render the human-readable documentation, and other ...

Technical Contract
policy

OpenAPI

Using the OpenAPI specification to describe HTTP APIs.

policy

OpenAPI Components

The OpenAPI Components object enables the centralization of common technical details within an API, promoting modularity and reusability. Using the components object as a standard practice helps re...

Technical Contract
policy

OpenAPI Overlays Used

Require that consistent, cross-cutting changes to OpenAPI definitions be applied through OpenAPI Overlays rather than by hand-editing each specification. I want shared conventions, added examples, ...

policy

OpenAPI Security

Requiring that OpenAPI security meet the policy standards.

Technical Contract
policy

OpenAPI Tags

Requiring that all OpenAPI tags meet the policy standards.

Technical Contract
policy

OpenAPI Version

Requiring there is the latest version of OpenAPI available.

Technical Contract
policy

Operation ID Conventions (OpenAPI)

Require that every operation in our OpenAPI definitions carries a unique, human-readable operationId that follows a consistent naming convention across the whole surface, something like getUser or ...

policy

Operation Security

Requiring that all operational security meets the policy standards.

Technical Contract
policy

Operation Summary

Requiring that all operational summaries meets the policy standards.

Technical Contract
policy

Operation Tags

Requiring that all operational tags meets the policy standards.

Technical Contract
policy

Operational Governance Rules

Spectral rules that apply to the operational level, linting APIs.json.

Business Contract
policy

Operations Are Agent-Legible

I require that every operation in an OpenAPI carries a description rich enough that an agent can decide, from the definition alone, what the operation does, when to call it, and what it will get ba...

policy

PHP

Require a PHP client SDK available with each API.

Business Contract
policy

Pagination (Operations)

Require that every endpoint returning a collection paginates its results using a single, consistent strategy, so I want a documented approach, whether cursor or offset, with clear page-size limits ...

policy

Parameter Descriptions

Requiring that all operational parameters descriptions meets the policy standards.

Technical Contract
policy

Parameter Enumerators

Requiring that all operational parameters enums meets the policy standards.

Technical Contract
policy

Parameter In Query or Path

Requiring that all operational parameters in property meets the policy standards.

Technical Contract
policy

Parameter Names

Requiring that all operational parameters names meets the policy standards.

Technical Contract
policy

Parameter Schema

Requiring that all operational parameters schema meets the policy standards.

Technical Contract
policy

Parameter Types

Requiring that all operational parameters type property meets the policy standards.

Technical Contract
policy

Parameters

Requiring that all operational parameters meets the policy standards.

Technical Contract
policy

Path Names

Requiring API paths meets the policy standards that are set.

Technical Contract
policy

Path Trailing Slashes (OpenAPI)

Require that our OpenAPI paths follow one consistent rule about trailing slashes, and I strongly prefer no trailing slash so that /orders and /orders/ never become two subtly different things. I ha...

policy

People Guidance

Provide access to people API guidance as part of API contract support.

Business Contract
policy

Performance

Publishing details regarding the performance of APIs, complimenting status and uptime information, but drilling into more detail regarding speed, latency, and other performance related metrics that...

Business Contract
policy

Performance Budgets Defined

Require that every API define performance budgets, setting explicit targets for latency, throughput, and error rates that it commits to holding. I expect these budgets to be measured continuously a...

policy

Plans

Plans are all about being explicit and transparent with all of the access for an API, breaking down the tiers, rate limits, features, and pricing that is available for API consumers, standardizing ...

Business Contract
policy

Policies

Providing the machine-readable policies that link machine-readable rules with the business reasons why we are governing an API and the operations around it, helping organize rules based upon the bu...

Business Contract
policy

Policy Exceptions (Governance)

Require that any deviation from a governance policy is requested, justified, time-boxed, and approved through a documented exception process rather than quietly ignored. I have learned that rigid r...

policy

Policy Guidance

Provide access to API policy guidance as part of API contract support.

Business Contract
policy

Portals

Dedicated developer portals for an API provide a way to make documentation, sign-up, getting started, plans, SDKs, and other resources API consumers need more easily accessible publicly or privatel...

Business Contract
policy

Postman Collection

A machine-readable Postman Collection describing the surface area of the API contract or providing more modular and executable representations of portions of the API contract. - Postman - Executable

Technical Contract
policy

Postman Workspace

A Postman Workspace provides a dedicated space to manage API contracts within a domain, complimenting other types of workspaces, allowing for private, partner, and public workspaces to exist for ma...

Business Contract
policy

Privacy Policy

Publishing a privacy policy covering the producer and consumers of an API, as well as end-users of applications, adding to the legal resources that are available to 3rd party developers when puttin...

Business Contract
policy

Problem Details for HTTP APIs

Requiring that errors use the Problem Details for HTTP APIs standard.

Technical Contract
policy

Procurement Evaluation Checklist

Require that every API considered for adoption be run through a documented procurement evaluation checklist before a team commits to it. I want the same questions asked each time, covering security...

policy

Provenance

Helping curate the provenance of each API contract as it evolves over time, documenting change, and cataloging the reviews, validation, certification, and conversation that occurs as each API moves...

Business Contract
policy

Providing External Document References

Requiring that all OpenAPI external documentation meet the policy standards.

Technical Contract
policy

Pull Requests

Provide the provenance of an API contract using Git pull requests.

Business Contract
policy

Pull Requests

Using pull requests to submit changes to business or technical artifacts.

Business Contract
policy

Questions

Empowering teams to ask questions via issue or discussion via Git repository, or directly via email about the API lifecycle, governance, as well as the business or technical elements of producing a...

Business Contract
policy

Questions Issues

Allow for teams to ask questions and get answers via Git Issues.

Business Contract
policy

README

Require that each API contract repository has a dedicated README.

Business Contract
policy

Rate Limiting (Operations)

Require that every API enforces rate limits and communicates them clearly, so I want defined quotas per consumer, standard headers that report remaining budget, and a proper 429 with a Retry-After ...

policy

Rate Limits

Providing details of rate limits being applied as part of each plan, and what is available to consumers as part of their application usage.

Business Contract
policy

Regions

Providing regional details available for access API resources and capabilities in different geographical regions as part of API plan usage.

Business Contract
policy

Request Bodies

Requiring that all operational request bodies meets the policy standards.

Technical Contract
policy

Request Bodies Examples

Requiring that all operational request body examples meets the policy standards.

Technical Contract
policy

Request Bodies Media Types

Requiring that all operational request body media types meets the policy standards.

Technical Contract
policy

Request Bodies Schema

Requiring that all operational request body schema meets the policy standards.

Technical Contract
policy

Response 2xx

Requiring that all 2xx responses meets the policy standards.

Technical Contract
policy

Response 4xx

Requiring that all 4xx responses meets the policy standards.

Technical Contract
policy

Response 5xx

Requiring that all 5xx responses meets the policy standards.

Technical Contract
policy

Response Time

Requiring details regarding the regular response time for each available API.

Business Contract
policy

Retirement (Lifecycle)

Require that retiring an API is a deliberate, documented step that only happens after a deprecation period, with the shutdown date, the reason, and the alternative all made clear to consumers. I wa...

policy

Reuse Scoring Applied

Require that every API carry a reuse score that measures how widely and effectively it is being reused across teams and how much it duplicates existing capabilities. I want reuse assessed with a co...

policy

Review & Approval (Governance)

Require that every API design and significant change passes through a documented review and approval step before it ships, with clear owners and clear criteria. I am a big believer in design-first ...

policy

Reviews

Provide the provenance of an API contract using API governance reviews.

Business Contract
policy

Road Map

Providing a simple yet informative look at what features are being planned for future releases of an API, or even sharing that nothing is currently being planned--just providing any insight on what...

Business Contract
policy

Robustness (Design)

Require that APIs are designed for robustness on both sides of the wire, being conservative in what they send and tolerant in what they accept, so that small variations do not cascade into outages....

policy

Rules

Providing the machine-readable rules used to govern an API that can be used as part of pipelines or other automation to lint an API, making sure the baseline for each API and the operations around ...

Business Contract
policy

SDKs

Offering software development kits, or SDKs for an API, handling authentication, and working across all available API operations in a variety of relevant programming languages to the targeted consu...

Business Contract
policy

SDKs (Getting Started)

Provide a link and description of where API consumers can get access to SDKs, libraries, and the code that will jumpstart their integration with an API.

Business Contract
policy

SLA (Experience)

Require that every API published for consumers carries a clear service level agreement stating its uptime target, expected performance, support commitments, and what happens when we fall short. I p...

policy

SLA Defined and Published

I require that every production API defines a service level agreement and publishes it where consumers can find it, stating the availability, performance, and support commitments we are willing to ...

policy

Sandbox (Experience)

Require that every API offers a sandbox environment with test credentials and safe, representative data so a developer can experiment fully before touching production. I champion sandboxes because ...

policy

Schema Constraints (OpenAPI)

Require that our schemas express real constraints on their properties, the minLength and maxLength, minimum and maximum, patterns, and formats that describe what valid data actually is rather than ...

policy

Schema Descriptions

Requiring that all schema descriptions meets the policy standards.

Technical Contract
policy

Schema Names

Requiring that all schema names meets the policy standards.

Technical Contract
policy

Schema Properties

Requiring that all schema properties meets the policy standards.

Technical Contract
policy

Schema Property Descriptions

Requiring that all schema property descriptions meets the policy standards.

Technical Contract
policy

Schema Property Enums (OpenAPI)

Require that any property with a fixed set of allowed values declares those values as an enum in the schema, so status, type, and category fields cannot drift into a free-for-all of typos and inven...

policy

Schema Property Names

Requiring that all schema property names meets the policy standards.

Technical Contract
policy

Schema Property Required (OpenAPI)

Require that our schemas explicitly list which properties are required, so consumers know which fields they can always count on and which ones may be absent. I have written code that trusted a fiel...

policy

Schema Property Shapes

Requiring that all schema property shapes meets the policy standards.

Technical Contract
policy

Schema Property Type

Requiring that all schema property types meets the policy standards.

Technical Contract
policy

Schema Registry (CI/CD)

Require that the schemas an API relies on are published to a shared schema registry and validated against it in CI/CD, so the shapes of our data are versioned, discoverable, and compatible. I want ...

policy

Schema Required (OpenAPI)

Require that every request and response body in our OpenAPI definitions references a defined schema rather than accepting or returning free-form, untyped content. I have run into operations that de...

policy

Schema Type

Requiring that all schema type meets the policy standards.

Technical Contract
policy

Scopes (Authentication)

Require Oauth scopes meets standards set by authentication policies.

policy

Security

Providing an overview of security practices for an API, including details covered as part of authentication and access management, but also security testing and certifications that matter to API co...

Business Contract
policy

Semantic Versioning

Require usage of major, minor, and patch Semantic Versioning for managing change.

Business Contract
policy

Servers (OpenAPI)

Require that every OpenAPI definition declares its servers, the concrete base URLs where the API actually lives, ideally with an entry for each environment so production and sandbox are both discov...

policy

Spectral

Using the Spectral to define linting rules for APIs.

policy

Standards

Internet, industry, market, and government standards help make APIs more consistent, but also save time and money for both producer and consumer, while keeping APIs better aligned with existing ind...

Business Contract
policy

Status

Making an API status page, monitoring reports, or other real-time updates regarding the uptime and availability of an API, providing current, but also the historical status of API, helping maintain...

Business Contract
policy

Status Dashboard

Require a link to as well as results from a status dashboard for an API.

Business Contract
policy

Status History

Require a link to as well as results from a status history for an API.

Business Contract
policy

Support

Outline what support is available for API consumers, including email, tickets, forums, and paid support services, making it easy for API consumers to understand how they can get the help they need ...

Business Contract
policy

Support Channels Defined

Require that every API publish clear support channels so consumers know exactly how to get help and what to expect when they ask. I want the path to a human, an issue tracker, or a community forum ...

Business Contract
policy

Support Email

Require that an API is supported using email.

Business Contract
policy

Support Issues

Require that an API is supported using Git issues.

Business Contract
policy

Tags for APIs

Tags provide a bounded context for your APIs, providing keywords that help organize APIs by domains, and make them more discoverable.

API Contract
policy

Tags for APIs.json Contracts

Tags provide a bounded context for your APIs, providing keywords that help organize APIs by domains, and make them more discoverable.

Business Contract
policy

Teams

Require that API contract management is controlled using Git teams.

Business Contract
policy

Teams

Requiring at least one product and one engineering, as well as other potential stakeholders involved through the API lifecycle from define to production, ensuring there is always someone actively o...

Business Contract
policy

Technical Contract Validator

The OpenAPI technical contract must have a link to the validator for each, providing the ability to run linting rules for each type of contract and see the details of rules as they are applied.

Technical Contract
policy

Technical Guidance

Provide access to technical API guidance as part of API contract support.

Business Contract
policy

Terms of Service

Making sure that terms of service are front and center for API consumers, ensuring that the legal side of using API resources and capabilities in applications and integrations by 3rd party consumer...

Business Contract
policy

Terms of Service for APIs

Requiring the info terms of service property meets the policy standards.

Technical Contract
policy

Testing

Require that security testing has occurred and publishing results for API security.

Business Contract
policy

Time Frame

Break down usage for for consumers based upon second, minutes, days, weeks, months, or other relevant time-frame for them to understand their usage.

Business Contract
policy

Title

The title for the proposed API change in the road map.

Business Contract
policy

Title of APIs

Requiring the info title property meets the policy standards.

Technical Contract
policy

Tool Definitions Provided

I require that APIs publish explicit tool definitions that describe each callable capability as a discrete tool an agent can select, with clear names, descriptions, and typed inputs and outputs. Th...

policy

Transport (Security)

Require that every API is served exclusively over encrypted transport, so I want TLS enforced everywhere, plain HTTP either redirected or refused, weak protocols and ciphers disabled, and HSTS in p...

policy

URL Structure (Design)

Require that every API uses a consistent, predictable URL structure, with clear resource hierarchies, sensible pluralization, and paths that read like the nouns of the domain rather than a grab bag...

policy

URL for APIs.json Contracts

Providing the valid URL for the APIs.json contract, identifying the source of the contract which may or may not be where it is found, helping make contract authoritative.

Business Contract
policy

Unique Identifiers for APIs

Providing unique identifiers for API apis, as well as the APIs that are indexed as part of an API, providing a key reference for discovery and automating around a contract.

API Contract
policy

Unique Identifiers for APIs.json Contracts

Providing unique identifiers for API contracts, as well as the APIs that are indexed as part of a contract, providing a key reference.

Business Contract
policy

Unique Identrifiers for API Operations

Requiring that all operational unique identifiers meets the policy standards.

Technical Contract
policy

Usage of JSON Path Standard

Using JSON Path to identify properties of a schema.

Standard
policy

Use Cases

The who, what, how, and why of producing an API, making sure all of the known use cases are accurately described and kept up to date, then used to ensure each API is delivering what is expected wit...

Business Contract
policy

Validation (Design)

Require that every API defines and enforces validation rules in its contract, using schemas, constraints, required fields, and formats so that bad input is rejected with a clear, consistent error i...

policy

Version

The version of the proposed API change in the road map.

Business Contract
policy

Version of APIs

Requiring the info version property meets the policy standards.

Technical Contract
policy

Versioning

Providing semantic or date-based versioning for an API, offering an overview of what is adopted for an API and why, letting consumers know that their is change management in place and how they can ...

policy

Videos

Videos offer an engaging way to provide information and updates with producers nad consumers of APIs, demonstrating how an API can be used, providing webinars, workshops, and other useful videos ab...

Business Contract
policy

Webhook Contracts Defined

I require that every webhook an API sends is described by a real contract that specifies its trigger, its payload, its headers, and its delivery and retry behavior, so integrators can build against...

policy

What Will Be Done With API

What will consumers be building with the resources and capabilities being made available via APIs.

Business Contract
policy

Who Will Be Using API

Who is using an API, focusing on the people who will be putting an API to work in their applications.

Business Contract
policy

Why Will API Be Used

What are the reasons an API consumer will be putting APIs to work in their applications and integrations as part of their business.

Business Contract
policy

YAML

Using the Yet Another Markdown Language (YAML) format.

Standards