home / skills / itechmeat / llm-code / openapi
npx playbooks add skill itechmeat/llm-code --skill openapiReview the files below or copy the command above to add this skill to your agents.
---
name: openapi
description: "OpenAPI Specification (OAS 3.x): document structure, paths, operations, schemas, parameters, security schemes, and validation."
version: "3.2.0"
release_date: "2025-09-19"
---
# OpenAPI Specification
This skill provides guidance for working with OpenAPI Specification (OAS) documents.
**Current version:** OpenAPI 3.2.0 (September 2025)
## Quick Navigation
- Document structure: `references/document-structure.md`
- Operations & paths: `references/operations.md`
- Schemas & data types: `references/schemas.md`
- Parameters & serialization: `references/parameters.md`
- Security: `references/security.md`
## When to Use
- Creating a new OpenAPI specification document
- Describing HTTP API endpoints
- Defining request/response schemas
- Configuring API security (OAuth2, API keys, JWT)
- Validating an existing OpenAPI document
- Generating client/server code from specs
## Document Structure Overview
An OpenAPI document MUST have either an OpenAPI Object or Schema Object at the root.
### Required Fields
```yaml
openapi: 3.2.0 # REQUIRED: OAS version
info: # REQUIRED: API metadata
title: My API
version: 1.0.0
```
### Complete Structure
```yaml
openapi: 3.2.0
info:
title: Example API
version: 1.0.0
description: API description (supports CommonMark)
servers:
- url: https://api.example.com/v1
paths:
/resources:
get:
summary: List resources
responses:
"200":
description: Success
components:
schemas: {}
parameters: {}
responses: {}
securitySchemes: {}
security:
- apiKey: []
tags:
- name: resources
description: Resource operations
```
## Core Objects Reference
### Info Object
```yaml
info:
title: Example API # REQUIRED
version: 1.0.0 # REQUIRED (API version, NOT OAS version)
summary: Short summary
description: Full description (CommonMark)
termsOfService: https://example.com/terms
contact:
name: API Support
url: https://example.com/support
email: [email protected]
license:
name: Apache 2.0
identifier: Apache-2.0 # OR url (mutually exclusive)
```
### Server Object
```yaml
servers:
- url: https://api.example.com/v1
description: Production
- url: https://{environment}.example.com:{port}/v1
description: Configurable
variables:
environment:
default: api
enum: [api, staging, dev]
port:
default: "443"
```
### Path Item Object
```yaml
/users/{id}:
summary: User operations
parameters:
- $ref: "#/components/parameters/userId"
get:
operationId: getUser
responses:
"200":
description: User found
put:
operationId: updateUser
requestBody:
$ref: "#/components/requestBodies/UserUpdate"
responses:
"200":
description: User updated
```
### Operation Object
```yaml
get:
tags: [users]
summary: Get user by ID
description: Returns a single user
operationId: getUserById # MUST be unique across all operations
parameters:
- name: id
in: path
required: true
schema:
type: string
responses:
"200":
description: Success
content:
application/json:
schema:
$ref: "#/components/schemas/User"
"404":
description: Not found
security:
- bearerAuth: []
deprecated: false
```
## Schema Recipes
### Basic Object
```yaml
components:
schemas:
User:
type: object
required: [id, email]
properties:
id:
type: string
format: uuid
email:
type: string
format: email
name:
type: string
age:
type: integer
minimum: 0
```
### Composition with allOf
```yaml
ExtendedUser:
allOf:
- $ref: "#/components/schemas/User"
- type: object
properties:
role:
type: string
enum: [admin, user, guest]
```
### Polymorphism with oneOf
```yaml
Pet:
oneOf:
- $ref: "#/components/schemas/Cat"
- $ref: "#/components/schemas/Dog"
discriminator:
propertyName: petType
mapping:
cat: "#/components/schemas/Cat"
dog: "#/components/schemas/Dog"
```
### Nullable and Optional
```yaml
# OAS 3.1+ uses JSON Schema type arrays
properties:
nickname:
type: [string, "null"] # nullable
```
## Parameter Locations
| Location | `in` value | Notes |
| ------------ | ------------- | ----------------------------------- |
| Path | `path` | MUST be required: true |
| Query | `query` | Standard query parameters |
| Query string | `querystring` | Entire query string as single param |
| Header | `header` | Case-insensitive names |
| Cookie | `cookie` | Cookie values |
### Parameter Styles
| Style | `in` | Type | Example (color=blue,black) |
| ---------- | ----- | ---------------------- | -------------------------- |
| simple | path | array | blue,black |
| form | query | primitive/array/object | color=blue,black |
| matrix | path | primitive/array/object | ;color=blue,black |
| label | path | primitive/array/object | .blue.black |
| deepObject | query | object | color[R]=100&color[G]=200 |
## Security Schemes
### API Key
```yaml
components:
securitySchemes:
apiKey:
type: apiKey
in: header # header, query, or cookie
name: X-API-Key
```
### Bearer Token (JWT)
```yaml
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
```
### OAuth2
```yaml
oauth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://auth.example.com/authorize
tokenUrl: https://auth.example.com/token
scopes:
read:users: Read user data
write:users: Modify user data
```
### Apply Security
```yaml
# Global (all operations)
security:
- bearerAuth: []
# Per-operation
paths:
/public:
get:
security: [] # Override: no auth required
/protected:
get:
security:
- oauth2: [read:users]
```
## Reference Object
Use `$ref` to avoid duplication:
```yaml
# Reference within same document
$ref: '#/components/schemas/User'
# Reference to external file
$ref: './schemas/user.yaml'
$ref: './common.yaml#/components/schemas/Error'
```
## Components Object
Reusable building blocks:
```yaml
components:
schemas: # Data models
responses: # Reusable responses
parameters: # Reusable parameters
examples: # Reusable examples
requestBodies: # Reusable request bodies
headers: # Reusable headers
securitySchemes: # Security definitions
links: # Links between operations
callbacks: # Webhook definitions
pathItems: # Reusable path items
```
## Best Practices Checklist
- [ ] Include `operationId` for all operations (unique, programming-friendly)
- [ ] Use `$ref` for reusable components
- [ ] Add meaningful `description` fields (supports CommonMark)
- [ ] Define all possible response codes
- [ ] Include `examples` for complex schemas
- [ ] Use `tags` to group related operations
- [ ] Mark deprecated operations with `deprecated: true`
- [ ] Use semantic versioning for `info.version`
## Critical Prohibitions
- Do NOT omit `openapi` and `info` fields (they are REQUIRED)
- Do NOT use duplicate `operationId` values
- Do NOT mix `$ref` with sibling properties in Reference Objects
- Do NOT use path parameters without `required: true`
- Do NOT use implicit OAuth2 flow in new APIs (deprecated)
- Do NOT forget security for protected endpoints
## Validation
### File Naming
- Entry document: `openapi.json` or `openapi.yaml` (recommended)
- Format: JSON or YAML (equivalent)
- All field names are case-sensitive
### Common Validation Errors
| Error | Fix |
| -------------------------- | ----------------------------------------------------- |
| Missing required field | Add `openapi`, `info.title`, `info.version` |
| Invalid operationId | Use unique, valid identifier |
| Path parameter not in path | Ensure `{param}` matches parameter name |
| Duplicate path template | Remove conflicting `/users/{id}` vs `/users/{userId}` |
| Invalid $ref | Check URI syntax and target existence |
## Links
- Official spec: https://spec.openapis.org/oas/latest.html
- Learning resources: https://learn.openapis.org/
- JSON Schema (for schemas): https://json-schema.org/