AniList · API Governance Rules

AniList API Rules

Spectral linting rules defining API design standards and conventions for AniList.

49 Rules error 18 warn 22 info 9

View Rules File View on GitHub

Rule Categories

anilist

Rules

warn

anilist-info-title-prefix

API title should start with "AniList".

$.info.title

error

anilist-info-description-required

Info description is required and should describe the GraphQL surface.

$.info

warn

anilist-info-description-min-length

Info description should be at least 120 characters.

$.info.description

info

anilist-info-contact-email

Contact email should be [email protected].

$.info.contact.email

warn

anilist-info-license-required

License pointing to the AniList Terms of Use is required.

$.info

info

anilist-info-terms-of-service

termsOfService should reference docs.anilist.co.

$.info.termsOfService

error

anilist-openapi-version-3

Spec must declare OpenAPI 3.0.x.

$.openapi

error

anilist-servers-defined

At least one server must be defined.

$.servers

error

anilist-servers-https-only

All servers must use HTTPS.

$.servers[*].url

warn

anilist-servers-anilist-host

Server URLs must be on anilist.co or graphql.anilist.co.

$.servers[*].url

warn

anilist-servers-description

Each server entry should have a description.

$.servers[*]

error

anilist-paths-no-trailing-slash

Paths must not have a trailing slash (except the root "/").

$.paths[?(@property != "/")]~

warn

anilist-paths-oauth-prefix

OAuth2 paths must live under /api/v2/oauth.

$.paths

error

anilist-operation-id-required

Every operation must declare an operationId.

$.paths[*][get,put,post,delete,patch,options,head]

error

anilist-operation-id-camel-case

operationId must be camelCase.

$.paths[*][get,put,post,delete,patch,options,head].operationId

error

anilist-operation-summary-required

Every operation must have a summary.

$.paths[*][get,put,post,delete,patch,options,head]

warn

anilist-operation-summary-title-case

Summary should begin with an uppercase letter (Title Case).

$.paths[*][get,put,post,delete,patch,options,head].summary

warn

anilist-operation-description-required

Every operation must have a description.

$.paths[*][get,put,post,delete,patch,options,head]

warn

anilist-operation-tags-required

Every operation must declare at least one tag.

$.paths[*][get,put,post,delete,patch,options,head]

info

anilist-operation-microcks-extension

Operations should include x-microcks-operation for mock-server support.

$.paths[*][get,put,post,delete,patch,options,head]

warn

anilist-tags-defined

Spec must declare a top-level tags array.

$.tags

warn

anilist-tag-pascal-case

Tag names should be PascalCase (e.g. GraphQL, OAuth2).

$.tags[*].name

info

anilist-tag-description-required

Each tag should have a description.

$.tags[*]

warn

anilist-parameter-description-required

Every parameter must have a description.

$.paths[*][*].parameters[*]

error

anilist-parameter-oauth-snake-case

OAuth2 query parameters must be snake_case (client_id, redirect_uri, response_type).

$.paths[?(@property =~ /oauth/)][*].parameters[?(@.in == 'query')].name

error

anilist-parameter-schema-required

Every parameter must have a schema with a type.

$.paths[*][*].parameters[*]

warn

anilist-request-body-json

Request bodies should accept application/json (OAuth2 token endpoint may also accept form-encoded).

$.paths[*][post,put,patch].requestBody.content

info

anilist-request-body-example

Request bodies should include at least one named example.

$.paths[*][*].requestBody.content[*]

error

anilist-response-200-required

GraphQL POST / must document a 200 response.

$.paths['/'].post.responses

warn

anilist-response-429-required

GraphQL POST / must document a 429 response with rate-limit headers.

$.paths['/'].post.responses

info

anilist-response-403-documented

GraphQL POST / should document the 403 returned when the API is temporarily disabled.

$.paths['/'].post.responses

warn

anilist-response-rate-limit-headers

200 response on / should expose X-RateLimit-Limit and X-RateLimit-Remaining headers.

$.paths['/'].post.responses['200'].headers

warn

anilist-response-429-retry-headers

429 response should expose Retry-After and X-RateLimit-Reset headers.

$.paths['/'].post.responses['429'].headers

error

anilist-response-json-content-type

2xx and error responses on / must use application/json.

$.paths['/'].post.responses[*].content

warn

anilist-response-description-required

Every response must have a description.

$.paths[*][*].responses[*]

error

anilist-schema-graphql-request-required

components.schemas must define GraphQLRequest, GraphQLResponse, and GraphQLError.

$.components.schemas

warn

anilist-schema-token-required

components.schemas must define TokenRequest and TokenResponse for OAuth2.

$.components.schemas

warn

anilist-schema-property-camel-or-snake

Schema properties should be camelCase or snake_case (matches AniList's GraphQL camelCase + OAuth snake_case mix).

$.components.schemas[*].properties[*]~

info

anilist-schema-title-required

Top-level component schemas should have a title.

$.components.schemas[*]

error

anilist-security-schemes-defined

securitySchemes must be defined.

$.components.securitySchemes

error

anilist-security-bearer-jwt

A bearerAuth scheme using JWT must be defined for authenticated mutations.

$.components.securitySchemes.bearerAuth

warn

anilist-security-oauth2-flows

An oauth2 security scheme with authorizationCode and implicit flows should be defined.

$.components.securitySchemes

warn

anilist-security-global

Spec must declare a global security stanza (including the public/empty option for the GraphQL endpoint).

error

anilist-graphql-post-only

The GraphQL endpoint must be exposed via POST only.

$.paths['/']

error

anilist-oauth-authorize-get

/api/v2/oauth/authorize must be a GET (browser redirect target).

$.paths['/api/v2/oauth/authorize']

error

anilist-oauth-token-post

/api/v2/oauth/token must be a POST.

$.paths['/api/v2/oauth/token']

warn

anilist-no-empty-descriptions

Descriptions must not be empty strings.

$..description

info

anilist-deprecation-documented

Deprecated operations should explain the replacement in the description.

$.paths[*][?(@.deprecated == true)]

info

anilist-external-docs-encouraged

Operations should reference the AniList docs site under externalDocs.

$.paths[*][get,put,post,delete,patch,options,head]

Spectral Ruleset

# Spectral ruleset for the AniList API profile.
#
# AniList exposes a single GraphQL endpoint (POST /) at https://graphql.anilist.co
# plus OAuth2 endpoints under https://anilist.co/api/v2/oauth/*. This ruleset
# captures opinionated conventions for the HTTP surface in openapi/ and is intended
# to be paired with GraphQL-level linting (e.g. graphql-schema-linter) for the
# schema document in graphql/anilist-schema.graphql.
#
# Conventions captured from the AniList API:
#   - OpenAPI 3.0.x
#   - HTTPS-only servers (graphql.anilist.co, anilist.co)
#   - PascalCase for tags (GraphQL, OAuth2)
#   - camelCase operationIds (executeGraphQL, oauthAuthorize, oauthExchangeToken, oauthAuthPin)
#   - snake_case query parameters on OAuth2 endpoints (client_id, redirect_uri, response_type)
#   - JSON content type for all request and response bodies on /
#   - Bearer JWT auth for mutations
#   - Required X-RateLimit-* response headers documented on 200 and 429
#   - Title Case operation summaries
#
extends: [[spectral:oas, all]]
formats: [oas3]
rules:

  # ----------------------------------------------------------------------------
  # INFO / METADATA
  # ----------------------------------------------------------------------------
  anilist-info-title-prefix:
    description: API title should start with "AniList".
    severity: warn
    given: $.info.title
    then:
      function: pattern
      functionOptions:
        match: "^AniList"

  anilist-info-description-required:
    description: Info description is required and should describe the GraphQL surface.
    severity: error
    given: $.info
    then:
      field: description
      function: truthy

  anilist-info-description-min-length:
    description: Info description should be at least 120 characters.
    severity: warn
    given: $.info.description
    then:
      function: length
      functionOptions:
        min: 120

  anilist-info-contact-email:
    description: Contact email should be [email protected].
    severity: info
    given: $.info.contact.email
    then:
      function: pattern
      functionOptions:
        match: "^contact@anilist\\.co$"

  anilist-info-license-required:
    description: License pointing to the AniList Terms of Use is required.
    severity: warn
    given: $.info
    then:
      field: license
      function: truthy

  anilist-info-terms-of-service:
    description: termsOfService should reference docs.anilist.co.
    severity: info
    given: $.info.termsOfService
    then:
      function: pattern
      functionOptions:
        match: "^https://docs\\.anilist\\.co/"

  # ----------------------------------------------------------------------------
  # OPENAPI VERSION
  # ----------------------------------------------------------------------------
  anilist-openapi-version-3:
    description: Spec must declare OpenAPI 3.0.x.
    severity: error
    given: $.openapi
    then:
      function: pattern
      functionOptions:
        match: "^3\\.0\\."

  # ----------------------------------------------------------------------------
  # SERVERS
  # ----------------------------------------------------------------------------
  anilist-servers-defined:
    description: At least one server must be defined.
    severity: error
    given: $.servers
    then:
      function: schema
      functionOptions:
        schema:
          type: array
          minItems: 1

  anilist-servers-https-only:
    description: All servers must use HTTPS.
    severity: error
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  anilist-servers-anilist-host:
    description: Server URLs must be on anilist.co or graphql.anilist.co.
    severity: warn
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "^https://(graphql\\.)?anilist\\.co"

  anilist-servers-description:
    description: Each server entry should have a description.
    severity: warn
    given: $.servers[*]
    then:
      field: description
      function: truthy

  # ----------------------------------------------------------------------------
  # PATHS / OPERATIONS
  # ----------------------------------------------------------------------------
  anilist-paths-no-trailing-slash:
    description: Paths must not have a trailing slash (except the root "/").
    severity: error
    given: $.paths[?(@property != "/")]~
    then:
      function: pattern
      functionOptions:
        notMatch: "/$"

  anilist-paths-oauth-prefix:
    description: OAuth2 paths must live under /api/v2/oauth.
    severity: warn
    given: $.paths
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          patternProperties:
            "^/api/v2/oauth(/.*)?$": {}
            "^/$": {}
          additionalProperties: false

  anilist-operation-id-required:
    description: Every operation must declare an operationId.
    severity: error
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: operationId
      function: truthy

  anilist-operation-id-camel-case:
    description: operationId must be camelCase.
    severity: error
    given: $.paths[*][get,put,post,delete,patch,options,head].operationId
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]*$"

  anilist-operation-summary-required:
    description: Every operation must have a summary.
    severity: error
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: summary
      function: truthy

  anilist-operation-summary-title-case:
    description: Summary should begin with an uppercase letter (Title Case).
    severity: warn
    given: $.paths[*][get,put,post,delete,patch,options,head].summary
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z]"

  anilist-operation-description-required:
    description: Every operation must have a description.
    severity: warn
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: description
      function: truthy

  anilist-operation-tags-required:
    description: Every operation must declare at least one tag.
    severity: warn
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: tags
      function: truthy

  anilist-operation-microcks-extension:
    description: Operations should include x-microcks-operation for mock-server support.
    severity: info
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: x-microcks-operation
      function: truthy

  # ----------------------------------------------------------------------------
  # TAGS
  # ----------------------------------------------------------------------------
  anilist-tags-defined:
    description: Spec must declare a top-level tags array.
    severity: warn
    given: $.tags
    then:
      function: truthy

  anilist-tag-pascal-case:
    description: Tag names should be PascalCase (e.g. GraphQL, OAuth2).
    severity: warn
    given: $.tags[*].name
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][A-Za-z0-9]*$"

  anilist-tag-description-required:
    description: Each tag should have a description.
    severity: info
    given: $.tags[*]
    then:
      field: description
      function: truthy

  # ----------------------------------------------------------------------------
  # PARAMETERS
  # ----------------------------------------------------------------------------
  anilist-parameter-description-required:
    description: Every parameter must have a description.
    severity: warn
    given: $.paths[*][*].parameters[*]
    then:
      field: description
      function: truthy

  anilist-parameter-oauth-snake-case:
    description: OAuth2 query parameters must be snake_case (client_id, redirect_uri, response_type).
    severity: error
    given: $.paths[?(@property =~ /oauth/)][*].parameters[?(@.in == 'query')].name
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-z0-9_]*$"

  anilist-parameter-schema-required:
    description: Every parameter must have a schema with a type.
    severity: error
    given: $.paths[*][*].parameters[*]
    then:
      field: schema
      function: truthy

  # ----------------------------------------------------------------------------
  # REQUEST BODIES
  # ----------------------------------------------------------------------------
  anilist-request-body-json:
    description: Request bodies should accept application/json (OAuth2 token endpoint may also accept form-encoded).
    severity: warn
    given: $.paths[*][post,put,patch].requestBody.content
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [application/json]

  anilist-request-body-example:
    description: Request bodies should include at least one named example.
    severity: info
    given: $.paths[*][*].requestBody.content[*]
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          anyOf:
            - required: [example]
            - required: [examples]

  # ----------------------------------------------------------------------------
  # RESPONSES
  # ----------------------------------------------------------------------------
  anilist-response-200-required:
    description: GraphQL POST / must document a 200 response.
    severity: error
    given: $.paths['/'].post.responses
    then:
      field: '200'
      function: truthy

  anilist-response-429-required:
    description: GraphQL POST / must document a 429 response with rate-limit headers.
    severity: warn
    given: $.paths['/'].post.responses
    then:
      field: '429'
      function: truthy

  anilist-response-403-documented:
    description: GraphQL POST / should document the 403 returned when the API is temporarily disabled.
    severity: info
    given: $.paths['/'].post.responses
    then:
      field: '403'
      function: truthy

  anilist-response-rate-limit-headers:
    description: 200 response on / should expose X-RateLimit-Limit and X-RateLimit-Remaining headers.
    severity: warn
    given: $.paths['/'].post.responses['200'].headers
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [X-RateLimit-Limit, X-RateLimit-Remaining]

  anilist-response-429-retry-headers:
    description: 429 response should expose Retry-After and X-RateLimit-Reset headers.
    severity: warn
    given: $.paths['/'].post.responses['429'].headers
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [Retry-After, X-RateLimit-Reset]

  anilist-response-json-content-type:
    description: 2xx and error responses on / must use application/json.
    severity: error
    given: $.paths['/'].post.responses[*].content
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [application/json]

  anilist-response-description-required:
    description: Every response must have a description.
    severity: warn
    given: $.paths[*][*].responses[*]
    then:
      field: description
      function: truthy

  # ----------------------------------------------------------------------------
  # SCHEMAS
  # ----------------------------------------------------------------------------
  anilist-schema-graphql-request-required:
    description: components.schemas must define GraphQLRequest, GraphQLResponse, and GraphQLError.
    severity: error
    given: $.components.schemas
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [GraphQLRequest, GraphQLResponse, GraphQLError]

  anilist-schema-token-required:
    description: components.schemas must define TokenRequest and TokenResponse for OAuth2.
    severity: warn
    given: $.components.schemas
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [TokenRequest, TokenResponse]

  anilist-schema-property-camel-or-snake:
    description: Schema properties should be camelCase or snake_case (matches AniList's GraphQL camelCase + OAuth snake_case mix).
    severity: warn
    given: $.components.schemas[*].properties[*]~
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9_]*$"

  anilist-schema-title-required:
    description: Top-level component schemas should have a title.
    severity: info
    given: $.components.schemas[*]
    then:
      field: title
      function: truthy

  # ----------------------------------------------------------------------------
  # SECURITY
  # ----------------------------------------------------------------------------
  anilist-security-schemes-defined:
    description: securitySchemes must be defined.
    severity: error
    given: $.components.securitySchemes
    then:
      function: truthy

  anilist-security-bearer-jwt:
    description: A bearerAuth scheme using JWT must be defined for authenticated mutations.
    severity: error
    given: $.components.securitySchemes.bearerAuth
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [type, scheme, bearerFormat]
          properties:
            type: { const: http }
            scheme: { const: bearer }
            bearerFormat: { const: JWT }

  anilist-security-oauth2-flows:
    description: An oauth2 security scheme with authorizationCode and implicit flows should be defined.
    severity: warn
    given: $.components.securitySchemes
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [oauth2]

  anilist-security-global:
    description: Spec must declare a global security stanza (including the public/empty option for the GraphQL endpoint).
    severity: warn
    given: $
    then:
      field: security
      function: truthy

  # ----------------------------------------------------------------------------
  # HTTP METHOD CONVENTIONS
  # ----------------------------------------------------------------------------
  anilist-graphql-post-only:
    description: The GraphQL endpoint must be exposed via POST only.
    severity: error
    given: $.paths['/']
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [post]
          not:
            anyOf:
              - required: [get]
              - required: [put]
              - required: [patch]
              - required: [delete]

  anilist-oauth-authorize-get:
    description: /api/v2/oauth/authorize must be a GET (browser redirect target).
    severity: error
    given: $.paths['/api/v2/oauth/authorize']
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [get]

  anilist-oauth-token-post:
    description: /api/v2/oauth/token must be a POST.
    severity: error
    given: $.paths['/api/v2/oauth/token']
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [post]

  # ----------------------------------------------------------------------------
  # GENERAL QUALITY
  # ----------------------------------------------------------------------------
  anilist-no-empty-descriptions:
    description: Descriptions must not be empty strings.
    severity: warn
    given: $..description
    then:
      function: truthy

  anilist-deprecation-documented:
    description: Deprecated operations should explain the replacement in the description.
    severity: info
    given: $.paths[*][?(@.deprecated == true)]
    then:
      field: description
      function: truthy

  anilist-external-docs-encouraged:
    description: Operations should reference the AniList docs site under externalDocs.
    severity: info
    given: $.paths[*][get,put,post,delete,patch,options,head]
    then:
      field: externalDocs
      function: truthy