Microsoft Azure API Management · API Governance Rules

Microsoft Azure API Management API Rules

Spectral linting rules defining API design standards and conventions for Microsoft Azure API Management.

15 Rules error 1 warn 6 info 8
View Rules File View on GitHub

Rule Categories

azure

Rules

warn
azure-operation-id-format
Operation IDs must follow the {Resource}_{Action} pattern (e.g., Api_Get, ApiManagementService_CreateOrUpdate).
$.paths[*][get,put,post,patch,delete,head].operationId
warn
azure-operation-description
Every operation must have a description.
$.paths[*][get,put,post,patch,delete,head]
warn
azure-operation-summary
Every operation must have a summary.
$.paths[*][get,put,post,patch,delete,head]
warn
azure-operation-tags
Every operation must have at least one tag.
$.paths[*][get,put,post,patch,delete,head]
info
azure-arm-path-pattern
Paths should follow Azure Resource Manager conventions, starting with /subscriptions or /providers.
$.paths
warn
azure-provider-namespace
Resource provider paths must use a Microsoft.* namespace (e.g., Microsoft.ApiManagement).
$.paths
info
azure-auth-scheme-defined
The API should define an azure_auth OAuth2 security scheme.
$.components.securitySchemes
info
azure-global-security
The API should have global security referencing azure_auth.
$
info
azure-error-response
Operations should include a default error response for consistent error handling.
$.paths[*][get,put,post,patch,delete,head].responses
warn
azure-response-description
Success responses must have a description.
$.paths[*][get,put,post,patch,delete,head].responses.200
error
azure-api-version-info
The API info object must specify a version.
$.info
info
azure-management-server
ARM APIs should use https://management.azure.com as the server URL.
$.servers[*].url
info
azure-operationid-tag-consistency
The operation ID prefix (before underscore) should align with the operation tag for consistency.
$.paths[*][get,put,post,patch,delete,head]
info
azure-contact-info
API info should include contact information.
$.info
info
azure-license-info
API info should include license information.
$.info

Spectral Ruleset

Raw ↑ 
extends:
  - spectral:oas

rules:

  # ---------------------------------------------------------------------------
  # Operation ID naming convention: {Resource}_{Action}
  # ---------------------------------------------------------------------------
  azure-operation-id-format:
    description: Operation IDs must follow the {Resource}_{Action} pattern (e.g., Api_Get, ApiManagementService_CreateOrUpdate).
    severity: warn
    given: "$.paths[*][get,put,post,patch,delete,head].operationId"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][a-zA-Z0-9]*(_[A-Z][a-zA-Z0-9]*)+$"

  # ---------------------------------------------------------------------------
  # Every operation must have a description
  # ---------------------------------------------------------------------------
  azure-operation-description:
    description: Every operation must have a description.
    severity: warn
    given: "$.paths[*][get,put,post,patch,delete,head]"
    then:
      field: description
      function: truthy

  # ---------------------------------------------------------------------------
  # Every operation must have a summary
  # ---------------------------------------------------------------------------
  azure-operation-summary:
    description: Every operation must have a summary.
    severity: warn
    given: "$.paths[*][get,put,post,patch,delete,head]"
    then:
      field: summary
      function: truthy

  # ---------------------------------------------------------------------------
  # Every operation must have tags
  # ---------------------------------------------------------------------------
  azure-operation-tags:
    description: Every operation must have at least one tag.
    severity: warn
    given: "$.paths[*][get,put,post,patch,delete,head]"
    then:
      field: tags
      function: truthy

  # ---------------------------------------------------------------------------
  # ARM paths should start with /subscriptions or /providers
  # ---------------------------------------------------------------------------
  azure-arm-path-pattern:
    description: Paths should follow Azure Resource Manager conventions, starting with /subscriptions or /providers.
    severity: info
    given: "$.paths"
    then:
      function: pattern
      functionOptions:
        match: "^/(subscriptions|providers)/.*$"
    # NOTE: This rule is expressed at the path-key level via the custom function below.
    # Spectral cannot iterate object keys natively, so we use oas-path-param instead.

  # ---------------------------------------------------------------------------
  # Paths containing /providers/ must use Microsoft.* namespace
  # ---------------------------------------------------------------------------
  azure-provider-namespace:
    description: Resource provider paths must use a Microsoft.* namespace (e.g., Microsoft.ApiManagement).
    severity: warn
    given: "$.paths"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          patternProperties:
            ".*providers.*":
              description: Provider paths are present
          additionalProperties: true

  # ---------------------------------------------------------------------------
  # Security scheme should define OAuth2 (azure_auth)
  # ---------------------------------------------------------------------------
  azure-auth-scheme-defined:
    description: The API should define an azure_auth OAuth2 security scheme.
    severity: info
    given: "$.components.securitySchemes"
    then:
      field: azure_auth
      function: truthy

  # ---------------------------------------------------------------------------
  # Global security should reference azure_auth
  # ---------------------------------------------------------------------------
  azure-global-security:
    description: The API should have global security referencing azure_auth.
    severity: info
    given: "$"
    then:
      field: security
      function: truthy

  # ---------------------------------------------------------------------------
  # Responses should include a default or error response
  # ---------------------------------------------------------------------------
  azure-error-response:
    description: Operations should include a default error response for consistent error handling.
    severity: info
    given: "$.paths[*][get,put,post,patch,delete,head].responses"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          anyOf:
            - required: ["default"]
            - required: ["4XX"]
            - required: ["400"]
            - required: ["404"]

  # ---------------------------------------------------------------------------
  # 200 response should have a description
  # ---------------------------------------------------------------------------
  azure-response-description:
    description: Success responses must have a description.
    severity: warn
    given: "$.paths[*][get,put,post,patch,delete,head].responses.200"
    then:
      field: description
      function: truthy

  # ---------------------------------------------------------------------------
  # Info must have a version
  # ---------------------------------------------------------------------------
  azure-api-version-info:
    description: The API info object must specify a version.
    severity: error
    given: "$.info"
    then:
      field: version
      function: truthy

  # ---------------------------------------------------------------------------
  # Server URL should use management.azure.com for ARM APIs
  # ---------------------------------------------------------------------------
  azure-management-server:
    description: ARM APIs should use https://management.azure.com as the server URL.
    severity: info
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  # ---------------------------------------------------------------------------
  # Operation ID should match the tag prefix
  # ---------------------------------------------------------------------------
  azure-operationid-tag-consistency:
    description: The operation ID prefix (before underscore) should align with the operation tag for consistency.
    severity: info
    given: "$.paths[*][get,put,post,patch,delete,head]"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required:
            - operationId
            - tags

  # ---------------------------------------------------------------------------
  # Contact info should be present
  # ---------------------------------------------------------------------------
  azure-contact-info:
    description: API info should include contact information.
    severity: info
    given: "$.info"
    then:
      field: contact
      function: truthy

  # ---------------------------------------------------------------------------
  # License should be present
  # ---------------------------------------------------------------------------
  azure-license-info:
    description: API info should include license information.
    severity: info
    given: "$.info"
    then:
      field: license
      function: truthy