Restaurant Brands International · API Governance Rules

Restaurant Brands International API Rules

Spectral linting rules defining API design standards and conventions for Restaurant Brands International.

25 Rules error 6 warn 12 info 7
View Rules File View on GitHub

Rule Categories

info no openapi operation parameter paths request response schema security servers tag

Rules

error
info-title-required
API must declare a title.
$.info
warn
info-description-required
API must have a description of at least 40 characters.
$.info
error
info-version-required
API must declare a version.
$.info
warn
info-version-semver
API version should be semantic (e.g. 1.0.0).
$.info.version
warn
openapi-version-31
RBI Partners specs are authored against OpenAPI 3.1.0.
$
error
servers-defined
At least one server must be defined.
$
error
servers-https
Server URLs must use HTTPS.
$.servers[*].url
info
servers-rbictg-host
Production/sandbox servers should resolve to an rbictg.com host.
$.servers[*].url
warn
paths-no-trailing-slash
Paths must not end with a trailing slash.
$.paths[*]~
info
paths-version-prefix
RBI Partners resources are served under an /api/v{n} server prefix; path keys stay version-relative.
$.paths[*]~
error
operation-operationId-required
Every operation must declare an operationId.
$.paths[*][get,post,put,patch,delete]
warn
operation-operationId-camel
operationId must be camelCase (e.g. priceOrder, getStores).
$.paths[*][get,post,put,patch,delete].operationId
warn
operation-summary-required
Every operation must have a summary.
$.paths[*][get,post,put,patch,delete]
warn
operation-summary-title-case
Operation summaries should be Title Case (first letter uppercase).
$.paths[*][get,post,put,patch,delete].summary
warn
operation-tags-required
Every operation must be tagged for grouping.
$.paths[*][get,post,put,patch,delete]
info
tag-name-defined
Tags used on operations should be declared in the global tags array.
$.tags[*]
warn
parameter-description-required
Parameters should be described.
$.paths[*][*].parameters[*]
info
parameter-region-header
Region context is conveyed via the x-region header on the loyalty middleware surface.
$..parameters[?(@.in=='header')].name
warn
request-body-json
Request bodies should offer application/json content.
$.paths[*][post,put,patch].requestBody.content
warn
response-2xx-required
Every operation must define at least one success (2xx) response.
$.paths[*][get,post,put,patch,delete].responses
info
response-error-coverage
Operations should document error responses (400/401/404).
$.paths[*][get,post,put,patch,delete].responses
error
security-scheme-defined
A security scheme must be defined; RBI Partners uses bearer JWT.
$.components.securitySchemes
info
security-bearer-jwt
HTTP bearer schemes should declare the JWT bearerFormat.
$.components.securitySchemes[?(@.scheme=='bearer')]
info
schema-type-defined
Component schemas should declare a type.
$.components.schemas[*]
warn
no-empty-descriptions
Descriptions, when present, must not be empty.
$..description

Spectral Ruleset

Raw ↑ 
# Spectral ruleset for Restaurant Brands International (RBI) — Partners API
#
# Derived from the published RBI Developer Portal OpenAPI specifications
# (Burger King's Partners API v1 "channel" and v2 "menu"). These rules encode
# the conventions observed across RBI's own specs so that future RBI / brand
# (Burger King, Tim Hortons, Popeyes, Firehouse Subs) API definitions stay
# consistent with the platform contract.
#
# Usage: spectral lint openapi/*.yml --ruleset rules/restaurant-brands-spectral-rules.yml

extends:
  - "spectral:oas"

rules:

  # ── INFO / METADATA ─────────────────────────────────────────────
  info-title-required:
    description: API must declare a title.
    severity: error
    given: $.info
    then:
      field: title
      function: truthy
  info-description-required:
    description: API must have a description of at least 40 characters.
    severity: warn
    given: $.info
    then:
      field: description
      function: length
      functionOptions:
        min: 40
  info-version-required:
    description: API must declare a version.
    severity: error
    given: $.info
    then:
      field: version
      function: truthy
  info-version-semver:
    description: API version should be semantic (e.g. 1.0.0).
    severity: warn
    given: $.info.version
    then:
      function: pattern
      functionOptions:
        match: "^[0-9]+\\.[0-9]+\\.[0-9]+$"

  # ── OPENAPI VERSION ─────────────────────────────────────────────
  openapi-version-31:
    description: RBI Partners specs are authored against OpenAPI 3.1.0.
    severity: warn
    given: $
    then:
      field: openapi
      function: pattern
      functionOptions:
        match: "^3\\.1\\."

  # ── SERVERS ─────────────────────────────────────────────────────
  servers-defined:
    description: At least one server must be defined.
    severity: error
    given: $
    then:
      field: servers
      function: truthy
  servers-https:
    description: Server URLs must use HTTPS.
    severity: error
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "^https://"
  servers-rbictg-host:
    description: Production/sandbox servers should resolve to an rbictg.com host.
    severity: info
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "rbictg\\.com"

  # ── PATHS — NAMING ──────────────────────────────────────────────
  paths-no-trailing-slash:
    description: Paths must not end with a trailing slash.
    severity: warn
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        notMatch: ".+/$"
  paths-version-prefix:
    description: RBI Partners resources are served under an /api/v{n} server prefix; path keys stay version-relative.
    severity: info
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        notMatch: "^/api/v[0-9]"

  # ── OPERATIONS ──────────────────────────────────────────────────
  operation-operationId-required:
    description: Every operation must declare an operationId.
    severity: error
    given: $.paths[*][get,post,put,patch,delete]
    then:
      field: operationId
      function: truthy
  operation-operationId-camel:
    description: operationId must be camelCase (e.g. priceOrder, getStores).
    severity: warn
    given: $.paths[*][get,post,put,patch,delete].operationId
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]*$"
  operation-summary-required:
    description: Every operation must have a summary.
    severity: warn
    given: $.paths[*][get,post,put,patch,delete]
    then:
      field: summary
      function: truthy
  operation-summary-title-case:
    description: Operation summaries should be Title Case (first letter uppercase).
    severity: warn
    given: $.paths[*][get,post,put,patch,delete].summary
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z]"
  operation-tags-required:
    description: Every operation must be tagged for grouping.
    severity: warn
    given: $.paths[*][get,post,put,patch,delete]
    then:
      field: tags
      function: truthy

  # ── TAGS ────────────────────────────────────────────────────────
  tag-name-defined:
    description: Tags used on operations should be declared in the global tags array.
    severity: info
    given: $.tags[*]
    then:
      field: name
      function: truthy

  # ── PARAMETERS ──────────────────────────────────────────────────
  parameter-description-required:
    description: Parameters should be described.
    severity: warn
    given: $.paths[*][*].parameters[*]
    then:
      field: description
      function: truthy
  parameter-region-header:
    description: Region context is conveyed via the x-region header on the loyalty middleware surface.
    severity: info
    given: $..parameters[?(@.in=='header')].name
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-z0-9-]*$"

  # ── REQUEST BODIES ──────────────────────────────────────────────
  request-body-json:
    description: Request bodies should offer application/json content.
    severity: warn
    given: $.paths[*][post,put,patch].requestBody.content
    then:
      field: application/json
      function: truthy

  # ── RESPONSES ───────────────────────────────────────────────────
  response-2xx-required:
    description: Every operation must define at least one success (2xx) response.
    severity: warn
    given: $.paths[*][get,post,put,patch,delete].responses
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          minProperties: 1
  response-error-coverage:
    description: Operations should document error responses (400/401/404).
    severity: info
    given: $.paths[*][get,post,put,patch,delete].responses
    then:
      function: schema
      functionOptions:
        schema:
          type: object

  # ── SECURITY ────────────────────────────────────────────────────
  security-scheme-defined:
    description: A security scheme must be defined; RBI Partners uses bearer JWT.
    severity: error
    given: $.components.securitySchemes
    then:
      function: truthy
  security-bearer-jwt:
    description: HTTP bearer schemes should declare the JWT bearerFormat.
    severity: info
    given: $.components.securitySchemes[?(@.scheme=='bearer')]
    then:
      field: bearerFormat
      function: truthy

  # ── SCHEMAS ─────────────────────────────────────────────────────
  schema-type-defined:
    description: Component schemas should declare a type.
    severity: info
    given: $.components.schemas[*]
    then:
      function: schema
      functionOptions:
        schema:
          type: object

  # ── GENERAL QUALITY ─────────────────────────────────────────────
  no-empty-descriptions:
    description: Descriptions, when present, must not be empty.
    severity: warn
    given: $..description
    then:
      function: truthy