statsig · API Governance Rules

statsig API Rules

Spectral linting rules defining API design standards and conventions for statsig.

10 Rules error 2 warn 5
View Rules File View on GitHub

Rule Categories

statsig

Rules

error
statsig-api-key-header
Statsig APIs require authentication via the statsig-api-key header. All operations must declare this security requirement.
$.paths[*][*]
warn
statsig-operation-ids-camel-case
Statsig API operation IDs use camelCase naming convention throughout the HTTP, Console, Events, Client SDK, and Server SDK APIs.
$.paths[*][*].operationId
warn
statsig-summaries-title-case
All Statsig API operation summaries must use Title Case for readability and consistency across all API specifications.
$.paths[*][*].summary
error
statsig-tags-required
Every Statsig API operation must declare at least one tag for proper documentation grouping.
$.paths[*][*]
warn
statsig-client-time-header
Log event operations in Statsig APIs require the STATSIG-CLIENT-TIME header for timestamp normalization. Operations that accept events must declare this header parameter.
$.paths['/log_event'][*].parameters[?(@.name == 'STATSIG-CLIENT-TIME')]
hint
statsig-pagination-parameters
Console API list operations use limit and page query parameters for pagination. List endpoints should declare these parameters.
$.paths[?(!@ =~ /.*\{.*\}.*/)]..get.parameters[?(@.name == 'limit')]
hint
statsig-api-version-header
The Console API uses STATSIG-API-VERSION header for versioning. Console API operations should declare this optional header parameter.
$.paths[*].get.parameters[?(@.name == 'STATSIG-API-VERSION')]
warn
statsig-console-resource-ids
Statsig Console API uses string-type IDs (gate names, config names) as path parameters rather than numeric IDs.
$.paths[*][*].parameters[?(@.name == 'id' && @.in == 'path')]
warn
statsig-events-202-response
Statsig event ingestion endpoints return 202 Accepted (not 200 OK) since events are processed asynchronously.
$.paths['/log_event'][*].responses
hint
statsig-success-boolean-response
Statsig API event endpoints return a simple {"success": true} response body on success. Responses should follow this consistent pattern.
$.paths['/log_event'][*].responses['202'].content['application/json'].schema.properties

Spectral Ruleset

Raw ↑ 
extends: spectral:oas
rules:
  statsig-api-key-header:
    description: >-
      Statsig APIs require authentication via the statsig-api-key header.
      All operations must declare this security requirement.
    message: >-
      Operations should declare statsig-api-key header authentication.
    severity: error
    given: "$.paths[*][*]"
    then:
      field: security
      function: truthy

  statsig-operation-ids-camel-case:
    description: >-
      Statsig API operation IDs use camelCase naming convention throughout
      the HTTP, Console, Events, Client SDK, and Server SDK APIs.
    message: "Operation ID '{{value}}' should use camelCase."
    severity: warn
    given: "$.paths[*][*].operationId"
    then:
      function: casing
      functionOptions:
        type: camel

  statsig-summaries-title-case:
    description: >-
      All Statsig API operation summaries must use Title Case for
      readability and consistency across all API specifications.
    message: "Summary '{{value}}' should be in Title Case."
    severity: warn
    given: "$.paths[*][*].summary"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][a-zA-Z0-9]*(\\s[A-Za-z][a-zA-Z0-9]*)*$"

  statsig-tags-required:
    description: >-
      Every Statsig API operation must declare at least one tag for
      proper documentation grouping.
    message: "Operations must declare at least one tag."
    severity: error
    given: "$.paths[*][*]"
    then:
      field: tags
      function: truthy

  statsig-client-time-header:
    description: >-
      Log event operations in Statsig APIs require the STATSIG-CLIENT-TIME
      header for timestamp normalization. Operations that accept events
      must declare this header parameter.
    message: >-
      Event logging endpoints must require the STATSIG-CLIENT-TIME header
      parameter.
    severity: warn
    given: "$.paths['/log_event'][*].parameters[?(@.name == 'STATSIG-CLIENT-TIME')]"
    then:
      field: required
      function: truthy

  statsig-pagination-parameters:
    description: >-
      Console API list operations use limit and page query parameters
      for pagination. List endpoints should declare these parameters.
    message: >-
      List operations should include limit and page query parameters
      for pagination.
    severity: hint
    given: "$.paths[?(!@ =~ /.*\\{.*\\}.*/)]..get.parameters[?(@.name == 'limit')]"
    then:
      field: schema.maximum
      function: truthy

  statsig-api-version-header:
    description: >-
      The Console API uses STATSIG-API-VERSION header for versioning.
      Console API operations should declare this optional header parameter.
    message: >-
      Console API operations should declare the STATSIG-API-VERSION header
      parameter.
    severity: hint
    given: "$.paths[*].get.parameters[?(@.name == 'STATSIG-API-VERSION')]"
    then:
      field: schema.default
      function: truthy

  statsig-console-resource-ids:
    description: >-
      Statsig Console API uses string-type IDs (gate names, config names)
      as path parameters rather than numeric IDs.
    message: >-
      Path parameter 'id' in Console API paths should be typed as string.
    severity: warn
    given: "$.paths[*][*].parameters[?(@.name == 'id' && @.in == 'path')]"
    then:
      field: schema.type
      function: enumeration
      functionOptions:
        values:
          - string

  statsig-events-202-response:
    description: >-
      Statsig event ingestion endpoints return 202 Accepted (not 200 OK)
      since events are processed asynchronously.
    message: >-
      Event logging operations should return 202 (Accepted) not 200 (OK)
      since events are processed asynchronously.
    severity: warn
    given: "$.paths['/log_event'][*].responses"
    then:
      field: "202"
      function: truthy

  statsig-success-boolean-response:
    description: >-
      Statsig API event endpoints return a simple {"success": true} response
      body on success. Responses should follow this consistent pattern.
    message: >-
      Event endpoint success responses should include a "success" boolean
      property.
    severity: hint
    given: "$.paths['/log_event'][*].responses['202'].content['application/json'].schema.properties"
    then:
      field: success
      function: truthy