Stitch · API Governance Rules

Stitch API Rules

Spectral linting rules defining API design standards and conventions for Stitch.

7 rules (5 error, 2 warn)

Rule Categories

stitch

Rules (severity, rule name, description, JSONPath the rule is evaluated against)

stitch-bearer-auth-required (error)
  All Stitch GraphQL operations must use Bearer token authentication obtained from the OAuth 2.0 token endpoint.
  Given: $.components.securitySchemes

stitch-graphql-endpoint-post-only (error)
  The Stitch GraphQL endpoint (/graphql) must only accept POST requests.
  Given: $.paths./graphql

stitch-response-200-required (error)
  All Stitch operations must define a 200 success response.
  Given: $.paths[*][*]

stitch-operationid-camel-case (warn)
  OperationIds must use camelCase.
  Given: $.paths[*][*].operationId

stitch-tags-title-case (warn)
  All operation tags must use Title Case.
  Given: $.paths[*][*].tags[*]

stitch-server-https (error)
  All Stitch API servers must use HTTPS.
  Given: $.servers[*].url

stitch-token-endpoint-form-encoded (error)
  The Stitch OAuth token endpoint must accept application/x-www-form-urlencoded content type per OAuth 2.0 specification.
  Given: $.paths./connect/token.post.requestBody.content

Spectral Ruleset

extends: spectral:oas
rules:
  stitch-bearer-auth-required:
    description: >-
      All Stitch GraphQL operations must use Bearer token authentication
      obtained from the OAuth 2.0 token endpoint.
    message: "Operations must declare BearerAuth security scheme."
    severity: error
    given: "$.components.securitySchemes"
    then:
      field: BearerAuth
      function: defined

  stitch-graphql-endpoint-post-only:
    description: >-
      The Stitch GraphQL endpoint (/graphql) must only accept POST requests.
    message: "GraphQL endpoint must use POST method."
    severity: error
    given: "$.paths./graphql"
    then:
      field: post
      function: defined

  stitch-response-200-required:
    description: All Stitch operations must define a 200 success response.
    message: "Operation '{{operationId}}' is missing a 200 response."
    severity: error
    given: "$.paths[*][*]"
    then:
      field: responses.200
      function: defined

  stitch-operationid-camel-case:
    description: OperationIds must use camelCase.
    message: "OperationId '{{value}}' must be camelCase."
    severity: warn
    given: "$.paths[*][*].operationId"
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]*$"

  stitch-tags-title-case:
    description: All operation tags must use Title Case.
    message: "Tag '{{value}}' must use Title Case."
    severity: warn
    given: "$.paths[*][*].tags[*]"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][a-zA-Z0-9 &-]*$"

  stitch-server-https:
    description: All Stitch API servers must use HTTPS.
    message: "Server URL must use HTTPS."
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  stitch-token-endpoint-form-encoded:
    description: >-
      The Stitch OAuth token endpoint must accept application/x-www-form-urlencoded
      content type per OAuth 2.0 specification.
    message: "Token endpoint must accept application/x-www-form-urlencoded."
    severity: error
    given: "$.paths./connect/token.post.requestBody.content"
    then:
      field: application/x-www-form-urlencoded
      function: defined
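As an added example that is not part of the Stitch ruleset, the Python below re-implements six of the rules above over a constructed OpenAPI document so the exact scope of each check is visible, then goes one step beyond the page with two checks the ruleset as written does not make: `function: defined` only confirms that the `BearerAuth` scheme and the `post` method exist, so a `get` on `/graphql` or an operation with no `security` requirement still passes the lint. The sample spec and the rule names `graphql-non-post-method` and `operation-security-missing` are assumptions, not Stitch's.

```python
import re
# Constructed sample (not a real Stitch spec): BearerAuth is defined, /graphql exposes
# GET as well as POST, and no operation declares a `security` requirement.
SAMPLE_SPEC = {
    "servers": [{"url": "https://api.example.test"}, {"url": "http://localhost:8080"}],
    "components": {"securitySchemes": {"BearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {"/graphql": {
        "post": {"operationId": "runGraphqlQuery", "tags": ["Graph QL"], "responses": {"200": {}}},
        "get": {"operationId": "GraphqlGet", "tags": ["graphql"], "responses": {"400": {}}},
    }},
}
CAMEL_CASE = re.compile(r"^[a-z][a-zA-Z0-9]*$")     # stitch-operationid-camel-case
TITLE_CASE = re.compile(r"^[A-Z][a-zA-Z0-9 &-]*$")  # stitch-tags-title-case

def lint(spec):
    """Return (rule, severity, jsonpath) findings for the six path/server rules above."""
    findings = []
    # `function: defined` only checks that a key exists: it requires BearerAuth and
    # `post` to be present, but never rejects a `get` on /graphql.
    if "BearerAuth" not in spec.get("components", {}).get("securitySchemes", {}):
        findings.append(("stitch-bearer-auth-required", "error", "$.components.securitySchemes"))
    graphql = spec.get("paths", {}).get("/graphql")
    if graphql is not None and "post" not in graphql:
        findings.append(("stitch-graphql-endpoint-post-only", "error", "$.paths./graphql"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            loc = f"$.paths.{path}.{method}"
            if "200" not in op.get("responses", {}):
                findings.append(("stitch-response-200-required", "error", loc))
            if (op_id := op.get("operationId")) and not CAMEL_CASE.match(op_id):
                findings.append(("stitch-operationid-camel-case", "warn", loc + ".operationId"))
            if any(not TITLE_CASE.match(t) for t in op.get("tags", [])):
                findings.append(("stitch-tags-title-case", "warn", loc + ".tags"))
    for i, server in enumerate(spec.get("servers", [])):
        if not server.get("url", "").startswith("https://"):
            findings.append(("stitch-server-https", "error", f"$.servers[{i}].url"))
    return findings

def stricter_findings(spec):
    """Two checks the ruleset does not make (an assumed tighter policy, not Stitch's):
    /graphql must expose only POST, and every operation needs a security requirement."""
    findings = []
    for method in spec.get("paths", {}).get("/graphql", {}):
        if method != "post":
            findings.append(("graphql-non-post-method", "error", f"$.paths./graphql.{method}"))
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if not op.get("security") and not spec.get("security"):
                findings.append(("operation-security-missing", "error", f"$.paths.{path}.{method}"))
    return findings
```

Running `lint(SAMPLE_SPEC)` reports the missing 200 response, the non-camelCase operationId, the lowercase tag and the http:// server, while only `stricter_findings(SAMPLE_SPEC)` flags the GET on /graphql and the missing security requirements.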