TIAA · API Governance Rules

TIAA API Rules

Spectral linting rules defining API design standards and conventions for TIAA.

13 Rules error 5 warn 6 info 2

View Rules File View on GitHub

Rule Categories

tiaa

Rules

warn

tiaa-operation-ids-kebab-case

Operation IDs must use camelCase (TIAA convention)

$.paths[*][*].operationId

warn

tiaa-tags-title-case

All tags must use Title Case

$.tags[*].name

error

tiaa-paths-kebab-case

Path segments must use kebab-case

$.paths[*]~

error

tiaa-security-oauth2-required

All operations must require OAuth2 security

$.paths[*][get,post,put,patch,delete]

warn

tiaa-responses-have-200

GET operations must include a 200 response

$.paths[*].get

warn

tiaa-responses-have-content

200 responses should include a content schema

$.paths[*][*].responses.200

error

tiaa-request-bodies-have-schema

Request bodies must define a JSON schema

$.paths[*][post,put,patch].requestBody.content.application/json

error

tiaa-components-schemas-defined

All $ref references must resolve within components/schemas

$.paths[*][*].responses[*].content[*].schema.$ref

warn

tiaa-sensitive-data-description

Fields handling SSN or PII must have a description

$.components.schemas[*].properties[ssn,socialSecurityNumber,taxId]

info

tiaa-pagination-on-list-operations

List operations should support pagination parameters

$.paths[*].get

error

tiaa-servers-https-only

All server URLs must use HTTPS

$.servers[*].url

warn

tiaa-info-contact-defined

API info must include contact information

$.info

info

tiaa-financial-amount-type

Financial amount fields should use number type with double format

$.components.schemas[*].properties[amount,balance,currentBalance,marketValue,costBasis]

Spectral Ruleset

extends:
  - spectral:oas

rules:
  tiaa-operation-ids-kebab-case:
    description: Operation IDs must use camelCase (TIAA convention)
    severity: warn
    given: "$.paths[*][*].operationId"
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]+$"

  tiaa-tags-title-case:
    description: All tags must use Title Case
    severity: warn
    given: "$.tags[*].name"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][a-zA-Z0-9 &-]+$"

  tiaa-paths-kebab-case:
    description: Path segments must use kebab-case
    severity: error
    given: "$.paths[*]~"
    then:
      function: pattern
      functionOptions:
        match: "^(/[a-z][a-z0-9-]*|/\\{[a-zA-Z][a-zA-Z0-9]+\\})*$"

  tiaa-security-oauth2-required:
    description: All operations must require OAuth2 security
    severity: error
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: security
      function: defined

  tiaa-responses-have-200:
    description: GET operations must include a 200 response
    severity: warn
    given: "$.paths[*].get"
    then:
      field: responses.200
      function: defined

  tiaa-responses-have-content:
    description: 200 responses should include a content schema
    severity: warn
    given: "$.paths[*][*].responses.200"
    then:
      field: content
      function: defined

  tiaa-request-bodies-have-schema:
    description: Request bodies must define a JSON schema
    severity: error
    given: "$.paths[*][post,put,patch].requestBody.content.application/json"
    then:
      field: schema
      function: defined

  tiaa-components-schemas-defined:
    description: All $ref references must resolve within components/schemas
    severity: error
    given: "$.paths[*][*].responses[*].content[*].schema.$ref"
    then:
      function: truthy

  tiaa-sensitive-data-description:
    description: Fields handling SSN or PII must have a description
    severity: warn
    given: "$.components.schemas[*].properties[ssn,socialSecurityNumber,taxId]"
    then:
      field: description
      function: defined

  tiaa-pagination-on-list-operations:
    description: List operations should support pagination parameters
    severity: info
    given: "$.paths[*].get"
    then:
      function: schema
      functionOptions:
        schema:
          properties:
            operationId:
              pattern: "^list"

  tiaa-servers-https-only:
    description: All server URLs must use HTTPS
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  tiaa-info-contact-defined:
    description: API info must include contact information
    severity: warn
    given: "$.info"
    then:
      field: contact
      function: defined

  tiaa-financial-amount-type:
    description: Financial amount fields should use number type with double format
    severity: info
    given: "$.components.schemas[*].properties[amount,balance,currentBalance,marketValue,costBasis]"
    then:
      function: schema
      functionOptions:
        schema:
          properties:
            type:
              const: number
            format:
              const: double