@zapier/spectral-api-ruleset
Advanced tools
Ownership • Features • Installation • Usage • Exemptions • Development • Testing
#team-staff-engineering owns the API Design Guidelines and these spectral rules that help teams align with them.
MRs are always welcome!
This ruleset ships in two major version lines:
The 1.x series (latest: 1.9.0) was designed to help existing API services incrementally improve their alignment with Zapier's API Design Guidelines. Rules used warn and info severities to surface issues without blocking CI pipelines, giving teams time to address them.
Existing services can stay on 1.x. There is no requirement to upgrade — 1.x will continue to receive backported rule additions where appropriate.
The 2.x series is for new API services that should come out of the box fully aligned with all key API Design Guidelines. All rules are elevated to error severity (except rate-limit/503 rules which remain info since those concerns may be handled upstream by a proxy, load balancer, or WAF).
Key differences from 1.x:
anonymousServiceJwt, serviceAndUserJwt, and OAuth are allowed (legacy schemes like userJwt, apiKey, zapierSession require an exemption)api.zapier.comNew services should adopt 2.x. Zapier's API service templates will ship with 2.x lint rules configured.
| Scenario | Version |
|---|---|
| Existing service, already linting with 1.x | Stay on 1.9.0 (upgrade when ready) |
| New API service | Use 2.x |
API being promoted to public via api.zapier.com | Must pass 2.x rules |
Provides a Spectral linting ruleset to lint OpenAPI schemas against Zapier's API Design Guidelines.
pnpm add -D @stoplight/spectral-cli
pnpm add -D @zapier/spectral-api-ruleset
For some reason, installing the CLI globally and running
spectral lintornpx spectral lintalways fails to find the package. Adding the CLI as a local dependency and then runningpnpm exec spectral lintdoes work.
There are a few ways you can use this ruleset in your projects.
You can load the ruleset in a few different ways with Spectral.
They support direct http access, via NPM, and via the local file system.
If you'd like to extend the ruleset and and even more specific rules for your API service, you can
create a local spectral.yaml that extends the ruleset:
extends:
- '@zapier/spectral-api-ruleset'
Then run:
spectral lint your-schema.yaml --ruleset .spectral.yaml
or
pnpm exec spectral lint your-schema.yaml --ruleset .spectral.yaml
or
spectral lint your-schema.yaml --ruleset https://unpkg.com/@zapier/spectral-api-ruleset@{VERSION}/.spectral.yaml
depending on whether you installed the CLI locally or globally.
See the Spectral CLI docs for more details.
Use a GitLab job like the following:
openapi:lint:
stage: validate
before_script:
- mkdir spectral
script:
- pnpm exec spectral lint your-schema.yaml -o spectral/junit.xml -f junit
artifacts:
when: always
paths:
- spectral
reports:
junit: spectral/junit.xml
For non-TypeScript projects, you can use the spectral docker image to avoid installing additional dependencies.
openapi:lint:
stage: test
image:
name: stoplight/spectral:6.11.0
entrypoint: [""]
script:
- spectral lint openapi.yaml
only:
- merge_requests
See Continuous Integration docs and our own openapi:lint guideance in the Engineering Index for more details.
Some rules in this ruleset can be exempted on a case-by-case basis with approval from #team-staff-engineering. Below are the available exemptions and how to use them.
The zapier-sorting-parameter rule requires using order_by instead of sort_by or ordering for sorting parameters. If you need to use an alternative parameter name, you can request an exemption.
paths:
/test:
get:
parameters:
- name: sort_by
in: query
x-zapier-sorting-parameter-exempt: true
description: Field to sort by
The zapier-single-major-version-in-paths rule requires all paths to contain a major version (e.g., /v1/). If you need paths without versioning, you can request an exemption.
paths:
/no-version-but-exempt:
x-zapier-version-in-paths-exempt: true
get:
description: This path is exempt from versioning requirement
The zapier-allowed-auth-schemes rule requires using one of the allowed authentication schemes for new APIs (anonymousServiceJwt, serviceAndUserJwt, or OAuth). If you need to use a different scheme (e.g., legacy userJwt, apiKey, or custom HMAC signatures), you can request an exemption.
components:
securitySchemes:
hmacSignature:
type: apiKey
in: header
name: X-Signature
x-zapier-auth-scheme-exempt: true
description: Legacy HMAC signature scheme
pnpm install
pnpm test
pnpm run build
pnpm run validate
You can add rules to .spectral.yaml. See the Rules docs for details.
severity. In 2.x, all rules should be error unless the rule covers something that may be handled upstream (e.g., rate limiting, service unavailability), in which case use info.description, as well as a documentationUrl that points to the relevant guide or guide section.message, which in most cases should just be {{error}}.tests/spectral.test.ts for all new rules.This project uses Vitest for testing. To run the tests:
pnpm test
GitLab CI will automatically publish the package to NPM when a merge request is merged into the main branch.
Be sure to update the package version in package.json accordingly before merging.
FAQs
Spectral ruleset for Zapier API Guidelines.
The npm package @zapier/spectral-api-ruleset receives a total of 7,763 weekly downloads. As such, @zapier/spectral-api-ruleset popularity was classified as popular.
We found that @zapier/spectral-api-ruleset demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Malicious Namastex.ai npm packages appear to replicate TeamPCP-style Canister Worm tradecraft, including exfiltration and self-propagation.
Product
Explore exportable charts for vulnerabilities, dependencies, and usage with Reports, Socket’s new extensible reporting framework.
Product
Socket for Jira lets teams turn alerts into Jira tickets with manual creation, automated ticketing rules, and two-way sync.