From 271bcf58c9a528a75bb1824640f8af30e13b1eb8 Mon Sep 17 00:00:00 2001
From: Ralf Handl The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. An OpenAPI Description (OAD) MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, Reference Object and Path Item Object Any document consisting entirely of an OpenAPI Object is known as a complete OpenAPI document.
+ Any document consisting entirely of an OpenAPI Object is known as a syntactically complete OpenAPI document.
+An OpenAPI document that does not reference any other documents is known as a self-contained OpenAPI document.
+A single-document description is therefore both syntactically complete and self-contained.
In a multi-document description, the document containing the OpenAPI Object where parsing begins for a specific API’s description is known as that API’s entry OpenAPI document, or simply entry document. It is RECOMMENDED that the entry OpenAPI document be named: When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such as Operation Objects, Response Objects, Reference Objects, etc.) based on the parsing context. Depending on how references are arranged, a given JSON or YAML object can be parsed in multiple different contexts: See Appendix F: Resolving Security Requirements in a Referenced Document for an example of the possible resolutions, including which one is recommended by this section.
The behavior for Discrimator Object non-URI mappings and for the Operation Object’s Note that no aspect of implicit connection resolution changes how URLs are resolved or restricts their possible targets. See also Appendix C: Using RFC6570-Based Serialization for additional guidance. For more complex scenarios, the See also Appendix C: Using RFC6570 Implementations for additional guidance. See also Appendix C: Using RFC6570-Based Serialization for additional guidance. The role of What is the OpenAPI Specification?
The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for HTTP APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.Status of This Document
The source-of-truth for this specification is the HTML file referenced above as This version.What is the OpenAPI Specification?
The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for HTTP APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service.Status of This Document
The source-of-truth for this specification is the HTML file referenced above as This version.OpenAPI Specification v3.0.4
$ref
keywords, as well as the Link Object operationRef
keyword, are used.openapi.json
or openapi.yaml
.
-
@@ -401,7 +403,7 @@ OpenAPI Specification v3.0.4
Security Requirement in a Referenced Document for an example of the possible resolutions, including which one is recommended by this section.
+
tags
field operate on the same principles.OpenAPI Specification v3.0.4
"variables": {
"username": {
"default": "demo",
- "description": "this value is assigned by the service provider, in this example `gigantic-server.com`"
+ "description": "A user-specific subdomain. Use `demo` for a free sandbox environment."
},
"port": {
"enum": ["8443", "443"],
@@ -798,7 +800,7 @@
OpenAPI Specification v3.0.4
username:
# note! no enum here means it is an open value
default: demo
- description: this value is assigned by the service provider, in this example `gigantic-server.com`
+ description: A user-specific subdomain. Use `demo` for a free sandbox environment.
port:
enum:
- '8443'
@@ -828,7 +830,7 @@
OpenAPI Specification v3.0.4
default
-string
REQUIRED. The default value to use for substitution, which SHALL be sent if an alternate value is not supplied. Note this behavior is different than the Schema Object’s treatment of default values, because in those cases parameter values are optional. If the
+enum
is defined, the value SHOULD exist in the enum’s values.REQUIRED. The default value to use for substitution, which SHALL be sent if an alternate value is not supplied. If the
enum
is defined, the value SHOULD exist in the enum’s values. Note that this behavior is different from the Schema Object’s default
keyword, which documents the receiver’s behavior rather than inserting the value into the data.
description
@@ -1605,7 +1607,7 @@ OpenAPI Specification v3.0.4
allowReserved
-boolean
When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including
+%
outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([
, ]
, #
), or have a special meaning in application/x-www-form-urlencoded
(-
, &
, +
); see Appendices C and E for details. This field only applies to parameters with an in
value of query
. The default value is false
.When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including
%
outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([
, ]
, #
), or have a special meaning in application/x-www-form-urlencoded
(-
, &
, +
); see Appendices C and E for details. This field only applies to parameters with an in
value of query
. The default value is false
.
-schema
@@ -1624,7 +1626,7 @@ OpenAPI Specification v3.0.4
Appendix C: Using RFC6570 Implementations for additional guidance.
+
content
field can define the media type and schema of the parameter, as well as give examples of its use.
Using content
with a text/plain
media type is RECOMMENDED for in: "header"
and in: "cookie"
parameters where the schema
strategy is not appropriate.OpenAPI Specification v3.0.4
RFC6570] Section 2.3 terminology, which describes certain values including but not limited to
null
as “undefined” values with special handling; notably, the empty string is not undefined
-form
and the non-RFC6570 query string styles spaceDelimited
, pipeDelimited
, and deepObject
, each example is shown prefixed with ?
as if it were the only query parameter; see Appendix C for more information on constructing query strings from multiple parameters, and Appendix D for warnings regarding form
and cookie parametersform
and the non-RFC6570 query string styles spaceDelimited
, pipeDelimited
, and deepObject
, each example is shown prefixed with ?
as if it were the only query parameter; see Appendix C for more information on constructing query strings from multiple parameters, and Appendix D for warnings regarding form
and cookie parameters?
prefix is not appropriate for serializing application/x-www-form-urlencoded
HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the Encoding Object for more information|
(%7C
), [
(%5B
), and ]
(%5D
) seem to work in some environments despite not being compliant.OpenAPI Specification v3.0.4
allowReserved
-boolean
When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including
+%
outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([
, ]
, #
), or have a special meaning in application/x-www-form-urlencoded
(-
, &
, +
); see Appendices C and E for details. The default value is false
. This field SHALL be ignored if the request body media type is not application/x-www-form-urlencoded
.When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including
%
outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([
, ]
, #
), or have a special meaning in application/x-www-form-urlencoded
(-
, &
, +
); see Appendices C and E for details. The default value is false
. This field SHALL be ignored if the request body media type is not application/x-www-form-urlencoded
.contentType
with application/x-www-form-urlencoded
request bodies was not described in detail in version 3.0.3 and earlier of this specification.
To match the intent of these fields and be compatible with version 3.1 of this specification, it is RECOMMENDED that whenever any of style
, explode
, or allowReserved
are present with an explicit value:
@@ -3023,9 +3025,10 @@
OpenAPI Specification v3.0.4
MAY be extended with Specification Extensions.
A linked operation MUST be identified using either an operationRef
or operationId
.
-In the case of an operationId
, it MUST be unique and resolved in the scope of the OpenAPI description.
-Because of the potential for name clashes, the operationRef
syntax is preferred
-for multi-document OpenAPI descriptions.
operationId
, it MUST be resolved within the scope of the OpenAPI Description (OAD).
+Because of the potential for name clashes, the operationRef
syntax is preferred for multi-document OADs.
+However, because use of an operation depends on its URL path template in the Paths Object, operations from any Path Item Object that is referenced multiple times within the OAD cannot be resolved unambiguously.
+In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error.
Note that it is not possible to provide a constant value to parameters
that matches the syntax of a runtime expression.
It is possible to have ambiguous parameter names, e.g. name: "id", in: "path"
and name: "path.id", in: "query"
; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (path.id
as a path parameter), as the names can always be qualified to disambiguate them (e.g. using query.path.id
for the query parameter).
See also Appendix C: Using RFC6570-Based Serialization for additional guidance.
For more complex scenarios, the content
field can define the media type and schema of the header, as well as give examples of its use.
Using content
with a text/plain
media type is RECOMMENDED for headers where the schema
strategy is not appropriate.
See also Appendix F: Resolving Security Requirements in a Referenced Document for an example using Security Requirement Objects in multi-document OpenAPI Descriptions.
{
"api_key": []
@@ -4510,81 +4514,6 @@ OpenAPI Specification v3.0.4
- write:pets
- read:pets
-See Resolving Implicit Connections for more information.
-First, our entry document is where parsing begins. It defines the MySecurity
security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document:
GET /api/description/openapi HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+json
-
-"components": {
- "securitySchemes": {
- "MySecurity": {
- "type": "http",
- "scheme": "bearer",
- "bearerFormat": "JWT"
- }
- }
-},
-"paths": {
- "/foo": {
- "$ref": "other#/components/pathItems/Foo"
- }
-}
-
-GET /api/description/openapi HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+yaml
-
-components:
- securitySchemes:
- MySecurity:
- type: http
- scheme: bearer
- bearerFormat: JWT
-paths:
- /foo:
- $ref: 'other#/components/pathItems/Foo'
-
-Next, we have our referenced document, other
. The fact that we don’t use file extensions gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available:
GET /api/description/other HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+json
-
-"components": {
- "securitySchemes": {
- "MySecurity": {
- "type": "http",
- "scheme": "basic"
- }
- },
- "pathItems": {
- "Foo": {
- "get": {
- "security": [
- "MySecurity": []
- ]
- }
- }
- }
-}
-
-GET /api/description/other HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+yaml
-
-components:
- securitySchemes:
- MySecurity:
- type: http
- scheme: basic
- pathItems:
- Foo:
- get:
- security:
- - MySecurity: []
-
-In the other
document, the referenced path item has a Security Requirement for a Security Scheme, MySecurity
. The same Security Scheme exists in the original entry document. As outlined in Resolving Implicit Connections, MySecurity
is resolved with an implementation-defined behavior. However, documented in that section, it is RECOMMENDED that tools resolve component names from the entry document. As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported.
While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points.
The extensions properties are implemented as patterned fields that are always prefixed by x-
.
decimal
in the Format Registry) are less clear.
However, care must be taken with format
to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored.
Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types.
-Serialization is defined in terms of [RFC6570] URI Templates in two scenarios:
+Serialization is defined in terms of [RFC6570] URI Templates in three scenarios:
When schema is present |
+|||
Encoding Object | When encoding for application/x-www-form-urlencoded and any of style , explode , or allowReserved are used |
[Security Requirement Object] | -A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement ({} ) can be included in the array. |
+A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. The list can be incomplete, up to being empty or absent. To make security explicitly optional, an empty security requirement ({} ) can be included in the array. |
tags | @@ -870,7 +872,7 @@string |
-REQUIRED. The default value to use for substitution, which SHALL be sent if an alternate value is not supplied. Note this behavior is different than the Schema Object’s treatment of default values, because in those cases parameter values are optional. If the enum is defined, the value MUST exist in the enum’s values. |
+REQUIRED. The default value to use for substitution, which SHALL be sent if an alternate value is not supplied. If the enum is defined, the value MUST exist in the enum’s values. Note that this behavior is different from the Schema Object’s default keyword, which documents the receiver’s behavior rather than inserting the value into the data. |
description | @@ -1703,7 +1705,7 @@boolean |
-When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([ , ] , # ), or have a special meaning in application/x-www-form-urlencoded (- , & , + ); see Appendices C and E for details. This field only applies to parameters with an in value of query . The default value is false . |
+When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([ , ] , # ), or have a special meaning in application/x-www-form-urlencoded (- , & , + ); see Appendices C and E for details. This field only applies to parameters with an in value of query . The default value is false . |
schema | @@ -1722,7 +1724,7 @@boolean |
-When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([ , ] , # ), or have a special meaning in application/x-www-form-urlencoded (- , & , + ); see Appendices C and E for details. The default value is false . This field SHALL be ignored if the request body media type is not application/x-www-form-urlencoded or multipart/form-data . If a value is explicitly defined, then the value of contentType (implicit or explicit) SHALL be ignored. |
+When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570] Section 3.2.3, which allows RFC3986’s reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([ , ] , # ), or have a special meaning in application/x-www-form-urlencoded (- , & , + ); see Appendices C and E for details. The default value is false . This field SHALL be ignored if the request body media type is not application/x-www-form-urlencoded or multipart/form-data . If a value is explicitly defined, then the value of contentType (implicit or explicit) SHALL be ignored. |
See also Appendix C: Using RFC6570 Implementations for additional guidance, including on difficulties caused by the interaction between RFC6570’s percent-encoding rules and the multipart/form-data
media type.
See also Appendix C: Using RFC6570 Implementations for additional guidance, including on difficulties caused by the interaction between RFC6570’s percent-encoding rules and the multipart/form-data
media type.
Note that the presence of at least one of style
, explode
, or allowReserved
with an explicit value is equivalent to using schema
with in: "query"
Parameter Objects.
The absence of all three of those fields is the equivalent of using content
, but with the media type specified in contentType
rather than through a Media Type Object.
A linked operation MUST be identified using either an operationRef
or operationId
.
-In the case of an operationId
, it MUST be unique and resolved in the scope of the OpenAPI description.
-Because of the potential for name clashes, the operationRef
syntax is preferred
-for multi-document OpenAPI descriptions.
operationId
, it MUST be resolved within the scope of the OpenAPI Description (OAD).
+Because of the potential for name clashes, the operationRef
syntax is preferred for multi-document OADs.
+However, because use of an operation depends on its URL path template in the Paths Object, operations from any Path Item Object that is referenced multiple times within the OAD cannot be resolved unambiguously.
+In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error.
Note that it is not possible to provide a constant value to parameters
that matches the syntax of a runtime expression.
It is possible to have ambiguous parameter names, e.g. name: "id", in: "path"
and name: "path.id", in: "query"
; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (path.id
as a path parameter), as the names can always be qualified to disambiguate them (e.g. using query.path.id
for the query parameter).
See also Appendix C: Using RFC6570-Based Serialization for additional guidance.
For more complex scenarios, the content
field can define the media type and schema of the header, as well as give examples of its use.
Using content
with a text/plain
media type is RECOMMENDED for headers where the schema
strategy is not appropriate.
See also Appendix F: Resolving Security Requirements in a Referenced Document for an example using Security Requirement Objects in multi-document OpenAPI Descriptions.
{
"api_key": []
@@ -4700,81 +4704,6 @@ OpenAPI Specification v3.1.1
- write:pets
- read:pets
-See Resolving Implicit Connections for more information.
-First, our entry document is where parsing begins. It defines the MySecurity
security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document:
GET /api/description/openapi HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+json
-
-"components": {
- "securitySchemes": {
- "MySecurity": {
- "type": "http",
- "scheme": "bearer",
- "bearerFormat": "JWT"
- }
- }
-},
-"paths": {
- "/foo": {
- "$ref": "other#/components/pathItems/Foo"
- }
-}
-
-GET /api/description/openapi HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+yaml
-
-components:
- securitySchemes:
- MySecurity:
- type: http
- scheme: bearer
- bearerFormat: JWT
-paths:
- /foo:
- $ref: 'other#/components/pathItems/Foo'
-
-Next, we have our referenced document, other
. The fact that we don’t use file extensions gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available:
GET /api/description/other HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+json
-
-"components": {
- "securitySchemes": {
- "MySecurity": {
- "type": "http",
- "scheme": "basic"
- }
- },
- "pathItems": {
- "Foo": {
- "get": {
- "security": [
- "MySecurity": []
- ]
- }
- }
- }
-}
-
-GET /api/description/other HTTP/1.1
-Host: www.example.com
-Accept: application/openapi+yaml
-
-components:
- securitySchemes:
- MySecurity:
- type: http
- scheme: basic
- pathItems:
- Foo:
- get:
- security:
- - MySecurity: []
-
-In the other
document, the referenced path item has a Security Requirement for a Security Scheme, MySecurity
. The same Security Scheme exists in the original entry document. As outlined in Resolving Implicit Connections, MySecurity
is resolved with an implementation-defined behavior. However, documented in that section, it is RECOMMENDED that tools resolve component names from the entry document. As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported.
While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points.
The extensions properties are implemented as patterned fields that are always prefixed by x-
.
decimal
in the Format Registry) are less clear.
However, care must be taken with format
to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored.
Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types.
-Serialization is defined in terms of [RFC6570] URI Templates in two scenarios:
+Serialization is defined in terms of [RFC6570] URI Templates in three scenarios:
When schema is present |
+|
Encoding Object | When encoding for application/x-www-form-urlencoded and any of style , explode , or allowReserved are used |