From 67b94d9f0570b65c67c8671c14936d7fb21f9b8f Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 24 Oct 2024 12:16:43 -0700 Subject: [PATCH 01/91] Start next patch - bump version to 3.1.2 --- src/oas.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index b2db701c19..14eacbb701 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1,6 +1,6 @@ # OpenAPI Specification -## Version 3.1.1 +## Version 3.1.2 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP 14](https://tools.ietf.org/html/bcp14) [RFC2119](https://tools.ietf.org/html/rfc2119) [RFC8174](https://tools.ietf.org/html/rfc8174) when, and only when, they appear in all capitals, as shown here. @@ -4116,6 +4116,7 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | +| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | From f39b7880a69f0380e983185c5f6c9b50f9000bb1 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 13 Nov 2024 09:21:52 +0100 Subject: [PATCH 02/91] Validate src/oas.md --- .github/workflows/validate-markdown.yaml | 4 ++-- package.json | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate-markdown.yaml b/.github/workflows/validate-markdown.yaml index cd9d503ae4..577a16c8e6 100644 --- a/.github/workflows/validate-markdown.yaml +++ b/.github/workflows/validate-markdown.yaml @@ -28,6 +28,6 @@ jobs: with: node-version: '20.x' - name: Validate markdown - run: npx --yes mdv versions/3.*.md + run: npx --yes mdv versions/3.*.md src/oas.md - name: Lint markdown 3.0.4, 3.1.1, and later - run: npx --yes markdownlint-cli --config .markdownlint.yaml versions/3.0.4.md versions/3.1.[^0].md versions/3.[2-9].*.md + run: npx --yes markdownlint-cli --config .markdownlint.yaml versions/3.0.4.md versions/3.1.[^0].md versions/3.[2-9].*.md src/oas.md diff --git a/package.json b/package.json index e8cdb13a86..948d42887a 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,8 @@ "license": "Apache-2.0", "scripts": { "build": "bash ./scripts/md2html/build.sh", - "test": "c8 --100 vitest --watch=false" + "test": "c8 --100 vitest --watch=false", + "validate-markdown": "npx mdv src/oas.md && npx markdownlint-cli src/oas.md" }, "readmeFilename": "README.md", "files": [ From 21b5bcfb9a60aeb973506714ac50ce48ccfafd36 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Tue, 17 Dec 2024 15:41:45 +0100 Subject: [PATCH 03/91] Editorial change: Link Object points to Operation Object --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 14eacbb701..379e563885 100644 --- a/src/oas.md +++ b/src/oas.md @@ -176,7 +176,7 @@ In some cases, an unambiguous URI-based alternative is available, and OAD author | [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | | [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | | [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | -| [Link Object](#link-object) `operationId` | [Path Item Object](#path-item-object) `operationId` | `operationRef` | +| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. From fe5b2343520ee81fb110be538b03dea8f51a3052 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 14:22:50 +0100 Subject: [PATCH 04/91] Editorial change: Include Header Object into 'Working With Examples' section --- src/oas.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/oas.md b/src/oas.md index 379e563885..adc1b57159 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2211,19 +2211,19 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples -Example Objects can be used in both [Parameter Objects](#parameter-object) and [Media Type Objects](#media-type-object). +Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object) and [Media Type Objects](#media-type-object). In both Objects, this is done through the `examples` (plural) field. -However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in both Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of both Objects. +However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. -The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's [Encoding Object](#encoding-object). +The mutually exclusive fields in the Parameter, Header or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. -The singular `example` field in the Parameter or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +The singular `example` field in the Parameter, Header or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. Some examples cannot be represented directly in JSON or YAML. For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. From 7cd34d2a37f46efdc695959b771ef6fe9ca744cf Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 16:53:26 +0100 Subject: [PATCH 05/91] Editorial change: fix typo in Link Object description --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 379e563885..15822cbac9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2386,7 +2386,7 @@ For computing links and providing instructions to execute them, a [runtime expre This object MAY be extended with [Specification Extensions](#specification-extensions). A linked operation MUST be identified using either an `operationRef` or `operationId`. -The identified or reference operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). +The identified or referenced operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). Because of the potential for name clashes, the `operationRef` syntax is preferred for multi-document OADs. However, because use of an operation depends on its URL path template in the [Paths Object](#paths-object), operations from any [Path Item Object](#path-item-object) that is referenced multiple times within the OAD cannot be resolved unambiguously. In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error. From 1b65003a029f410db221b011a2679228e9d6a047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:32 +0100 Subject: [PATCH 06/91] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index adc1b57159..98e40bf114 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2211,7 +2211,7 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples -Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object) and [Media Type Objects](#media-type-object). +Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). In both Objects, this is done through the `examples` (plural) field. However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. From 8cc59b6d6bc0fbde9b641688ec5c684e631276a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:39 +0100 Subject: [PATCH 07/91] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 98e40bf114..9e846a1575 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2212,7 +2212,7 @@ Tooling implementations MAY choose to validate compatibility automatically, and ##### Working with Examples Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). -In both Objects, this is done through the `examples` (plural) field. +In all three Objects, this is done through the `examples` (plural) field. However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. Each of these fields has slightly different considerations. From 150e1259d867c21c3ab9a57e5ed8e40874a2c923 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:45 +0100 Subject: [PATCH 08/91] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9e846a1575..9e50668a3a 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2219,7 +2219,7 @@ Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter, Header or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. From 377e12447ab64dc2528d93ec71cf687f85dc6d5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 17:55:51 +0100 Subject: [PATCH 09/91] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9e50668a3a..b10d2b1055 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2223,7 +2223,7 @@ The mutually exclusive fields in the Parameter, Header, or Media Type Objects ar The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. -The singular `example` field in the Parameter, Header or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +The singular `example` field in the Parameter, Header, or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. Some examples cannot be represented directly in JSON or YAML. For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. From 6eb487b5e65293e025531c2f078e408a2f297471 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Wed, 18 Dec 2024 18:38:50 +0100 Subject: [PATCH 10/91] Editorial change: add Header Object to Generating and Validating URIs section --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 379e563885..60452330d9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4488,7 +4488,7 @@ This specification normatively cites the following relevant standards: Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. -Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. +Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. From f896bb7d6bf37903ce8da1c3538414511a5b0336 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Wed, 18 Dec 2024 21:56:13 +0100 Subject: [PATCH 11/91] Update src/oas.md Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index b10d2b1055..e09c5256e0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2219,7 +2219,7 @@ Each of these fields has slightly different considerations. The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. -The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The mutually exclusive fields in the Parameter, Header, or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter, serialized header, or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, Header Object, or in the Media Type Object's [Encoding Object](#encoding-object). Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. From e738e4af028c2df32615f906de865cb16871e89f Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Thu, 19 Dec 2024 21:23:31 +0100 Subject: [PATCH 12/91] Introduce constraints for Server Object url fixed field --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 36bebdf8fb..af5143d905 100644 --- a/src/oas.md +++ b/src/oas.md @@ -455,7 +455,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of a URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From 8b91379ffb5ae7cf87320e026a9d291c6ce08876 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Fri, 20 Dec 2024 12:50:18 +0100 Subject: [PATCH 13/91] Update src/oas.md Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index af5143d905..2e20f94314 100644 --- a/src/oas.md +++ b/src/oas.md @@ -455,7 +455,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of a URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From ccf329f8461475c3b8dd74554b0b1cf1c3775f8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Gorej?= Date: Fri, 20 Dec 2024 12:59:41 +0100 Subject: [PATCH 14/91] Update src/oas.md --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 2e20f94314..4c89a019ce 100644 --- a/src/oas.md +++ b/src/oas.md @@ -455,7 +455,7 @@ An object representing a Server. | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST not be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST NOT be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | From 1e0fd70155ad053af305eeb3af159ff74e35cb36 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Fri, 27 Dec 2024 14:58:56 +0100 Subject: [PATCH 15/91] Editorial change: fix anchor to Components.securitySchemes Signed-off-by: Vladimir Gorej --- src/oas.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 36bebdf8fb..c574284f62 100644 --- a/src/oas.md +++ b/src/oas.md @@ -582,7 +582,7 @@ All objects defined within the Components Object will have no effect on the API | examples | Map[`string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Example Objects](#example-object). | | requestBodies | Map[`string`, [Request Body Object](#request-body-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Request Body Objects](#request-body-object). | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Header Objects](#header-object). | -| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | +| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | | pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | @@ -3983,7 +3983,7 @@ flows: #### Security Requirement Object Lists the required security schemes to execute this operation. -The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). +The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#components-security-schemes) under the [Components Object](#components-object). A Security Requirement Object MAY refer to multiple security schemes in which case all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information. @@ -3997,7 +3997,7 @@ An empty Security Requirement Object (`{}`) indicates anonymous access is suppor | Field Pattern | Type | Description | | ---- | :----: | ---- | -| {name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | +| {name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#components-security-schemes) under the [Components Object](#components-object). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | ##### Security Requirement Object Examples From dbba0ba7442f486f993318fbcb9e4ae9d40a06d9 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 8 Jan 2025 17:36:20 -0800 Subject: [PATCH 16/91] Fix copy-paste "format: binary" error These examples got copied from 3.0.4 and apparently I forgot to adjust them for 3.1.1 and no one else noticed. --- src/oas.md | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4c89a019ce..fa86d62a4e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1800,17 +1800,17 @@ requestBody: schema: type: object properties: + # default for a string without `contentEncoding` is `text/plain` id: - # default for primitives without a special format is text/plain type: string format: uuid - profileImage: - # default for string with binary format is `application/octet-stream` - type: string - format: binary + + # default for a schema withhout `type` is `application/octet-stream` + profileImage: {} + + # default for arrays is based on the type in the `items` + # subschema, which is an object, so `application/json` addresses: - # default for arrays is based on the type in the `items` - # subschema, which is an object, so `application/json` type: array items: $ref: '#/components/schemas/Address' @@ -1828,31 +1828,27 @@ requestBody: schema: type: object properties: + # No Encoding Object, so use default `text/plain` id: - # default is `text/plain` type: string format: uuid + + # Encoding Object overrides the default `application/json` + # for each item in the array with `application/xml; charset=utf-8` addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead description: addresses in XML format type: array items: $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary + + # Encoding Object accepts only PNG or JPEG, and also describes + # a custom header for just this part in the multipart format + profileImage: {} + encoding: addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array contentType: application/xml; charset=utf-8 profileImage: - # only accept png or jpeg contentType: image/png, image/jpeg headers: X-Rate-Limit-Limit: From f48940caddb738ddc134cb0c849caae0bc910a0a Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 10 Jan 2025 15:49:38 +0100 Subject: [PATCH 17/91] Typo --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index fa86d62a4e..3a00b8cf96 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1805,7 +1805,7 @@ requestBody: type: string format: uuid - # default for a schema withhout `type` is `application/octet-stream` + # default for a schema without `type` is `application/octet-stream` profileImage: {} # default for arrays is based on the type in the `items` From 5b0a31a43cb4a1b424404c49a175fb3a72c47900 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Wed, 15 Jan 2025 12:18:31 -0800 Subject: [PATCH 18/91] Feedback from mkistler about contentEncoding --- src/oas.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index 4f68ac4eaf..59438ee612 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1746,8 +1746,9 @@ requestBody: name: type: string icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. + # The default content type with "contentEncoding" present + # is application/octet-stream, # so we need to set the correct + # image media type(s) in the Encoding Object. type: string contentEncoding: base64url encoding: @@ -1800,16 +1801,19 @@ requestBody: schema: type: object properties: - # default for a string without `contentEncoding` is `text/plain` + # default content type for a string without `contentEncoding` + # is `text/plain` id: type: string format: uuid - # default for a schema without `type` is `application/octet-stream` + # default content type for a schema without `type` + # is `application/octet-stream` profileImage: {} - # default for arrays is based on the type in the `items` - # subschema, which is an object, so `application/json` + # default content type for arrays is based on the type + # in the `items` subschema, which is an object here, + # so the default content type for each item is `application/json` addresses: type: array items: @@ -1833,7 +1837,7 @@ requestBody: type: string format: uuid - # Encoding Object overrides the default `application/json` + # Encoding Object overrides the default `application/json` content type # for each item in the array with `application/xml; charset=utf-8` addresses: description: addresses in XML format From 628e9711c5c40e53a60b27dc6ea042d24d674157 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 16 Jan 2025 17:26:51 +0100 Subject: [PATCH 19/91] Apply suggestions from code review Co-authored-by: Mike Kistler --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 59438ee612..8f0257a318 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1747,7 +1747,7 @@ requestBody: type: string icon: # The default content type with "contentEncoding" present - # is application/octet-stream, # so we need to set the correct + # is application/octet-stream, so we need to set the correct # image media type(s) in the Encoding Object. type: string contentEncoding: base64url From 39c3571e74ee22a486ddd0feb6b0aad7ebfabcfa Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Mon, 3 Feb 2025 19:08:39 -0500 Subject: [PATCH 20/91] Adjust uri to uri-reference for security schema fixed fields --- schemas/v3.1/schema.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/schemas/v3.1/schema.yaml b/schemas/v3.1/schema.yaml index 54c49a2f97..b66a5406f1 100644 --- a/schemas/v3.1/schema.yaml +++ b/schemas/v3.1/schema.yaml @@ -881,10 +881,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -898,10 +898,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -915,13 +915,13 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: From 8a686f68acadc7537778ba36dbb7256f70b9d285 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 5 Feb 2025 15:14:29 +0100 Subject: [PATCH 21/91] as decided in TDC call on 2025-01-23 --- src/oas.md | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/src/oas.md b/src/oas.md index 8f0257a318..f1d8314409 100644 --- a/src/oas.md +++ b/src/oas.md @@ -549,7 +549,7 @@ servers: - '443' default: '8443' basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is "v2" default: v2 ``` @@ -1746,8 +1746,8 @@ requestBody: name: type: string icon: - # The default content type with "contentEncoding" present - # is application/octet-stream, so we need to set the correct + # The default content type with `contentEncoding` present + # is "application/octet-stream", so we need to set the correct # image media type(s) in the Encoding Object. type: string contentEncoding: base64url @@ -1802,18 +1802,18 @@ requestBody: type: object properties: # default content type for a string without `contentEncoding` - # is `text/plain` + # is "text/plain" id: type: string format: uuid # default content type for a schema without `type` - # is `application/octet-stream` + # is "application/octet-stream" profileImage: {} # default content type for arrays is based on the type # in the `items` subschema, which is an object here, - # so the default content type for each item is `application/json` + # so the default content type for each item is "application/json" addresses: type: array items: @@ -1832,13 +1832,13 @@ requestBody: schema: type: object properties: - # No Encoding Object, so use default `text/plain` + # No Encoding Object, so use default "text/plain" id: type: string format: uuid - # Encoding Object overrides the default `application/json` content type - # for each item in the array with `application/xml; charset=utf-8` + # Encoding Object overrides the default "application/json" content type + # for each item in the array with "application/xml; charset=utf-8" addresses: description: addresses in XML format type: array @@ -1871,7 +1871,7 @@ requestBody: multipart/form-data: schema: properties: - # The property name 'file' will be used for all files. + # The property name `file` will be used for all files. file: type: array items: {} @@ -2425,7 +2425,7 @@ paths: # the target link operationId operationId: getUserAddress parameters: - # get the `id` field from the request path parameter named `id` + # use the value of the request path parameter named "id" userid: $request.path.id # the path item of the linked operation /users/{userid}/address: @@ -2453,7 +2453,7 @@ links: address: operationId: getUserAddressByUUID parameters: - # get the `uuid` field from the `uuid` field in the response body + # use the value of the `uuid` field in the response body userUuid: $response.body#/uuid ``` @@ -2469,7 +2469,6 @@ field in an [Operation Object](#operation-object)), references MAY also be made ```yaml links: UserRepositories: - # returns array of '#/components/schemas/repository' operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' parameters: username: $response.body#/username @@ -2480,7 +2479,6 @@ or a URI `operationRef`: ```yaml links: UserRepositories: - # returns array of '#/components/schemas/repository' operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get parameters: username: $response.body#/username @@ -3396,7 +3394,7 @@ components: allOf: - $ref: '#/components/schemas/Pet' - type: object - # all other properties specific to a `Cat` + # all other properties specific to a "Cat" properties: name: type: string @@ -3404,7 +3402,7 @@ components: allOf: - $ref: '#/components/schemas/Pet' - type: object - # all other properties specific to a `Dog` + # all other properties specific to a "Dog" properties: bark: type: string @@ -3412,7 +3410,7 @@ components: allOf: - $ref: '#/components/schemas/Pet' - type: object - # all other properties specific to a `Lizard` + # all other properties specific to a "Lizard" properties: lovesRocks: type: boolean From 17ab8d6cb4e947c02dd61070aedd532568740e0b Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 5 Feb 2025 15:23:49 +0100 Subject: [PATCH 22/91] Update CONTRIBUTING.md --- CONTRIBUTING.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7cc369eb4e..0a7542e912 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -214,6 +214,11 @@ Plus some suggestions, rather than rules: * property of a "plain" JSON object that is not an OpenAPI-defined Foo Object -> "property" * "attribute" is only used in the XML context and means "XML attribute" +### Field Names and Values in YAML comments + +Field names and entries such as content types should be in backticks, they would be fixed-width fonts if the markdown was rendered (which the comments are not). +Values like "Dog" should be double quoted as they are a value rather than a keyword. + ## Release Process and Scope This section relates to the 3.x versions only. From 5d505db64de684c163e47ade8f8347c9c320d5d9 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Feb 2025 18:50:54 +0100 Subject: [PATCH 23/91] Update CONTRIBUTING.md Co-authored-by: Vincent Biret --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0a7542e912..3d217ec28c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,7 +216,7 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and entries such as content types should be in backticks, they would be fixed-width fonts if the markdown was rendered (which the comments are not). +Field names and keys should be in backticks for consistency. Values like "Dog" should be double quoted as they are a value rather than a keyword. ## Release Process and Scope From b7163c127c589e03e2efa9dd24a1e675128beb8f Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Thu, 6 Feb 2025 14:48:42 -0500 Subject: [PATCH 24/91] Reactor all but xml.namespace from uri to uri-reference --- schemas/v3.1/schema.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/schemas/v3.1/schema.yaml b/schemas/v3.1/schema.yaml index b66a5406f1..ada84777fd 100644 --- a/schemas/v3.1/schema.yaml +++ b/schemas/v3.1/schema.yaml @@ -12,7 +12,7 @@ properties: $ref: '#/$defs/info' jsonSchemaDialect: type: string - format: uri + format: uri-reference default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' servers: type: array @@ -64,7 +64,7 @@ $defs: type: string termsOfService: type: string - format: uri + format: uri-reference contact: $ref: '#/$defs/contact' license: @@ -85,7 +85,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference email: type: string format: email @@ -102,7 +102,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - name dependentSchemas: @@ -297,7 +297,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - url $ref: '#/$defs/specification-extensions' @@ -598,7 +598,7 @@ $defs: value: true externalValue: type: string - format: uri + format: uri-reference not: required: - value @@ -830,7 +830,7 @@ $defs: properties: openIdConnectUrl: type: string - format: uri + format: uri-reference required: - openIdConnectUrl @@ -864,10 +864,10 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: From c2c9aaf9e110485ac3e1942eb75bdb063e2bb67f Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Feb 2025 21:57:43 +0100 Subject: [PATCH 25/91] Update CONTRIBUTING.md --- CONTRIBUTING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3d217ec28c..2c2db67e7b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,8 +216,8 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and keys should be in backticks for consistency. -Values like "Dog" should be double quoted as they are a value rather than a keyword. +Field names and keys should be in backticks. +Values like "Dog" should be double quoted. ## Release Process and Scope From 97e7b3d6fead90242a599e09d8ffcf36acead4f7 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Fri, 7 Feb 2025 11:21:58 +0100 Subject: [PATCH 26/91] Update CONTRIBUTING.md --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2c2db67e7b..b48f0096bc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,7 +216,7 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and keys should be in backticks. +Field names and keywords should be in backticks. Values like "Dog" should be double quoted. ## Release Process and Scope From 4dc85ae1ce7d3e939c7b0ba4b7308f1595c4b4fe Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 13 Feb 2025 23:27:00 +0100 Subject: [PATCH 27/91] Update src schema with changes from #4328 --- src/schemas/validation/schema.yaml | 32 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 54c49a2f97..ada84777fd 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -12,7 +12,7 @@ properties: $ref: '#/$defs/info' jsonSchemaDialect: type: string - format: uri + format: uri-reference default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' servers: type: array @@ -64,7 +64,7 @@ $defs: type: string termsOfService: type: string - format: uri + format: uri-reference contact: $ref: '#/$defs/contact' license: @@ -85,7 +85,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference email: type: string format: email @@ -102,7 +102,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - name dependentSchemas: @@ -297,7 +297,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - url $ref: '#/$defs/specification-extensions' @@ -598,7 +598,7 @@ $defs: value: true externalValue: type: string - format: uri + format: uri-reference not: required: - value @@ -830,7 +830,7 @@ $defs: properties: openIdConnectUrl: type: string - format: uri + format: uri-reference required: - openIdConnectUrl @@ -864,10 +864,10 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -881,10 +881,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -898,10 +898,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -915,13 +915,13 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: From 0cb336b000fb2568fcee00233958345c4e56ad51 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Mon, 17 Feb 2025 23:04:47 +0100 Subject: [PATCH 28/91] Editorial change: fix typo in runtime expression CHAR non-terminal --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f1d8314409..6e0aa4b59c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2513,7 +2513,7 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ``` -Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `CHAR` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). The `name` identifier is case-sensitive, whereas `token` is not. From 9bcc030c0ab80bc52e1a90b72a89d8bc6356c095 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 22:59:48 +0100 Subject: [PATCH 29/91] Delete schema.yaml --- schemas/v3.1/schema.yaml | 974 --------------------------------------- 1 file changed, 974 deletions(-) delete mode 100644 schemas/v3.1/schema.yaml diff --git a/schemas/v3.1/schema.yaml b/schemas/v3.1/schema.yaml deleted file mode 100644 index ada84777fd..0000000000 --- a/schemas/v3.1/schema.yaml +++ /dev/null @@ -1,974 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.1.x Documents without Schema Object validation - -type: object -properties: - openapi: - type: string - pattern: '^3\.1\.\d+(-.+)?$' - info: - $ref: '#/$defs/info' - jsonSchemaDialect: - type: string - format: uri-reference - default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' - servers: - type: array - items: - $ref: '#/$defs/server' - default: - - url: / - paths: - $ref: '#/$defs/paths' - webhooks: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - components: - $ref: '#/$defs/components' - security: - type: array - items: - $ref: '#/$defs/security-requirement' - tags: - type: array - items: - $ref: '#/$defs/tag' - externalDocs: - $ref: '#/$defs/external-documentation' -required: - - openapi - - info -anyOf: - - required: - - paths - - required: - - components - - required: - - webhooks -$ref: '#/$defs/specification-extensions' -unevaluatedProperties: false - -$defs: - info: - $comment: https://spec.openapis.org/oas/v3.1#info-object - type: object - properties: - title: - type: string - summary: - type: string - description: - type: string - termsOfService: - type: string - format: uri-reference - contact: - $ref: '#/$defs/contact' - license: - $ref: '#/$defs/license' - version: - type: string - required: - - title - - version - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - contact: - $comment: https://spec.openapis.org/oas/v3.1#contact-object - type: object - properties: - name: - type: string - url: - type: string - format: uri-reference - email: - type: string - format: email - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - license: - $comment: https://spec.openapis.org/oas/v3.1#license-object - type: object - properties: - name: - type: string - identifier: - type: string - url: - type: string - format: uri-reference - required: - - name - dependentSchemas: - identifier: - not: - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server: - $comment: https://spec.openapis.org/oas/v3.1#server-object - type: object - properties: - url: - type: string - description: - type: string - variables: - type: object - additionalProperties: - $ref: '#/$defs/server-variable' - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server-variable: - $comment: https://spec.openapis.org/oas/v3.1#server-variable-object - type: object - properties: - enum: - type: array - items: - type: string - minItems: 1 - default: - type: string - description: - type: string - required: - - default - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - components: - $comment: https://spec.openapis.org/oas/v3.1#components-object - type: object - properties: - schemas: - type: object - additionalProperties: - $dynamicRef: '#meta' - responses: - type: object - additionalProperties: - $ref: '#/$defs/response-or-reference' - parameters: - type: object - additionalProperties: - $ref: '#/$defs/parameter-or-reference' - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - requestBodies: - type: object - additionalProperties: - $ref: '#/$defs/request-body-or-reference' - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - securitySchemes: - type: object - additionalProperties: - $ref: '#/$defs/security-scheme-or-reference' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - pathItems: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - patternProperties: - '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': - $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected - propertyNames: - pattern: '^[a-zA-Z0-9._-]+$' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - paths: - $comment: https://spec.openapis.org/oas/v3.1#paths-object - type: object - patternProperties: - '^/': - $ref: '#/$defs/path-item' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - path-item: - $comment: https://spec.openapis.org/oas/v3.1#path-item-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - servers: - type: array - items: - $ref: '#/$defs/server' - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - get: - $ref: '#/$defs/operation' - put: - $ref: '#/$defs/operation' - post: - $ref: '#/$defs/operation' - delete: - $ref: '#/$defs/operation' - options: - $ref: '#/$defs/operation' - head: - $ref: '#/$defs/operation' - patch: - $ref: '#/$defs/operation' - trace: - $ref: '#/$defs/operation' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - operation: - $comment: https://spec.openapis.org/oas/v3.1#operation-object - type: object - properties: - tags: - type: array - items: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - operationId: - type: string - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - requestBody: - $ref: '#/$defs/request-body-or-reference' - responses: - $ref: '#/$defs/responses' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - deprecated: - default: false - type: boolean - security: - type: array - items: - $ref: '#/$defs/security-requirement' - servers: - type: array - items: - $ref: '#/$defs/server' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - external-documentation: - $comment: https://spec.openapis.org/oas/v3.1#external-documentation-object - type: object - properties: - description: - type: string - url: - type: string - format: uri-reference - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameter: - $comment: https://spec.openapis.org/oas/v3.1#parameter-object - type: object - properties: - name: - type: string - in: - enum: - - query - - header - - path - - cookie - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - required: - - name - - in - oneOf: - - required: - - schema - - required: - - content - if: - properties: - in: - const: query - required: - - in - then: - properties: - allowEmptyValue: - default: false - type: boolean - dependentSchemas: - schema: - properties: - style: - type: string - explode: - type: boolean - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-cookie' - - $ref: '#/$defs/styles-for-form' - - $defs: - styles-for-path: - if: - properties: - in: - const: path - required: - - in - then: - properties: - style: - default: simple - enum: - - matrix - - label - - simple - required: - const: true - required: - - required - - styles-for-header: - if: - properties: - in: - const: header - required: - - in - then: - properties: - style: - default: simple - const: simple - - styles-for-query: - if: - properties: - in: - const: query - required: - - in - then: - properties: - style: - default: form - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - allowReserved: - default: false - type: boolean - - styles-for-cookie: - if: - properties: - in: - const: cookie - required: - - in - then: - properties: - style: - default: form - const: form - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameter-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/parameter' - - request-body: - $comment: https://spec.openapis.org/oas/v3.1#request-body-object - type: object - properties: - description: - type: string - content: - $ref: '#/$defs/content' - required: - default: false - type: boolean - required: - - content - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - request-body-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/request-body' - - content: - $comment: https://spec.openapis.org/oas/v3.1#fixed-fields-10 - type: object - additionalProperties: - $ref: '#/$defs/media-type' - propertyNames: - format: media-range - - media-type: - $comment: https://spec.openapis.org/oas/v3.1#media-type-object - type: object - properties: - schema: - $dynamicRef: '#meta' - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/examples' - unevaluatedProperties: false - - encoding: - $comment: https://spec.openapis.org/oas/v3.1#encoding-object - type: object - properties: - contentType: - type: string - format: media-range - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - style: - default: form - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - explode: - type: boolean - allowReserved: - default: false - type: boolean - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/styles-for-form' - unevaluatedProperties: false - - responses: - $comment: https://spec.openapis.org/oas/v3.1#responses-object - type: object - properties: - default: - $ref: '#/$defs/response-or-reference' - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': - $ref: '#/$defs/response-or-reference' - minProperties: 1 - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - if: - $comment: either default, or at least one response code property must exist - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': false - then: - required: [default] - - response: - $comment: https://spec.openapis.org/oas/v3.1#response-object - type: object - properties: - description: - type: string - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - content: - $ref: '#/$defs/content' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - required: - - description - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - response-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/response' - - callbacks: - $comment: https://spec.openapis.org/oas/v3.1#callback-object - type: object - $ref: '#/$defs/specification-extensions' - additionalProperties: - $ref: '#/$defs/path-item' - - callbacks-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/callbacks' - - example: - $comment: https://spec.openapis.org/oas/v3.1#example-object - type: object - properties: - summary: - type: string - description: - type: string - value: true - externalValue: - type: string - format: uri-reference - not: - required: - - value - - externalValue - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - example-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/example' - - link: - $comment: https://spec.openapis.org/oas/v3.1#link-object - type: object - properties: - operationRef: - type: string - format: uri-reference - operationId: - type: string - parameters: - $ref: '#/$defs/map-of-strings' - requestBody: true - description: - type: string - body: - $ref: '#/$defs/server' - oneOf: - - required: - - operationRef - - required: - - operationId - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - link-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/link' - - header: - $comment: https://spec.openapis.org/oas/v3.1#header-object - type: object - properties: - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - oneOf: - - required: - - schema - - required: - - content - dependentSchemas: - schema: - properties: - style: - default: simple - const: simple - explode: - default: false - type: boolean - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - header-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/header' - - tag: - $comment: https://spec.openapis.org/oas/v3.1#tag-object - type: object - properties: - name: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - required: - - name - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - reference: - $comment: https://spec.openapis.org/oas/v3.1#reference-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - - schema: - $comment: https://spec.openapis.org/oas/v3.1#schema-object - $dynamicAnchor: meta - type: - - object - - boolean - - security-scheme: - $comment: https://spec.openapis.org/oas/v3.1#security-scheme-object - type: object - properties: - type: - enum: - - apiKey - - http - - mutualTLS - - oauth2 - - openIdConnect - description: - type: string - required: - - type - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/security-scheme/$defs/type-apikey' - - $ref: '#/$defs/security-scheme/$defs/type-http' - - $ref: '#/$defs/security-scheme/$defs/type-http-bearer' - - $ref: '#/$defs/security-scheme/$defs/type-oauth2' - - $ref: '#/$defs/security-scheme/$defs/type-oidc' - unevaluatedProperties: false - - $defs: - type-apikey: - if: - properties: - type: - const: apiKey - required: - - type - then: - properties: - name: - type: string - in: - enum: - - query - - header - - cookie - required: - - name - - in - - type-http: - if: - properties: - type: - const: http - required: - - type - then: - properties: - scheme: - type: string - required: - - scheme - - type-http-bearer: - if: - properties: - type: - const: http - scheme: - type: string - pattern: ^[Bb][Ee][Aa][Rr][Ee][Rr]$ - required: - - type - - scheme - then: - properties: - bearerFormat: - type: string - - type-oauth2: - if: - properties: - type: - const: oauth2 - required: - - type - then: - properties: - flows: - $ref: '#/$defs/oauth-flows' - required: - - flows - - type-oidc: - if: - properties: - type: - const: openIdConnect - required: - - type - then: - properties: - openIdConnectUrl: - type: string - format: uri-reference - required: - - openIdConnectUrl - - security-scheme-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/security-scheme' - - oauth-flows: - type: object - properties: - implicit: - $ref: '#/$defs/oauth-flows/$defs/implicit' - password: - $ref: '#/$defs/oauth-flows/$defs/password' - clientCredentials: - $ref: '#/$defs/oauth-flows/$defs/client-credentials' - authorizationCode: - $ref: '#/$defs/oauth-flows/$defs/authorization-code' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - $defs: - implicit: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - password: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - client-credentials: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - authorization-code: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - security-requirement: - $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object - type: object - additionalProperties: - type: array - items: - type: string - - specification-extensions: - $comment: https://spec.openapis.org/oas/v3.1#specification-extensions - patternProperties: - '^x-': true - - examples: - properties: - example: true - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - - map-of-strings: - type: object - additionalProperties: - type: string - - styles-for-form: - if: - properties: - style: - const: form - required: - - style - then: - properties: - explode: - default: true - else: - properties: - explode: - default: false From 3b45fd44421a618449a9094edf2269c5693de134 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:01:20 +0100 Subject: [PATCH 30/91] Update CONTRIBUTING.md --- CONTRIBUTING.md | 491 ++++++++++++++++++++++++++++++------------------ 1 file changed, 309 insertions(+), 182 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b48f0096bc..8d243b0104 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,59 +1,333 @@ -# Contributing to the OpenAPI Specification +# Contribute to the OpenAPI Specification -***Work in progress!** Each section links to issues that are relevant to fill out the rest of this document.* +## Key information -We are currently working on [defining and documenting our new processes](https://github.com/orgs/OAI/projects/5). Information in this document is up-to-date. Older _(and sometimes now inaccurate)_ documentation can be found in [DEVELOPMENT.md](DEVELOPMENT.md), which will be removed when everything is updated and documented here. +This project is covered by our [Code of Conduct](https://github.com/OAI/OpenAPI-Specification?tab=coc-ov-file#readme). +All participants are expected to read and follow this code. -## Essential Policies +No changes, however trivial, are ever made to the contents of published specifications (the files in the `versions/` folder). +Exceptions may be made when links to external URLs have been changed by a 3rd party, in order to keep our documents accurate. -This section serves as a quick guide while we work on the full updated documentation. +Published versions of the specification are in the `versions/` folder. +The under-development versions of the specification are in the file `src/oas.md` on the appropriately-versioned branch. +For example, work on the next release for 3.2 is on `v3.2-dev` in the file `src/oas.md`. -If in doubt about a policy, please [ask on our Slack](https://communityinviter.com/apps/open-api/openapi) before opening a PR. +The [spec site](https://spec.openapis.org) is the source of truth for the OpenAPI specification as it contains all the citations and author credits (the markdown in this repository was previously the authoritative version until 2024). -### No changes to published specifications +The OpenAPI project is almost entirely staffed by volunteers. +Please be patient with the people in this project, who all have other jobs and are active here because we believe this project has a positive impact in the world. -No changes, ***no matter how trivial***, are ever made to the contents of published specifications. The only potential changes to those documents are updates to link URLs _if and only if_ the targeted document is moved by a 3rd party. Other changes to link URLs are not allowed. +### Active branches -### Authoritative source of truth +The current active specification releases are: -The [spec site](https://spec.openapis.org) is the source of truth. +| Version | Branch | Notes | +| ------- | ------ | ----- | +| 3.1.2 | `v3.1-dev` | active patch release line | +| 3.2.0 | `v3.2-dev` | minor release in development | +| 4.0.0 | [OAI/sig-moonwalk](https://github.com/OAI/sig-moonwalk) | [discussions only](https://github.com/OAI/sig-moonwalk/discussions) | -This changed in 2024, as the markdown files on `main` do not include certain credits and citations. -## Development process +## How to contribute -As of October 2024 (post-OAS 3.0.4 and 3.1.1), the OAS is developed in the `src/oas.md` file on minor release `vX.Y-dev` branches that are derived from the baseline `dev` branch. +We welcome new contributors to the project whether you have changes to suggest, problems to report, or some feedback for us. +Please jump to the most relevant section from the list below: -Schema changes are made on the same branch, but can be released independently. When making a specification change for a new minor or major release that has a schema impact, including the schema change in the PR is preferred. Patch releases cannot contain changes that _require_ a schema update. +- Ask a question or offer feedback: use a [discussion](#discussions) +- Suggest a change or report a problem: open an [issue](#issues) +- Contribute a change to the repository: open a [pull request](#pull-requests) +- Or just [get in touch](#get-in-touch) -### Branch roles +## Discussions -* `main` is used to publish finished work and hold the authoritative versions of general documentation such as this document, which can be merged out to other branches as needed. The `src` tree is ***not*** present on `main`. -* `dev` is the primary branch for working with the `src` tree, which is kept up-to-date with the most recent release on the most recent minor (X.Y) release line, and serves as the base for each new minor release line. Development infrastructure that is not needed on `main` is maintained here, and can be merged out to other non-`main` branches as needed. -* `vX.Y-dev` is the minor release line development branch for X.Y, including both the initial X.Y.0 minor version and all subsequent X.Y.Z patch versions. All PRs are made to oldest active `vX.Y-dev` branch to which the change is relevant, and then merged forward as shown in the diagram further down in this document. -* `vX.Y.Z-rel` is the release branch for an X.Y.Z release (including when Z == 0). It exists primarily for `git mv`-ing `src/oas.md` to the appropriate `versions/X.Y.Z.md` location before merging back to `main`, and can also be used for any emergency post-release fixes that come up, such as when a 3rd party changes URLs in a way that breaks published links. +We use [discussions](https://github.com/OAI/OpenAPI-Specification/discussions?discussions_q=is%3Aopen) for anything that doesn't (yet) have a specific action associated with it. +Most ideas start as discussions. + +Please do come and start a discussion to: + + - ask questions + - make suggestions + - give feedback + +Anyone can start a discussion and you're very welcome to do so! Write a message and pick a relevant discussion category. + +### Discussion management + +Participation in discussions and especially answering of questions is encouraged (and appreciated) by everyone. + +Discussions are closed when: + + - the question has been answered. + - no further action or conversation would be useful. + - there has been no engagement for a while, or a previously popular thread has been inactive for an extended period. + - activity is now taking place elsewhere, such as in an issue. + - the discussion is out of scope for the project. + +## Issues + +Issues are for planned tasks, problems to solve, or requests for (specific) changes. +Most issues should have a clear outcome; something will be fixed, improved or otherwise measurably different when the issue is complete. + +We use [discussions](#discussions) for ideas and early-stage suggestions. + +> [!NOTE] +> For larger or more extensive changes, we have a formal [proposal process](#propose-a-specification-change) to give more structure where it's needed. + +The best issues give a clear and concise explanation of the problem at hand, and ideally some examples of what the problem is. +Suggested solutions are also welcome, but it is very important that the issue outlines the problem that is being solved as well as the solution. +Some issues may be a backlog of a task that needs to be done; other issues might be automatically created as part of the project processes. + +### Issue management + +We have some issue automation to close inactive issues and create/pin/archive the weekly meeting issues. +More information is in the [Appendix: Issue automation](#appendix-issue-automation) section. + +Everyone is encouraged to open and comment on issues in the project. +If you want to tag/assign/close something and you don't have enough permissions, add a comment and someone will help. + +Issues are managed by the [Triage](#triage), [Maintainers](#maintainers) and [TSC](#tsc) teams. +They may move issues to other repositories within the project as needed. + +In order to keep the issues list manageable and realistic for a relatively small group of volunteers, issues are proactively closed when it's not clear that they can be completed. +Issues may be closed when: + +- they have been inactive for a long time +- they are out of scope or no further constructive action can be taken +- they are complete (yay!) +- they are unclear and more details are not forthcoming +- as a group, there is agreement that no further action will be taken + +When issues are closed, a comment is added about why. +Closing issues is a reversible action, and it is always acceptable to comment and explain (politely) why an issue should not have been closed. + +### Labels + +We make extensive use of labels. +The main categories are: + +- [Housekeeping](https://github.com/OAI/OpenAPI-Specification/labels/Housekeeping) for meetings, project logistics, etc. +- [approved pr port](https://github.com/OAI/OpenAPI-Specification/labels/approved%20pr%20port) for pull requests that repeat a change from one version to another +- most other tags are used to group similar or related issues into topic areas; this list is ever-changing + +Labels related to [issue automation](#appendix-issue-automation) + +- [Needs attention](https://github.com/OAI/OpenAPI-Specification/labels/Needs%20attention) automated tag when an issue is updated +- [Needs author feedback](https://github.com/OAI/OpenAPI-Specification/labels/Needs%20author%20feedback) used to indicate that more information is needed from the issue creator +- [No recent activity](https://github.com/OAI/OpenAPI-Specification/labels/No%20recent%20activity) if no information is received, the issue is marked for closure (automatic after 30 days) + +### Milestones + +We use milestones in GitHub to plan what should be included in future releases. +Issues and pull requests should both be added to the earliest milestone we expect they will be released in. +Any changes that aren't ready in time for release should be moved to the next milestone or untagged. + +The milestones and items assigned to them are under constant review and subject to change. + +### Projects + +The OpenAPI Initiative uses GitHub Projects to manage work _outside_ of the specification development process. There are currently two active projects: + +* [Contributor Guidance](https://github.com/orgs/OAI/projects/5/views/1) +* [Automation & Infrastructure](https://github.com/orgs/OAI/projects/4/views/1) + +## Pull requests + +> [!NOTE] +> Since the 3.0.4 and 3.1.1 releases (October 2024), the OAS is developed in the `src/oas.md` file. +> Check the [Appendix: Branch Strategy](#appendix-branch-strategy) for more information about the updated branching strategy. + +Changes to the next version of the specification are welcome and can be proposed by anyone. + +For large changes that will need discussion, please use the [Proposal process](#propose-a-specification-change). +For other changes, we recommend [opening an issue](#issues) first, so that you can get some feedback and any extra input you need before spending a lot of time on something. + +Schema changes are made on the same branch, but can be released independently. +When making a specification change for a new minor or major release that has a schema impact, including the schema change in the PR is preferred. +Patch releases cannot contain changes that _require_ a schema update. + +### Use a fork + +All work **MUST be done on a fork** and be submitted as a pull request. + +### Target the earliest active `*-dev` branch + +Branch from and submit pull requests to the a branch from the _earliest relevant and [active](#active-branches)_ `vX.Y-dev` branch. +For example, if a change applies to both 3.1 and 3.2, the PR would go to the `v3.1-dev` branch, which will be merged up to `v3.2-dev` before the next 3.2 release. +All changes to the specification must conform to the [style guide](./style-guide.md). + +Both specification and schema changes follow this approach. + +For changes to repository files that affect all versions, use the `main` branch. +This might apply to, for example, Markdown files, automation, and scripts. + +For all pull requests, if they should not be merged yet for any reason (they depend on something else, you would like feedback from a specific reviewer), mark them as draft and they will not be merged while in that state. +Draft pull requests can still be reviewed while in draft state. + +### Preview specification HTML locally + +The markdown source files are converted to HTML before publishing. +To do this locally, please + +1. Install [Node.js](https://nodejs.org/) +2. Check out this repo, go to the repo root, and switch to a development branch +3. Execute `npm install` (once, repeat after merging upstream changes) +4. Execute `npm run build-src` after changing `src/oas.md` (this first executes `npm run validate-markdown`, which can also be run separately) +5. Open output file `deploy-preview/oas.html` with a browser and check your changes + +Please make sure the markdown validates and builds using the above steps before creating a pull request or marking a draft pull request as ready for review. + +## Reviewers + +> [!NOTE] +> See also the detailed team outlines in the [roles section](#roles). -### Using forks +All pull requests must be reviewed and approved by one member of the TSC or Maintainers teams. +Reviews from other contributors are always welcome. -All work **MUST be done on a fork**, using a branch from the _earliest relevant and [active](#active-branches)_ `vX.Y-dev` branch, and then submitted as a PR to that `vX.Y-dev` branch. -For example, if a change in November 2024 apples to both 3.1 and 3.2, the PR would go to the `v3.1-dev` branch, which will be merged up to `v3.2-dev` before the next 3.2 release. +Additionally, all pull requests that change the specification file `src/oas.md` must be approved by two TSC members. + +Reviews requesting changes should have their changes addressed regardless of how many other approvers there are. ## Publishing -The specification and schemas are published to the [spec site](https://spec.openapis.org) by creating an `vX.Y.Z-rel` branch where `src/oas.md` is renamed to the appropriate `versions/X.Y.Z.md` file and then merged to `main`. The HTML versions of the OAS are automatically generated from the `versions` directory on `main`. This renaming on the `vX.Y.Z-rel` branch preserves the commit history for the published file on `main` when using `git log --follow` (as is the case for all older published files). +### Specification Versions + +The specification versions are published to the [spec site](https://spec.openapis.org) by creating an `vX.Y.Z-rel` branch where `src/oas.md` is renamed to the appropriate `versions/X.Y.Z.md` file and then merged to `main`. +This renaming on the `vX.Y.Z-rel` branch preserves the commit history for the published file on `main` when using `git log --follow` (as is the case for all older published files). + +The HTML renderings of the specification versions are automatically generated from the `versions` directory on `main` by the [`respec` workflow](https://github.com/OAI/OpenAPI-Specification/blob/main/.github/workflows/respec.yaml), which generates a pull request for publishing the HTML renderings to the [spec site](https://spec.openapis.org). + +### Schema Iterations + +The schema iterations are published independently from the specification releases [in the schema section on the spec site](https://spec.openapis.org/#openapi-specification-schemas). +Schemas are updated in and directly published from the `vX.Y-dev` branches. + +As part of the publishing process, the YAML source files are converted to JSON, renamed to the relevant last-changed dates, and `WORK-IN-PROGRESS` placeholders are replaced with these dates as appropriate. This is usually done by the `schema-publish` workflow which detects changes on each `vX.Y-dev` branch, which generates a pull request for publishing the new schema iterations to the [spec site](https://spec.openapis.org). The workflow can also be run manually if required. + +## Release Process and Scope + +This section relates to the 3.x versions only. + +### Minor Releases + +Our roadmap for 3.x releases is community-driven, meaning the specification is open for proposed additions by anyone (see [Propose a Specification Change](#propose-a-specification-change)), in addition to the issues already on the project backlog. + +Changes in minor releases (such as 3.2, 3.3) meet the following criteria: + +* Are **backwards-compatible** and be reasonably easy to implement in tooling that already supports the previous minor version. + For example, new optional fields can be added. +* Drive quality-of-life improvements to support how OpenAPI is used by practitioners, so that OpenAPI evolves to continue to meet user needs. + For example, adding fields to support changes in other standards, or adopting common `x-*` extension fields into the specification. +* Bring the future closer by making changes that are in line with future 3.x releases and the planned OpenAPI 4.x (Moonwalk) specification as the details of that become available. +* Make the specification document clearer or easier to understand. + +A minor release is due when there are some meaningful features (including one or a small number of headline features). + +### Patch Releases + +Patch releases reflect a constant quest for improving the active minor versions of OpenAPI. +Since we do not edit specification documents after publication, even the smallest change has to be in a new release. + +Changes in patch releases meet the following criteria: + +* Editorial changes such as spelling or formatting fixes, including link updates. +* Clarifications or additions that do not change the meaning of the specification. + +Patch releases are created as often as there are changes to the specification worth releasing. + +### Release Process + +A release requires a vote on the specification at a particular version and the associated release notes by TSC members within the voting period. +Major or minor release voting periods will be announced in the Slack channel and noted on the calendar at least 6 days in advance. +During this time, TSC members who have not yet voted must note their approval by leaving a comment on the GitHub pull request proposing the release; release notes should be included with the description. +TSC members are responsible for coordinating the information about the release to the outreach team as appropriate. + +* Patch-level releases require majority approval by TSC members. (Max voting period 3 days) + +* Minor: requires approval by 66% of TSC members. (Max voting period 7 days) + +* Major: requires approval by 66% of TSC members. (Max voting period 14 days) + +During the voting period, further changes should not be made to the specification being considered. + +Once the threshold of approvals is met, the release can be performed by any TSC member. + +## Propose a Specification Change + +As an organisation, we're open to changes, and these can be proposed by anyone. +The specification is very widely adopted, and there is an appropriately high bar for wide appeal and due scrutiny as a result. +We do not accept changes lightly (but we will consider any that we can). + +Small changes are welcome as pull requests. + +Bigger changes require a more formal process. + +1. Start a [discussion](https://github.com/OAI/OpenAPI-Specification/discussions) of type "Enhancements". + The discussion entry must include some use cases, your proposed solution and the alternatives you have considered. + If there is engagement and support for the proposal over time, then it can be considered as a candidate to move to the next stage. + +2. It really helps to see the proposed change in action. + Start using it as a `x-*` extension if that's appropriate, or try to bring other evidence of your proposed solution being adopted. + +3. If you are adding support for something from another specification (such as OAuth), please point to implementations of that + specification so that we can understand how, and to what degree, it is being used. + +4. If the suggested change has good support, you will be asked to create a formal proposal. + Use the [template in the proposals directory](https://github.com/OAI/OpenAPI-Specification/tree/main/proposals), copy it to a new file, and complete it. + Once you the document is ready, open a pull request on the main branch. + +5. The proposal will be more closely reviewed and commented on or amended until it is either rejected or accepted. + At that point, the proposal is merged into the `main` branch and a pull request is opened to add the feature to the appropriate `dev` version of the specification. + +Questions are welcome on the process at any time. Use the discussions feature or find us in Slack. + +## Roles + +The OpenAPI project has some key roles that are played by multiple people. + +### TSC + +The Technical Steering Committee are listed in the [MAINTAINERS file](./MAINTAINERS.md). +They are the maintainers of the OpenAPI Specification itself and every other aspect of the project operation and direction. +TSC members can review changes to all parts of the repository and make decisions about the project. + +### Maintainers + +The maintainers have write access to the repository and play a key role in the project. +They review pull requests to non-specification parts of the repository, and take on other strategic tasks around project planning and maintenance. + +### Triage -The publishing process for schemas is still under discussion (see issues [#3715](https://github.com/OAI/OpenAPI-Specification/issues/3715) and [#3716](https://github.com/OAI/OpenAPI-Specification/issues/3716)), with the current proposal being to release them directly from the `vX.Y-dev` branch without merging to `main`, as the schemas in source control have placeholder identifiers and are not intended to be used as-is. +The triage team are active OpenAPI members who help with discussion and issue management. +They respond to new issues and discussions, direct people to our existing resources or raise conversations to a wider audience. +The triage team keeps an eye on the backlog and closes issues and discussions that are no longer active or needed. -### Historical branch strategy +## Get in touch + +To get in touch with other people on the project, ask questions, or anything else: + +- Find us [on the OpenAPI Slack](https://communityinviter.com/apps/open-api/openapi). +- Start a [GitHub Discussion](https://github.com/OAI/OpenAPI-Specification/discussions/). +- Join one of our weekly meetings by checking the [issues list for an upcoming meetings](https://github.com/OAI/OpenAPI-Specification/issues?q=is%3Aissue%20state%3Aopen%20label%3AHousekeeping). + +## Appendix: Branch strategy For information on the branch and release strategy for OAS 3.0.4 and 3.1.1 and earlier, see the comments in [issue #3677](https://github.com/OAI/OpenAPI-Specification/issues/3677). +### Branch roles + +* `main` is used to publish finished work and hold the authoritative versions of general documentation such as this document, which can be merged out to other branches as needed. The `src` tree is ***not*** present on `main`. +* `dev` is the primary branch for working with the `src` tree, which is kept up-to-date with the most recent release on the most recent minor (X.Y) release line, and serves as the base for each new minor release line. Development infrastructure that is not needed on `main` is maintained here, and can be merged out to other non-`main` branches as needed. + Changes on `main` are automatically included in a pull request to `dev` (see the (section on [branch sync](#branch-sync-automation)). +* `vX.Y-dev` is the minor release line development branch for X.Y, including both the initial X.Y.0 minor version and all subsequent X.Y.Z patch versions. All PRs are made to oldest active `vX.Y-dev` branch to which the change is relevant, and then merged forward as shown in the diagram further down in this document. +* `vX.Y.Z-rel` is the release branch for an X.Y.Z release (including when Z == 0). It exists primarily for `git mv`-ing `src/oas.md` to the appropriate `versions/X.Y.Z.md` location before merging back to `main`, and can also be used for any emergency post-release fixes that come up, such as when a 3rd party changes URLs in a way that breaks published links. + ### Branching and merging (3.1.2, 3.2.0, and later) Upon release: * Pre-release steps: - * The most recent _published_ patch release from the previoius line is merged up to `vX.Y-dev`, if relevant + * The most recent _published_ patch release from the previous line is merged up to `vX.Y-dev`, if relevant * If doing simultaneous releases on multiple lines, do them from the oldest to newest line * If the release is the most recent on the current line, merge `vX.Y-dev` to `dev` * For example, if releasing 3.1.3 and 3.2.0: @@ -163,155 +437,18 @@ gitGraph TB: commit id:"3.3 work" ``` -#### Active branches - -The first PR for a change should be against the oldest release line to which it applies. Changes can then be forward-ported as appropriate. - -The specification under development is `src/oas.md`, which _only_ exists on development branches, not on `main`. - -The current (20 October 2024) active specification releases are: - -| Version | Branch | Notes | -| ------- | ------ | ----- | -| 3.1.2 | `v3.1-dev` | active patch release line | -| 3.2.0 | `v3.2-dev` | minor release in development | -| 4.0.0 | [OAI/sig-moonwalk](https://github.com/OAI/sig-moonwalk) | [discussions only](https://github.com/OAI/sig-moonwalk/discussions) | - -## Style Guide - -Contributions to this repository should follow the style guide as described in this section. - -### Markdown - -Markdown files in this project should follow the style enforced by the [markdownlint tool](https://www.npmjs.com/package/markdownlint), -as configured by the `.markdownlint.yaml` file in the root of the project. -The `markdownlint` tool can also fix formatting, which can save time with tables in particular. - -The following additional rules should be followed but currently are not enforced by tooling: - -1. The first mention of a normative reference or an OAS-defined Object in a (sub)*section is a link, additional mentions are not. -2. OAS-defined Objects such as Schema Objects are written in this style, and are not monospaced. -3. Use "example" instead of "sample" - this spec is not about statistics. -4. Use "OpenAPI Object" instead of "root". -5. Fixed fields are monospaced. -6. Field values are monospaced in JSON notation: `true`, `false`, `null`, `"header"` (with double-quotes around string values). -7. A combination of fixed field name with example value uses JS notation: `in: "header"`, combining rules 5 and 6. -8. An exception to 5-7 is colloquial use, for example "values of type `array` or `object`" - "type" is not monospaced, so the monospaced values aren't enclosed in double quotes. -9. Use Oxford commas, avoid Shatner commas. -10. Use `` for link anchors. The `` format has been deprecated. -11. Headings use [title case](https://en.wikipedia.org/wiki/Title_case) and are followed by a blank line. - -Plus some suggestions, rather than rules: - -* Use one sentence per line in paragraphs and bullet points, to make diffs and edits easier to compare and understand. - A blank line is needed to cause a paragraph break in Markdown. -* In examples, use realistic values rather than foo/bar. - -### Use of "keyword", "field", "property", and "attribute" - -* JSON Schema keywords -> "keyword" -* OpenAPI fixed fields -> "field" -* property of a "plain" JSON object that is not an OpenAPI-defined Foo Object -> "property" -* "attribute" is only used in the XML context and means "XML attribute" - -### Field Names and Values in YAML comments - -Field names and keywords should be in backticks. -Values like "Dog" should be double quoted. - -## Release Process and Scope - -This section relates to the 3.x versions only. - -### Minor Releases - -Our roadmap for 3.x releases is community-driven, meaning the specification is open for proposed additions by anyone (see [Proposals for Specification Changes](#proposals-for-specification-changes)), in addition to the issues already on the project backlog. - -Changes in minor releases (such as 3.2, 3.3) meet the following criteria: - -* Are **backwards-compatible** and be reasonably easy to implement in tooling that already supports the previous minor version. - For example, new optional fields can be added. -* Drive quality-of-life improvements to support how OpenAPI is used by practitioners, so that OpenAPI evolves to continue to meet user needs. - For example, adding fields to support changes in other standards, or adopting common `x-*` extension fields into the specification. -* Bring the future closer by making changes that are in line with future 3.x releases and the planned OpenAPI 4.x (Moonwalk) specification as the details of that become available. -* Make the specification document clearer or easier to understand. - -A minor release is due when there are some meaningful features (including one or a small number of headline features). - -### Patch Releases - -Patch releases reflect a constant quest for improving the active minor versions of OpenAPI. -Since we do not edit specification documents after publication, even the smallest change has to be in a new release. - -Changes in patch releases meet the following criteria: - -* Editorial changes such as spelling or formatting fixes, including link updates. -* Clarifications or additions that do not change the meaning of the specification. - -Patch releases are created as often as there are changes to the specification worth releasing. - -## Branching and Versioning - -* Issue #3677: [Define and document branch strategy for the spec, both development and publishing](https://github.com/OAI/OpenAPI-Specification/issues/3677) - -## Proposals for Specification Changes - -As an organisation, we're open to changes, and these can be proposed by anyone. -The specification is very widely adopted, and there is an appropriately high bar for wide appeal and due scrutiny as a result. -We do not accept changes lightly (but we will consider any that we can). - -Small changes are welcome as pull requests. - -Bigger changes require a more formal process. - -1. Start a [discussion](https://github.com/OAI/OpenAPI-Specification/discussions) of type "Enhancements". - The discussion entry must include some use cases, your proposed solution and the alternatives you have considered. - If there is engagement and support for the proposal over time, then it can be considered as a candidate to move to the next stage. - -2. It really helps to see the proposed change in action. - Start using it as a `x-*` extension if that's appropriate, or try to bring other evidence of your proposed solution being adopted. - -3. If you are adding support for something from another specification (such as OAuth), please point to implementations of that - specification so that we can understand how, and to what degree, it is being used. - -4. If the suggested change has good support, you will be asked to create a formal proposal. - Use the [template in the proposals directory](https://github.com/OAI/OpenAPI-Specification/tree/main/proposals), copy it to a new file, and complete it. - Once you the document is ready, open a pull request on the main branch. - -5. The proposal will be more closely reviewed and commented on or amended until it is either rejected or accepted. - At that point, the proposal is merged into the `main` branch and a pull request is opened to add the feature to the appropriate `dev` version of the specification. +### Branch sync automation -Questions are welcome on the process at any time. Use the discussions feature or find us in Slack. - -## Working in GitHub +To keep changes in sync, we have some GitHub actions that open pull requests to take changes from `main` onto the `dev` branch, and from `dev` to each active version branch. -* Issue #3847: [Document milestone usage in DEVELOPMENT.md](https://github.com/OAI/OpenAPI-Specification/issues/3847) -* Issue #3848: [Define and add new process labels and document general label usage in DEVELOPMENT.md](https://github.com/OAI/OpenAPI-Specification/issues/3848) +- `sync-main-to-dev` opens a pull request with all the changes from the `main` branch that aren't yet included on `dev`. +- `sync-dev-to-vX.Y-dev` opens pull requests with all the changes from `dev` that aren't yet included on the corresponding `vX.Y-dev` branch. -### Roles and Permissions +These need a single approval from either maintainers or TSC and can be merged. +The aim is to bring build script and repository documentation changes to the other branches. +Published versions of the specifications and schemas will also move across branches with this approach. -* Issue #3582: [TOB info needs to be updated](https://github.com/OAI/OpenAPI-Specification/issues/3482) -* Issue #3523: [Define triage role criteria and process](https://github.com/OAI/OpenAPI-Specification/issues/3523) -* Issue #3524: [Define the maintainer role criteria and process](https://github.com/OAI/OpenAPI-Specification/issues/3524) - -### Projects - -The OpenAPI Initiative uses GitHub Projects to manage work _outside_ of the specification development process. There are currently two active projects: - -* [Contributor Guidance](https://github.com/orgs/OAI/projects/5/views/1) -* [Automation & Infrastructure](https://github.com/orgs/OAI/projects/4/views/1) - -### Discussions - -We are beginning (as of mid-2024) to use GitHub [discussions](https://github.com/OAI/OpenAPI-Specification/discussions?discussions_q=is%3Aopen) for open-ended topics such as major enhancements. - -* Issue #3518: [Define criteria for filing/closing issues vs discussions](https://github.com/OAI/OpenAPI-Specification/issues/3518) - -### Issues - -As of mid-2024, we prefer to use issues for topics that have a clear associated action. However, many existing issues are more open-ended, as they predate GitHub's discussions features. - -* Issue #3518: [Define criteria for filing/closing issues vs discussions](https://github.com/OAI/OpenAPI-Specification/issues/3518) +## Appendix: Issue Automation ### Automated closure of issues Process @@ -327,14 +464,4 @@ This process makes use of the following labels: An issue is opened every week, 7 days in advance, for the Technical Developer Community (TDC), it provides the information to connect the meeting, and serves as a placeholder to build the agenda for the meeting. Anyone is welcome to attend the meeting, or to add items to the agenda as long as they plan on attending to present the item. These issues are also automatically pinned for visibility and labeled with "Housekeeping". -Ten (10) days after the meeting date is passed (date in the title of the issue), it gets closed and unpinned automatically. - -## Pull Requests - -* Issue #3581: [Who and how many people need to sign-off on a PR, exactly?](https://github.com/OAI/OpenAPI-Specification/issues/3581) -* Issue #3802: [Define a policy using draft PRs when waiting on specific approvals](https://github.com/OAI/OpenAPI-Specification/issues/3802) - -## Updating the Registries - -* Issue #3598: [Minimum criteria for Namespace Registry](https://github.com/OAI/OpenAPI-Specification/issues/3598) -* Issue #3899: [Expert review criteria for registries (How exactly does x-twitter work?)](https://github.com/OAI/OpenAPI-Specification/issues/3899) +Ten (10) days after the meeting date is passed (date in the title of the issue), it gets closed and unpinned automatically. \ No newline at end of file From ca0b2f790ace7bf34a299b7b5fc899e53d6ecabb Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:02:57 +0100 Subject: [PATCH 31/91] Revert "Update CONTRIBUTING.md" This reverts commit 3b45fd44421a618449a9094edf2269c5693de134. --- CONTRIBUTING.md | 491 ++++++++++++++++++------------------------------ 1 file changed, 182 insertions(+), 309 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8d243b0104..b48f0096bc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,333 +1,59 @@ -# Contribute to the OpenAPI Specification +# Contributing to the OpenAPI Specification -## Key information +***Work in progress!** Each section links to issues that are relevant to fill out the rest of this document.* -This project is covered by our [Code of Conduct](https://github.com/OAI/OpenAPI-Specification?tab=coc-ov-file#readme). -All participants are expected to read and follow this code. +We are currently working on [defining and documenting our new processes](https://github.com/orgs/OAI/projects/5). Information in this document is up-to-date. Older _(and sometimes now inaccurate)_ documentation can be found in [DEVELOPMENT.md](DEVELOPMENT.md), which will be removed when everything is updated and documented here. -No changes, however trivial, are ever made to the contents of published specifications (the files in the `versions/` folder). -Exceptions may be made when links to external URLs have been changed by a 3rd party, in order to keep our documents accurate. +## Essential Policies -Published versions of the specification are in the `versions/` folder. -The under-development versions of the specification are in the file `src/oas.md` on the appropriately-versioned branch. -For example, work on the next release for 3.2 is on `v3.2-dev` in the file `src/oas.md`. +This section serves as a quick guide while we work on the full updated documentation. -The [spec site](https://spec.openapis.org) is the source of truth for the OpenAPI specification as it contains all the citations and author credits (the markdown in this repository was previously the authoritative version until 2024). +If in doubt about a policy, please [ask on our Slack](https://communityinviter.com/apps/open-api/openapi) before opening a PR. -The OpenAPI project is almost entirely staffed by volunteers. -Please be patient with the people in this project, who all have other jobs and are active here because we believe this project has a positive impact in the world. +### No changes to published specifications -### Active branches +No changes, ***no matter how trivial***, are ever made to the contents of published specifications. The only potential changes to those documents are updates to link URLs _if and only if_ the targeted document is moved by a 3rd party. Other changes to link URLs are not allowed. -The current active specification releases are: +### Authoritative source of truth -| Version | Branch | Notes | -| ------- | ------ | ----- | -| 3.1.2 | `v3.1-dev` | active patch release line | -| 3.2.0 | `v3.2-dev` | minor release in development | -| 4.0.0 | [OAI/sig-moonwalk](https://github.com/OAI/sig-moonwalk) | [discussions only](https://github.com/OAI/sig-moonwalk/discussions) | - - -## How to contribute - -We welcome new contributors to the project whether you have changes to suggest, problems to report, or some feedback for us. -Please jump to the most relevant section from the list below: - -- Ask a question or offer feedback: use a [discussion](#discussions) -- Suggest a change or report a problem: open an [issue](#issues) -- Contribute a change to the repository: open a [pull request](#pull-requests) -- Or just [get in touch](#get-in-touch) - -## Discussions - -We use [discussions](https://github.com/OAI/OpenAPI-Specification/discussions?discussions_q=is%3Aopen) for anything that doesn't (yet) have a specific action associated with it. -Most ideas start as discussions. - -Please do come and start a discussion to: - - - ask questions - - make suggestions - - give feedback - -Anyone can start a discussion and you're very welcome to do so! Write a message and pick a relevant discussion category. - -### Discussion management - -Participation in discussions and especially answering of questions is encouraged (and appreciated) by everyone. - -Discussions are closed when: - - - the question has been answered. - - no further action or conversation would be useful. - - there has been no engagement for a while, or a previously popular thread has been inactive for an extended period. - - activity is now taking place elsewhere, such as in an issue. - - the discussion is out of scope for the project. - -## Issues - -Issues are for planned tasks, problems to solve, or requests for (specific) changes. -Most issues should have a clear outcome; something will be fixed, improved or otherwise measurably different when the issue is complete. - -We use [discussions](#discussions) for ideas and early-stage suggestions. - -> [!NOTE] -> For larger or more extensive changes, we have a formal [proposal process](#propose-a-specification-change) to give more structure where it's needed. - -The best issues give a clear and concise explanation of the problem at hand, and ideally some examples of what the problem is. -Suggested solutions are also welcome, but it is very important that the issue outlines the problem that is being solved as well as the solution. -Some issues may be a backlog of a task that needs to be done; other issues might be automatically created as part of the project processes. - -### Issue management - -We have some issue automation to close inactive issues and create/pin/archive the weekly meeting issues. -More information is in the [Appendix: Issue automation](#appendix-issue-automation) section. - -Everyone is encouraged to open and comment on issues in the project. -If you want to tag/assign/close something and you don't have enough permissions, add a comment and someone will help. - -Issues are managed by the [Triage](#triage), [Maintainers](#maintainers) and [TSC](#tsc) teams. -They may move issues to other repositories within the project as needed. - -In order to keep the issues list manageable and realistic for a relatively small group of volunteers, issues are proactively closed when it's not clear that they can be completed. -Issues may be closed when: - -- they have been inactive for a long time -- they are out of scope or no further constructive action can be taken -- they are complete (yay!) -- they are unclear and more details are not forthcoming -- as a group, there is agreement that no further action will be taken - -When issues are closed, a comment is added about why. -Closing issues is a reversible action, and it is always acceptable to comment and explain (politely) why an issue should not have been closed. - -### Labels +The [spec site](https://spec.openapis.org) is the source of truth. -We make extensive use of labels. -The main categories are: +This changed in 2024, as the markdown files on `main` do not include certain credits and citations. -- [Housekeeping](https://github.com/OAI/OpenAPI-Specification/labels/Housekeeping) for meetings, project logistics, etc. -- [approved pr port](https://github.com/OAI/OpenAPI-Specification/labels/approved%20pr%20port) for pull requests that repeat a change from one version to another -- most other tags are used to group similar or related issues into topic areas; this list is ever-changing +## Development process -Labels related to [issue automation](#appendix-issue-automation) +As of October 2024 (post-OAS 3.0.4 and 3.1.1), the OAS is developed in the `src/oas.md` file on minor release `vX.Y-dev` branches that are derived from the baseline `dev` branch. -- [Needs attention](https://github.com/OAI/OpenAPI-Specification/labels/Needs%20attention) automated tag when an issue is updated -- [Needs author feedback](https://github.com/OAI/OpenAPI-Specification/labels/Needs%20author%20feedback) used to indicate that more information is needed from the issue creator -- [No recent activity](https://github.com/OAI/OpenAPI-Specification/labels/No%20recent%20activity) if no information is received, the issue is marked for closure (automatic after 30 days) +Schema changes are made on the same branch, but can be released independently. When making a specification change for a new minor or major release that has a schema impact, including the schema change in the PR is preferred. Patch releases cannot contain changes that _require_ a schema update. -### Milestones - -We use milestones in GitHub to plan what should be included in future releases. -Issues and pull requests should both be added to the earliest milestone we expect they will be released in. -Any changes that aren't ready in time for release should be moved to the next milestone or untagged. - -The milestones and items assigned to them are under constant review and subject to change. - -### Projects - -The OpenAPI Initiative uses GitHub Projects to manage work _outside_ of the specification development process. There are currently two active projects: - -* [Contributor Guidance](https://github.com/orgs/OAI/projects/5/views/1) -* [Automation & Infrastructure](https://github.com/orgs/OAI/projects/4/views/1) - -## Pull requests - -> [!NOTE] -> Since the 3.0.4 and 3.1.1 releases (October 2024), the OAS is developed in the `src/oas.md` file. -> Check the [Appendix: Branch Strategy](#appendix-branch-strategy) for more information about the updated branching strategy. - -Changes to the next version of the specification are welcome and can be proposed by anyone. - -For large changes that will need discussion, please use the [Proposal process](#propose-a-specification-change). -For other changes, we recommend [opening an issue](#issues) first, so that you can get some feedback and any extra input you need before spending a lot of time on something. - -Schema changes are made on the same branch, but can be released independently. -When making a specification change for a new minor or major release that has a schema impact, including the schema change in the PR is preferred. -Patch releases cannot contain changes that _require_ a schema update. - -### Use a fork - -All work **MUST be done on a fork** and be submitted as a pull request. - -### Target the earliest active `*-dev` branch - -Branch from and submit pull requests to the a branch from the _earliest relevant and [active](#active-branches)_ `vX.Y-dev` branch. -For example, if a change applies to both 3.1 and 3.2, the PR would go to the `v3.1-dev` branch, which will be merged up to `v3.2-dev` before the next 3.2 release. -All changes to the specification must conform to the [style guide](./style-guide.md). - -Both specification and schema changes follow this approach. - -For changes to repository files that affect all versions, use the `main` branch. -This might apply to, for example, Markdown files, automation, and scripts. - -For all pull requests, if they should not be merged yet for any reason (they depend on something else, you would like feedback from a specific reviewer), mark them as draft and they will not be merged while in that state. -Draft pull requests can still be reviewed while in draft state. - -### Preview specification HTML locally - -The markdown source files are converted to HTML before publishing. -To do this locally, please - -1. Install [Node.js](https://nodejs.org/) -2. Check out this repo, go to the repo root, and switch to a development branch -3. Execute `npm install` (once, repeat after merging upstream changes) -4. Execute `npm run build-src` after changing `src/oas.md` (this first executes `npm run validate-markdown`, which can also be run separately) -5. Open output file `deploy-preview/oas.html` with a browser and check your changes - -Please make sure the markdown validates and builds using the above steps before creating a pull request or marking a draft pull request as ready for review. - -## Reviewers - -> [!NOTE] -> See also the detailed team outlines in the [roles section](#roles). +### Branch roles -All pull requests must be reviewed and approved by one member of the TSC or Maintainers teams. -Reviews from other contributors are always welcome. +* `main` is used to publish finished work and hold the authoritative versions of general documentation such as this document, which can be merged out to other branches as needed. The `src` tree is ***not*** present on `main`. +* `dev` is the primary branch for working with the `src` tree, which is kept up-to-date with the most recent release on the most recent minor (X.Y) release line, and serves as the base for each new minor release line. Development infrastructure that is not needed on `main` is maintained here, and can be merged out to other non-`main` branches as needed. +* `vX.Y-dev` is the minor release line development branch for X.Y, including both the initial X.Y.0 minor version and all subsequent X.Y.Z patch versions. All PRs are made to oldest active `vX.Y-dev` branch to which the change is relevant, and then merged forward as shown in the diagram further down in this document. +* `vX.Y.Z-rel` is the release branch for an X.Y.Z release (including when Z == 0). It exists primarily for `git mv`-ing `src/oas.md` to the appropriate `versions/X.Y.Z.md` location before merging back to `main`, and can also be used for any emergency post-release fixes that come up, such as when a 3rd party changes URLs in a way that breaks published links. -Additionally, all pull requests that change the specification file `src/oas.md` must be approved by two TSC members. +### Using forks -Reviews requesting changes should have their changes addressed regardless of how many other approvers there are. +All work **MUST be done on a fork**, using a branch from the _earliest relevant and [active](#active-branches)_ `vX.Y-dev` branch, and then submitted as a PR to that `vX.Y-dev` branch. +For example, if a change in November 2024 apples to both 3.1 and 3.2, the PR would go to the `v3.1-dev` branch, which will be merged up to `v3.2-dev` before the next 3.2 release. ## Publishing -### Specification Versions - -The specification versions are published to the [spec site](https://spec.openapis.org) by creating an `vX.Y.Z-rel` branch where `src/oas.md` is renamed to the appropriate `versions/X.Y.Z.md` file and then merged to `main`. -This renaming on the `vX.Y.Z-rel` branch preserves the commit history for the published file on `main` when using `git log --follow` (as is the case for all older published files). - -The HTML renderings of the specification versions are automatically generated from the `versions` directory on `main` by the [`respec` workflow](https://github.com/OAI/OpenAPI-Specification/blob/main/.github/workflows/respec.yaml), which generates a pull request for publishing the HTML renderings to the [spec site](https://spec.openapis.org). - -### Schema Iterations - -The schema iterations are published independently from the specification releases [in the schema section on the spec site](https://spec.openapis.org/#openapi-specification-schemas). -Schemas are updated in and directly published from the `vX.Y-dev` branches. - -As part of the publishing process, the YAML source files are converted to JSON, renamed to the relevant last-changed dates, and `WORK-IN-PROGRESS` placeholders are replaced with these dates as appropriate. This is usually done by the `schema-publish` workflow which detects changes on each `vX.Y-dev` branch, which generates a pull request for publishing the new schema iterations to the [spec site](https://spec.openapis.org). The workflow can also be run manually if required. - -## Release Process and Scope - -This section relates to the 3.x versions only. - -### Minor Releases - -Our roadmap for 3.x releases is community-driven, meaning the specification is open for proposed additions by anyone (see [Propose a Specification Change](#propose-a-specification-change)), in addition to the issues already on the project backlog. - -Changes in minor releases (such as 3.2, 3.3) meet the following criteria: - -* Are **backwards-compatible** and be reasonably easy to implement in tooling that already supports the previous minor version. - For example, new optional fields can be added. -* Drive quality-of-life improvements to support how OpenAPI is used by practitioners, so that OpenAPI evolves to continue to meet user needs. - For example, adding fields to support changes in other standards, or adopting common `x-*` extension fields into the specification. -* Bring the future closer by making changes that are in line with future 3.x releases and the planned OpenAPI 4.x (Moonwalk) specification as the details of that become available. -* Make the specification document clearer or easier to understand. - -A minor release is due when there are some meaningful features (including one or a small number of headline features). - -### Patch Releases - -Patch releases reflect a constant quest for improving the active minor versions of OpenAPI. -Since we do not edit specification documents after publication, even the smallest change has to be in a new release. - -Changes in patch releases meet the following criteria: - -* Editorial changes such as spelling or formatting fixes, including link updates. -* Clarifications or additions that do not change the meaning of the specification. - -Patch releases are created as often as there are changes to the specification worth releasing. - -### Release Process - -A release requires a vote on the specification at a particular version and the associated release notes by TSC members within the voting period. -Major or minor release voting periods will be announced in the Slack channel and noted on the calendar at least 6 days in advance. -During this time, TSC members who have not yet voted must note their approval by leaving a comment on the GitHub pull request proposing the release; release notes should be included with the description. -TSC members are responsible for coordinating the information about the release to the outreach team as appropriate. - -* Patch-level releases require majority approval by TSC members. (Max voting period 3 days) - -* Minor: requires approval by 66% of TSC members. (Max voting period 7 days) - -* Major: requires approval by 66% of TSC members. (Max voting period 14 days) - -During the voting period, further changes should not be made to the specification being considered. - -Once the threshold of approvals is met, the release can be performed by any TSC member. - -## Propose a Specification Change - -As an organisation, we're open to changes, and these can be proposed by anyone. -The specification is very widely adopted, and there is an appropriately high bar for wide appeal and due scrutiny as a result. -We do not accept changes lightly (but we will consider any that we can). - -Small changes are welcome as pull requests. - -Bigger changes require a more formal process. - -1. Start a [discussion](https://github.com/OAI/OpenAPI-Specification/discussions) of type "Enhancements". - The discussion entry must include some use cases, your proposed solution and the alternatives you have considered. - If there is engagement and support for the proposal over time, then it can be considered as a candidate to move to the next stage. - -2. It really helps to see the proposed change in action. - Start using it as a `x-*` extension if that's appropriate, or try to bring other evidence of your proposed solution being adopted. - -3. If you are adding support for something from another specification (such as OAuth), please point to implementations of that - specification so that we can understand how, and to what degree, it is being used. - -4. If the suggested change has good support, you will be asked to create a formal proposal. - Use the [template in the proposals directory](https://github.com/OAI/OpenAPI-Specification/tree/main/proposals), copy it to a new file, and complete it. - Once you the document is ready, open a pull request on the main branch. - -5. The proposal will be more closely reviewed and commented on or amended until it is either rejected or accepted. - At that point, the proposal is merged into the `main` branch and a pull request is opened to add the feature to the appropriate `dev` version of the specification. - -Questions are welcome on the process at any time. Use the discussions feature or find us in Slack. - -## Roles - -The OpenAPI project has some key roles that are played by multiple people. - -### TSC - -The Technical Steering Committee are listed in the [MAINTAINERS file](./MAINTAINERS.md). -They are the maintainers of the OpenAPI Specification itself and every other aspect of the project operation and direction. -TSC members can review changes to all parts of the repository and make decisions about the project. - -### Maintainers - -The maintainers have write access to the repository and play a key role in the project. -They review pull requests to non-specification parts of the repository, and take on other strategic tasks around project planning and maintenance. - -### Triage +The specification and schemas are published to the [spec site](https://spec.openapis.org) by creating an `vX.Y.Z-rel` branch where `src/oas.md` is renamed to the appropriate `versions/X.Y.Z.md` file and then merged to `main`. The HTML versions of the OAS are automatically generated from the `versions` directory on `main`. This renaming on the `vX.Y.Z-rel` branch preserves the commit history for the published file on `main` when using `git log --follow` (as is the case for all older published files). -The triage team are active OpenAPI members who help with discussion and issue management. -They respond to new issues and discussions, direct people to our existing resources or raise conversations to a wider audience. -The triage team keeps an eye on the backlog and closes issues and discussions that are no longer active or needed. +The publishing process for schemas is still under discussion (see issues [#3715](https://github.com/OAI/OpenAPI-Specification/issues/3715) and [#3716](https://github.com/OAI/OpenAPI-Specification/issues/3716)), with the current proposal being to release them directly from the `vX.Y-dev` branch without merging to `main`, as the schemas in source control have placeholder identifiers and are not intended to be used as-is. -## Get in touch - -To get in touch with other people on the project, ask questions, or anything else: - -- Find us [on the OpenAPI Slack](https://communityinviter.com/apps/open-api/openapi). -- Start a [GitHub Discussion](https://github.com/OAI/OpenAPI-Specification/discussions/). -- Join one of our weekly meetings by checking the [issues list for an upcoming meetings](https://github.com/OAI/OpenAPI-Specification/issues?q=is%3Aissue%20state%3Aopen%20label%3AHousekeeping). - -## Appendix: Branch strategy +### Historical branch strategy For information on the branch and release strategy for OAS 3.0.4 and 3.1.1 and earlier, see the comments in [issue #3677](https://github.com/OAI/OpenAPI-Specification/issues/3677). -### Branch roles - -* `main` is used to publish finished work and hold the authoritative versions of general documentation such as this document, which can be merged out to other branches as needed. The `src` tree is ***not*** present on `main`. -* `dev` is the primary branch for working with the `src` tree, which is kept up-to-date with the most recent release on the most recent minor (X.Y) release line, and serves as the base for each new minor release line. Development infrastructure that is not needed on `main` is maintained here, and can be merged out to other non-`main` branches as needed. - Changes on `main` are automatically included in a pull request to `dev` (see the (section on [branch sync](#branch-sync-automation)). -* `vX.Y-dev` is the minor release line development branch for X.Y, including both the initial X.Y.0 minor version and all subsequent X.Y.Z patch versions. All PRs are made to oldest active `vX.Y-dev` branch to which the change is relevant, and then merged forward as shown in the diagram further down in this document. -* `vX.Y.Z-rel` is the release branch for an X.Y.Z release (including when Z == 0). It exists primarily for `git mv`-ing `src/oas.md` to the appropriate `versions/X.Y.Z.md` location before merging back to `main`, and can also be used for any emergency post-release fixes that come up, such as when a 3rd party changes URLs in a way that breaks published links. - ### Branching and merging (3.1.2, 3.2.0, and later) Upon release: * Pre-release steps: - * The most recent _published_ patch release from the previous line is merged up to `vX.Y-dev`, if relevant + * The most recent _published_ patch release from the previoius line is merged up to `vX.Y-dev`, if relevant * If doing simultaneous releases on multiple lines, do them from the oldest to newest line * If the release is the most recent on the current line, merge `vX.Y-dev` to `dev` * For example, if releasing 3.1.3 and 3.2.0: @@ -437,18 +163,155 @@ gitGraph TB: commit id:"3.3 work" ``` -### Branch sync automation +#### Active branches + +The first PR for a change should be against the oldest release line to which it applies. Changes can then be forward-ported as appropriate. + +The specification under development is `src/oas.md`, which _only_ exists on development branches, not on `main`. + +The current (20 October 2024) active specification releases are: + +| Version | Branch | Notes | +| ------- | ------ | ----- | +| 3.1.2 | `v3.1-dev` | active patch release line | +| 3.2.0 | `v3.2-dev` | minor release in development | +| 4.0.0 | [OAI/sig-moonwalk](https://github.com/OAI/sig-moonwalk) | [discussions only](https://github.com/OAI/sig-moonwalk/discussions) | + +## Style Guide + +Contributions to this repository should follow the style guide as described in this section. + +### Markdown + +Markdown files in this project should follow the style enforced by the [markdownlint tool](https://www.npmjs.com/package/markdownlint), +as configured by the `.markdownlint.yaml` file in the root of the project. +The `markdownlint` tool can also fix formatting, which can save time with tables in particular. + +The following additional rules should be followed but currently are not enforced by tooling: + +1. The first mention of a normative reference or an OAS-defined Object in a (sub)*section is a link, additional mentions are not. +2. OAS-defined Objects such as Schema Objects are written in this style, and are not monospaced. +3. Use "example" instead of "sample" - this spec is not about statistics. +4. Use "OpenAPI Object" instead of "root". +5. Fixed fields are monospaced. +6. Field values are monospaced in JSON notation: `true`, `false`, `null`, `"header"` (with double-quotes around string values). +7. A combination of fixed field name with example value uses JS notation: `in: "header"`, combining rules 5 and 6. +8. An exception to 5-7 is colloquial use, for example "values of type `array` or `object`" - "type" is not monospaced, so the monospaced values aren't enclosed in double quotes. +9. Use Oxford commas, avoid Shatner commas. +10. Use `` for link anchors. The `` format has been deprecated. +11. Headings use [title case](https://en.wikipedia.org/wiki/Title_case) and are followed by a blank line. + +Plus some suggestions, rather than rules: + +* Use one sentence per line in paragraphs and bullet points, to make diffs and edits easier to compare and understand. + A blank line is needed to cause a paragraph break in Markdown. +* In examples, use realistic values rather than foo/bar. + +### Use of "keyword", "field", "property", and "attribute" + +* JSON Schema keywords -> "keyword" +* OpenAPI fixed fields -> "field" +* property of a "plain" JSON object that is not an OpenAPI-defined Foo Object -> "property" +* "attribute" is only used in the XML context and means "XML attribute" + +### Field Names and Values in YAML comments + +Field names and keywords should be in backticks. +Values like "Dog" should be double quoted. + +## Release Process and Scope + +This section relates to the 3.x versions only. + +### Minor Releases + +Our roadmap for 3.x releases is community-driven, meaning the specification is open for proposed additions by anyone (see [Proposals for Specification Changes](#proposals-for-specification-changes)), in addition to the issues already on the project backlog. + +Changes in minor releases (such as 3.2, 3.3) meet the following criteria: + +* Are **backwards-compatible** and be reasonably easy to implement in tooling that already supports the previous minor version. + For example, new optional fields can be added. +* Drive quality-of-life improvements to support how OpenAPI is used by practitioners, so that OpenAPI evolves to continue to meet user needs. + For example, adding fields to support changes in other standards, or adopting common `x-*` extension fields into the specification. +* Bring the future closer by making changes that are in line with future 3.x releases and the planned OpenAPI 4.x (Moonwalk) specification as the details of that become available. +* Make the specification document clearer or easier to understand. + +A minor release is due when there are some meaningful features (including one or a small number of headline features). + +### Patch Releases + +Patch releases reflect a constant quest for improving the active minor versions of OpenAPI. +Since we do not edit specification documents after publication, even the smallest change has to be in a new release. + +Changes in patch releases meet the following criteria: + +* Editorial changes such as spelling or formatting fixes, including link updates. +* Clarifications or additions that do not change the meaning of the specification. + +Patch releases are created as often as there are changes to the specification worth releasing. + +## Branching and Versioning + +* Issue #3677: [Define and document branch strategy for the spec, both development and publishing](https://github.com/OAI/OpenAPI-Specification/issues/3677) + +## Proposals for Specification Changes + +As an organisation, we're open to changes, and these can be proposed by anyone. +The specification is very widely adopted, and there is an appropriately high bar for wide appeal and due scrutiny as a result. +We do not accept changes lightly (but we will consider any that we can). + +Small changes are welcome as pull requests. + +Bigger changes require a more formal process. + +1. Start a [discussion](https://github.com/OAI/OpenAPI-Specification/discussions) of type "Enhancements". + The discussion entry must include some use cases, your proposed solution and the alternatives you have considered. + If there is engagement and support for the proposal over time, then it can be considered as a candidate to move to the next stage. + +2. It really helps to see the proposed change in action. + Start using it as a `x-*` extension if that's appropriate, or try to bring other evidence of your proposed solution being adopted. + +3. If you are adding support for something from another specification (such as OAuth), please point to implementations of that + specification so that we can understand how, and to what degree, it is being used. + +4. If the suggested change has good support, you will be asked to create a formal proposal. + Use the [template in the proposals directory](https://github.com/OAI/OpenAPI-Specification/tree/main/proposals), copy it to a new file, and complete it. + Once you the document is ready, open a pull request on the main branch. + +5. The proposal will be more closely reviewed and commented on or amended until it is either rejected or accepted. + At that point, the proposal is merged into the `main` branch and a pull request is opened to add the feature to the appropriate `dev` version of the specification. -To keep changes in sync, we have some GitHub actions that open pull requests to take changes from `main` onto the `dev` branch, and from `dev` to each active version branch. +Questions are welcome on the process at any time. Use the discussions feature or find us in Slack. + +## Working in GitHub -- `sync-main-to-dev` opens a pull request with all the changes from the `main` branch that aren't yet included on `dev`. -- `sync-dev-to-vX.Y-dev` opens pull requests with all the changes from `dev` that aren't yet included on the corresponding `vX.Y-dev` branch. +* Issue #3847: [Document milestone usage in DEVELOPMENT.md](https://github.com/OAI/OpenAPI-Specification/issues/3847) +* Issue #3848: [Define and add new process labels and document general label usage in DEVELOPMENT.md](https://github.com/OAI/OpenAPI-Specification/issues/3848) -These need a single approval from either maintainers or TSC and can be merged. -The aim is to bring build script and repository documentation changes to the other branches. -Published versions of the specifications and schemas will also move across branches with this approach. +### Roles and Permissions -## Appendix: Issue Automation +* Issue #3582: [TOB info needs to be updated](https://github.com/OAI/OpenAPI-Specification/issues/3482) +* Issue #3523: [Define triage role criteria and process](https://github.com/OAI/OpenAPI-Specification/issues/3523) +* Issue #3524: [Define the maintainer role criteria and process](https://github.com/OAI/OpenAPI-Specification/issues/3524) + +### Projects + +The OpenAPI Initiative uses GitHub Projects to manage work _outside_ of the specification development process. There are currently two active projects: + +* [Contributor Guidance](https://github.com/orgs/OAI/projects/5/views/1) +* [Automation & Infrastructure](https://github.com/orgs/OAI/projects/4/views/1) + +### Discussions + +We are beginning (as of mid-2024) to use GitHub [discussions](https://github.com/OAI/OpenAPI-Specification/discussions?discussions_q=is%3Aopen) for open-ended topics such as major enhancements. + +* Issue #3518: [Define criteria for filing/closing issues vs discussions](https://github.com/OAI/OpenAPI-Specification/issues/3518) + +### Issues + +As of mid-2024, we prefer to use issues for topics that have a clear associated action. However, many existing issues are more open-ended, as they predate GitHub's discussions features. + +* Issue #3518: [Define criteria for filing/closing issues vs discussions](https://github.com/OAI/OpenAPI-Specification/issues/3518) ### Automated closure of issues Process @@ -464,4 +327,14 @@ This process makes use of the following labels: An issue is opened every week, 7 days in advance, for the Technical Developer Community (TDC), it provides the information to connect the meeting, and serves as a placeholder to build the agenda for the meeting. Anyone is welcome to attend the meeting, or to add items to the agenda as long as they plan on attending to present the item. These issues are also automatically pinned for visibility and labeled with "Housekeeping". -Ten (10) days after the meeting date is passed (date in the title of the issue), it gets closed and unpinned automatically. \ No newline at end of file +Ten (10) days after the meeting date is passed (date in the title of the issue), it gets closed and unpinned automatically. + +## Pull Requests + +* Issue #3581: [Who and how many people need to sign-off on a PR, exactly?](https://github.com/OAI/OpenAPI-Specification/issues/3581) +* Issue #3802: [Define a policy using draft PRs when waiting on specific approvals](https://github.com/OAI/OpenAPI-Specification/issues/3802) + +## Updating the Registries + +* Issue #3598: [Minimum criteria for Namespace Registry](https://github.com/OAI/OpenAPI-Specification/issues/3598) +* Issue #3899: [Expert review criteria for registries (How exactly does x-twitter work?)](https://github.com/OAI/OpenAPI-Specification/issues/3899) From c609a46ebfb9d821e9ee0cf3679424b20e2e5135 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:13:28 +0100 Subject: [PATCH 32/91] Revert "Update CONTRIBUTING.md" This reverts commit 97e7b3d6fead90242a599e09d8ffcf36acead4f7. --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b48f0096bc..2c2db67e7b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,7 +216,7 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and keywords should be in backticks. +Field names and keys should be in backticks. Values like "Dog" should be double quoted. ## Release Process and Scope From 67ac64d783b75a5e5b625aad4fbc7bf0cac1b220 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:13:32 +0100 Subject: [PATCH 33/91] Revert "Update CONTRIBUTING.md" This reverts commit c2c9aaf9e110485ac3e1942eb75bdb063e2bb67f. --- CONTRIBUTING.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2c2db67e7b..3d217ec28c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,8 +216,8 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and keys should be in backticks. -Values like "Dog" should be double quoted. +Field names and keys should be in backticks for consistency. +Values like "Dog" should be double quoted as they are a value rather than a keyword. ## Release Process and Scope From fb2bc8ed8a5f6ba771aeedc8e77ac7fa16547b66 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:13:40 +0100 Subject: [PATCH 34/91] Revert "Update CONTRIBUTING.md" This reverts commit 5d505db64de684c163e47ade8f8347c9c320d5d9. --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3d217ec28c..0a7542e912 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -216,7 +216,7 @@ Plus some suggestions, rather than rules: ### Field Names and Values in YAML comments -Field names and keys should be in backticks for consistency. +Field names and entries such as content types should be in backticks, they would be fixed-width fonts if the markdown was rendered (which the comments are not). Values like "Dog" should be double quoted as they are a value rather than a keyword. ## Release Process and Scope From 86f3f67c2cc74748d741335977926c1001894a72 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 6 Mar 2025 23:13:45 +0100 Subject: [PATCH 35/91] Revert "Update CONTRIBUTING.md" This reverts commit 17ab8d6cb4e947c02dd61070aedd532568740e0b. --- CONTRIBUTING.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0a7542e912..7cc369eb4e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -214,11 +214,6 @@ Plus some suggestions, rather than rules: * property of a "plain" JSON object that is not an OpenAPI-defined Foo Object -> "property" * "attribute" is only used in the XML context and means "XML attribute" -### Field Names and Values in YAML comments - -Field names and entries such as content types should be in backticks, they would be fixed-width fonts if the markdown was rendered (which the comments are not). -Values like "Dog" should be double quoted as they are a value rather than a keyword. - ## Release Process and Scope This section relates to the 3.x versions only. From 52c89a34c912a98a324785941536ded21f86ef46 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 19 Mar 2025 11:37:10 +0100 Subject: [PATCH 36/91] Fixes #4463 and adds test --- src/schemas/validation/schema.yaml | 2 +- .../pass/path_item_servers_parameters.yaml | 112 ++++++++++++++++++ 2 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 tests/schema/pass/path_item_servers_parameters.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index ada84777fd..bfa2fcf3ea 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -630,7 +630,7 @@ $defs: requestBody: true description: type: string - body: + server: $ref: '#/$defs/server' oneOf: - required: diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml new file mode 100644 index 0000000000..5db8a25cbf --- /dev/null +++ b/tests/schema/pass/path_item_servers_parameters.yaml @@ -0,0 +1,112 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /things: + summary: Lots of things + servers: + - url: https://things.example.com + get: + summary: Get a list of things + externalDocs: + description: Find more info here + url: https://example.com + parameters: + - $ref: '#/components/parameters/biscuit' + summary: The maximum number of things to return + description: The maximum number of things to return + responses: + default: + description: A list of things + servers: + - url: https://things.example.com + post: + deprecated: false + requestBody: + $ref: '#/components/requestBodies/ThingRequestBody' + responses: + '201': + $ref: '#/components/responses/ThingResponse' + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + $ref: '#/components/callbacks/transactionCallback' + patch: {} + delete: {} + head: {} + options: {} + trace: {} +components: + callbacks: + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + examples: + ThingExample: + summary: A thing + description: A thing + value: + id: 1 + name: Thing + links: + ThingLink: + description: A link to a thing + operationId: getThing + parameters: + thingId: '$response.body#/id' + server: + url: https://things.example.com + ThingyLink: + $ref: '#/components/links/ThingLink' + parameters: + limit: + name: limit + in: query + required: false + allowEmptyValue: false + allowReserved: false + deprecated: true + description: The maximum number of list items to return + schema: + type: integer + minimum: 0 + biscuit: + name: biscuit + in: cookie + style: form + schema: + type: string + requestBodies: + ThingRequestBody: + content: + application/json: + schema: + type: object + responses: + ThingResponse: + description: A thing + content: + application/json: + schema: + type: object \ No newline at end of file From 6f26e0bf1d4382869d3e4172e35f949621ebba81 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 18 Mar 2025 12:56:01 +0100 Subject: [PATCH 37/91] Schema coverage: 100% --- src/schemas/validation/schema.yaml | 2 +- .../schema/pass/callback-object-examples.yaml | 30 +++++ .../pass/components-object-example.yaml | 71 +++++++++++ .../schema/pass/example-object-examples.yaml | 63 ++++++++++ tests/schema/pass/header-object-examples.yaml | 25 ++++ tests/schema/pass/info-object-example.yaml | 19 +++ tests/schema/pass/link-object-examples.yaml | 62 ++++++++++ tests/schema/pass/media-type-examples.yaml | 97 +++++++++++++++ .../schema/pass/operation-object-example.yaml | 47 ++++++++ .../pass/parameter-object-examples.yaml | 54 +++++++++ .../schema/pass/path-item-object-example.yaml | 35 ++++++ .../pass/path_item_servers_parameters.yaml | 112 ++++++++++++++++++ tests/schema/pass/paths-object-example.yaml | 17 +++ tests/schema/pass/request-body-examples.yaml | 34 ++++++ .../schema/pass/response-object-examples.yaml | 42 +++++++ .../pass/security-scheme-object-examples.yaml | 59 +++++++++ tests/schema/pass/servers.yaml | 15 +++ tests/schema/pass/tag-object-example.yaml | 15 +++ tests/schema/schema.test.mjs | 2 +- 19 files changed, 799 insertions(+), 2 deletions(-) create mode 100644 tests/schema/pass/callback-object-examples.yaml create mode 100644 tests/schema/pass/components-object-example.yaml create mode 100644 tests/schema/pass/example-object-examples.yaml create mode 100644 tests/schema/pass/header-object-examples.yaml create mode 100644 tests/schema/pass/info-object-example.yaml create mode 100644 tests/schema/pass/link-object-examples.yaml create mode 100644 tests/schema/pass/media-type-examples.yaml create mode 100644 tests/schema/pass/operation-object-example.yaml create mode 100644 tests/schema/pass/parameter-object-examples.yaml create mode 100644 tests/schema/pass/path-item-object-example.yaml create mode 100644 tests/schema/pass/path_item_servers_parameters.yaml create mode 100644 tests/schema/pass/paths-object-example.yaml create mode 100644 tests/schema/pass/request-body-examples.yaml create mode 100644 tests/schema/pass/response-object-examples.yaml create mode 100644 tests/schema/pass/security-scheme-object-examples.yaml create mode 100644 tests/schema/pass/tag-object-example.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index ada84777fd..bfa2fcf3ea 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -630,7 +630,7 @@ $defs: requestBody: true description: type: string - body: + server: $ref: '#/$defs/server' oneOf: - required: diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml new file mode 100644 index 0000000000..641a79ea99 --- /dev/null +++ b/tests/schema/pass/callback-object-examples.yaml @@ -0,0 +1,30 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml new file mode 100644 index 0000000000..9ef0c17665 --- /dev/null +++ b/tests/schema/pass/components-object-example.yaml @@ -0,0 +1,71 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + schemas: + GeneralError: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + parameters: + skipParam: + name: skip + in: query + description: number of items to skip + required: true + schema: + type: integer + format: int32 + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + format: int32 + responses: + NotFound: + description: Entity not found. + IllegalInput: + description: Illegal input for operation. + GeneralError: + description: General Error + content: + application/json: + schema: + $ref: '#/components/schemas/GeneralError' + securitySchemes: + api_key: + type: apiKey + name: api-key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml new file mode 100644 index 0000000000..664b22f429 --- /dev/null +++ b/tests/schema/pass/example-object-examples.yaml @@ -0,0 +1,63 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + with-example: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + foo: + summary: A foo example + value: + foo: bar + bar: + summary: A bar example + value: + bar: baz + application/xml: + examples: + xmlExample: + summary: This is an example in XML + externalValue: https://example.org/examples/address-example.xml + text/plain: + examples: + textExample: + summary: This is a text example + externalValue: https://foo.bar/examples/address-example.txt + parameters: + with-example: + name: zipCode + in: query + schema: + type: string + format: zip-code + examples: + zip-example: + $ref: '#/components/examples/zip-example' + responses: + '200': + description: your car appointment has been booked + content: + application/json: + schema: + $ref: '#/components/schemas/SuccessResponse' + examples: + confirmation-success: + $ref: '#/components/examples/confirmation-success' + application/x-www-form-urlencoded: + schema: + type: object + properties: + jsonValue: + type: string + encoding: + jsonValue: + contentType: application/json + examples: + jsonFormValue: + description: 'The JSON string "json" as a form value' + value: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml new file mode 100644 index 0000000000..7b91efbbae --- /dev/null +++ b/tests/schema/pass/header-object-examples.yaml @@ -0,0 +1,25 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + deprecated: false + schema: + type: integer + ETag: + required: true + content: + text/plain: + schema: + type: string + pattern: ^" + Reference: + $ref: '#/components/schemas/ETag' + Style: + schema: + type: array + style: simple + explode: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml new file mode 100644 index 0000000000..2c32cd9c10 --- /dev/null +++ b/tests/schema/pass/info-object-example.yaml @@ -0,0 +1,19 @@ +# including External Documentation Object Example +openapi: 3.1.0 +info: + title: Example Pet Store App + summary: A pet store manager. + description: This is an example server for a pet store. + termsOfService: https://example.com/terms/ + contact: + name: API Support + url: https://www.example.com/support + email: support@example.com + license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0.html + version: 1.0.1 +externalDocs: + description: Find more info here + url: https://example.com +components: {} diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml new file mode 100644 index 0000000000..92142a94a6 --- /dev/null +++ b/tests/schema/pass/link-object-examples.yaml @@ -0,0 +1,62 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /users/{id}: + parameters: + - name: id + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + responses: + '200': + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + # the target link operationId + operationId: getUserAddress + parameters: + # get the `id` field from the request path parameter named `id` + userid: $request.path.id + address2: + operationId: getUserAddressByUUID + parameters: + # get the `uuid` field from the `uuid` field in the response body + userUuid: $response.body#/uuid + UserRepositories: + # returns array of '#/components/schemas/repository' + operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' + parameters: + username: $response.body#/username + UserRepositories2: + # returns array of '#/components/schemas/repository' + operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get + parameters: + username: $response.body#/username + # the path item of the linked operation + /users/{userid}/address: + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + # linked operation + get: + operationId: getUserAddress + responses: + '200': + description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml new file mode 100644 index 0000000000..061a848b3f --- /dev/null +++ b/tests/schema/pass/media-type-examples.yaml @@ -0,0 +1,97 @@ +# including Encoding Object examples +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /something: + put: + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: + name: Fluffy + petType: Cat + color: White + gender: male + breed: Persian + dog: + summary: An example of a dog with a cat's name + value: + name: Puma + petType: Dog + color: Black + gender: Female + breed: Mixed + frog: + $ref: '#/components/examples/frog-example' + application/x-www-form-urlencoded: + schema: + type: object + properties: + id: + type: string + format: uuid + address: + # complex types are stringified to support RFC 1866 + type: object + properties: {} + icon: + # The default with "contentEncoding" is application/octet-stream, + # so we need to set image media type(s) in the Encoding Object. + type: string + contentEncoding: base64url + encoding: + icon: + contentType: image/png, image/jpeg + multipart/form-data: + schema: + type: object + properties: + id: + # default is `text/plain` + type: string + format: uuid + addresses: + # default based on the `items` subschema would be + # `application/json`, but we want these address objects + # serialized as `application/xml` instead + description: addresses in XML format + type: array + items: + $ref: '#/components/schemas/Address' + profileImage: + # default is application/octet-stream, but we can declare + # a more specific image type or types + type: string + format: binary + forCoverage: + type: string + forCoverage2: + type: string + encoding: + addresses: + # require XML Content-Type in utf-8 encoding + # This is applied to each address part corresponding + # to each address in he array + contentType: application/xml; charset=utf-8 + profileImage: + # only accept png or jpeg + contentType: image/png, image/jpeg + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + forCoverage: + style: form + explode: false + allowReserved: true + forCoverage2: + style: spaceDelimited + explode: true \ No newline at end of file diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml new file mode 100644 index 0000000000..9a5c76d0a0 --- /dev/null +++ b/tests/schema/pass/operation-object-example.yaml @@ -0,0 +1,47 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + put: + tags: + - pet + summary: Updates a pet in the store with form data + operationId: updatePetWithForm + parameters: + - name: petId + in: path + description: ID of pet that needs to be updated + required: true + schema: + type: string + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + description: Updated name of the pet + type: string + status: + description: Updated status of the pet + type: string + required: + - status + responses: + '200': + description: Pet updated. + content: + application/json: {} + application/xml: {} + '405': + description: Method Not Allowed + content: + application/json: {} + application/xml: {} + security: + - petstore_auth: + - write:pets + - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml new file mode 100644 index 0000000000..fe6a13ea7c --- /dev/null +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -0,0 +1,54 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /user/{username}: + parameters: + - name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: username + in: path + description: username to fetch + required: true + schema: + type: string + - name: id + in: query + description: ID of the object to fetch + required: false + schema: + type: array + items: + type: string + style: form + explode: true + - in: query + name: freeForm + schema: + type: object + additionalProperties: + type: integer + style: form + - in: query + name: coordinates + content: + application/json: + schema: + type: object + required: + - lat + - long + properties: + lat: + type: number + long: + type: number \ No newline at end of file diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml new file mode 100644 index 0000000000..41a86ec230 --- /dev/null +++ b/tests/schema/pass/path-item-object-example.yaml @@ -0,0 +1,35 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml new file mode 100644 index 0000000000..70dccfe13d --- /dev/null +++ b/tests/schema/pass/path_item_servers_parameters.yaml @@ -0,0 +1,112 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /things: + summary: Lots of things + servers: + - url: https://things.example.com + get: + summary: Get a list of things + externalDocs: + description: Find more info here + url: https://example.com + parameters: + - $ref: '#/components/parameters/biscuit' + summary: The maximum number of things to return + description: The maximum number of things to return + responses: + default: + description: A list of things + servers: + - url: https://things.example.com + post: + deprecated: false + requestBody: + $ref: '#/components/requestBodies/ThingRequestBody' + responses: + '201': + $ref: '#/components/responses/ThingResponse' + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + $ref: '#/components/callbacks/transactionCallback' + patch: {} + delete: {} + head: {} + options: {} + trace: {} +components: + callbacks: + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + examples: + ThingExample: + summary: A thing + description: A thing + value: + id: 1 + name: Thing + links: + ThingLink: + description: A link to a thing + operationId: getThing + parameters: + thingId: '$response.body#/id' + server: + url: https://things.example.com + ThingyLink: + $ref: '#/components/links/ThingLink' + parameters: + limit: + name: limit + in: query + required: false + allowEmptyValue: false + allowReserved: false + deprecated: true + description: The maximum number of list items to return + schema: + type: integer + minimum: 0 + biscuit: + name: biscuit + in: cookie + style: form + schema: + type: string + requestBodies: + ThingRequestBody: + content: + application/json: + schema: + type: object + responses: + ThingResponse: + description: A thing + content: + application/json: + schema: + type: object diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml new file mode 100644 index 0000000000..ec56acdb13 --- /dev/null +++ b/tests/schema/pass/paths-object-example.yaml @@ -0,0 +1,17 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /pets: + get: + description: Returns all pets from the system that the user has access to + responses: + '200': + description: A list of pets. + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml new file mode 100644 index 0000000000..da1b0056ad --- /dev/null +++ b/tests/schema/pass/request-body-examples.yaml @@ -0,0 +1,34 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /something: + put: + requestBody: + description: user to add to the system + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example + externalValue: https://foo.bar/examples/user-example.json + application/xml: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example in XML + externalValue: https://foo.bar/examples/user-example.xml + text/plain: + examples: + user: + summary: User example in plain text + externalValue: https://foo.bar/examples/user-example.txt + '*/*': + examples: + user: + summary: User example in other format + externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml new file mode 100644 index 0000000000..a63e995d48 --- /dev/null +++ b/tests/schema/pass/response-object-examples.yaml @@ -0,0 +1,42 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + responses: + complex-object-array: + description: A complex object array response + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/VeryComplexType' + simple-string: + description: A simple string response + content: + text/plain: + schema: + type: string + plain-text-with-headers: + description: A simple string response + content: + text/plain: + schema: + type: string + example: 'whoa!' + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + X-Rate-Limit-Remaining: + description: The number of remaining requests in the current period + schema: + type: integer + X-Rate-Limit-Reset: + description: The number of seconds left in the current period + schema: + type: integer + no-return-value: + description: object created \ No newline at end of file diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml new file mode 100644 index 0000000000..0b0e9900a6 --- /dev/null +++ b/tests/schema/pass/security-scheme-object-examples.yaml @@ -0,0 +1,59 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +security: + - basic: [] + - apiKey: [] + - JWT-bearer: [] + - mutualTLS: [] + - OAuth2: + - write:pets + - read:pets +components: + securitySchemes: + basic: + type: http + scheme: basic + apiKey: + type: apiKey + name: api-key + in: header + JWT-bearer: + type: http + scheme: bearer + bearerFormat: JWT + mutualTLS: + type: mutualTLS + description: Cert must be signed by example.com CA + OAuth2: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + refreshUrl: https://example.com/api/oauth/refresh + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + password: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + clientCredentials: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + OpenIdConnect: + type: openIdConnect + openIdConnectUrl: https://example.com/api/oauth/openid + external: + $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml index 77a20498da..ca68a88b96 100644 --- a/tests/schema/pass/servers.yaml +++ b/tests/schema/pass/servers.yaml @@ -8,3 +8,18 @@ servers: description: Run locally. - url: https://production.com/v1 description: Run on production server. + - url: https://{username}.gigantic-server.com:{port}/{basePath} + description: The production API server + variables: + username: + # note! no enum here means it is an open value + default: demo + description: A user-specific subdomain. Use `demo` for a free sandbox environment. + port: + enum: + - '8443' + - '443' + default: '8443' + basePath: + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + default: v2 \ No newline at end of file diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml new file mode 100644 index 0000000000..aba0c7d7d5 --- /dev/null +++ b/tests/schema/pass/tag-object-example.yaml @@ -0,0 +1,15 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: {} +tags: + + - name: pet + description: Pets operations + + - name: external + description: Operations available to external consumers + externalDocs: + description: Find more info here + url: https://example.com diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index 17d1f9ce46..362ccc856c 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -37,7 +37,7 @@ describe("v3.1", () => { test(entry.name, () => { const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); const output = validateOpenApi(instance, BASIC); - expect(output.valid).to.equal(true); + expect(output).to.deep.equal({ valid: true }); }); }); }); From 6f5e6c4f1299e248b741bb6a91cf05c4dc7250a0 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Thu, 27 Mar 2025 09:05:28 +0100 Subject: [PATCH 38/91] Add test case for "body"/"server" bug fix --- tests/schema/fail/link-object-no-body.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 tests/schema/fail/link-object-no-body.yaml diff --git a/tests/schema/fail/link-object-no-body.yaml b/tests/schema/fail/link-object-no-body.yaml new file mode 100644 index 0000000000..2c327694f5 --- /dev/null +++ b/tests/schema/fail/link-object-no-body.yaml @@ -0,0 +1,11 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + links: + Link-Object-with-body-property: + operationId: getThing + description: The "server" property was misspelled as "body" in a previous schema iteration, now fixed + body: + url: https://things.example.com From 5fb815df6c7960922dd2cd6f3deb7ee0f37c8c5c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 27 Mar 2025 08:49:58 -0700 Subject: [PATCH 39/91] Discrimator -> Discriminator We do not have a feature that discriminates against tomatoes (this joke may not translate too all English-speaking regions, much less other languages :-) --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 6e0aa4b59c..243fd1c084 100644 --- a/src/oas.md +++ b/src/oas.md @@ -198,7 +198,7 @@ There are no URI-based alternatives for the Security Requirement Object or for t These limitations are expected to be addressed in a future release. See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. -The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. From 385f2798739d693d46cff6f8e2fc3bd3b35bf2af Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Tue, 13 May 2025 10:00:02 -0700 Subject: [PATCH 40/91] Root XML element name comes from component name Clarifies that the name of the root XML element comes from the component name, which was shown in an example but was unclear due to the use of the obsolete OAS 2.0 terminology "model." This does not change the restriction (in the `xml` field of the Schema Object) that the `xml` field only applies to property schemas (and not root schemas). --- src/oas.md | 67 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/src/oas.md b/src/oas.md index 243fd1c084..f7b604be52 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3447,7 +3447,7 @@ See examples for expected behavior. | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | +| name | `string` | Replaces the name of the element/attribute used for the described schema property. For the root XML element, the name comes from the [schema component](#components-schemas) name; for other elements or attributes, the name comes from the property name. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | | namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | | attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | @@ -3539,25 +3539,30 @@ animals: ###### XML Attribute, Prefix and Namespace -In this example, a full model definition is shown. +In this example, a full [schema component](#components-schemas) definition is shown. +Note that the name of the root XML element comes from the component name. ```json { - "Person": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "xml": { - "attribute": true - } - }, - "name": { - "type": "string", - "xml": { - "namespace": "https://example.com/schema/sample", - "prefix": "sample" + "components": { + "schemas": { + "Person": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int32", + "xml": { + "attribute": true + } + }, + "name": { + "type": "string", + "xml": { + "namespace": "https://example.com/schema/sample", + "prefix": "sample" + } + } } } } @@ -3566,19 +3571,21 @@ In this example, a full model definition is shown. ``` ```yaml -Person: - type: object - properties: - id: - type: integer - format: int32 - xml: - attribute: true - name: - type: string - xml: - namespace: https://example.com/schema/sample - prefix: sample +components: + schemas: + Person: + type: object + properties: + id: + type: integer + format: int32 + xml: + attribute: true + name: + type: string + xml: + namespace: https://example.com/schema/sample + prefix: sample ``` ```xml From 58c4f0660fedbfed6303b0989b410b1970204bce Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 15 May 2025 10:05:50 -0700 Subject: [PATCH 41/91] Align wording with components rather than "root" This avoids reinforcing the "root schema" vs "property schema" restriction that we plan to relax. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f7b604be52..12594da7c9 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3447,7 +3447,7 @@ See examples for expected behavior. | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | Replaces the name of the element/attribute used for the described schema property. For the root XML element, the name comes from the [schema component](#components-schemas) name; for other elements or attributes, the name comes from the property name. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | +| name | `string` | Replaces the inferred name of the element/attribute used for the described schema property. For the root schema object of a [schema component](#components-schemas), the inferred name is the name of the component; for other schemas the name is inferred from the parent property name. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | | namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | | attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | From f8a7ad4d865d129b9de8fbef7de51f11e8c64baf Mon Sep 17 00:00:00 2001 From: Lorna Jane Mitchell Date: Fri, 16 May 2025 20:16:53 +0100 Subject: [PATCH 42/91] Tidy up some suspect formatting --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 243fd1c084..b0355faa8d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1782,8 +1782,8 @@ Note that there are significant restrictions on what headers can be used with `m Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. -+Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. -+If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. +Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. +If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's`contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. From 8f03154a83313b3b992b787b748961ab71003473 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 17 May 2025 20:46:36 -0700 Subject: [PATCH 43/91] Provide guidance on null in XML. There really isn't a native `null` type in XML, as both elements and attributes that are empty have an empty string value. We also need to leave the behavior implementation-defined for compatibility. However, the `xsi:nil` attribute is the closest thing to a `null` element. Attributes are harder, and the best I can come up with is letting `null` behave the same as an omitted attribute for the purpose of serialization. --- src/oas.md | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/src/oas.md b/src/oas.md index 243fd1c084..53241e4bac 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3455,12 +3455,29 @@ See examples for expected behavior. This object MAY be extended with [Specification Extensions](#specification-extensions). +##### Namespace Limitations + The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: * Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. * XML allows but discourages relative URI-references, while this specification outright forbids them. * XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. +##### Handling `null` Values + +XML does not, by default, have a concept equivalent to `null`, and to preserve compatibility with version 3.1.1 and earlier of this specification, the behavior of serializing `null` values is implementation-defined. + +However, implementations SHOULD handle `null` values as follows: + +* For elements, produce an empty element with an `xsi:nil="true"` attribute +* For attributes, omit the attribute + +Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. +As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. +However, because there is no distinct way to represent `null` as an attribute, it is RECOMMENDED to make attribute properties optional rather than use `null`. + +To ensure correct round-trip behavior, when parsing an element that omits an attribute, implementations SHOULD set the corresponding property to `null` if the schema allows for that value (e.g. `type: ["number", "null"]`), and omit the property otherwise (e.g.`type: "number"`). + ##### XML Object Examples Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schema-object) that is omitted for brevity. @@ -3796,6 +3813,85 @@ animals: ``` +###### XML With `null` Values + +Recall that the schema validates the in-memory data, not the XML document itself. +The properties of the `"metadata"` element are omitted for brevity as it is here to show how the `null` value is represented. + +```json +{ + "product": { + "type": "object", + "required": ["count", "description", "related"], + "properties": { + "count": { + "type": ["number", "null"], + "xml": { + "attribute": true + } + }, + "rating": { + "type": "string", + "xml": { + "attribute": true + } + }, + "description": { + "type": "string" + }, + "related": { + "type": ["object", "null"] + } + } + } +} +``` + +```yaml +product: + type: object + required: + - count + - description + - related + properties: + count: + type: + - number + - "null" + xml: + attribute: true + rating: + type: string + xml: + attribute: true + description: + type: string + related: + type: + - object + - "null" +``` + +```xml + + Thing + + +``` + +The above XML example corresponds to the following in-memory instance: + +```json +{ + "product": { + "count": null, + "description": "Thing", + "related": null + } +} +``` + #### Security Scheme Object Defines a security scheme that can be used by the operations. From 70274dc5460f8d5722ae52dee55db72d394b5010 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 18 May 2025 09:31:00 -0700 Subject: [PATCH 44/91] Clarify that Request Body Objects need a body We require `content` but failed to require it to be non-empty, even though a request body without a body does not make any sense. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 243fd1c084..aa4823f6d7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1404,7 +1404,7 @@ Describes a single request body. | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. The map SHOULD Have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From 21d0a855710bca8552f2d75d12899e9edd4f0bcb Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 19 May 2025 08:40:59 -0700 Subject: [PATCH 45/91] Punctuation per style guide --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index 53241e4bac..ccc3ff0994 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3469,8 +3469,8 @@ XML does not, by default, have a concept equivalent to `null`, and to preserve c However, implementations SHOULD handle `null` values as follows: -* For elements, produce an empty element with an `xsi:nil="true"` attribute -* For attributes, omit the attribute +* For elements, produce an empty element with an `xsi:nil="true"` attribute. +* For attributes, omit the attribute. Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. From a200ab6112accf334a2c05677a5cebe0ab11d421 Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Mon, 19 May 2025 08:42:04 -0700 Subject: [PATCH 46/91] Fix capitalization Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index aa4823f6d7..9662ce27bc 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1404,7 +1404,7 @@ Describes a single request body. | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. The map SHOULD Have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. The map SHOULD have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). From f6a083c3e5a3ffb7ffb4fa034c31dd1f793501be Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 16:01:14 -0700 Subject: [PATCH 47/91] Use matching jsonSchemaDialect Since we are testing with a placeholder, we need to match the placeholder. This will unfortunately need to be different on each new release line branch, so let's separate this test case into its own file. --- tests/schema/pass/json_schema_dialect.yaml | 15 +++++++++++++++ tests/schema/pass/mega.yaml | 1 - 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 tests/schema/pass/json_schema_dialect.yaml diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml new file mode 100644 index 0000000000..ae0ed863b3 --- /dev/null +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -0,0 +1,15 @@ +openapi: 3.1.0 +info: + summary: Testing jsonSchemaDialect + title: My API + version: 1.0.0 + license: + name: Apache 2.0 + identifier: Apache-2.0 +jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +components: + schemas: + WithDollarSchema: + $id: "locked-metaschema" + $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +paths: {} diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 8838c03a6d..98ce577dce 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -6,7 +6,6 @@ info: license: name: Apache 2.0 identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/base paths: /: get: From 62151194f59a5c7ffc9bc5043df2d875475d52e5 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:03:38 -0700 Subject: [PATCH 48/91] Add XML Object schema tests --- tests/schema/pass/media-type-examples.yaml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml index 061a848b3f..ed5862f072 100644 --- a/tests/schema/pass/media-type-examples.yaml +++ b/tests/schema/pass/media-type-examples.yaml @@ -30,6 +30,26 @@ paths: breed: Mixed frog: $ref: '#/components/examples/frog-example' + application/xml: + schema: + type: object + properties: + foo: + type: string + xml: + namespace: https://example.com + prefix: example + name: Foo + bar: + type: array + items: + type: number + xml: + wrapped: true + attr: + type: string + xml: + attribute: true application/x-www-form-urlencoded: schema: type: object @@ -94,4 +114,4 @@ paths: allowReserved: true forCoverage2: style: spaceDelimited - explode: true \ No newline at end of file + explode: true From cbc870f2d9ef99fba3222af2c5a0596d9f1ae44c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:08:52 -0700 Subject: [PATCH 49/91] Use externalDocs in a schema test object --- tests/schema/pass/mega.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 98ce577dce..d3048850f2 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -27,6 +27,9 @@ components: content: 'application/json': schema: + externalDocs: + description: More docs! + url: https://example.com/elsewhere.html type: object properties: type: From d287f99947cec7c765d836902d08644e9238e83c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 12 Jun 2025 19:13:36 -0700 Subject: [PATCH 50/91] Cover discriminator with schema test cases Also make the discriminator usage valid. --- tests/schema/pass/mega.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index d3048850f2..dafae3991f 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -19,6 +19,12 @@ components: securitySchemes: mtls: type: mutualTLS + schemas: + Foo: + type: object + properties: + type: + const: foo pathItems: myPathItem: post: @@ -47,5 +53,9 @@ components: type: ['string','null'] discriminator: propertyName: type + mapping: + foo: Foo x-extension: true + anyOf: + - $ref: "#/components/schemas/Foo" myArbitraryKeyword: true From caaa7ab69040f37b64897690622f3967788af463 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 12:16:31 -0700 Subject: [PATCH 51/91] Fix guidance on headers and RFC6570 percent-encoding After much debate and research, we agreed that percent-encoding was never meant to be applied to headers. Exactly how to handle RFC6570 and cookie parameters remains TBD. For now, this preserves (but streamlines) the existing guidance for cookies. --- src/oas.md | 47 +++++++++++++++++++---------------------------- 1 file changed, 19 insertions(+), 28 deletions(-) diff --git a/src/oas.md b/src/oas.md index 04a558d631..cdf076adc7 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1164,7 +1164,10 @@ For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter- When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. -Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: "header"` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: "header"` parameters where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed. + +Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2563,7 +2566,8 @@ This object MAY be extended with [Specification Extensions](#specification-exten For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. -Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. @@ -2581,7 +2585,6 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 ###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#header-content) field can define the media type and schema of the header, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2612,13 +2615,9 @@ Requiring that a strong `ETag` header (with a value starting with `"` rather tha ```json "ETag": { "required": true, - "content": { - "text/plain": { - "schema": { - "type": "string", - "pattern": "^\"" - } - } + "schema": { + "type": "string", + "pattern": "^\"" } } ``` @@ -2626,11 +2625,9 @@ Requiring that a strong `ETag` header (with a value starting with `"` rather tha ```yaml ETag: required: true - content: - text/plain: - schema: - type: string - pattern: ^" + schema: + type: string + pattern: ^" ``` #### Tag Object @@ -4522,25 +4519,19 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies -[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. +_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to both headers and cookies. +However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._ + +[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. -For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). +[RFC6265](https://www.rfc-editor.org/rfc/rfc6265) recommends (but does not strictly required) base64 encoding (`contentEncoding: "base64"`) if "arbitrary data" will be stored in a cookie. Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. -Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. -While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP (header or trailer) field parameters, these parameters appear after a `;` character. -With `style: "simple"`, that delimiter would itself be percent-encoded, violating the general HTTP field syntax. - -Using `style: "form"` with `in: "cookie"` is ambiguous for a single value, and incorrect for multiple values. -This is true whether the multiple values are the result of using `explode: true` or not. - -This style is specified to be equivalent to RFC6570 form expansion which includes the `?` character (see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details), which is not part of the cookie syntax. -However, examples of this style in past versions of this specification have not included the `?` prefix, suggesting that the comparison is not exact. -Because implementations that rely on an RFC6570 implementation and those that perform custom serialization based on the style example will produce different results, it is implementation-defined as to which of the two results is correct. +Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. -For multiple values, `style: "form"` is always incorrect as name=value pairs in cookies are delimited by `;` (a semicolon followed by a space character) rather than `&`. +For multiple values, `style: "form"` is always incorrect, even if no characters are subject to percent-encoding, as name=value pairs in cookies are delimited by `; ` (a semicolon followed by a space character) rather than `&`. ## Appendix E: Percent-Encoding and Form Media Types From e9d97641a8293d06b7d9956c4a6569f587056742 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 12:36:50 -0700 Subject: [PATCH 52/91] Fix guidance for RFC6570 and multipart/form-data Research has determined that percent-encoding was never intended to apply to this media type. --- src/oas.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 04a558d631..62b82e08a0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1674,7 +1674,8 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. +When using RFC6570-style serialization for `multipart/form-data`, URI percent-encoding MUST NOT be applied, and the value of `allowReserved` has no effect. +See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance. Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. @@ -4278,9 +4279,9 @@ Implementations of this specification MAY use an implementation of RFC6570 to pe Note that when using `style: "form"` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. -When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used. +When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used, and URI percent encoding is not applied, regardless of the value of `allowReserved`. Note that while [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578) allows using [[RFC3986]] percent-encoding in "file names", it does not otherwise address the use of percent-encoding within the format. -RFC7578 discusses character set and encoding issues for `multipart/form-data` in detail, and it is RECOMMENDED that OpenAPI Description authors read this guidance carefully before deciding to use RFC6570-based serialization with this media type. +Users are expected to provide names and data with any escaping necessary for conformance with RFC7578 already applied. Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. @@ -4569,8 +4570,9 @@ This means that while these three characters are reserved-but-allowed in query s [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578#section-2) suggests RFC3986-based percent-encoding as a mechanism to keep text-based per-part header data such as file names within the ASCII character set. This suggestion was not part of older (pre-2015) specifications for `form-data`, so care must be taken to ensure interoperability. +Users wishing to use percent-encoding in this way MUST provide the data in percent-encoded form, as percent-encoding is not automatically applied for this media type regardless of which Encoding Object fields are used. -The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding is not needed and is likely to cause interoperability problems unless the `Content-Type` of the part is defined to require it. +The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding or similar escaping is not needed in general. ### Generating and Validating URIs and `form-urlencoded` Strings From 099421089e5612fee0c9014860e992edee7db731 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 12:47:22 -0700 Subject: [PATCH 53/91] Reword to placate markdown-lint --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index cdf076adc7..79331088a8 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4531,7 +4531,7 @@ While `contentEncoding` also supports the `base64url` encoding, which is URL-saf Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. -For multiple values, `style: "form"` is always incorrect, even if no characters are subject to percent-encoding, as name=value pairs in cookies are delimited by `; ` (a semicolon followed by a space character) rather than `&`. +For multiple values, `style: "form"` is always incorrect, even if no characters are subject to percent-encoding, as name=value pairs in cookies are delimited by a semicolon followed by a space character rather than `&`. ## Appendix E: Percent-Encoding and Form Media Types From 7a602dcc7c422074dbffedff226c29042430683c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 15:34:41 -0700 Subject: [PATCH 54/91] New percent-encoding section. --- src/oas.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/oas.md b/src/oas.md index 04a558d631..a11b9e4334 100644 --- a/src/oas.md +++ b/src/oas.md @@ -64,6 +64,32 @@ Some examples of possible media type definitions: application/vnd.github.v3.patch ``` +### URI Percent-Encoding + +All URIs MUST successfully parse and percent-decode using [[RFC3986]] rules. + +Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. + +These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. + +Percent-_encoding_ is performed in several places: + +* By [[RFC6570]] implementations (or simulations thereof; see [Appendix C](#appendix-c-using-rfc6570-based-serialization)) +* By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding +* By the user, prior to passing data through RFC6570's reserved expansion process + +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with the historical requirements of [[RFC1738]], which is cited by RFC1866. +This approach is used in examples in this specification. + +For `form-urlencoded`, while the encoding algorithm given by RFC1866 requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. +Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. + +Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. +The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. +In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. + ### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. From a9b21b2e4c50bbc877fbca6849e8898114a661bd Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sun, 3 Aug 2025 11:38:56 -0700 Subject: [PATCH 55/91] Address quoting and headers more thoroughly. --- src/oas.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/oas.md b/src/oas.md index 79331088a8..7a4314f50b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1165,7 +1165,7 @@ When `example` or `examples` are provided in conjunction with the `schema` field The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. -Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed. +Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. @@ -1183,7 +1183,7 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65 ###### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate. +Using `content` with a `text/plain` media type is RECOMMENDED for `in: "cookie"` parameters where the `schema` strategy's percent-encoding and/or delimiter rules are not appropriate. | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2567,7 +2567,7 @@ For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. -Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed. +Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. @@ -4519,7 +4519,13 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies -_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to both headers and cookies. +HTTP headers have inconsistent rules regarding what characters are allowed, and how some or all disallowed characters can be escaped and included. +While the `quoted-string` ABNF rule given in [[RFC7230]] [Section 3.2.6](https://httpwg.org/specs/rfc7230.html#field.components) is the most common escaping solution, it is not sufficiently universal to apply automatically. +For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the contents), and a weak `ETag` looks like `W/"foo"` (note that only part of the value is quoted); the contents of the quotes for this header are also not escaped in the way `quoted-string` contents are. + +For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes. + +_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to avoid RFC6570-style serialization to both headers and cookies. However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._ [RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. From 6ee805fa0848b971c58132f7adf3ec55962b2af7 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 4 Aug 2025 11:53:45 -0700 Subject: [PATCH 56/91] Clarify this is about API URLs --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index a11b9e4334..0313aed002 100644 --- a/src/oas.md +++ b/src/oas.md @@ -66,7 +66,7 @@ Some examples of possible media type definitions: ### URI Percent-Encoding -All URIs MUST successfully parse and percent-decode using [[RFC3986]] rules. +All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. From 506da3afed6f1b4fbe07f31d8edb9f9bd71bf9d1 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 4 Aug 2025 13:37:27 -0700 Subject: [PATCH 57/91] Move pct-enc section under Parameter Object --- src/oas.md | 53 ++++++++++++++++++++++++++--------------------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/src/oas.md b/src/oas.md index 0313aed002..eb1c872f24 100644 --- a/src/oas.md +++ b/src/oas.md @@ -43,6 +43,7 @@ Path templating refers to the usage of template expressions, delimited by curly Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). +See [URL Percent-Encoding](#url-percent-encoding) for additional guidance on escaping characters. ### Media Types @@ -64,32 +65,6 @@ Some examples of possible media type definitions: application/vnd.github.v3.patch ``` -### URI Percent-Encoding - -All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. - -Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. - -These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. - -Percent-_encoding_ is performed in several places: - -* By [[RFC6570]] implementations (or simulations thereof; see [Appendix C](#appendix-c-using-rfc6570-based-serialization)) -* By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding -* By the user, prior to passing data through RFC6570's reserved expansion process - -When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with the historical requirements of [[RFC1738]], which is cited by RFC1866. -This approach is used in examples in this specification. - -For `form-urlencoded`, while the encoding algorithm given by RFC1866 requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. -Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. - -Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. -The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. -In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. - -See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. - ### HTTP Status Codes The HTTP Status Codes are used to indicate the status of the executed operation. @@ -1226,7 +1201,31 @@ In order to support common ways of serializing simple parameters, a set of `styl | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined. | -See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. +#### URL Percent-Encoding + +All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. + +Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[RFC1866]] rules, including treating non-percent-encoded `+` as an escaped space character. + +These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. + +Percent-_encoding_ is performed in several places: + +* By [[RFC6570]] implementations (or simulations thereof; see [Appendix C](#appendix-c-using-rfc6570-based-serialization)) +* By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding +* By the user, prior to passing data through RFC6570's reserved expansion process + +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with the historical requirements of [[RFC1738]], which is cited by RFC1866. +This approach is used in examples in this specification. + +For `form-urlencoded`, while the encoding algorithm given by RFC1866 requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. +Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. + +Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. +The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. +In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. ##### Style Examples From 1980fef0be331efe3632ba8033a43910ce06623c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 7 Aug 2025 12:03:53 -0700 Subject: [PATCH 58/91] Clarifications --- src/oas.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 7a4314f50b..d8d1039792 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1165,7 +1165,7 @@ When `example` or `examples` are provided in conjunction with the `schema` field The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. -Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. +Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. @@ -2566,8 +2566,8 @@ This object MAY be extended with [Specification Extensions](#specification-exten For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. -When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. -Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. +When serializing headers with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. @@ -4525,6 +4525,8 @@ For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes. +### Percent-Encoding and Cookies + _**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to avoid RFC6570-style serialization to both headers and cookies. However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._ From 151841cd99ebc0115378b7a85b0fc64f7beb7b77 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Fri, 11 Jul 2025 16:58:05 -0700 Subject: [PATCH 59/91] Explain Param and Header example serialization The rules for this have not been clear, and are not always intuitive. This states and explains them directly and ensures that the Style Examples table matches the rules. Unlike past efforts, this provides a rule system regarding what is and is not included, based on a combination of what is produced by RFC6570 (or the nearest RFC6570 equivalent), modified by removing leading delimiters that are not correct for our usage due to differences from the assuptions made by RFC6570. --- src/oas.md | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/src/oas.md b/src/oas.md index e5c0bf7a86..927b7c91e6 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1230,9 +1230,27 @@ In some cases, such as inserting `/` into path parameter values, doing so is [ex See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and OAS-defined delimiters that are not allowed by RFC3986, and [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using RFC6570 implementations. +##### Serialization and Examples + +The rules in this section apply to both the Parameter and [Header](#header-object) Objects, both of which use the same mechanisms. + +When showing serialized examples using the `example` field or [Example Objects](#example-object), in most cases the value to show is just the value, with all relevant percent-encoding or other encoding/escaping applied, and also including any delimiters produced by the `style` and `explode` configuration. + +In cases where the name is an inherent part of constructing the serialization, such as the `name=value` pairs produced by `style: "form"` or the combination of `style: "simple", explode: true`, the name and any delimiter between the name and value MUST be included. + +The `matrix` and `label` styles produce a leading delimiter which is always a valid part of the serialization and MUST be included. +The RFC6570 operators corresponding to `style: "form"` produce a leading delimiter of either `?` or `&` depending on the exact syntax used. +As the suitability of either delimiter depends on where in the query string the parameter occurs, as well as whether it is in a URI or in `application/x-www-form-urlencoded` content, this leading delimiter MUST NOT be included in examples of individual parameters or media type documents. +For `in: "cookie", style: "form"`, neither the `&` nor `?` delimiters are ever correct; see [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for more details. + +For headers, the header name MUST NOT be included as part of the serialization, as it is never part of the RFC6570-derived result. +However, names produced by `style: "simple", explode: "true"` are included as they appear within the header value, not as separate headers. + +The following section illustrates these rules. + ##### Style Examples -Assume a parameter named `color` has one of the following values: +Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: ```js string -> "blue" @@ -1240,13 +1258,12 @@ Assume a parameter named `color` has one of the following values: object -> { "R": 100, "G": 200, "B": 150 } ``` -The following table shows examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. +The following table shows serialized examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. -* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field -* The behavior of combinations marked _n/a_ is undefined -* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined -* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, each example is shown prefixed with `?` as if it were the only query parameter; see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters -* Note that the `?` prefix is not appropriate for serializing `application/x-www-form-urlencoded` HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the [Encoding Object](#encoding-object) for more information +* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field. +* The behavior of combinations marked _n/a_ is undefined. +* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters. * The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | @@ -1257,14 +1274,14 @@ The following table shows examples, as would be shown with the `example` or `exa | label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 | | simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 | | simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 | -| form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 | -| form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 | -| spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 | +| form | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | +| form | true | color= | color=blue | color=blue&color=black&color=brown | R=100&G=200&B=150 | +| spaceDelimited | false | _n/a_ | _n/a_ | color=blue%20black%20brown | color=R%20100%20G%20200%20B%20150 | | spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 | +| pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | | deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| deepObject | true | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | ##### Parameter Object Examples From fd8722c1fe0f5bd2b922cb987a1ed0d557ac0697 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 11 Aug 2025 11:00:40 -0700 Subject: [PATCH 60/91] Fix bit from 3.2 that does not apply to 3.1 --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 927b7c91e6..a607281f6c 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1250,7 +1250,7 @@ The following section illustrates these rules. ##### Style Examples -Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: +Assume a parameter named `color` has one of the following values: ```js string -> "blue" From 4ccdf0df4f464a0c5850d300ff094e98f397e7f1 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Tue, 12 Aug 2025 10:29:42 +0200 Subject: [PATCH 61/91] schema tests: 100% statement coverage --- tests/schema/pass/link-object-examples.yaml | 4 ++++ ...hema-object-deprecated-example-keyword.yaml | 18 ++++++++++++++++++ .../schema/pass/specification-extensions.yaml | 6 ++++++ tests/schema/schema.test.mjs | 18 ++++++++++++++++++ 4 files changed, 46 insertions(+) create mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml create mode 100644 tests/schema/pass/specification-extensions.yaml diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml index 92142a94a6..b7d8e737ad 100644 --- a/tests/schema/pass/link-object-examples.yaml +++ b/tests/schema/pass/link-object-examples.yaml @@ -45,6 +45,10 @@ paths: operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get parameters: username: $response.body#/username + withBody: + operationId: queryUserWithBody + requestBody: + userId: $request.path.id # the path item of the linked operation /users/{userid}/address: parameters: diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml new file mode 100644 index 0000000000..f66640f4c3 --- /dev/null +++ b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml @@ -0,0 +1,18 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /user: + parameters: + - in: query + name: example + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object + # DEPRECATED: don't use example keyword inside Schema Object + example: { + "numbers": [1, 2], + "flag": null + } diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml new file mode 100644 index 0000000000..3d63a5f148 --- /dev/null +++ b/tests/schema/pass/specification-extensions.yaml @@ -0,0 +1,6 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: {} +x-tensions: specification extensions are prefixed with `x-` diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index e7b84f0a74..ba82a55a5b 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -14,6 +14,24 @@ await registerSchema("./src/schemas/validation/schema.yaml"); const fixtures = './tests/schema'; describe("v3.1", () => { + test("schema.yaml schema test", async () => { + // Files in the pass/fail folders get run against schema-base.yaml. + // This instance is instead run against schema.yaml. + const oad = { + openapi: "3.1.0", + info: { + title: "API", + version: "1.0.0" + }, + components: { + schemas: { + foo: {} + } + } + }; + await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" + }); + describe("Pass", () => { readdirSync(`${fixtures}/pass`, { withFileTypes: true }) .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) From 5c707500012a40655c456e6ff6c18b9b97ae44af Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Sat, 2 Aug 2025 21:12:27 -0700 Subject: [PATCH 62/91] Update examples and appendicies for percent-encoding After adding a new section on percent-encoding guidance, this updates the examples and other supplemental text to match it. --- src/oas.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/oas.md b/src/oas.md index a607281f6c..c631b0e5fb 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1174,7 +1174,7 @@ Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see | ---- | :----: | ---- | | style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | | explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. This field only applies to parameters with an `in` value of `query`. The default value is `false`. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see [URL Percent-Encoding](#url-percent-encoding) for details. This field only applies to parameters with an `in` value of `query`. The default value is `false`. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | | example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | @@ -1204,7 +1204,7 @@ In order to support common ways of serializing simple parameters, a set of `styl | pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | | deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined. | -#### URL Percent-Encoding +##### URL Percent-Encoding All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. @@ -1264,7 +1264,7 @@ The following table shows serialized examples, as would be shown with the `examp * The behavior of combinations marked _n/a_ is undefined. * The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. * For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters. -* The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. +* The examples are percent-encoded as explained in the [URL Percent-Encoding](#url-percent-encoding) section above; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | | ---- | ---- | ---- | ---- | ---- | ---- | @@ -1717,7 +1717,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | ---- | :----: | ---- | | style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | When using RFC6570-style serialization for `multipart/form-data`, URI percent-encoding MUST NOT be applied, and the value of `allowReserved` has no effect. See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance. @@ -1763,10 +1763,10 @@ With this example, consider an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` an } ``` -Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%7B`, and `%7D`, respectively: +Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `:`, `,`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%3A`, `%2C`, `%7B`, and `%7D`, respectively: ```uri -id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D +id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22%3A%22123+Example+Dr.%22%2C%22city%22%3A%22Somewhere%22%2C%22state%22%3A%22CA%22%2C%22zip%22%3A%2299999%2B1234%22%7D ``` Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encoding-object)'s default behavior, and is serialized as-is. @@ -2653,7 +2653,7 @@ X-Rate-Limit-Limit: type: integer ``` -Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: +Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. ```json "ETag": { @@ -4470,8 +4470,10 @@ Since the `.` usage is not automatic, we'll need to construct an appropriate inp We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. -Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ -Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. +Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged_, for example because some other specification has defined a particular meaning for them. + +Therefore, users still need to percent-encode any reserved characters that are _not_ being passed through due to a special meaning because reserved expansion does not know which reserved characters are being used, and which should still be percent-encoded. +However, reserved expansion, unlike regular expansion, _will_ leave the pre-percent-encoded triples unchanged. See also [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): @@ -4619,7 +4621,7 @@ The `form-data` media type allows arbitrary text or binary data in its parts, so URI percent encoding and the `form-urlencoded` media type have complex specification histories spanning multiple revisions and, in some cases, conflicting claims of ownership by different standards bodies. Unfortunately, these specifications each define slightly different percent-encoding rules, which need to be taken into account if the URIs or `form-urlencoded` message bodies will be subject to strict validation. -(Note that many URI parsers do not perform validation by default.) +(Note that many URI parsers do not perform validation by default, if at all.) This specification normatively cites the following relevant standards: @@ -4629,13 +4631,11 @@ This specification normatively cites the following relevant standards: | [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for form‑urlencoded | | [RFC1866](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | [[RFC1738]] | obsoleted by [[HTML401]] [Section 17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [[URL]] [Section 5](https://url.spec.whatwg.org/#urlencoded-serializing) | -Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. +Style-based serialization with percent-encoding is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. -Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. - -Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. +Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string unless the media type already incorporates URI percent-encoding. #### Interoperability with Historical Specifications @@ -4665,9 +4665,11 @@ The `[`, `]`, `|`, and space characters, which are used as delimiters for the `d This requires users to pre-encode the character(s) in some other way in parameter names and values to distinguish them from the delimiter usage when using one of these styles. The space character is always illegal and encoded in some way by all implementations of all versions of the relevant standards. -While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result. +While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result unless a non-standard parsing algorithm is used that separates based on one delimiter before decoding the other. +Any such non-standard parsing approach will not be interoperable across all tools. -Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties, and WHATWG's generic query string rules do not require percent-encoding them. +Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties. +WHATWG's generic query string rules do not require percent-encoding them in non-`form-urlencoded` query strings, although it also excludes them from the set of valid URL Unicode code points. Code that relies on leaving these delimiters unencoded, while using regular percent-encoding for them within names and values, is not guaranteed to be interoperable across all implementations. For maximum interoperability, it is RECOMMENDED to either define and document an additional escape convention while percent-encoding the delimiters for these styles, or to avoid these styles entirely. From 776ac714b6639da1c752d53f449b4fd679bd0c0c Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Thu, 14 Aug 2025 09:13:54 -0700 Subject: [PATCH 63/91] Fix Link Object subsections, improve examples There were two subsections called "Examples", one for actual Link Object examples and one for runtime expression examples. This puts the `operationRef` examples under the main Examples section, and renames the runtime expression example section. While I was at it, I clarified some of the wording. --- src/oas.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/src/oas.md b/src/oas.md index c631b0e5fb..9065a810ae 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2507,10 +2507,12 @@ Clients follow all links at their discretion. Neither permissions nor the capability to make a successful call to that link is guaranteed solely by the existence of a relationship. -##### `operationRef` Examples +###### `operationRef` Examples -As references to `operationId` MAY NOT be possible (the `operationId` is an optional -field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: +As the `operationId` is an optional field in an [Operation Object](#operation-object)), references MAY instead be made through a URI-reference with `operationRef`. +Note that both of these examples reference operations that can be identified via the [Paths Object](#paths-object) to ensure that the operation's path template is unambiguous. + +A relative URI-reference `operationRef`: ```yaml links: @@ -2520,7 +2522,7 @@ links: username: $response.body#/username ``` -or a URI `operationRef`: +A non-relative URI `operationRef`: ```yaml links: @@ -2530,8 +2532,9 @@ links: username: $response.body#/username ``` -Note that in the use of `operationRef` the _escaped forward-slash_ is necessary when -using JSON Pointer, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively, when using JSON Pointer as URI fragments. +Note that in the use of `operationRef` the _escaped forward-slash_ (`~1`) is necessary when +using JSON Pointer in URI fragments, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively. +The unescaped, percent-decoded path template in the above examples would be `/2.0/repositories/{username}`. ##### Runtime Expressions @@ -2565,7 +2568,7 @@ The `name` identifier is case-sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: -##### Examples +###### Example Expressions | Source Location | example expression | notes | | ---- | :---- | :---- | From 8e050efa6737baf1c14fa373b52bf97f0608620e Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 16 Aug 2025 13:28:31 +0200 Subject: [PATCH 64/91] Remove confusing sentence --- src/oas.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index c631b0e5fb..6165ab332b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -3863,7 +3863,6 @@ animals: ###### XML With `null` Values Recall that the schema validates the in-memory data, not the XML document itself. -The properties of the `"metadata"` element are omitted for brevity as it is here to show how the `null` value is represented. ```json { From eddf15a52864c855291c72cae3dd26fe034991d8 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 16 Aug 2025 17:55:28 +0200 Subject: [PATCH 65/91] Use same name as in RFC7159 --- src/oas.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/oas.md b/src/oas.md index c631b0e5fb..62ad8a48a0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2553,13 +2553,13 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org ; %x2F ('/') and %x7E ('~') are excluded from 'unescaped' escaped = "~" ( "0" / "1" ) ; representing '~' and '/', respectively - name = *( CHAR ) + name = *char token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ``` -Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `CHAR` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). The `name` identifier is case-sensitive, whereas `token` is not. From 94b16b23e2e2aaeeca05cceab64b74b787d4713d Mon Sep 17 00:00:00 2001 From: Henry Andrews Date: Sat, 16 Aug 2025 12:28:12 -0700 Subject: [PATCH 66/91] Fix stray extra paren Co-authored-by: Ralf Handl --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 9065a810ae..f124b4c87b 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2509,7 +2509,7 @@ solely by the existence of a relationship. ###### `operationRef` Examples -As the `operationId` is an optional field in an [Operation Object](#operation-object)), references MAY instead be made through a URI-reference with `operationRef`. +As the `operationId` is an optional field in an [Operation Object](#operation-object), references MAY instead be made through a URI-reference with `operationRef`. Note that both of these examples reference operations that can be identified via the [Paths Object](#paths-object) to ensure that the operation's path template is unambiguous. A relative URI-reference `operationRef`: From b561d4d0ed9e818a980843ec88e1d12f63f9eebc Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sun, 17 Aug 2025 14:18:11 +0200 Subject: [PATCH 67/91] Sync Appendix E from 3.2 --- src/oas.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/oas.md b/src/oas.md index 24bf1f5ca9..0d4b7ace8d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -4590,7 +4590,18 @@ For multiple values, `style: "form"` is always incorrect, even if no characters _**NOTE:** In this section, the `application/x-www-form-urlencoded` and `multipart/form-data` media types are abbreviated as `form-urlencoded` and `form-data`, respectively, for readability._ Percent-encoding is used in URIs and media types that derive their syntax from URIs. -This process is concerned with three sets of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: +The fundamental rules of percent-encoding are: + +* The set of characters that MUST be encoded varies depending on which version of which specification you use, and (for URIs) in which part of the URI the character appears. +* The way an unencoded `+` character is decoded depends on whether you are using `application/x-www-form-urlencoded` rules or more general URI rules; this is the only time where choice of decoding algorithm can change the outcome. +* Encoding more characters than necessary is always safe in terms of the decoding process, but may produce non-normalized URIs. +* In practice, some systems tolerate or even expect unencoded characters that some or all percent-encoding specifications require to be encoded; this can cause interoperability issues with more strictly compliant implementations. + +The rest of this appendix provides more detailed guidance based on the above rules. + +### Percent-Encoding Character Classes + +This process is concerned with three classes of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: * _unreserved_ characters do not need to be percent-encoded; while it is safe to percent-encode them, doing so produces a URI that is [not normalized](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) * _reserved_ characters either have special behavior in the URI syntax (such as delimiting components) or are reserved for other specifications that need to define special behavior (e.g. `form-urlencoded` defines special behavior for `=`, `&`, and `+`) @@ -4638,7 +4649,7 @@ Each part is encoded based on the media type (e.g. `text/plain` or `application/ #### Interoperability with Historical Specifications -In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"`), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. +In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"` when `format` validation is enabled), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. @@ -4648,7 +4659,7 @@ WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-wor WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that [[RFC3986]] forbids. Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. -However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference`. +However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference` (when `format` validation is endabled). ### Decoding URIs and `form-urlencoded` Strings From 8ef326d1194720b8795b4f77b3e3f7e429996cb2 Mon Sep 17 00:00:00 2001 From: Vladimir Gorej Date: Thu, 21 Aug 2025 23:33:08 +0200 Subject: [PATCH 68/91] fix: fix type for Header.schema fixed field --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 7ae07c0a5e..8fb9522b63 100644 --- a/src/oas.md +++ b/src/oas.md @@ -2622,7 +2622,7 @@ The `example` and `examples` fields are mutually exclusive, and if either is pre | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | -| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the header. | +| schema | [Schema Object](#schema-object) | The schema defining the type used for the header. | | example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | From d592765830b1bcc5fdb0cccb9000c09f48008020 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 18 Aug 2025 14:47:42 -0700 Subject: [PATCH 69/91] Encoding style default behavior --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 7ae07c0a5e..0c2649a85e 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1715,7 +1715,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies if either `explode` or `allowReserved` are explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | From 8cd87cba9c7fc46be11c62a116601e5bb0a71e34 Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 25 Aug 2025 12:51:27 -0700 Subject: [PATCH 70/91] Review feedback. --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index 0c2649a85e..f50f0d4ce0 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1715,7 +1715,7 @@ See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies if either `explode` or `allowReserved` are explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies only when `contentType` is _not_ being used due to one or both of `explode` or `allowReserved` being explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | | allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | From f34083a6eb30cf347c88cb71b0c044f4334884cb Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Sun, 31 Aug 2025 16:07:00 -0700 Subject: [PATCH 71/91] "example" and "examples" cannot appear together This affects the places where examples are used: parameter, header, and media-type objects for #4598, ported from #4912. --- src/schemas/validation/schema.yaml | 4 ++++ tests/schema/fail/example-examples.yaml | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 tests/schema/fail/example-examples.yaml diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index bfa2fcf3ea..b728cbfb98 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -951,6 +951,10 @@ $defs: type: object additionalProperties: $ref: '#/$defs/example-or-reference' + not: + required: + - example + - examples map-of-strings: type: object diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml new file mode 100644 index 0000000000..97adcadba6 --- /dev/null +++ b/tests/schema/fail/example-examples.yaml @@ -0,0 +1,20 @@ +openapi: 3.1.1 + +# this example should fail, as example cannot be used together with examples. + +info: + title: API + version: 1.0.0 +components: + parameters: + animal: + name: animal + in: header + schema: {} + example: bear + examples: + a mammalian example: + value: bear + + + From c2fbd3f74f68df5b6d2d7c8e1e162853c8e3ca9b Mon Sep 17 00:00:00 2001 From: "Henry H. Andrews" Date: Mon, 8 Sep 2025 17:51:42 -0700 Subject: [PATCH 72/91] Fix reference to info.version --- src/oas.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/oas.md b/src/oas.md index f04c5e20b7..968b053e2d 100644 --- a/src/oas.md +++ b/src/oas.md @@ -322,7 +322,7 @@ This is the root object of the [OpenAPI Description](#openapi-description). | Field Name | Type | Description | | ---- | :----: | ---- | -| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the [`info.version`](#info-version) string, which is the version of the OpenAPI Document. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | From f1edd254b73ccb86aea83c274f2c72d98d364442 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:20:24 -0700 Subject: [PATCH 73/91] use non-capturing parentheses everywhere --- src/schemas/validation/schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index b728cbfb98..1acbd738b6 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -193,7 +193,7 @@ $defs: additionalProperties: $ref: '#/$defs/path-item' patternProperties: - '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': + '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected propertyNames: pattern: '^[a-zA-Z0-9._-]+$' From d4fec14b61eb9e419c5641eb2cda368cc1bd6e54 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:26:03 -0700 Subject: [PATCH 74/91] remove redundant "requires" - "in" is always required for "parameter" - "type" is required for "security-scheme" --- src/schemas/validation/schema.yaml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 1acbd738b6..f717cfebbb 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -341,8 +341,6 @@ $defs: properties: in: const: query - required: - - in then: properties: allowEmptyValue: @@ -369,8 +367,6 @@ $defs: properties: in: const: path - required: - - in then: properties: style: @@ -389,8 +385,6 @@ $defs: properties: in: const: header - required: - - in then: properties: style: @@ -402,8 +396,6 @@ $defs: properties: in: const: query - required: - - in then: properties: style: @@ -422,8 +414,6 @@ $defs: properties: in: const: cookie - required: - - in then: properties: style: @@ -760,8 +750,6 @@ $defs: properties: type: const: apiKey - required: - - type then: properties: name: @@ -780,8 +768,6 @@ $defs: properties: type: const: http - required: - - type then: properties: scheme: @@ -810,8 +796,6 @@ $defs: properties: type: const: oauth2 - required: - - type then: properties: flows: @@ -824,8 +808,6 @@ $defs: properties: type: const: openIdConnect - required: - - type then: properties: openIdConnectUrl: From c8565c76ab329d205d9886b0050c2073a234e774 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:28:05 -0700 Subject: [PATCH 75/91] whitespace --- tests/schema/fail/example-examples.yaml | 3 --- tests/schema/fail/invalid_schema_types.yaml | 1 - tests/schema/pass/example-object-examples.yaml | 2 +- tests/schema/pass/valid_schema_types.yaml | 1 - tests/schema/pass/webhook-example.yaml | 1 - 5 files changed, 1 insertion(+), 7 deletions(-) diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml index 97adcadba6..6ed2f6b333 100644 --- a/tests/schema/fail/example-examples.yaml +++ b/tests/schema/fail/example-examples.yaml @@ -15,6 +15,3 @@ components: examples: a mammalian example: value: bear - - - diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml index d295b1f0ed..55e3c900e3 100644 --- a/tests/schema/fail/invalid_schema_types.yaml +++ b/tests/schema/fail/invalid_schema_types.yaml @@ -10,4 +10,3 @@ components: invalid_null: null invalid_number: 0 invalid_array: [] - diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml index 664b22f429..66f8f54133 100644 --- a/tests/schema/pass/example-object-examples.yaml +++ b/tests/schema/pass/example-object-examples.yaml @@ -29,7 +29,7 @@ components: summary: This is a text example externalValue: https://foo.bar/examples/address-example.txt parameters: - with-example: + with-example: name: zipCode in: query schema: diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml index 4431adcda5..c2459ed37c 100644 --- a/tests/schema/pass/valid_schema_types.yaml +++ b/tests/schema/pass/valid_schema_types.yaml @@ -11,4 +11,3 @@ components: nothing_boolean: false anything_object: {} nothing_object: { not: {} } - diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml index 2ac1cda985..44fc73aaa9 100644 --- a/tests/schema/pass/webhook-example.yaml +++ b/tests/schema/pass/webhook-example.yaml @@ -32,4 +32,3 @@ components: type: string tag: type: string - From 56aafd82a3a01db23209be3598bc9071d184d277 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:29:01 -0700 Subject: [PATCH 76/91] remove confusing use of json within yaml --- .../pass/schema-object-deprecated-example-keyword.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml index f66640f4c3..92fcbb41a5 100644 --- a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml +++ b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml @@ -12,7 +12,6 @@ paths: # the example simple type: object # DEPRECATED: don't use example keyword inside Schema Object - example: { - "numbers": [1, 2], - "flag": null - } + example: + numbers: [1, 2] + flag: null From 72de87b52b771209efcb4c1c89ed5358c2d66879 Mon Sep 17 00:00:00 2001 From: Karen Etheridge Date: Mon, 15 Sep 2025 12:32:21 -0700 Subject: [PATCH 77/91] style and allowReserved defaults are only in effect when any of style, explode, allowReserved are present see #4899 --- src/schemas/validation/schema.yaml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index f717cfebbb..f4059cb1d3 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -494,7 +494,6 @@ $defs: additionalProperties: $ref: '#/$defs/header-or-reference' style: - default: form enum: - form - spaceDelimited @@ -503,8 +502,22 @@ $defs: explode: type: boolean allowReserved: - default: false type: boolean + dependentSchemas: + style: + properties: + allowReserved: + default: false + explode: + properties: + style: + default: form + allowReserved: + default: false + allowReserved: + properties: + style: + default: form allOf: - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/styles-for-form' From 91bc669c7eb0bc5b8b450d403b9c220d372bbe92 Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Thu, 18 Sep 2025 17:49:49 +0100 Subject: [PATCH 78/91] Adjust branch for 3.1 release --- src/schemas/validation/README.md | 69 -- src/schemas/validation/dialect.yaml | 21 - src/schemas/validation/meta.yaml | 70 -- src/schemas/validation/schema-base.yaml | 20 - src/schemas/validation/schema.yaml | 973 ------------------ tests/schema/fail/example-examples.yaml | 17 - tests/schema/fail/invalid_schema_types.yaml | 12 - tests/schema/fail/link-object-no-body.yaml | 11 - tests/schema/fail/no_containers.yaml | 7 - tests/schema/fail/server_enum_empty.yaml | 14 - tests/schema/fail/servers.yaml | 11 - tests/schema/fail/unknown_container.yaml | 8 - .../schema/pass/callback-object-examples.yaml | 30 - tests/schema/pass/comp_pathitems.yaml | 6 - .../pass/components-object-example.yaml | 71 -- .../schema/pass/example-object-examples.yaml | 63 -- tests/schema/pass/header-object-examples.yaml | 25 - tests/schema/pass/info-object-example.yaml | 19 - tests/schema/pass/info_summary.yaml | 6 - tests/schema/pass/json_schema_dialect.yaml | 15 - tests/schema/pass/license_identifier.yaml | 9 - tests/schema/pass/link-object-examples.yaml | 66 -- tests/schema/pass/media-type-examples.yaml | 117 --- tests/schema/pass/mega.yaml | 61 -- tests/schema/pass/minimal_comp.yaml | 5 - tests/schema/pass/minimal_hooks.yaml | 5 - tests/schema/pass/minimal_paths.yaml | 5 - tests/schema/pass/non-oauth-scopes.yaml | 19 - .../schema/pass/operation-object-example.yaml | 47 - .../pass/parameter-object-examples.yaml | 54 - .../schema/pass/path-item-object-example.yaml | 35 - .../pass/path_item_servers_parameters.yaml | 112 -- tests/schema/pass/path_no_response.yaml | 7 - .../schema/pass/path_var_empty_pathitem.yaml | 6 - tests/schema/pass/paths-object-example.yaml | 17 - tests/schema/pass/request-body-examples.yaml | 34 - .../schema/pass/response-object-examples.yaml | 42 - ...ema-object-deprecated-example-keyword.yaml | 17 - tests/schema/pass/schema.yaml | 55 - .../pass/security-scheme-object-examples.yaml | 59 -- tests/schema/pass/servers.yaml | 25 - .../schema/pass/specification-extensions.yaml | 6 - tests/schema/pass/tag-object-example.yaml | 15 - tests/schema/pass/valid_schema_types.yaml | 13 - tests/schema/pass/webhook-example.yaml | 34 - tests/schema/schema.test.mjs | 56 - versions/3.1.2-editors.md | 22 + src/oas.md => versions/3.1.2.md | 0 48 files changed, 22 insertions(+), 2389 deletions(-) delete mode 100644 src/schemas/validation/README.md delete mode 100644 src/schemas/validation/dialect.yaml delete mode 100644 src/schemas/validation/meta.yaml delete mode 100644 src/schemas/validation/schema-base.yaml delete mode 100644 src/schemas/validation/schema.yaml delete mode 100644 tests/schema/fail/example-examples.yaml delete mode 100644 tests/schema/fail/invalid_schema_types.yaml delete mode 100644 tests/schema/fail/link-object-no-body.yaml delete mode 100644 tests/schema/fail/no_containers.yaml delete mode 100644 tests/schema/fail/server_enum_empty.yaml delete mode 100644 tests/schema/fail/servers.yaml delete mode 100644 tests/schema/fail/unknown_container.yaml delete mode 100644 tests/schema/pass/callback-object-examples.yaml delete mode 100644 tests/schema/pass/comp_pathitems.yaml delete mode 100644 tests/schema/pass/components-object-example.yaml delete mode 100644 tests/schema/pass/example-object-examples.yaml delete mode 100644 tests/schema/pass/header-object-examples.yaml delete mode 100644 tests/schema/pass/info-object-example.yaml delete mode 100644 tests/schema/pass/info_summary.yaml delete mode 100644 tests/schema/pass/json_schema_dialect.yaml delete mode 100644 tests/schema/pass/license_identifier.yaml delete mode 100644 tests/schema/pass/link-object-examples.yaml delete mode 100644 tests/schema/pass/media-type-examples.yaml delete mode 100644 tests/schema/pass/mega.yaml delete mode 100644 tests/schema/pass/minimal_comp.yaml delete mode 100644 tests/schema/pass/minimal_hooks.yaml delete mode 100644 tests/schema/pass/minimal_paths.yaml delete mode 100644 tests/schema/pass/non-oauth-scopes.yaml delete mode 100644 tests/schema/pass/operation-object-example.yaml delete mode 100644 tests/schema/pass/parameter-object-examples.yaml delete mode 100644 tests/schema/pass/path-item-object-example.yaml delete mode 100644 tests/schema/pass/path_item_servers_parameters.yaml delete mode 100644 tests/schema/pass/path_no_response.yaml delete mode 100644 tests/schema/pass/path_var_empty_pathitem.yaml delete mode 100644 tests/schema/pass/paths-object-example.yaml delete mode 100644 tests/schema/pass/request-body-examples.yaml delete mode 100644 tests/schema/pass/response-object-examples.yaml delete mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml delete mode 100644 tests/schema/pass/schema.yaml delete mode 100644 tests/schema/pass/security-scheme-object-examples.yaml delete mode 100644 tests/schema/pass/servers.yaml delete mode 100644 tests/schema/pass/specification-extensions.yaml delete mode 100644 tests/schema/pass/tag-object-example.yaml delete mode 100644 tests/schema/pass/valid_schema_types.yaml delete mode 100644 tests/schema/pass/webhook-example.yaml delete mode 100644 tests/schema/schema.test.mjs create mode 100644 versions/3.1.2-editors.md rename src/oas.md => versions/3.1.2.md (100%) diff --git a/src/schemas/validation/README.md b/src/schemas/validation/README.md deleted file mode 100644 index 57501dfc51..0000000000 --- a/src/schemas/validation/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# OpenAPI 3.X.Y JSON Schema - -This directory contains the YAML sources for generating the JSON Schemas for validating OpenAPI definitions of versions 3.X.Y, which are published on [https://spec.openapis.org](https://spec.openapis.org). - -Due to limitations of GitHub pages, the schemas on the spec site are served with `Content-Type: application/octet-stream`, but should be interpreted as `application/schema+json`. - -The sources in this directory, which have `WORK-IN-PROGRESS` in their `$id`s, are _not intended for direct use_. - -## Schema `$id` dates - -The published schemas on the spec site have an _iteration date_ in their `id`s. -This allows the schemas for a release line to be updated independent of the spec patch release cycle. - -The iteration version of the JSON Schema can be found in the `$id` field. -For example, the value of `$id: https://spec.openapis.org/oas/3.1/schema/2021-03-02` means this iteration was created on March 2nd, 2021. - -We are [working on](https://github.com/OAI/OpenAPI-Specification/issues/4152) how to best provide programmatic access for determining the latest date for each schema. - -## Choosing which schema to use - -There are two schemas to choose from for versions 3.1 and greater, both of which have an `$id` that starts with `https://spec.openapis.org/oas/3.X/` and ends with the iteration date: - -* `https://spec.openapis.org/oas/3.X/schema/{date}`, source: `schema.yaml` — A self-contained schema that _does not_ validate Schema Objects beyond `type: [object, boolean]` -* `https://spec.openapis.org/oas/3.1/schema-base/{date}`, source: `schema-base.yaml` — A schema that combines the self-contained schema and the "base" dialect schema to validate Schema Objects with the dialect; this schema does not allow changing `$schema` or `jsonSchemaDialect` to other dialects - -Two metaschemas define the OAS "base" dialect: - -* `https://spec.openapis.org/oas/3.X/meta/{date}`, source: `meta.yaml` — The vocabulary metaschema for OAS 3.X's extensions to draft 2020-12 -* `https://spec.openapis.org/oas/3.X/dialect/{date}`, source: `dialect.yaml` — The dialect metaschema that extends the standard `draft/2020-12` metaschema by adding the OAS "base" vocabulary - -The name "base" for the dialect was intended to indicate that the OAS dialect could be further extended. - -~~~mermaid -flowchart LR - schema_base - schema - dialect - meta - schema --> |default| dialect - schema_base --> |$ref| schema - schema_base --> |$ref| dialect - dialect --> |$ref| meta -~~~ - -An additional schema that validates the Schema Object with the OAS 3.X dialect but does not restrict changing `$schema` is [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4147). - -## Improving the schemas - -As a reminder, the JSON Schema is not the source of truth for the Specification. In cases of conflicts between the Specification itself and the JSON Schema, the Specification wins. Also, some Specification constraints cannot be represented with the JSON Schema so it's highly recommended to employ other methods to ensure compliance. - -The schema only validates the mandatory aspects of the OAS. -Validating requirements that are optional, or field usage that has undefined or ignored behavior are not within the scope of this schema. -Schemas to perform additional optional validation are [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4141). - -Improvements can be submitted by opening a PR against the `vX.Y-dev` branch of the respective specification version. - -Modify the `schema.yaml` file and add test cases for your changes. - -The TSC will then: -- Run tests on the updated schema -- Update the iteration version -- Publish the new version - -The [test suite](../../../tests/schema) is part of this package. - -```bash -npm install -npm test -``` diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml deleted file mode 100644 index d300d94feb..0000000000 --- a/src/schemas/validation/dialect.yaml +++ /dev/null @@ -1,21 +0,0 @@ -$id: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OpenAPI 3.1 Schema Object Dialect -description: A JSON Schema dialect describing schemas found in OpenAPI v3.1 Descriptions - -$dynamicAnchor: meta - -$vocabulary: - https://json-schema.org/draft/2020-12/vocab/applicator: true - https://json-schema.org/draft/2020-12/vocab/content: true - https://json-schema.org/draft/2020-12/vocab/core: true - https://json-schema.org/draft/2020-12/vocab/format-annotation: true - https://json-schema.org/draft/2020-12/vocab/meta-data: true - https://json-schema.org/draft/2020-12/vocab/unevaluated: true - https://json-schema.org/draft/2020-12/vocab/validation: true - https://spec.openapis.org/oas/3.1/vocab/base: false - -allOf: - - $ref: https://json-schema.org/draft/2020-12/schema - - $ref: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml deleted file mode 100644 index 6cfce4976d..0000000000 --- a/src/schemas/validation/meta.yaml +++ /dev/null @@ -1,70 +0,0 @@ -$id: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OAS Base Vocabulary -description: A JSON Schema Vocabulary used in the OpenAPI Schema Dialect - -$dynamicAnchor: meta - -$vocabulary: - https://spec.openapis.org/oas/3.1/vocab/base: true - -type: - - object - - boolean -properties: - discriminator: - $ref: '#/$defs/discriminator' - example: true - externalDocs: - $ref: '#/$defs/external-docs' - xml: - $ref: '#/$defs/xml' - -$defs: - discriminator: - $ref: '#/$defs/extensible' - properties: - mapping: - additionalProperties: - type: string - type: object - propertyName: - type: string - required: - - propertyName - type: object - unevaluatedProperties: false - - extensible: - patternProperties: - ^x-: true - external-docs: - $ref: '#/$defs/extensible' - properties: - description: - type: string - url: - format: uri-reference - type: string - required: - - url - type: object - unevaluatedProperties: false - - xml: - $ref: '#/$defs/extensible' - properties: - attribute: - type: boolean - name: - type: string - namespace: - format: uri - type: string - prefix: - type: string - wrapped: - type: boolean - type: object - unevaluatedProperties: false diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml deleted file mode 100644 index ea239c03e9..0000000000 --- a/src/schemas/validation/schema-base.yaml +++ /dev/null @@ -1,20 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema-base/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.1.x Documents using the OpenAPI JSON Schema dialect - -$ref: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' -properties: - jsonSchemaDialect: - $ref: '#/$defs/dialect' - -$defs: - dialect: - const: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' - - schema: - $dynamicAnchor: meta - $ref: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' - properties: - $schema: - $ref: '#/$defs/dialect' diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml deleted file mode 100644 index f4059cb1d3..0000000000 --- a/src/schemas/validation/schema.yaml +++ /dev/null @@ -1,973 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.1.x Documents without Schema Object validation - -type: object -properties: - openapi: - type: string - pattern: '^3\.1\.\d+(-.+)?$' - info: - $ref: '#/$defs/info' - jsonSchemaDialect: - type: string - format: uri-reference - default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' - servers: - type: array - items: - $ref: '#/$defs/server' - default: - - url: / - paths: - $ref: '#/$defs/paths' - webhooks: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - components: - $ref: '#/$defs/components' - security: - type: array - items: - $ref: '#/$defs/security-requirement' - tags: - type: array - items: - $ref: '#/$defs/tag' - externalDocs: - $ref: '#/$defs/external-documentation' -required: - - openapi - - info -anyOf: - - required: - - paths - - required: - - components - - required: - - webhooks -$ref: '#/$defs/specification-extensions' -unevaluatedProperties: false - -$defs: - info: - $comment: https://spec.openapis.org/oas/v3.1#info-object - type: object - properties: - title: - type: string - summary: - type: string - description: - type: string - termsOfService: - type: string - format: uri-reference - contact: - $ref: '#/$defs/contact' - license: - $ref: '#/$defs/license' - version: - type: string - required: - - title - - version - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - contact: - $comment: https://spec.openapis.org/oas/v3.1#contact-object - type: object - properties: - name: - type: string - url: - type: string - format: uri-reference - email: - type: string - format: email - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - license: - $comment: https://spec.openapis.org/oas/v3.1#license-object - type: object - properties: - name: - type: string - identifier: - type: string - url: - type: string - format: uri-reference - required: - - name - dependentSchemas: - identifier: - not: - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server: - $comment: https://spec.openapis.org/oas/v3.1#server-object - type: object - properties: - url: - type: string - description: - type: string - variables: - type: object - additionalProperties: - $ref: '#/$defs/server-variable' - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server-variable: - $comment: https://spec.openapis.org/oas/v3.1#server-variable-object - type: object - properties: - enum: - type: array - items: - type: string - minItems: 1 - default: - type: string - description: - type: string - required: - - default - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - components: - $comment: https://spec.openapis.org/oas/v3.1#components-object - type: object - properties: - schemas: - type: object - additionalProperties: - $dynamicRef: '#meta' - responses: - type: object - additionalProperties: - $ref: '#/$defs/response-or-reference' - parameters: - type: object - additionalProperties: - $ref: '#/$defs/parameter-or-reference' - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - requestBodies: - type: object - additionalProperties: - $ref: '#/$defs/request-body-or-reference' - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - securitySchemes: - type: object - additionalProperties: - $ref: '#/$defs/security-scheme-or-reference' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - pathItems: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - patternProperties: - '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': - $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected - propertyNames: - pattern: '^[a-zA-Z0-9._-]+$' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - paths: - $comment: https://spec.openapis.org/oas/v3.1#paths-object - type: object - patternProperties: - '^/': - $ref: '#/$defs/path-item' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - path-item: - $comment: https://spec.openapis.org/oas/v3.1#path-item-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - servers: - type: array - items: - $ref: '#/$defs/server' - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - get: - $ref: '#/$defs/operation' - put: - $ref: '#/$defs/operation' - post: - $ref: '#/$defs/operation' - delete: - $ref: '#/$defs/operation' - options: - $ref: '#/$defs/operation' - head: - $ref: '#/$defs/operation' - patch: - $ref: '#/$defs/operation' - trace: - $ref: '#/$defs/operation' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - operation: - $comment: https://spec.openapis.org/oas/v3.1#operation-object - type: object - properties: - tags: - type: array - items: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - operationId: - type: string - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - requestBody: - $ref: '#/$defs/request-body-or-reference' - responses: - $ref: '#/$defs/responses' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - deprecated: - default: false - type: boolean - security: - type: array - items: - $ref: '#/$defs/security-requirement' - servers: - type: array - items: - $ref: '#/$defs/server' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - external-documentation: - $comment: https://spec.openapis.org/oas/v3.1#external-documentation-object - type: object - properties: - description: - type: string - url: - type: string - format: uri-reference - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameter: - $comment: https://spec.openapis.org/oas/v3.1#parameter-object - type: object - properties: - name: - type: string - in: - enum: - - query - - header - - path - - cookie - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - required: - - name - - in - oneOf: - - required: - - schema - - required: - - content - if: - properties: - in: - const: query - then: - properties: - allowEmptyValue: - default: false - type: boolean - dependentSchemas: - schema: - properties: - style: - type: string - explode: - type: boolean - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-cookie' - - $ref: '#/$defs/styles-for-form' - - $defs: - styles-for-path: - if: - properties: - in: - const: path - then: - properties: - style: - default: simple - enum: - - matrix - - label - - simple - required: - const: true - required: - - required - - styles-for-header: - if: - properties: - in: - const: header - then: - properties: - style: - default: simple - const: simple - - styles-for-query: - if: - properties: - in: - const: query - then: - properties: - style: - default: form - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - allowReserved: - default: false - type: boolean - - styles-for-cookie: - if: - properties: - in: - const: cookie - then: - properties: - style: - default: form - const: form - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameter-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/parameter' - - request-body: - $comment: https://spec.openapis.org/oas/v3.1#request-body-object - type: object - properties: - description: - type: string - content: - $ref: '#/$defs/content' - required: - default: false - type: boolean - required: - - content - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - request-body-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/request-body' - - content: - $comment: https://spec.openapis.org/oas/v3.1#fixed-fields-10 - type: object - additionalProperties: - $ref: '#/$defs/media-type' - propertyNames: - format: media-range - - media-type: - $comment: https://spec.openapis.org/oas/v3.1#media-type-object - type: object - properties: - schema: - $dynamicRef: '#meta' - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/examples' - unevaluatedProperties: false - - encoding: - $comment: https://spec.openapis.org/oas/v3.1#encoding-object - type: object - properties: - contentType: - type: string - format: media-range - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - style: - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - explode: - type: boolean - allowReserved: - type: boolean - dependentSchemas: - style: - properties: - allowReserved: - default: false - explode: - properties: - style: - default: form - allowReserved: - default: false - allowReserved: - properties: - style: - default: form - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/styles-for-form' - unevaluatedProperties: false - - responses: - $comment: https://spec.openapis.org/oas/v3.1#responses-object - type: object - properties: - default: - $ref: '#/$defs/response-or-reference' - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': - $ref: '#/$defs/response-or-reference' - minProperties: 1 - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - if: - $comment: either default, or at least one response code property must exist - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': false - then: - required: [default] - - response: - $comment: https://spec.openapis.org/oas/v3.1#response-object - type: object - properties: - description: - type: string - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - content: - $ref: '#/$defs/content' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - required: - - description - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - response-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/response' - - callbacks: - $comment: https://spec.openapis.org/oas/v3.1#callback-object - type: object - $ref: '#/$defs/specification-extensions' - additionalProperties: - $ref: '#/$defs/path-item' - - callbacks-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/callbacks' - - example: - $comment: https://spec.openapis.org/oas/v3.1#example-object - type: object - properties: - summary: - type: string - description: - type: string - value: true - externalValue: - type: string - format: uri-reference - not: - required: - - value - - externalValue - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - example-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/example' - - link: - $comment: https://spec.openapis.org/oas/v3.1#link-object - type: object - properties: - operationRef: - type: string - format: uri-reference - operationId: - type: string - parameters: - $ref: '#/$defs/map-of-strings' - requestBody: true - description: - type: string - server: - $ref: '#/$defs/server' - oneOf: - - required: - - operationRef - - required: - - operationId - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - link-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/link' - - header: - $comment: https://spec.openapis.org/oas/v3.1#header-object - type: object - properties: - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - oneOf: - - required: - - schema - - required: - - content - dependentSchemas: - schema: - properties: - style: - default: simple - const: simple - explode: - default: false - type: boolean - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - header-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/header' - - tag: - $comment: https://spec.openapis.org/oas/v3.1#tag-object - type: object - properties: - name: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - required: - - name - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - reference: - $comment: https://spec.openapis.org/oas/v3.1#reference-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - - schema: - $comment: https://spec.openapis.org/oas/v3.1#schema-object - $dynamicAnchor: meta - type: - - object - - boolean - - security-scheme: - $comment: https://spec.openapis.org/oas/v3.1#security-scheme-object - type: object - properties: - type: - enum: - - apiKey - - http - - mutualTLS - - oauth2 - - openIdConnect - description: - type: string - required: - - type - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/security-scheme/$defs/type-apikey' - - $ref: '#/$defs/security-scheme/$defs/type-http' - - $ref: '#/$defs/security-scheme/$defs/type-http-bearer' - - $ref: '#/$defs/security-scheme/$defs/type-oauth2' - - $ref: '#/$defs/security-scheme/$defs/type-oidc' - unevaluatedProperties: false - - $defs: - type-apikey: - if: - properties: - type: - const: apiKey - then: - properties: - name: - type: string - in: - enum: - - query - - header - - cookie - required: - - name - - in - - type-http: - if: - properties: - type: - const: http - then: - properties: - scheme: - type: string - required: - - scheme - - type-http-bearer: - if: - properties: - type: - const: http - scheme: - type: string - pattern: ^[Bb][Ee][Aa][Rr][Ee][Rr]$ - required: - - type - - scheme - then: - properties: - bearerFormat: - type: string - - type-oauth2: - if: - properties: - type: - const: oauth2 - then: - properties: - flows: - $ref: '#/$defs/oauth-flows' - required: - - flows - - type-oidc: - if: - properties: - type: - const: openIdConnect - then: - properties: - openIdConnectUrl: - type: string - format: uri-reference - required: - - openIdConnectUrl - - security-scheme-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/security-scheme' - - oauth-flows: - type: object - properties: - implicit: - $ref: '#/$defs/oauth-flows/$defs/implicit' - password: - $ref: '#/$defs/oauth-flows/$defs/password' - clientCredentials: - $ref: '#/$defs/oauth-flows/$defs/client-credentials' - authorizationCode: - $ref: '#/$defs/oauth-flows/$defs/authorization-code' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - $defs: - implicit: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - password: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - client-credentials: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - authorization-code: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - security-requirement: - $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object - type: object - additionalProperties: - type: array - items: - type: string - - specification-extensions: - $comment: https://spec.openapis.org/oas/v3.1#specification-extensions - patternProperties: - '^x-': true - - examples: - properties: - example: true - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - not: - required: - - example - - examples - - map-of-strings: - type: object - additionalProperties: - type: string - - styles-for-form: - if: - properties: - style: - const: form - required: - - style - then: - properties: - explode: - default: true - else: - properties: - explode: - default: false diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml deleted file mode 100644 index 6ed2f6b333..0000000000 --- a/tests/schema/fail/example-examples.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.1.1 - -# this example should fail, as example cannot be used together with examples. - -info: - title: API - version: 1.0.0 -components: - parameters: - animal: - name: animal - in: header - schema: {} - example: bear - examples: - a mammalian example: - value: bear diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml deleted file mode 100644 index 55e3c900e3..0000000000 --- a/tests/schema/fail/invalid_schema_types.yaml +++ /dev/null @@ -1,12 +0,0 @@ -openapi: 3.1.1 - -# this example shows invalid types for the schemaObject - -info: - title: API - version: 1.0.0 -components: - schemas: - invalid_null: null - invalid_number: 0 - invalid_array: [] diff --git a/tests/schema/fail/link-object-no-body.yaml b/tests/schema/fail/link-object-no-body.yaml deleted file mode 100644 index 2c327694f5..0000000000 --- a/tests/schema/fail/link-object-no-body.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - links: - Link-Object-with-body-property: - operationId: getThing - description: The "server" property was misspelled as "body" in a previous schema iteration, now fixed - body: - url: https://things.example.com diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml deleted file mode 100644 index c158bcb2b6..0000000000 --- a/tests/schema/fail/no_containers.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.1.0 - -# this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) - -info: - title: API - version: 1.0.0 diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml deleted file mode 100644 index cd6d30eb3e..0000000000 --- a/tests/schema/fail/server_enum_empty.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.1.0 - -# this example should fail as the server variable enum is empty, and so does not contain the default value - -info: - title: API - version: 1.0.0 -servers: - - url: https://example.com/{var} - variables: - var: - enum: [] - default: a -components: {} diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml deleted file mode 100644 index 1470fe1ec8..0000000000 --- a/tests/schema/fail/servers.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.1.0 - -# this example should fail, as servers must be an array, not an object - -info: - title: API - version: 1.0.0 -paths: {} -servers: - url: /v1 - description: Run locally. diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml deleted file mode 100644 index 7f31e86053..0000000000 --- a/tests/schema/fail/unknown_container.yaml +++ /dev/null @@ -1,8 +0,0 @@ -openapi: 3.1.0 - -# this example should fail as overlays is not a valid top-level object/keyword - -info: - title: API - version: 1.0.0 -overlays: {} diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml deleted file mode 100644 index 641a79ea99..0000000000 --- a/tests/schema/pass/callback-object-examples.yaml +++ /dev/null @@ -1,30 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml deleted file mode 100644 index 502ca1fca2..0000000000 --- a/tests/schema/pass/comp_pathitems.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - pathItems: {} diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml deleted file mode 100644 index 9ef0c17665..0000000000 --- a/tests/schema/pass/components-object-example.yaml +++ /dev/null @@ -1,71 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - schemas: - GeneralError: - type: object - properties: - code: - type: integer - format: int32 - message: - type: string - Category: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - Tag: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - parameters: - skipParam: - name: skip - in: query - description: number of items to skip - required: true - schema: - type: integer - format: int32 - limitParam: - name: limit - in: query - description: max records to return - required: true - schema: - type: integer - format: int32 - responses: - NotFound: - description: Entity not found. - IllegalInput: - description: Illegal input for operation. - GeneralError: - description: General Error - content: - application/json: - schema: - $ref: '#/components/schemas/GeneralError' - securitySchemes: - api_key: - type: apiKey - name: api-key - in: header - petstore_auth: - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.org/api/oauth/dialog - scopes: - write:pets: modify pets in your account - read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml deleted file mode 100644 index 66f8f54133..0000000000 --- a/tests/schema/pass/example-object-examples.yaml +++ /dev/null @@ -1,63 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - with-example: - content: - 'application/json': - schema: - $ref: '#/components/schemas/Address' - examples: - foo: - summary: A foo example - value: - foo: bar - bar: - summary: A bar example - value: - bar: baz - application/xml: - examples: - xmlExample: - summary: This is an example in XML - externalValue: https://example.org/examples/address-example.xml - text/plain: - examples: - textExample: - summary: This is a text example - externalValue: https://foo.bar/examples/address-example.txt - parameters: - with-example: - name: zipCode - in: query - schema: - type: string - format: zip-code - examples: - zip-example: - $ref: '#/components/examples/zip-example' - responses: - '200': - description: your car appointment has been booked - content: - application/json: - schema: - $ref: '#/components/schemas/SuccessResponse' - examples: - confirmation-success: - $ref: '#/components/examples/confirmation-success' - application/x-www-form-urlencoded: - schema: - type: object - properties: - jsonValue: - type: string - encoding: - jsonValue: - contentType: application/json - examples: - jsonFormValue: - description: 'The JSON string "json" as a form value' - value: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml deleted file mode 100644 index 7b91efbbae..0000000000 --- a/tests/schema/pass/header-object-examples.yaml +++ /dev/null @@ -1,25 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - deprecated: false - schema: - type: integer - ETag: - required: true - content: - text/plain: - schema: - type: string - pattern: ^" - Reference: - $ref: '#/components/schemas/ETag' - Style: - schema: - type: array - style: simple - explode: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml deleted file mode 100644 index 2c32cd9c10..0000000000 --- a/tests/schema/pass/info-object-example.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# including External Documentation Object Example -openapi: 3.1.0 -info: - title: Example Pet Store App - summary: A pet store manager. - description: This is an example server for a pet store. - termsOfService: https://example.com/terms/ - contact: - name: API Support - url: https://www.example.com/support - email: support@example.com - license: - name: Apache 2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 1.0.1 -externalDocs: - description: Find more info here - url: https://example.com -components: {} diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml deleted file mode 100644 index 30d224afc2..0000000000 --- a/tests/schema/pass/info_summary.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.1.0 -info: - title: API - summary: My lovely API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml deleted file mode 100644 index ae0ed863b3..0000000000 --- a/tests/schema/pass/json_schema_dialect.yaml +++ /dev/null @@ -1,15 +0,0 @@ -openapi: 3.1.0 -info: - summary: Testing jsonSchemaDialect - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS -components: - schemas: - WithDollarSchema: - $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS -paths: {} diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml deleted file mode 100644 index fbdba5efbe..0000000000 --- a/tests/schema/pass/license_identifier.yaml +++ /dev/null @@ -1,9 +0,0 @@ -openapi: 3.1.0 -info: - title: API - summary: My lovely API - version: 1.0.0 - license: - name: Apache - identifier: Apache-2.0 -components: {} diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml deleted file mode 100644 index b7d8e737ad..0000000000 --- a/tests/schema/pass/link-object-examples.yaml +++ /dev/null @@ -1,66 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /users/{id}: - parameters: - - name: id - in: path - required: true - description: the user identifier, as userId - schema: - type: string - get: - responses: - '200': - description: the user being returned - content: - application/json: - schema: - type: object - properties: - uuid: # the unique user id - type: string - format: uuid - links: - address: - # the target link operationId - operationId: getUserAddress - parameters: - # get the `id` field from the request path parameter named `id` - userid: $request.path.id - address2: - operationId: getUserAddressByUUID - parameters: - # get the `uuid` field from the `uuid` field in the response body - userUuid: $response.body#/uuid - UserRepositories: - # returns array of '#/components/schemas/repository' - operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' - parameters: - username: $response.body#/username - UserRepositories2: - # returns array of '#/components/schemas/repository' - operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get - parameters: - username: $response.body#/username - withBody: - operationId: queryUserWithBody - requestBody: - userId: $request.path.id - # the path item of the linked operation - /users/{userid}/address: - parameters: - - name: userid - in: path - required: true - description: the user identifier, as userId - schema: - type: string - # linked operation - get: - operationId: getUserAddress - responses: - '200': - description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml deleted file mode 100644 index ed5862f072..0000000000 --- a/tests/schema/pass/media-type-examples.yaml +++ /dev/null @@ -1,117 +0,0 @@ -# including Encoding Object examples -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /something: - put: - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Pet' - examples: - cat: - summary: An example of a cat - value: - name: Fluffy - petType: Cat - color: White - gender: male - breed: Persian - dog: - summary: An example of a dog with a cat's name - value: - name: Puma - petType: Dog - color: Black - gender: Female - breed: Mixed - frog: - $ref: '#/components/examples/frog-example' - application/xml: - schema: - type: object - properties: - foo: - type: string - xml: - namespace: https://example.com - prefix: example - name: Foo - bar: - type: array - items: - type: number - xml: - wrapped: true - attr: - type: string - xml: - attribute: true - application/x-www-form-urlencoded: - schema: - type: object - properties: - id: - type: string - format: uuid - address: - # complex types are stringified to support RFC 1866 - type: object - properties: {} - icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. - type: string - contentEncoding: base64url - encoding: - icon: - contentType: image/png, image/jpeg - multipart/form-data: - schema: - type: object - properties: - id: - # default is `text/plain` - type: string - format: uuid - addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead - description: addresses in XML format - type: array - items: - $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary - forCoverage: - type: string - forCoverage2: - type: string - encoding: - addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array - contentType: application/xml; charset=utf-8 - profileImage: - # only accept png or jpeg - contentType: image/png, image/jpeg - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - forCoverage: - style: form - explode: false - allowReserved: true - forCoverage2: - style: spaceDelimited - explode: true diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml deleted file mode 100644 index dafae3991f..0000000000 --- a/tests/schema/pass/mega.yaml +++ /dev/null @@ -1,61 +0,0 @@ -openapi: 3.1.0 -info: - summary: My API's summary - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -paths: - /: - get: - parameters: [] - /{pathTest}: {} -webhooks: - myWebhook: - $ref: '#/components/pathItems/myPathItem' - description: Overriding description -components: - securitySchemes: - mtls: - type: mutualTLS - schemas: - Foo: - type: object - properties: - type: - const: foo - pathItems: - myPathItem: - post: - requestBody: - required: true - content: - 'application/json': - schema: - externalDocs: - description: More docs! - url: https://example.com/elsewhere.html - type: object - properties: - type: - type: string - int: - type: integer - exclusiveMaximum: 100 - exclusiveMinimum: 0 - none: - type: 'null' - arr: - type: array - $comment: Array without items keyword - either: - type: ['string','null'] - discriminator: - propertyName: type - mapping: - foo: Foo - x-extension: true - anyOf: - - $ref: "#/components/schemas/Foo" - myArbitraryKeyword: true diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml deleted file mode 100644 index 4553689ab4..0000000000 --- a/tests/schema/pass/minimal_comp.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml deleted file mode 100644 index e67b2889de..0000000000 --- a/tests/schema/pass/minimal_hooks.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -webhooks: {} diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml deleted file mode 100644 index 016e86796f..0000000000 --- a/tests/schema/pass/minimal_paths.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: {} diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml deleted file mode 100644 index e757452f38..0000000000 --- a/tests/schema/pass/non-oauth-scopes.yaml +++ /dev/null @@ -1,19 +0,0 @@ -openapi: 3.1.0 -info: - title: Non-oAuth Scopes example - version: 1.0.0 -paths: - /users: - get: - security: - - bearerAuth: - - 'read:users' - - 'public' -components: - securitySchemes: - bearerAuth: - type: http - scheme: bearer - bearerFormat: jwt - description: 'note: non-oauth scopes are not defined at the securityScheme level' - diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml deleted file mode 100644 index 9a5c76d0a0..0000000000 --- a/tests/schema/pass/operation-object-example.yaml +++ /dev/null @@ -1,47 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - put: - tags: - - pet - summary: Updates a pet in the store with form data - operationId: updatePetWithForm - parameters: - - name: petId - in: path - description: ID of pet that needs to be updated - required: true - schema: - type: string - requestBody: - content: - application/x-www-form-urlencoded: - schema: - type: object - properties: - name: - description: Updated name of the pet - type: string - status: - description: Updated status of the pet - type: string - required: - - status - responses: - '200': - description: Pet updated. - content: - application/json: {} - application/xml: {} - '405': - description: Method Not Allowed - content: - application/json: {} - application/xml: {} - security: - - petstore_auth: - - write:pets - - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml deleted file mode 100644 index fe6a13ea7c..0000000000 --- a/tests/schema/pass/parameter-object-examples.yaml +++ /dev/null @@ -1,54 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /user/{username}: - parameters: - - name: token - in: header - description: token to be passed as a header - required: true - schema: - type: array - items: - type: integer - format: int64 - style: simple - - name: username - in: path - description: username to fetch - required: true - schema: - type: string - - name: id - in: query - description: ID of the object to fetch - required: false - schema: - type: array - items: - type: string - style: form - explode: true - - in: query - name: freeForm - schema: - type: object - additionalProperties: - type: integer - style: form - - in: query - name: coordinates - content: - application/json: - schema: - type: object - required: - - lat - - long - properties: - lat: - type: number - long: - type: number \ No newline at end of file diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml deleted file mode 100644 index 41a86ec230..0000000000 --- a/tests/schema/pass/path-item-object-example.yaml +++ /dev/null @@ -1,35 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - get: - description: Returns pets based on ID - summary: Find pets by ID - operationId: getPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - parameters: - - name: id - in: path - description: ID of pet to use - required: true - schema: - type: array - items: - type: string - style: simple \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml deleted file mode 100644 index 5db8a25cbf..0000000000 --- a/tests/schema/pass/path_item_servers_parameters.yaml +++ /dev/null @@ -1,112 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /things: - summary: Lots of things - servers: - - url: https://things.example.com - get: - summary: Get a list of things - externalDocs: - description: Find more info here - url: https://example.com - parameters: - - $ref: '#/components/parameters/biscuit' - summary: The maximum number of things to return - description: The maximum number of things to return - responses: - default: - description: A list of things - servers: - - url: https://things.example.com - post: - deprecated: false - requestBody: - $ref: '#/components/requestBodies/ThingRequestBody' - responses: - '201': - $ref: '#/components/responses/ThingResponse' - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - $ref: '#/components/callbacks/transactionCallback' - patch: {} - delete: {} - head: {} - options: {} - trace: {} -components: - callbacks: - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - examples: - ThingExample: - summary: A thing - description: A thing - value: - id: 1 - name: Thing - links: - ThingLink: - description: A link to a thing - operationId: getThing - parameters: - thingId: '$response.body#/id' - server: - url: https://things.example.com - ThingyLink: - $ref: '#/components/links/ThingLink' - parameters: - limit: - name: limit - in: query - required: false - allowEmptyValue: false - allowReserved: false - deprecated: true - description: The maximum number of list items to return - schema: - type: integer - minimum: 0 - biscuit: - name: biscuit - in: cookie - style: form - schema: - type: string - requestBodies: - ThingRequestBody: - content: - application/json: - schema: - type: object - responses: - ThingResponse: - description: A thing - content: - application/json: - schema: - type: object \ No newline at end of file diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml deleted file mode 100644 index 334608f111..0000000000 --- a/tests/schema/pass/path_no_response.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /: - get: {} diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml deleted file mode 100644 index ba92742f10..0000000000 --- a/tests/schema/pass/path_var_empty_pathitem.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /{var}: {} diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml deleted file mode 100644 index ec56acdb13..0000000000 --- a/tests/schema/pass/paths-object-example.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /pets: - get: - description: Returns all pets from the system that the user has access to - responses: - '200': - description: A list of pets. - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml deleted file mode 100644 index da1b0056ad..0000000000 --- a/tests/schema/pass/request-body-examples.yaml +++ /dev/null @@ -1,34 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /something: - put: - requestBody: - description: user to add to the system - content: - application/json: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example - externalValue: https://foo.bar/examples/user-example.json - application/xml: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example in XML - externalValue: https://foo.bar/examples/user-example.xml - text/plain: - examples: - user: - summary: User example in plain text - externalValue: https://foo.bar/examples/user-example.txt - '*/*': - examples: - user: - summary: User example in other format - externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml deleted file mode 100644 index a63e995d48..0000000000 --- a/tests/schema/pass/response-object-examples.yaml +++ /dev/null @@ -1,42 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -components: - responses: - complex-object-array: - description: A complex object array response - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/VeryComplexType' - simple-string: - description: A simple string response - content: - text/plain: - schema: - type: string - plain-text-with-headers: - description: A simple string response - content: - text/plain: - schema: - type: string - example: 'whoa!' - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - X-Rate-Limit-Remaining: - description: The number of remaining requests in the current period - schema: - type: integer - X-Rate-Limit-Reset: - description: The number of seconds left in the current period - schema: - type: integer - no-return-value: - description: object created \ No newline at end of file diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml deleted file mode 100644 index 92fcbb41a5..0000000000 --- a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: - /user: - parameters: - - in: query - name: example - schema: - # Allow an arbitrary JSON object to keep - # the example simple - type: object - # DEPRECATED: don't use example keyword inside Schema Object - example: - numbers: [1, 2] - flag: null diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml deleted file mode 100644 index e192529a68..0000000000 --- a/tests/schema/pass/schema.yaml +++ /dev/null @@ -1,55 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: {} -components: - schemas: - model: - type: object - properties: - one: - description: type array - type: - - integer - - string - two: - description: type 'null' - type: "null" - three: - description: type array including 'null' - type: - - string - - "null" - four: - description: array with no items - type: array - five: - description: singular example - type: string - examples: - - exampleValue - six: - description: exclusiveMinimum true - exclusiveMinimum: 10 - seven: - description: exclusiveMinimum false - minimum: 10 - eight: - description: exclusiveMaximum true - exclusiveMaximum: 20 - nine: - description: exclusiveMaximum false - maximum: 20 - ten: - description: nullable string - type: - - string - - "null" - eleven: - description: x-nullable string - type: - - string - - "null" - twelve: - description: file/binary diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml deleted file mode 100644 index 0b0e9900a6..0000000000 --- a/tests/schema/pass/security-scheme-object-examples.yaml +++ /dev/null @@ -1,59 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -security: - - basic: [] - - apiKey: [] - - JWT-bearer: [] - - mutualTLS: [] - - OAuth2: - - write:pets - - read:pets -components: - securitySchemes: - basic: - type: http - scheme: basic - apiKey: - type: apiKey - name: api-key - in: header - JWT-bearer: - type: http - scheme: bearer - bearerFormat: JWT - mutualTLS: - type: mutualTLS - description: Cert must be signed by example.com CA - OAuth2: - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.com/api/oauth/dialog - scopes: - write:pets: modify pets in your account - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - authorizationCode: - authorizationUrl: https://example.com/api/oauth/dialog - refreshUrl: https://example.com/api/oauth/refresh - tokenUrl: https://example.com/api/oauth/token - scopes: - write:pets: modify pets in your account - read:pets: read your pets - password: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - clientCredentials: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - OpenIdConnect: - type: openIdConnect - openIdConnectUrl: https://example.com/api/oauth/openid - external: - $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml deleted file mode 100644 index ca68a88b96..0000000000 --- a/tests/schema/pass/servers.yaml +++ /dev/null @@ -1,25 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: {} -servers: - - url: /v1 - description: Run locally. - - url: https://production.com/v1 - description: Run on production server. - - url: https://{username}.gigantic-server.com:{port}/{basePath} - description: The production API server - variables: - username: - # note! no enum here means it is an open value - default: demo - description: A user-specific subdomain. Use `demo` for a free sandbox environment. - port: - enum: - - '8443' - - '443' - default: '8443' - basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` - default: v2 \ No newline at end of file diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml deleted file mode 100644 index 3d63a5f148..0000000000 --- a/tests/schema/pass/specification-extensions.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: {} -x-tensions: specification extensions are prefixed with `x-` diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml deleted file mode 100644 index aba0c7d7d5..0000000000 --- a/tests/schema/pass/tag-object-example.yaml +++ /dev/null @@ -1,15 +0,0 @@ -openapi: 3.1.0 -info: - title: API - version: 1.0.0 -paths: {} -tags: - - - name: pet - description: Pets operations - - - name: external - description: Operations available to external consumers - externalDocs: - description: Find more info here - url: https://example.com diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml deleted file mode 100644 index c2459ed37c..0000000000 --- a/tests/schema/pass/valid_schema_types.yaml +++ /dev/null @@ -1,13 +0,0 @@ -openapi: 3.1.1 - -# this example shows that top-level schemaObjects MAY be booleans - -info: - title: API - version: 1.0.0 -components: - schemas: - anything_boolean: true - nothing_boolean: false - anything_object: {} - nothing_object: { not: {} } diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml deleted file mode 100644 index 44fc73aaa9..0000000000 --- a/tests/schema/pass/webhook-example.yaml +++ /dev/null @@ -1,34 +0,0 @@ -openapi: 3.1.0 -info: - title: Webhook Example - version: 1.0.0 -# Since OAS 3.1.0 the paths element isn't necessary. Now a valid OpenAPI Document can describe only paths, webhooks, or even only reusable components -webhooks: - # Each webhook needs a name - newPet: - # This is a Path Item Object, the only difference is that the request is initiated by the API provider - post: - requestBody: - description: Information about a new pet in the system - content: - application/json: - schema: - $ref: "#/components/schemas/Pet" - responses: - "200": - description: Return a 200 status to indicate that the data was received successfully - -components: - schemas: - Pet: - required: - - id - - name - properties: - id: - type: integer - format: int64 - name: - type: string - tag: - type: string diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs deleted file mode 100644 index ba82a55a5b..0000000000 --- a/tests/schema/schema.test.mjs +++ /dev/null @@ -1,56 +0,0 @@ -import { readdirSync, readFileSync } from "node:fs"; -import YAML from "yaml"; -import { describe, test, expect } from "vitest"; -import { registerSchema } from "@hyperjump/json-schema-coverage/vitest"; -import registerOasSchema from "./oas-schema.mjs"; - -const parseYamlFromFile = (filePath) => { - const schemaYaml = readFileSync(filePath, "utf8"); - return YAML.parse(schemaYaml, { prettyErrors: true }); -}; - -await registerOasSchema(); -await registerSchema("./src/schemas/validation/schema.yaml"); -const fixtures = './tests/schema'; - -describe("v3.1", () => { - test("schema.yaml schema test", async () => { - // Files in the pass/fail folders get run against schema-base.yaml. - // This instance is instead run against schema.yaml. - const oad = { - openapi: "3.1.0", - info: { - title: "API", - version: "1.0.0" - }, - components: { - schemas: { - foo: {} - } - } - }; - await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" - }); - - describe("Pass", () => { - readdirSync(`${fixtures}/pass`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); - await expect(instance).to.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); - - describe("Fail", () => { - readdirSync(`${fixtures}/fail`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/fail/${entry.name}`); - await expect(instance).to.not.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); -}); diff --git a/versions/3.1.2-editors.md b/versions/3.1.2-editors.md new file mode 100644 index 0000000000..fc5f990794 --- /dev/null +++ b/versions/3.1.2-editors.md @@ -0,0 +1,22 @@ +# OpenAPI Specification Editors + +## Active + +* Henry Andrews [@handrews](https://github.com/handrews) +* Jeremy Whitlock [@whitlockjc](https://github.com/whitlockjc) +* Karen Etheridge [@karenetheridge](https://github.com/karenetheridge) +* Lorna Mitchell [@lornajane](https://github.com/lornajane) +* Marsh Gardiner [@earth2marsh](https://github.com/earth2marsh) +* Miguel Quintero [@miqui](https://github.com/miqui) +* Mike Kistler [@mikekistler](https://github.com/mikekistler) +* Ralf Handl [@ralfhandl](https://github.com/ralfhandl) +* Vincent Biret [@baywet](https://github.com/baywet) + +## Emeritus + +* Ron Ratovsky [@webron](https://github.com/webron) +* Darrel Miller [@darrelmiller](https://github.com/darrelmiller) +* Mike Ralphson [@MikeRalphson](https://github.com/MikeRalphson) +* Uri Sarid [@usarid](https://github.com/usarid) +* Jason Harmon [@jharmn](https://github.com/jharmn) +* Tony Tam [@fehguy](https://github.com/fehguy) diff --git a/src/oas.md b/versions/3.1.2.md similarity index 100% rename from src/oas.md rename to versions/3.1.2.md From 2c162bfc557ba10d3c9b22bbca0b86d286f12f04 Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Thu, 18 Sep 2025 17:54:48 +0100 Subject: [PATCH 79/91] Adjust the branch for release of 3.2 --- src/schemas/validation/README.md | 69 - src/schemas/validation/dialect.yaml | 21 - src/schemas/validation/meta.yaml | 86 -- src/schemas/validation/schema-base.yaml | 20 - src/schemas/validation/schema.yaml | 1135 ----------------- .../fail/encoding-enc-item-exclusion.yaml | 13 - .../fail/encoding-enc-prefix-exclusion.yaml | 13 - tests/schema/fail/example-examples.yaml | 17 - .../fail/example-object-old-exclusions.yaml | 10 - .../fail/example-object-old-vs-data.yaml | 10 - .../fail/example-object-old-vs-ser.yaml | 10 - .../fail/example-object-ser-exclusions.yaml | 10 - tests/schema/fail/invalid_schema_types.yaml | 12 - .../fail/media-type-enc-item-exclusion.yaml | 11 - .../fail/media-type-enc-prefix-exclusion.yaml | 11 - tests/schema/fail/no_containers.yaml | 7 - ...eration-object-query-with-querystring.yaml | 20 - .../operation-object-two-querystrings.yaml | 20 - ...rameter-object-content-not-with-style.yaml | 14 - ...er-object-querystring-not-with-schema.yaml | 11 - ...ject-conflicting-additional-operation.yaml | 64 - ...th-item-object-query-with-querystring.yaml | 19 - .../path-item-object-two-querystrings.yaml | 20 - tests/schema/fail/server_enum_empty.yaml | 14 - tests/schema/fail/servers.yaml | 11 - tests/schema/fail/unknown_container.yaml | 8 - tests/schema/fail/xml-attr-exclusion.yaml | 11 - tests/schema/fail/xml-wrapped-exclusion.yaml | 11 - .../schema/pass/callback-object-examples.yaml | 30 - tests/schema/pass/comp_pathitems.yaml | 6 - .../pass/components-object-example.yaml | 71 -- .../schema/pass/example-object-examples.yaml | 64 - tests/schema/pass/header-object-examples.yaml | 26 - tests/schema/pass/info-object-example.yaml | 20 - tests/schema/pass/info_summary.yaml | 6 - tests/schema/pass/json_schema_dialect.yaml | 15 - tests/schema/pass/license_identifier.yaml | 9 - tests/schema/pass/link-object-examples.yaml | 66 - tests/schema/pass/media-type-examples.yaml | 173 --- tests/schema/pass/mega.yaml | 62 - tests/schema/pass/minimal_comp.yaml | 5 - tests/schema/pass/minimal_hooks.yaml | 5 - tests/schema/pass/minimal_paths.yaml | 5 - tests/schema/pass/non-oauth-scopes.yaml | 19 - .../schema/pass/operation-object-example.yaml | 47 - .../pass/parameter-object-examples.yaml | 75 -- .../schema/pass/path-item-object-example.yaml | 74 -- .../pass/path_item_servers_parameters.yaml | 112 -- tests/schema/pass/path_no_response.yaml | 7 - .../schema/pass/path_var_empty_pathitem.yaml | 6 - tests/schema/pass/paths-object-example.yaml | 17 - tests/schema/pass/request-body-examples.yaml | 34 - .../schema/pass/response-object-examples.yaml | 43 - ...ema-object-deprecated-example-keyword.yaml | 17 - tests/schema/pass/schema.yaml | 55 - .../pass/security-scheme-object-examples.yaml | 69 - tests/schema/pass/servers.yaml | 26 - .../schema/pass/specification-extensions.yaml | 6 - tests/schema/pass/tag-object-example.yaml | 25 - tests/schema/pass/valid_schema_types.yaml | 14 - tests/schema/pass/webhook-example.yaml | 35 - tests/schema/schema.test.mjs | 56 - versions/3.2.0-editors.md | 22 + src/oas.md => versions/3.2.0.md | 0 64 files changed, 22 insertions(+), 2978 deletions(-) delete mode 100644 src/schemas/validation/README.md delete mode 100644 src/schemas/validation/dialect.yaml delete mode 100644 src/schemas/validation/meta.yaml delete mode 100644 src/schemas/validation/schema-base.yaml delete mode 100644 src/schemas/validation/schema.yaml delete mode 100644 tests/schema/fail/encoding-enc-item-exclusion.yaml delete mode 100644 tests/schema/fail/encoding-enc-prefix-exclusion.yaml delete mode 100644 tests/schema/fail/example-examples.yaml delete mode 100644 tests/schema/fail/example-object-old-exclusions.yaml delete mode 100644 tests/schema/fail/example-object-old-vs-data.yaml delete mode 100644 tests/schema/fail/example-object-old-vs-ser.yaml delete mode 100644 tests/schema/fail/example-object-ser-exclusions.yaml delete mode 100644 tests/schema/fail/invalid_schema_types.yaml delete mode 100644 tests/schema/fail/media-type-enc-item-exclusion.yaml delete mode 100644 tests/schema/fail/media-type-enc-prefix-exclusion.yaml delete mode 100644 tests/schema/fail/no_containers.yaml delete mode 100644 tests/schema/fail/operation-object-query-with-querystring.yaml delete mode 100644 tests/schema/fail/operation-object-two-querystrings.yaml delete mode 100644 tests/schema/fail/parameter-object-content-not-with-style.yaml delete mode 100644 tests/schema/fail/parameter-object-querystring-not-with-schema.yaml delete mode 100644 tests/schema/fail/path-item-object-conflicting-additional-operation.yaml delete mode 100644 tests/schema/fail/path-item-object-query-with-querystring.yaml delete mode 100644 tests/schema/fail/path-item-object-two-querystrings.yaml delete mode 100644 tests/schema/fail/server_enum_empty.yaml delete mode 100644 tests/schema/fail/servers.yaml delete mode 100644 tests/schema/fail/unknown_container.yaml delete mode 100644 tests/schema/fail/xml-attr-exclusion.yaml delete mode 100644 tests/schema/fail/xml-wrapped-exclusion.yaml delete mode 100644 tests/schema/pass/callback-object-examples.yaml delete mode 100644 tests/schema/pass/comp_pathitems.yaml delete mode 100644 tests/schema/pass/components-object-example.yaml delete mode 100644 tests/schema/pass/example-object-examples.yaml delete mode 100644 tests/schema/pass/header-object-examples.yaml delete mode 100644 tests/schema/pass/info-object-example.yaml delete mode 100644 tests/schema/pass/info_summary.yaml delete mode 100644 tests/schema/pass/json_schema_dialect.yaml delete mode 100644 tests/schema/pass/license_identifier.yaml delete mode 100644 tests/schema/pass/link-object-examples.yaml delete mode 100644 tests/schema/pass/media-type-examples.yaml delete mode 100644 tests/schema/pass/mega.yaml delete mode 100644 tests/schema/pass/minimal_comp.yaml delete mode 100644 tests/schema/pass/minimal_hooks.yaml delete mode 100644 tests/schema/pass/minimal_paths.yaml delete mode 100644 tests/schema/pass/non-oauth-scopes.yaml delete mode 100644 tests/schema/pass/operation-object-example.yaml delete mode 100644 tests/schema/pass/parameter-object-examples.yaml delete mode 100644 tests/schema/pass/path-item-object-example.yaml delete mode 100644 tests/schema/pass/path_item_servers_parameters.yaml delete mode 100644 tests/schema/pass/path_no_response.yaml delete mode 100644 tests/schema/pass/path_var_empty_pathitem.yaml delete mode 100644 tests/schema/pass/paths-object-example.yaml delete mode 100644 tests/schema/pass/request-body-examples.yaml delete mode 100644 tests/schema/pass/response-object-examples.yaml delete mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml delete mode 100644 tests/schema/pass/schema.yaml delete mode 100644 tests/schema/pass/security-scheme-object-examples.yaml delete mode 100644 tests/schema/pass/servers.yaml delete mode 100644 tests/schema/pass/specification-extensions.yaml delete mode 100644 tests/schema/pass/tag-object-example.yaml delete mode 100644 tests/schema/pass/valid_schema_types.yaml delete mode 100644 tests/schema/pass/webhook-example.yaml delete mode 100644 tests/schema/schema.test.mjs create mode 100644 versions/3.2.0-editors.md rename src/oas.md => versions/3.2.0.md (100%) diff --git a/src/schemas/validation/README.md b/src/schemas/validation/README.md deleted file mode 100644 index 57501dfc51..0000000000 --- a/src/schemas/validation/README.md +++ /dev/null @@ -1,69 +0,0 @@ -# OpenAPI 3.X.Y JSON Schema - -This directory contains the YAML sources for generating the JSON Schemas for validating OpenAPI definitions of versions 3.X.Y, which are published on [https://spec.openapis.org](https://spec.openapis.org). - -Due to limitations of GitHub pages, the schemas on the spec site are served with `Content-Type: application/octet-stream`, but should be interpreted as `application/schema+json`. - -The sources in this directory, which have `WORK-IN-PROGRESS` in their `$id`s, are _not intended for direct use_. - -## Schema `$id` dates - -The published schemas on the spec site have an _iteration date_ in their `id`s. -This allows the schemas for a release line to be updated independent of the spec patch release cycle. - -The iteration version of the JSON Schema can be found in the `$id` field. -For example, the value of `$id: https://spec.openapis.org/oas/3.1/schema/2021-03-02` means this iteration was created on March 2nd, 2021. - -We are [working on](https://github.com/OAI/OpenAPI-Specification/issues/4152) how to best provide programmatic access for determining the latest date for each schema. - -## Choosing which schema to use - -There are two schemas to choose from for versions 3.1 and greater, both of which have an `$id` that starts with `https://spec.openapis.org/oas/3.X/` and ends with the iteration date: - -* `https://spec.openapis.org/oas/3.X/schema/{date}`, source: `schema.yaml` — A self-contained schema that _does not_ validate Schema Objects beyond `type: [object, boolean]` -* `https://spec.openapis.org/oas/3.1/schema-base/{date}`, source: `schema-base.yaml` — A schema that combines the self-contained schema and the "base" dialect schema to validate Schema Objects with the dialect; this schema does not allow changing `$schema` or `jsonSchemaDialect` to other dialects - -Two metaschemas define the OAS "base" dialect: - -* `https://spec.openapis.org/oas/3.X/meta/{date}`, source: `meta.yaml` — The vocabulary metaschema for OAS 3.X's extensions to draft 2020-12 -* `https://spec.openapis.org/oas/3.X/dialect/{date}`, source: `dialect.yaml` — The dialect metaschema that extends the standard `draft/2020-12` metaschema by adding the OAS "base" vocabulary - -The name "base" for the dialect was intended to indicate that the OAS dialect could be further extended. - -~~~mermaid -flowchart LR - schema_base - schema - dialect - meta - schema --> |default| dialect - schema_base --> |$ref| schema - schema_base --> |$ref| dialect - dialect --> |$ref| meta -~~~ - -An additional schema that validates the Schema Object with the OAS 3.X dialect but does not restrict changing `$schema` is [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4147). - -## Improving the schemas - -As a reminder, the JSON Schema is not the source of truth for the Specification. In cases of conflicts between the Specification itself and the JSON Schema, the Specification wins. Also, some Specification constraints cannot be represented with the JSON Schema so it's highly recommended to employ other methods to ensure compliance. - -The schema only validates the mandatory aspects of the OAS. -Validating requirements that are optional, or field usage that has undefined or ignored behavior are not within the scope of this schema. -Schemas to perform additional optional validation are [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4141). - -Improvements can be submitted by opening a PR against the `vX.Y-dev` branch of the respective specification version. - -Modify the `schema.yaml` file and add test cases for your changes. - -The TSC will then: -- Run tests on the updated schema -- Update the iteration version -- Publish the new version - -The [test suite](../../../tests/schema) is part of this package. - -```bash -npm install -npm test -``` diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml deleted file mode 100644 index 1986c9e8f8..0000000000 --- a/src/schemas/validation/dialect.yaml +++ /dev/null @@ -1,21 +0,0 @@ -$id: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OpenAPI 3.2 Schema Object Dialect -description: A JSON Schema dialect describing schemas found in OpenAPI v3.2.x Descriptions - -$dynamicAnchor: meta - -$vocabulary: - https://json-schema.org/draft/2020-12/vocab/applicator: true - https://json-schema.org/draft/2020-12/vocab/content: true - https://json-schema.org/draft/2020-12/vocab/core: true - https://json-schema.org/draft/2020-12/vocab/format-annotation: true - https://json-schema.org/draft/2020-12/vocab/meta-data: true - https://json-schema.org/draft/2020-12/vocab/unevaluated: true - https://json-schema.org/draft/2020-12/vocab/validation: true - https://spec.openapis.org/oas/3.2/vocab/base: false - -allOf: - - $ref: https://json-schema.org/draft/2020-12/schema - - $ref: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml deleted file mode 100644 index ca512c4353..0000000000 --- a/src/schemas/validation/meta.yaml +++ /dev/null @@ -1,86 +0,0 @@ -$id: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS -$schema: https://json-schema.org/draft/2020-12/schema - -title: OAS Base Vocabulary -description: A JSON Schema Vocabulary used in the OpenAPI JSON Schema Dialect - -$dynamicAnchor: meta - -$vocabulary: - https://spec.openapis.org/oas/3.2/vocab/base: true - -type: - - object - - boolean -properties: - discriminator: - $ref: '#/$defs/discriminator' - example: - deprecated: true - externalDocs: - $ref: '#/$defs/external-docs' - xml: - $ref: '#/$defs/xml' - -$defs: - discriminator: - $ref: '#/$defs/extensible' - properties: - mapping: - additionalProperties: - type: string - type: object - defaultMapping: - type: string - propertyName: - type: string - type: object - unevaluatedProperties: false - - extensible: - patternProperties: - ^x-: true - external-docs: - $ref: '#/$defs/extensible' - properties: - description: - type: string - url: - format: uri-reference - type: string - required: - - url - type: object - unevaluatedProperties: false - - xml: - $ref: '#/$defs/extensible' - properties: - nodeType: - type: string - enum: - - element - - attribute - - text - - cdata - - none - name: - type: string - namespace: - format: iri - type: string - prefix: - type: string - attribute: - type: boolean - deprecated: true - wrapped: - type: boolean - deprecated: true - type: object - dependentSchemas: - nodeType: - properties: - attribute: false - wrapped: false - unevaluatedProperties: false diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml deleted file mode 100644 index 195ae5ed43..0000000000 --- a/src/schemas/validation/schema-base.yaml +++ /dev/null @@ -1,20 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.2/schema-base/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.2.x Documents using the OpenAPI JSON Schema dialect - -$ref: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' -properties: - jsonSchemaDialect: - $ref: '#/$defs/dialect' - -$defs: - dialect: - const: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - - schema: - $dynamicAnchor: meta - $ref: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - properties: - $schema: - $ref: '#/$defs/dialect' diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml deleted file mode 100644 index 05e5704fe1..0000000000 --- a/src/schemas/validation/schema.yaml +++ /dev/null @@ -1,1135 +0,0 @@ -$id: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' -$schema: 'https://json-schema.org/draft/2020-12/schema' - -description: The description of OpenAPI v3.2.x Documents without Schema Object validation - -type: object -properties: - openapi: - type: string - pattern: '^3\.2\.\d+(-.+)?$' - $self: - type: string - format: uri-reference - $comment: MUST NOT contain a fragment - pattern: '^[^#]*$' - info: - $ref: '#/$defs/info' - jsonSchemaDialect: - type: string - format: uri-reference - default: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' - servers: - type: array - items: - $ref: '#/$defs/server' - default: - - url: / - paths: - $ref: '#/$defs/paths' - webhooks: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - components: - $ref: '#/$defs/components' - security: - type: array - items: - $ref: '#/$defs/security-requirement' - tags: - type: array - items: - $ref: '#/$defs/tag' - externalDocs: - $ref: '#/$defs/external-documentation' -required: - - openapi - - info -anyOf: - - required: - - paths - - required: - - components - - required: - - webhooks -$ref: '#/$defs/specification-extensions' -unevaluatedProperties: false - -$defs: - info: - $comment: https://spec.openapis.org/oas/v3.2#info-object - type: object - properties: - title: - type: string - summary: - type: string - description: - type: string - termsOfService: - type: string - format: uri-reference - contact: - $ref: '#/$defs/contact' - license: - $ref: '#/$defs/license' - version: - type: string - required: - - title - - version - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - contact: - $comment: https://spec.openapis.org/oas/v3.2#contact-object - type: object - properties: - name: - type: string - url: - type: string - format: uri-reference - email: - type: string - format: email - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - license: - $comment: https://spec.openapis.org/oas/v3.2#license-object - type: object - properties: - name: - type: string - identifier: - type: string - url: - type: string - format: uri-reference - required: - - name - dependentSchemas: - identifier: - not: - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server: - $comment: https://spec.openapis.org/oas/v3.2#server-object - type: object - properties: - url: - type: string - description: - type: string - name: - type: string - variables: - type: object - additionalProperties: - $ref: '#/$defs/server-variable' - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - server-variable: - $comment: https://spec.openapis.org/oas/v3.2#server-variable-object - type: object - properties: - enum: - type: array - items: - type: string - minItems: 1 - default: - type: string - description: - type: string - required: - - default - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - components: - $comment: https://spec.openapis.org/oas/v3.2#components-object - type: object - properties: - schemas: - type: object - additionalProperties: - $dynamicRef: '#meta' - responses: - type: object - additionalProperties: - $ref: '#/$defs/response-or-reference' - parameters: - type: object - additionalProperties: - $ref: '#/$defs/parameter-or-reference' - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - requestBodies: - type: object - additionalProperties: - $ref: '#/$defs/request-body-or-reference' - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - securitySchemes: - type: object - additionalProperties: - $ref: '#/$defs/security-scheme-or-reference' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - pathItems: - type: object - additionalProperties: - $ref: '#/$defs/path-item' - mediaTypes: - type: object - additionalProperties: - $ref: '#/$defs/media-type-or-reference' - patternProperties: - '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': - $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected - propertyNames: - pattern: '^[a-zA-Z0-9._-]+$' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - paths: - $comment: https://spec.openapis.org/oas/v3.2#paths-object - type: object - patternProperties: - '^/': - $ref: '#/$defs/path-item' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - path-item: - $comment: https://spec.openapis.org/oas/v3.2#path-item-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - servers: - type: array - items: - $ref: '#/$defs/server' - parameters: - $ref: '#/$defs/parameters' - additionalOperations: - type: object - additionalProperties: - $ref: '#/$defs/operation' - propertyNames: - $comment: RFC9110 restricts methods to "1*tchar" in ABNF - pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" - not: - enum: - - GET - - PUT - - POST - - DELETE - - OPTIONS - - HEAD - - PATCH - - TRACE - - QUERY - get: - $ref: '#/$defs/operation' - put: - $ref: '#/$defs/operation' - post: - $ref: '#/$defs/operation' - delete: - $ref: '#/$defs/operation' - options: - $ref: '#/$defs/operation' - head: - $ref: '#/$defs/operation' - patch: - $ref: '#/$defs/operation' - trace: - $ref: '#/$defs/operation' - query: - $ref: '#/$defs/operation' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - operation: - $comment: https://spec.openapis.org/oas/v3.2#operation-object - type: object - properties: - tags: - type: array - items: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - operationId: - type: string - parameters: - $ref: '#/$defs/parameters' - requestBody: - $ref: '#/$defs/request-body-or-reference' - responses: - $ref: '#/$defs/responses' - callbacks: - type: object - additionalProperties: - $ref: '#/$defs/callbacks-or-reference' - deprecated: - default: false - type: boolean - security: - type: array - items: - $ref: '#/$defs/security-requirement' - servers: - type: array - items: - $ref: '#/$defs/server' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - external-documentation: - $comment: https://spec.openapis.org/oas/v3.2#external-documentation-object - type: object - properties: - description: - type: string - url: - type: string - format: uri-reference - required: - - url - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' - not: - allOf: - - contains: - type: object - properties: - in: - const: query - required: - - in - - contains: - type: object - properties: - in: - const: querystring - required: - - in - contains: - type: object - properties: - in: - const: querystring - required: - - in - minContains: 0 - maxContains: 1 - - parameter: - $comment: https://spec.openapis.org/oas/v3.2#parameter-object - type: object - properties: - name: - type: string - in: - enum: - - query - - querystring - - header - - path - - cookie - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - required: - - name - - in - oneOf: - - required: - - schema - - required: - - content - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - - if: - properties: - in: - const: query - then: - properties: - allowEmptyValue: - default: false - type: boolean - - if: - properties: - in: - const: querystring - then: - required: - - content - dependentSchemas: - schema: - properties: - style: - type: string - explode: - type: boolean - allowReserved: - default: false - type: boolean - allOf: - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' - - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-cookie' - - $ref: '#/$defs/styles-for-form' - - $defs: - styles-for-path: - if: - properties: - in: - const: path - then: - properties: - style: - default: simple - enum: - - matrix - - label - - simple - required: - const: true - required: - - required - - styles-for-header: - if: - properties: - in: - const: header - then: - properties: - style: - default: simple - const: simple - - styles-for-query: - if: - properties: - in: - const: query - then: - properties: - style: - default: form - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - - styles-for-cookie: - if: - properties: - in: - const: cookie - then: - properties: - style: - default: form - enum: - - form - - cookie - - unevaluatedProperties: false - - parameter-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/parameter' - - request-body: - $comment: https://spec.openapis.org/oas/v3.2#request-body-object - type: object - properties: - description: - type: string - content: - $ref: '#/$defs/content' - required: - default: false - type: boolean - required: - - content - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - request-body-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/request-body' - - content: - $comment: https://spec.openapis.org/oas/v3.2#fixed-fields-10 - type: object - additionalProperties: - $ref: '#/$defs/media-type-or-reference' - propertyNames: - format: media-range - - media-type: - $comment: https://spec.openapis.org/oas/v3.2#media-type-object - type: object - properties: - description: - type: string - schema: - $dynamicRef: '#meta' - itemSchema: - $dynamicRef: '#meta' - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - prefixEncoding: - type: array - items: - $ref: '#/$defs/encoding' - itemEncoding: - $ref: '#/$defs/encoding' - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - media-type-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/media-type' - - encoding: - $comment: https://spec.openapis.org/oas/v3.2#encoding-object - type: object - properties: - contentType: - type: string - format: media-range - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - style: - enum: - - form - - spaceDelimited - - pipeDelimited - - deepObject - explode: - type: boolean - allowReserved: - type: boolean - encoding: - type: object - additionalProperties: - $ref: '#/$defs/encoding' - prefixEncoding: - type: array - items: - $ref: '#/$defs/encoding' - itemEncoding: - $ref: '#/$defs/encoding' - dependentSchemas: - encoding: - properties: - prefixEncoding: false - itemEncoding: false - style: - properties: - allowReserved: - default: false - explode: - properties: - style: - default: form - allowReserved: - default: false - allowReserved: - properties: - style: - default: form - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/styles-for-form' - unevaluatedProperties: false - - responses: - $comment: https://spec.openapis.org/oas/v3.2#responses-object - type: object - properties: - default: - $ref: '#/$defs/response-or-reference' - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': - $ref: '#/$defs/response-or-reference' - minProperties: 1 - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - if: - $comment: either default, or at least one response code property must exist - patternProperties: - '^[1-5](?:[0-9]{2}|XX)$': false - then: - required: [default] - - response: - $comment: https://spec.openapis.org/oas/v3.2#response-object - type: object - properties: - summary: - type: string - description: - type: string - headers: - type: object - additionalProperties: - $ref: '#/$defs/header-or-reference' - content: - $ref: '#/$defs/content' - links: - type: object - additionalProperties: - $ref: '#/$defs/link-or-reference' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - response-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/response' - - callbacks: - $comment: https://spec.openapis.org/oas/v3.2#callback-object - type: object - $ref: '#/$defs/specification-extensions' - additionalProperties: - $ref: '#/$defs/path-item' - - callbacks-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/callbacks' - - example: - $comment: https://spec.openapis.org/oas/v3.2#example-object - type: object - properties: - summary: - type: string - description: - type: string - dataValue: true - serializedValue: - type: string - value: true - externalValue: - type: string - format: uri-reference - allOf: - - not: - required: - - value - - externalValue - - not: - required: - - value - - dataValue - - not: - required: - - value - - serializedValue - - not: - required: - - serializedValue - - externalValue - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - example-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/example' - - link: - $comment: https://spec.openapis.org/oas/v3.2#link-object - type: object - properties: - operationRef: - type: string - format: uri-reference - operationId: - type: string - parameters: - $ref: '#/$defs/map-of-strings' - requestBody: true - description: - type: string - server: - $ref: '#/$defs/server' - oneOf: - - required: - - operationRef - - required: - - operationId - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - link-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/link' - - header: - $comment: https://spec.openapis.org/oas/v3.2#header-object - type: object - properties: - description: - type: string - required: - default: false - type: boolean - deprecated: - default: false - type: boolean - schema: - $dynamicRef: '#meta' - content: - $ref: '#/$defs/content' - minProperties: 1 - maxProperties: 1 - oneOf: - - required: - - schema - - required: - - content - dependentSchemas: - schema: - properties: - style: - default: simple - const: simple - explode: - default: false - type: boolean - allowReserved: - default: false - type: boolean - allOf: - - $ref: '#/$defs/examples' - - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - header-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/header' - - tag: - $comment: https://spec.openapis.org/oas/v3.2#tag-object - type: object - properties: - name: - type: string - summary: - type: string - description: - type: string - externalDocs: - $ref: '#/$defs/external-documentation' - parent: - type: string - kind: - type: string - required: - - name - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - reference: - $comment: https://spec.openapis.org/oas/v3.2#reference-object - type: object - properties: - $ref: - type: string - format: uri-reference - summary: - type: string - description: - type: string - - schema: - $comment: https://spec.openapis.org/oas/v3.2#schema-object - $dynamicAnchor: meta - type: - - object - - boolean - - security-scheme: - $comment: https://spec.openapis.org/oas/v3.2#security-scheme-object - type: object - properties: - type: - enum: - - apiKey - - http - - mutualTLS - - oauth2 - - openIdConnect - description: - type: string - deprecated: - default: false - type: boolean - required: - - type - allOf: - - $ref: '#/$defs/specification-extensions' - - $ref: '#/$defs/security-scheme/$defs/type-apikey' - - $ref: '#/$defs/security-scheme/$defs/type-http' - - $ref: '#/$defs/security-scheme/$defs/type-http-bearer' - - $ref: '#/$defs/security-scheme/$defs/type-oauth2' - - $ref: '#/$defs/security-scheme/$defs/type-oidc' - unevaluatedProperties: false - - $defs: - type-apikey: - if: - properties: - type: - const: apiKey - then: - properties: - name: - type: string - in: - enum: - - query - - header - - cookie - required: - - name - - in - - type-http: - if: - properties: - type: - const: http - then: - properties: - scheme: - type: string - required: - - scheme - - type-http-bearer: - if: - properties: - type: - const: http - scheme: - type: string - pattern: ^[Bb][Ee][Aa][Rr][Ee][Rr]$ - required: - - type - - scheme - then: - properties: - bearerFormat: - type: string - - type-oauth2: - if: - properties: - type: - const: oauth2 - then: - properties: - flows: - $ref: '#/$defs/oauth-flows' - oauth2MetadataUrl: - type: string - format: uri-reference - required: - - flows - - type-oidc: - if: - properties: - type: - const: openIdConnect - then: - properties: - openIdConnectUrl: - type: string - format: uri-reference - required: - - openIdConnectUrl - - security-scheme-or-reference: - if: - type: object - required: - - $ref - then: - $ref: '#/$defs/reference' - else: - $ref: '#/$defs/security-scheme' - - oauth-flows: - type: object - properties: - implicit: - $ref: '#/$defs/oauth-flows/$defs/implicit' - password: - $ref: '#/$defs/oauth-flows/$defs/password' - clientCredentials: - $ref: '#/$defs/oauth-flows/$defs/client-credentials' - authorizationCode: - $ref: '#/$defs/oauth-flows/$defs/authorization-code' - deviceAuthorization: - $ref: '#/$defs/oauth-flows/$defs/device-authorization' - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - $defs: - implicit: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - password: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - client-credentials: - type: object - properties: - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - authorization-code: - type: object - properties: - authorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - authorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - device-authorization: - type: object - properties: - deviceAuthorizationUrl: - type: string - format: uri-reference - tokenUrl: - type: string - format: uri-reference - refreshUrl: - type: string - format: uri-reference - scopes: - $ref: '#/$defs/map-of-strings' - required: - - deviceAuthorizationUrl - - tokenUrl - - scopes - $ref: '#/$defs/specification-extensions' - unevaluatedProperties: false - - security-requirement: - $comment: https://spec.openapis.org/oas/v3.2#security-requirement-object - type: object - additionalProperties: - type: array - items: - type: string - - specification-extensions: - $comment: https://spec.openapis.org/oas/v3.2#specification-extensions - patternProperties: - '^x-': true - - examples: - properties: - example: true - examples: - type: object - additionalProperties: - $ref: '#/$defs/example-or-reference' - not: - required: - - example - - examples - - map-of-strings: - type: object - additionalProperties: - type: string - - styles-for-form: - if: - properties: - style: - const: form - required: - - style - then: - properties: - explode: - default: true - else: - properties: - explode: - default: false diff --git a/tests/schema/fail/encoding-enc-item-exclusion.yaml b/tests/schema/fail/encoding-enc-item-exclusion.yaml deleted file mode 100644 index e0c7e03b8e..0000000000 --- a/tests/schema/fail/encoding-enc-item-exclusion.yaml +++ /dev/null @@ -1,13 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-prefixEncoding-not-allowed: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - prefixEncoding: [] diff --git a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml deleted file mode 100644 index 9ed8c09c18..0000000000 --- a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml +++ /dev/null @@ -1,13 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-itemEncoding-not-allowed: - content: - multipart/mixed: - prefixEncoding: - - contentType: multipart/mixed - encoding: {} - itemEncoding: [] diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml deleted file mode 100644 index aa8227817d..0000000000 --- a/tests/schema/fail/example-examples.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 - -# this example should fail, as example cannot be used together with examples. - -info: - title: API - version: 1.0.0 -components: - parameters: - animal: - name: animal - in: header - schema: {} - example: bear - examples: - a mammalian example: - dataValue: bear diff --git a/tests/schema/fail/example-object-old-exclusions.yaml b/tests/schema/fail/example-object-old-exclusions.yaml deleted file mode 100644 index 37be07da1c..0000000000 --- a/tests/schema/fail/example-object-old-exclusions.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - value: foo - externalValue: https://example.com/foo diff --git a/tests/schema/fail/example-object-old-vs-data.yaml b/tests/schema/fail/example-object-old-vs-data.yaml deleted file mode 100644 index f52e7feb0e..0000000000 --- a/tests/schema/fail/example-object-old-vs-data.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - NoValueWithDataValue: - value: foo - dataValue: foo diff --git a/tests/schema/fail/example-object-old-vs-ser.yaml b/tests/schema/fail/example-object-old-vs-ser.yaml deleted file mode 100644 index 43ba991e4e..0000000000 --- a/tests/schema/fail/example-object-old-vs-ser.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - value: foo - serializedValue: foo diff --git a/tests/schema/fail/example-object-ser-exclusions.yaml b/tests/schema/fail/example-object-ser-exclusions.yaml deleted file mode 100644 index 3a6bc01e21..0000000000 --- a/tests/schema/fail/example-object-ser-exclusions.yaml +++ /dev/null @@ -1,10 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 - -components: - examples: - CannotHaveBoth: - serializedValue: foo - externalValue: https://example.com/foo diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml deleted file mode 100644 index b3aa50a6c8..0000000000 --- a/tests/schema/fail/invalid_schema_types.yaml +++ /dev/null @@ -1,12 +0,0 @@ -openapi: 3.2.0 - -# this example shows invalid types for the schemaObject - -info: - title: API - version: 1.0.0 -components: - schemas: - invalid_null: null - invalid_number: 0 - invalid_array: [] diff --git a/tests/schema/fail/media-type-enc-item-exclusion.yaml b/tests/schema/fail/media-type-enc-item-exclusion.yaml deleted file mode 100644 index 5bcf06a94d..0000000000 --- a/tests/schema/fail/media-type-enc-item-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-itemEncoding-not-allowed: - content: - multipart/mixed: - encoding: {} - itemEncoding: {} diff --git a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml deleted file mode 100644 index 2f19064c22..0000000000 --- a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - encoding-with-prefixEncoding-not-allowed: - content: - multipart/mixed: - encoding: {} - prefixEncoding: [] diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml deleted file mode 100644 index 3c38be021d..0000000000 --- a/tests/schema/fail/no_containers.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) - -info: - title: API - version: 1.0.0 diff --git a/tests/schema/fail/operation-object-query-with-querystring.yaml b/tests/schema/fail/operation-object-query-with-querystring.yaml deleted file mode 100644 index 5046d9c73c..0000000000 --- a/tests/schema/fail/operation-object-query-with-querystring.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - get: - description: a query parameter cannot be used together with a querystring parameter - parameters: - - name: myquerystring - in: querystring - content: - application/json: - schema: - type: string - - name: myquery - in: query - schema: - type: string diff --git a/tests/schema/fail/operation-object-two-querystrings.yaml b/tests/schema/fail/operation-object-two-querystrings.yaml deleted file mode 100644 index 35cebf0a3c..0000000000 --- a/tests/schema/fail/operation-object-two-querystrings.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - get: - description: querystring cannot be used twice - parameters: - - name: myquerystring1 - in: querystring - content: - application/json: - schema: {} - - name: myquerystring2 - in: querystring - content: - application/json: - schema: {} diff --git a/tests/schema/fail/parameter-object-content-not-with-style.yaml b/tests/schema/fail/parameter-object-content-not-with-style.yaml deleted file mode 100644 index 7a16b89aa8..0000000000 --- a/tests/schema/fail/parameter-object-content-not-with-style.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - parameters: - content-not-with-style: - in: querystring - name: json - content: - application/json: - schema: - type: object - style: simple diff --git a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml deleted file mode 100644 index 4f4cf98666..0000000000 --- a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - parameters: - querystring-not-with-schema: - in: querystring - name: json - schema: - type: object diff --git a/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml b/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml deleted file mode 100644 index f068406b68..0000000000 --- a/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml +++ /dev/null @@ -1,64 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - get: - description: Returns pets based on ID - summary: Find pets by ID - operationId: getPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - parameters: - - name: id - in: path - description: ID of pet to use - required: true - schema: - type: array - items: - type: string - style: simple - additionalOperations: - POST: - description: Returns pets based on ID - summary: Find pets by ID - operationId: postPetsById - requestBody: - description: ID of pet to use - required: true - content: - application/json: - schema: - type: array - items: - type: string - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/fail/path-item-object-query-with-querystring.yaml b/tests/schema/fail/path-item-object-query-with-querystring.yaml deleted file mode 100644 index 6efbda4468..0000000000 --- a/tests/schema/fail/path-item-object-query-with-querystring.yaml +++ /dev/null @@ -1,19 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - parameters: - - name: myquerystring - in: querystring - content: - application/json: - schema: - type: string - - name: myquery - in: query - schema: - type: string - get: {} diff --git a/tests/schema/fail/path-item-object-two-querystrings.yaml b/tests/schema/fail/path-item-object-two-querystrings.yaml deleted file mode 100644 index daf5caa494..0000000000 --- a/tests/schema/fail/path-item-object-two-querystrings.yaml +++ /dev/null @@ -1,20 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: - my-path-item: - description: querystring cannot be used twice - parameters: - - name: myquerystring1 - in: querystring - content: - application/json: - schema: {} - - name: myquerystring2 - in: querystring - content: - application/json: - schema: {} - get: {} diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml deleted file mode 100644 index db4b970ced..0000000000 --- a/tests/schema/fail/server_enum_empty.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as the server variable enum is empty, and so does not contain the default value - -info: - title: API - version: 1.0.0 -servers: - - url: https://example.com/{var} - variables: - var: - enum: [] - default: a -components: {} diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml deleted file mode 100644 index 1b5e2d5fc8..0000000000 --- a/tests/schema/fail/servers.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 - -# this example should fail, as servers must be an array, not an object - -info: - title: API - version: 1.0.0 -paths: {} -servers: - url: /v1 - description: Run locally. diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml deleted file mode 100644 index c0a4b8bb7e..0000000000 --- a/tests/schema/fail/unknown_container.yaml +++ /dev/null @@ -1,8 +0,0 @@ -openapi: 3.2.0 - -# this example should fail as overlays is not a valid top-level object/keyword - -info: - title: API - version: 1.0.0 -overlays: {} diff --git a/tests/schema/fail/xml-attr-exclusion.yaml b/tests/schema/fail/xml-attr-exclusion.yaml deleted file mode 100644 index b48a02d1a5..0000000000 --- a/tests/schema/fail/xml-attr-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - Attr: - type: string - xml: - attribute: true - nodeType: attribute diff --git a/tests/schema/fail/xml-wrapped-exclusion.yaml b/tests/schema/fail/xml-wrapped-exclusion.yaml deleted file mode 100644 index 74f8ea512e..0000000000 --- a/tests/schema/fail/xml-wrapped-exclusion.yaml +++ /dev/null @@ -1,11 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - List: - type: array - xml: - wrapped: true - nodeType: element diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml deleted file mode 100644 index 7a7f86f070..0000000000 --- a/tests/schema/pass/callback-object-examples.yaml +++ /dev/null @@ -1,30 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml deleted file mode 100644 index 5178c1f56b..0000000000 --- a/tests/schema/pass/comp_pathitems.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - pathItems: {} diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml deleted file mode 100644 index 33a56e608f..0000000000 --- a/tests/schema/pass/components-object-example.yaml +++ /dev/null @@ -1,71 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - schemas: - GeneralError: - type: object - properties: - code: - type: integer - format: int32 - message: - type: string - Category: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - Tag: - type: object - properties: - id: - type: integer - format: int64 - name: - type: string - parameters: - skipParam: - name: skip - in: query - description: number of items to skip - required: true - schema: - type: integer - format: int32 - limitParam: - name: limit - in: query - description: max records to return - required: true - schema: - type: integer - format: int32 - responses: - NotFound: - description: Entity not found. - IllegalInput: - description: Illegal input for operation. - GeneralError: - description: General Error - content: - application/json: - schema: - $ref: '#/components/schemas/GeneralError' - securitySchemes: - api_key: - type: apiKey - name: api-key - in: header - petstore_auth: - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.org/api/oauth/dialog - scopes: - write:pets: modify pets in your account - read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml deleted file mode 100644 index af8cc255f0..0000000000 --- a/tests/schema/pass/example-object-examples.yaml +++ /dev/null @@ -1,64 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - requestBodies: - with-example: - content: - 'application/json': - schema: - $ref: '#/components/schemas/Address' - examples: - foo: - summary: A foo example - value: - foo: bar - bar: - summary: A bar example - value: - bar: baz - application/xml: - examples: - xmlExample: - summary: This is an example in XML - externalValue: https://example.org/examples/address-example.xml - text/plain: - examples: - textExample: - summary: This is a text example - externalValue: https://foo.bar/examples/address-example.txt - parameters: - with-example: - name: zipCode - in: query - schema: - type: string - format: zip-code - examples: - zip-example: - $ref: '#/components/examples/zip-example' - responses: - '200': - description: your car appointment has been booked - content: - application/json: - schema: - $ref: '#/components/schemas/SuccessResponse' - examples: - confirmation-success: - $ref: '#/components/examples/confirmation-success' - application/x-www-form-urlencoded: - schema: - type: object - properties: - jsonValue: - type: string - encoding: - jsonValue: - contentType: application/json - examples: - jsonFormValue: - description: 'The JSON string "json" as a form value' - dataValue: json - serializedValue: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml deleted file mode 100644 index 4122c75c61..0000000000 --- a/tests/schema/pass/header-object-examples.yaml +++ /dev/null @@ -1,26 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - deprecated: false - schema: - type: integer - ETag: - required: true - content: - text/plain: - schema: - type: string - pattern: ^" - Reference: - $ref: '#/components/schemas/ETag' - Style: - schema: - type: array - style: simple - explode: true - allowReserved: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml deleted file mode 100644 index 1d36bef06c..0000000000 --- a/tests/schema/pass/info-object-example.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# including External Documentation Object Example -openapi: 3.2.0 -$self: https://example.com/openapi -info: - title: Example Pet Store App - summary: A pet store manager. - description: This is an example server for a pet store. - termsOfService: https://example.com/terms/ - contact: - name: API Support - url: https://www.example.com/support - email: support@example.com - license: - name: Apache 2.0 - url: https://www.apache.org/licenses/LICENSE-2.0.html - version: 1.0.1 -externalDocs: - description: Find more info here - url: https://example.com -components: {} diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml deleted file mode 100644 index 6697751d56..0000000000 --- a/tests/schema/pass/info_summary.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - summary: My lovely API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml deleted file mode 100644 index fa054c9b89..0000000000 --- a/tests/schema/pass/json_schema_dialect.yaml +++ /dev/null @@ -1,15 +0,0 @@ -openapi: 3.2.0 -info: - summary: Testing jsonSchemaDialect - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -components: - schemas: - WithDollarSchema: - $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS -paths: {} diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml deleted file mode 100644 index 20d5e4368e..0000000000 --- a/tests/schema/pass/license_identifier.yaml +++ /dev/null @@ -1,9 +0,0 @@ -openapi: 3.2.0 -info: - title: API - summary: My lovely API - version: 1.0.0 - license: - name: Apache - identifier: Apache-2.0 -components: {} diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml deleted file mode 100644 index 9d471f0a03..0000000000 --- a/tests/schema/pass/link-object-examples.yaml +++ /dev/null @@ -1,66 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /users/{id}: - parameters: - - name: id - in: path - required: true - description: the user identifier, as userId - schema: - type: string - get: - responses: - '200': - description: the user being returned - content: - application/json: - schema: - type: object - properties: - uuid: # the unique user id - type: string - format: uuid - links: - address: - # the target link operationId - operationId: getUserAddress - parameters: - # get the `id` field from the request path parameter named `id` - userid: $request.path.id - address2: - operationId: getUserAddressByUUID - parameters: - # get the `uuid` field from the `uuid` field in the response body - userUuid: $response.body#/uuid - UserRepositories: - # returns array of '#/components/schemas/repository' - operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' - parameters: - username: $response.body#/username - UserRepositories2: - # returns array of '#/components/schemas/repository' - operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get - parameters: - username: $response.body#/username - withBody: - operationId: queryUserWithBody - requestBody: - userId: $request.path.id - # the path item of the linked operation - /users/{userid}/address: - parameters: - - name: userid - in: path - required: true - description: the user identifier, as userId - schema: - type: string - # linked operation - get: - operationId: getUserAddress - responses: - '200': - description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml deleted file mode 100644 index 6ace84a8d5..0000000000 --- a/tests/schema/pass/media-type-examples.yaml +++ /dev/null @@ -1,173 +0,0 @@ -# including Encoding Object examples -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - mediaTypes: - StreamingPets: - description: | - Streaming sequence of JSON pet representations, - suitable for use with any of the streaming JSON - media types. - itemSchema: - $ref: '#components/schemas/Pet' -paths: - /something: - put: - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/Pet' - examples: - cat: - summary: An example of a cat - value: - name: Fluffy - petType: Cat - color: White - gender: male - breed: Persian - dog: - summary: An example of a dog with a cat's name - value: - name: Puma - petType: Dog - color: Black - gender: Female - breed: Mixed - frog: - $ref: '#/components/examples/frog-example' - application/jsonl: - $ref: '#/components/mediaTypes/StreamingPets' - application/x-ndjson: - $ref: '#/components/mediaTypes/StreamingPets' - application/xml: - schema: - type: object - properties: - foo: - type: string - xml: - namespace: https://example.com - prefix: example - name: Foo - bar: - type: array - items: - type: number - xml: - wrapped: true - attr: - type: string - xml: - attribute: true - elementNode: - $ref: "#/components/schemas/Pet" - xml: - nodeType: element - attributeNode: - type: string - xml: - nodeType: attribute - textNode: - type: string - xml: - nodeType: text - cdataNode: - type: string - xml: - nodeType: cdata - noneNode: - type: object - xml: - nodeType: none - application/x-www-form-urlencoded: - schema: - type: object - properties: - id: - type: string - format: uuid - address: - # complex types are stringified to support RFC 1866 - type: object - properties: {} - icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. - type: string - contentEncoding: base64url - encoding: - icon: - contentType: image/png, image/jpeg - multipart/form-data: - schema: - type: object - properties: - id: - # default is `text/plain` - type: string - format: uuid - addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead - description: addresses in XML format - type: array - items: - $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary - forCoverage: - type: string - forCoverage2: - type: string - nested1: - type: object - nested2: - type: array - encoding: - addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array - contentType: application/xml; charset=utf-8 - profileImage: - # only accept png or jpeg - contentType: image/png, image/jpeg - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - forCoverage: - style: form - explode: false - allowReserved: true - forCoverage2: - style: spaceDelimited - explode: true - nested1: - contentType: multipart/form-data - encoding: - inner: {} - nested2: - contentType: multipart/mixed - prefixEncoding: - - {} - itemEncoding: {} - multipart/related: - schema: - type: array - itemEncoding: - contentType: text/plain - prefixEncoding: - - headers: - Content-Location: - schema: - type: string diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml deleted file mode 100644 index 8304fbe199..0000000000 --- a/tests/schema/pass/mega.yaml +++ /dev/null @@ -1,62 +0,0 @@ -openapi: 3.2.0 -info: - summary: My API's summary - title: My API - version: 1.0.0 - license: - name: Apache 2.0 - identifier: Apache-2.0 -paths: - /: - get: - parameters: [] - /{pathTest}: {} -webhooks: - myWebhook: - $ref: '#/components/pathItems/myPathItem' - description: Overriding description -components: - securitySchemes: - mtls: - type: mutualTLS - schemas: - Foo: - type: object - properties: - type: - const: foo - pathItems: - myPathItem: - post: - requestBody: - required: true - content: - 'application/json': - schema: - externalDocs: - description: More docs! - url: https://example.com/elsewhere.html - type: object - properties: - type: - type: string - int: - type: integer - exclusiveMaximum: 100 - exclusiveMinimum: 0 - none: - type: 'null' - arr: - type: array - $comment: Array without items keyword - either: - type: ['string','null'] - discriminator: - propertyName: type - mapping: - foo: Foo - defaultMapping: Bar - x-extension: true - anyOf: - - $ref: "#/components/schemas/Foo" - myArbitraryKeyword: true diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml deleted file mode 100644 index 8f81f7e05e..0000000000 --- a/tests/schema/pass/minimal_comp.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: {} diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml deleted file mode 100644 index 0e44257ad0..0000000000 --- a/tests/schema/pass/minimal_hooks.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -webhooks: {} diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml deleted file mode 100644 index c332bba18c..0000000000 --- a/tests/schema/pass/minimal_paths.yaml +++ /dev/null @@ -1,5 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml deleted file mode 100644 index 45506616b4..0000000000 --- a/tests/schema/pass/non-oauth-scopes.yaml +++ /dev/null @@ -1,19 +0,0 @@ -openapi: 3.2.0 -info: - title: Non-oAuth Scopes example - version: 1.0.0 -paths: - /users: - get: - security: - - bearerAuth: - - 'read:users' - - 'public' -components: - securitySchemes: - bearerAuth: - type: http - scheme: bearer - bearerFormat: jwt - description: 'note: non-oauth scopes are not defined at the securityScheme level' - diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml deleted file mode 100644 index 1e5bac29f1..0000000000 --- a/tests/schema/pass/operation-object-example.yaml +++ /dev/null @@ -1,47 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - put: - tags: - - pet - summary: Updates a pet in the store with form data - operationId: updatePetWithForm - parameters: - - name: petId - in: path - description: ID of pet that needs to be updated - required: true - schema: - type: string - requestBody: - content: - application/x-www-form-urlencoded: - schema: - type: object - properties: - name: - description: Updated name of the pet - type: string - status: - description: Updated status of the pet - type: string - required: - - status - responses: - '200': - description: Pet updated. - content: - application/json: {} - application/xml: {} - '405': - description: Method Not Allowed - content: - application/json: {} - application/xml: {} - security: - - petstore_auth: - - write:pets - - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml deleted file mode 100644 index 8a3db655ba..0000000000 --- a/tests/schema/pass/parameter-object-examples.yaml +++ /dev/null @@ -1,75 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /user/{username}: - parameters: - - name: token - in: header - description: token to be passed as a header - required: true - schema: - type: array - items: - type: integer - format: int64 - style: simple - - name: username - in: path - description: username to fetch - required: true - schema: - type: string - - name: id - in: query - description: ID of the object to fetch - required: false - schema: - type: array - items: - type: string - style: form - explode: true - - in: query - name: freeForm - schema: - type: object - additionalProperties: - type: integer - style: form - - in: query - name: coordinates - content: - application/json: - schema: - type: object - required: - - lat - - long - properties: - lat: - type: number - long: - type: number - - in: cookie - name: my_cookie1 - style: form - schema: {} - - in: cookie - name: my_cookie2 - style: cookie - schema: {} - /user: - parameters: - - in: querystring - name: json - content: - application/json: - schema: - # Allow an arbitrary JSON object to keep - # the example simple - type: object - example: - numbers: [1, 2] - flag: null diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml deleted file mode 100644 index 0ecc2d64fa..0000000000 --- a/tests/schema/pass/path-item-object-example.yaml +++ /dev/null @@ -1,74 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets/{id}: - get: - description: Returns pets based on ID - summary: Find pets by ID - operationId: getPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - query: - description: Returns pets based on ID - summary: Find pets by ID - operationId: queryPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' - parameters: - - name: id - in: path - description: ID of pet to use - required: true - schema: - type: array - items: - type: string - style: simple - additionalOperations: - COPY: - description: Copies pet information based on ID - summary: Copies pets by ID - operationId: copyPetsById - responses: - '200': - description: pet response - content: - '*/*': - schema: - type: array - items: - $ref: '#/components/schemas/Pet' - default: - description: error payload - content: - text/html: - schema: - $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml deleted file mode 100644 index 7cedc5d16c..0000000000 --- a/tests/schema/pass/path_item_servers_parameters.yaml +++ /dev/null @@ -1,112 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /things: - summary: Lots of things - servers: - - url: https://things.example.com - get: - summary: Get a list of things - externalDocs: - description: Find more info here - url: https://example.com - parameters: - - $ref: '#/components/parameters/biscuit' - summary: The maximum number of things to return - description: The maximum number of things to return - responses: - default: - description: A list of things - servers: - - url: https://things.example.com - post: - deprecated: false - requestBody: - $ref: '#/components/requestBodies/ThingRequestBody' - responses: - '201': - $ref: '#/components/responses/ThingResponse' - callbacks: - myCallback: - '{$request.query.queryUrl}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - transactionCallback: - $ref: '#/components/callbacks/transactionCallback' - patch: {} - delete: {} - head: {} - options: {} - trace: {} -components: - callbacks: - transactionCallback: - 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': - post: - requestBody: - description: Callback payload - content: - application/json: - schema: - $ref: '#/components/schemas/SomePayload' - responses: - '200': - description: callback successfully processed - examples: - ThingExample: - summary: A thing - description: A thing - value: - id: 1 - name: Thing - links: - ThingLink: - description: A link to a thing - operationId: getThing - parameters: - thingId: '$response.body#/id' - server: - url: https://things.example.com - ThingyLink: - $ref: '#/components/links/ThingLink' - parameters: - limit: - name: limit - in: query - required: false - allowEmptyValue: false - allowReserved: false - deprecated: true - description: The maximum number of list items to return - schema: - type: integer - minimum: 0 - biscuit: - name: biscuit - in: cookie - style: form - schema: - type: string - requestBodies: - ThingRequestBody: - content: - application/json: - schema: - type: object - responses: - ThingResponse: - description: A thing - content: - application/json: - schema: - type: object diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml deleted file mode 100644 index e4876799c9..0000000000 --- a/tests/schema/pass/path_no_response.yaml +++ /dev/null @@ -1,7 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /: - get: {} diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml deleted file mode 100644 index e79b7cd4fe..0000000000 --- a/tests/schema/pass/path_var_empty_pathitem.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /{var}: {} diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml deleted file mode 100644 index 2ee08e581e..0000000000 --- a/tests/schema/pass/paths-object-example.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /pets: - get: - description: Returns all pets from the system that the user has access to - responses: - '200': - description: A list of pets. - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml deleted file mode 100644 index 4da1d41bd4..0000000000 --- a/tests/schema/pass/request-body-examples.yaml +++ /dev/null @@ -1,34 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /something: - put: - requestBody: - description: user to add to the system - content: - application/json: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example - externalValue: https://foo.bar/examples/user-example.json - application/xml: - schema: - $ref: '#/components/schemas/User' - examples: - user: - summary: User example in XML - externalValue: https://foo.bar/examples/user-example.xml - text/plain: - examples: - user: - summary: User example in plain text - externalValue: https://foo.bar/examples/user-example.txt - '*/*': - examples: - user: - summary: User example in other format - externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml deleted file mode 100644 index f55d5733ed..0000000000 --- a/tests/schema/pass/response-object-examples.yaml +++ /dev/null @@ -1,43 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -components: - responses: - complex-object-array: - summary: Complex object array - description: A complex object array response - content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/VeryComplexType' - simple-string: - description: A simple string response - content: - text/plain: - schema: - type: string - plain-text-with-headers: - description: A simple string response - content: - text/plain: - schema: - type: string - example: 'whoa!' - headers: - X-Rate-Limit-Limit: - description: The number of allowed requests in the current period - schema: - type: integer - X-Rate-Limit-Remaining: - description: The number of remaining requests in the current period - schema: - type: integer - X-Rate-Limit-Reset: - description: The number of seconds left in the current period - schema: - type: integer - no-return-value: - description: object created \ No newline at end of file diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml deleted file mode 100644 index 969e66f283..0000000000 --- a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml +++ /dev/null @@ -1,17 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: - /user: - parameters: - - in: query - name: example - schema: - # Allow an arbitrary JSON object to keep - # the example simple - type: object - # DEPRECATED: don't use example keyword inside Schema Object - example: - numbers: [1, 2] - flag: null diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml deleted file mode 100644 index a6d72b9972..0000000000 --- a/tests/schema/pass/schema.yaml +++ /dev/null @@ -1,55 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -components: - schemas: - model: - type: object - properties: - one: - description: type array - type: - - integer - - string - two: - description: type 'null' - type: "null" - three: - description: type array including 'null' - type: - - string - - "null" - four: - description: array with no items - type: array - five: - description: singular example - type: string - examples: - - exampleValue - six: - description: exclusiveMinimum true - exclusiveMinimum: 10 - seven: - description: exclusiveMinimum false - minimum: 10 - eight: - description: exclusiveMaximum true - exclusiveMaximum: 20 - nine: - description: exclusiveMaximum false - maximum: 20 - ten: - description: nullable string - type: - - string - - "null" - eleven: - description: x-nullable string - type: - - string - - "null" - twelve: - description: file/binary diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml deleted file mode 100644 index d3472d5a32..0000000000 --- a/tests/schema/pass/security-scheme-object-examples.yaml +++ /dev/null @@ -1,69 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -security: - - basic: [] - - apiKey: [] - - JWT-bearer: [] - - mutualTLS: [] - - OAuth2: - - write:pets - - read:pets -components: - securitySchemes: - basic: - type: http - scheme: basic - apiKey: - type: apiKey - name: api-key - in: header - JWT-bearer: - type: http - scheme: bearer - bearerFormat: JWT - mutualTLS: - type: mutualTLS - description: Cert must be signed by example.com CA - OAuth2: - type: oauth2 - oauth2MetadataUrl: https://example.com/api/oauth/metadata - flows: - authorizationCode: - authorizationUrl: https://example.com/api/oauth/dialog - refreshUrl: https://example.com/api/oauth/refresh - tokenUrl: https://example.com/api/oauth/token - scopes: - write:pets: modify pets in your account - read:pets: read your pets - password: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - clientCredentials: - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - deviceAuthorization: - deviceAuthorizationUrl: https://example.com/api/oauth/device - tokenUrl: https://example.com/api/oauth/token - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - OAuth2Old: - deprecated: true - type: oauth2 - flows: - implicit: - authorizationUrl: https://example.com/api/oauth/dialog - scopes: - read:pets: read your pets - refreshUrl: https://example.com/api/oauth/refresh - OpenIdConnect: - type: openIdConnect - openIdConnectUrl: https://example.com/api/oauth/openid - external: - $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml deleted file mode 100644 index 07992113bf..0000000000 --- a/tests/schema/pass/servers.yaml +++ /dev/null @@ -1,26 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -servers: - - url: /v1 - description: Run locally. - name: local - - url: https://production.com/v1 - description: Run on production server. - - url: https://{username}.gigantic-server.com:{port}/{basePath} - description: The production API server - variables: - username: - # note! no enum here means it is an open value - default: demo - description: A user-specific subdomain. Use `demo` for a free sandbox environment. - port: - enum: - - '8443' - - '443' - default: '8443' - basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` - default: v2 \ No newline at end of file diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml deleted file mode 100644 index 8148462f83..0000000000 --- a/tests/schema/pass/specification-extensions.yaml +++ /dev/null @@ -1,6 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -x-tensions: specification extensions are prefixed with `x-` \ No newline at end of file diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml deleted file mode 100644 index 6e740c8df0..0000000000 --- a/tests/schema/pass/tag-object-example.yaml +++ /dev/null @@ -1,25 +0,0 @@ -openapi: 3.2.0 -info: - title: API - version: 1.0.0 -paths: {} -tags: - - - name: account-updates - summary: Account Updates - description: Account update operations - kind: nav - - - name: partner - summary: Partner - description: Operations available to the partners network - parent: external - kind: audience - - - name: external - summary: External - description: Operations available to external consumers - kind: audience - externalDocs: - description: Find more info here - url: https://example.com diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml deleted file mode 100644 index 43e7cdc782..0000000000 --- a/tests/schema/pass/valid_schema_types.yaml +++ /dev/null @@ -1,14 +0,0 @@ -openapi: 3.2.1 - -# this example shows that top-level schemaObjects MAY be booleans - -info: - title: API - version: 1.0.0 -components: - schemas: - anything_boolean: true - nothing_boolean: false - anything_object: {} - nothing_object: { not: {} } - diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml deleted file mode 100644 index c0b505ac63..0000000000 --- a/tests/schema/pass/webhook-example.yaml +++ /dev/null @@ -1,35 +0,0 @@ -openapi: 3.2.0 -info: - title: Webhook Example - version: 1.0.0 -# Since OAS 3.1.0 the paths element isn't necessary. Now a valid OpenAPI Document can describe only paths, webhooks, or even only reusable components -webhooks: - # Each webhook needs a name - newPet: - # This is a Path Item Object, the only difference is that the request is initiated by the API provider - post: - requestBody: - description: Information about a new pet in the system - content: - application/json: - schema: - $ref: "#/components/schemas/Pet" - responses: - "200": - description: Return a 200 status to indicate that the data was received successfully - -components: - schemas: - Pet: - required: - - id - - name - properties: - id: - type: integer - format: int64 - name: - type: string - tag: - type: string - diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs deleted file mode 100644 index ad42b15e71..0000000000 --- a/tests/schema/schema.test.mjs +++ /dev/null @@ -1,56 +0,0 @@ -import { readdirSync, readFileSync } from "node:fs"; -import YAML from "yaml"; -import { describe, test, expect } from "vitest"; -import { registerSchema } from "@hyperjump/json-schema-coverage/vitest"; -import registerOasSchema from "./oas-schema.mjs"; - -const parseYamlFromFile = (filePath) => { - const schemaYaml = readFileSync(filePath, "utf8"); - return YAML.parse(schemaYaml, { prettyErrors: true }); -}; - -await registerOasSchema(); -await registerSchema("./src/schemas/validation/schema.yaml"); -const fixtures = './tests/schema'; - -describe("v3.2", () => { - test("schema.yaml schema test", async () => { - // Files in the pass/fail folders get run against schema-base.yaml. - // This instance is instead run against schema.yaml. - const oad = { - openapi: "3.2.0", - info: { - title: "API", - version: "1.0.0" - }, - components: { - schemas: { - foo: {} - } - } - }; - await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" - }); - - describe("Pass", () => { - readdirSync(`${fixtures}/pass`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); - await expect(instance).to.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); - - describe("Fail", () => { - readdirSync(`${fixtures}/fail`, { withFileTypes: true }) - .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) - .forEach((entry) => { - test(entry.name, async () => { - const instance = parseYamlFromFile(`${fixtures}/fail/${entry.name}`); - await expect(instance).to.not.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); - }); - }); - }); -}); diff --git a/versions/3.2.0-editors.md b/versions/3.2.0-editors.md new file mode 100644 index 0000000000..fc5f990794 --- /dev/null +++ b/versions/3.2.0-editors.md @@ -0,0 +1,22 @@ +# OpenAPI Specification Editors + +## Active + +* Henry Andrews [@handrews](https://github.com/handrews) +* Jeremy Whitlock [@whitlockjc](https://github.com/whitlockjc) +* Karen Etheridge [@karenetheridge](https://github.com/karenetheridge) +* Lorna Mitchell [@lornajane](https://github.com/lornajane) +* Marsh Gardiner [@earth2marsh](https://github.com/earth2marsh) +* Miguel Quintero [@miqui](https://github.com/miqui) +* Mike Kistler [@mikekistler](https://github.com/mikekistler) +* Ralf Handl [@ralfhandl](https://github.com/ralfhandl) +* Vincent Biret [@baywet](https://github.com/baywet) + +## Emeritus + +* Ron Ratovsky [@webron](https://github.com/webron) +* Darrel Miller [@darrelmiller](https://github.com/darrelmiller) +* Mike Ralphson [@MikeRalphson](https://github.com/MikeRalphson) +* Uri Sarid [@usarid](https://github.com/usarid) +* Jason Harmon [@jharmn](https://github.com/jharmn) +* Tony Tam [@fehguy](https://github.com/fehguy) diff --git a/src/oas.md b/versions/3.2.0.md similarity index 100% rename from src/oas.md rename to versions/3.2.0.md From de2325ac03e6f45c8561998eee03b2b748dbb95e Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Fri, 19 Sep 2025 15:30:29 +0100 Subject: [PATCH 80/91] Set the publish date --- versions/3.2.0.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 0794707a16..6ecea10ce4 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -4805,8 +4805,8 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | -| 3.2.0 | TBD | Release of the OpenAPI Specification 3.2.0 | -| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | +| 3.2.0 | 2025-09-19 | Release of the OpenAPI Specification 3.2.0 | +| 3.1.2 | 2025-09-19 | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | From 36af85369a8b49e591f197c12026ff9e4f02d1d8 Mon Sep 17 00:00:00 2001 From: Lorna Mitchell Date: Fri, 19 Sep 2025 15:31:40 +0100 Subject: [PATCH 81/91] Set the publication date --- versions/3.1.2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.1.2.md b/versions/3.1.2.md index 968b053e2d..43c2a04cfe 100644 --- a/versions/3.1.2.md +++ b/versions/3.1.2.md @@ -4259,7 +4259,7 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | -| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | +| 3.1.2 | 2025-09-19 | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | From f3718909c1530fce5d40bad927be9fd59cac5cdf Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 20 Sep 2025 19:48:32 +0200 Subject: [PATCH 82/91] Repair broken link in 3.2.0.md --- versions/3.2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index 6ecea10ce4..b4ab5634f6 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -95,7 +95,7 @@ In addition to the required fields, at least one of the `components`, `paths`, o | Field Name | Type | Description | | ---- | :----: | ---- | | openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the [`info.version`](#info-version) string, which describes the OpenAPI document's version. | -| $self | `string` | This string MUST be in the form of a URI reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F]((#appendix-f-examples-of-base-uri-determination-and-reference-resolution)) for examples of using `$self` to resolve references. | +| $self | `string` | This string MUST be in the form of a URI reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F](#appendix-f-examples-of-base-uri-determination-and-reference-resolution) for examples of using `$self` to resolve references. | | info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | | jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | | servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be an array consisting of a single [Server Object](#server-object) with a [url](#server-url) value of `/`. | From a36ae6b7cebce06fed786a33f6b00634c89615eb Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 24 Sep 2025 16:12:46 +0200 Subject: [PATCH 83/91] More broken links --- versions/3.2.0.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/versions/3.2.0.md b/versions/3.2.0.md index b4ab5634f6..0b04a6acd6 100644 --- a/versions/3.2.0.md +++ b/versions/3.2.0.md @@ -1099,7 +1099,7 @@ examples: ``` A querystring parameter using regular form encoding, but managed with a Media Type Object. -This shows spaces being handled per the `application/x-www-form-urlencoded` media type rules (encode as `+`) rather than the RFC6570 process (encode as `%20`); see [Appendix E](appendix-e-percent-encoding-and-form-media-types) for further guidance on this distinction. +This shows spaces being handled per the `application/x-www-form-urlencoded` media type rules (encode as `+`) rather than the RFC6570 process (encode as `%20`); see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on this distinction. Examples are shown at both the media type and parameter level to emphasize that, since `application/x-www-form-urlencoded` is suitable for use in query strings by definition, no further encoding or escaping is applied to the serialized media type value: ```yaml @@ -1692,7 +1692,7 @@ To upload multiple files, a `multipart` media type MUST be used as shown under [ ### Encoding Object -A single encoding definition applied to a single value, with the mapping of Encoding Objects to values determined by the [Media Type Object](@media-type-object) as described under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). +A single encoding definition applied to a single value, with the mapping of Encoding Objects to values determined by the [Media Type Object](#media-type-object) as described under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. @@ -1991,7 +1991,7 @@ multipart/mixed: As described in [[?RFC2557]], a set of resources making up a web page can be sent in a `multipart/related` payload, preserving links from the `text/html` document to subsidiary resources such as scripts, style sheets, and images by defining a `Content-Location` header for each page. The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against and is forbidden in this example), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. -The `Content-Location` header is defined using `content: {text/plain: {...}}` to avoid percent-encoding its URI value; see [Appendix D](appendix-d-serializing-headers-and-cookies) for further details. +The `Content-Location` header is defined using `content: {text/plain: {...}}` to avoid percent-encoding its URI value; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for further details. ```yaml components: @@ -2051,7 +2051,7 @@ multipart/mixed: For `multipart/byteranges` [[RFC9110]] [Section 14.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-14.6), a `Content-Range` header is required: -See [Appendix D](appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. +See [Appendix D](#appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. ```yaml multipart/byteranges: @@ -2789,7 +2789,7 @@ For HTTP messages, this is purely a serialization concern, and no more of a prob However, because examples and values modeled with `content` do not incorporate the header name, for these fields `Set-Cookie` MUST be handled by placing each value on a separate line, without the header name or the `:` delimiter. -Note also that any URI percent-encoding, base64 encoding, or other escaping MUST be performed prior to supplying the data to OAS tooling; see [Appendix D](appendix-d-serializing-headers-and-cookies) for details. +Note also that any URI percent-encoding, base64 encoding, or other escaping MUST be performed prior to supplying the data to OAS tooling; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`, as well as a `"urlSafeData"` cookie that is expected to be percent-encoded. The first uses `content` in order to show exactly how such examples are formatted, but also notes the limitations of schema constraints with multi-line text. The second shows the use of `style: "simple"`, which produces the same serialized example text (with each line corresponding to one `Set-Cookie:` line in the HTTP response), but allows schema constraints on each cookie; note that the percent-encoding is already applied in the `dataValue` field of the example: From 3f80caeefcbd3763756e78b4b9fea27426c5aadc Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Wed, 1 Oct 2025 09:28:11 +0200 Subject: [PATCH 84/91] main: adjust reviewers in respec workflow --- .github/workflows/respec.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/respec.yaml b/.github/workflows/respec.yaml index c7483a451a..81199c1bf5 100644 --- a/.github/workflows/respec.yaml +++ b/.github/workflows/respec.yaml @@ -47,7 +47,7 @@ jobs: delete-branch: true path: deploy labels: Housekeeping - reviewers: darrelmiller,webron,earth2marsh,lornajane,mikekistler,miqui,ralfhandl,handrews,karenetheridge + reviewers: earth2marsh,lornajane,mikekistler,miqui,ralfhandl,handrews,karenetheridge title: Update ReSpec-rendered specification versions commit-message: Update ReSpec-rendered specification versions signoff: true From 01fed7d268127cf262953d0864497038933d35a0 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 4 Oct 2025 18:48:08 +0200 Subject: [PATCH 85/91] sync dev with main via sync branch - create sync branch from dev - merge main into sync branch - restore src/* and tests/* from dev - commit & push - create PR if necessary --- .github/workflows/sync-main-to-dev.yaml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sync-main-to-dev.yaml b/.github/workflows/sync-main-to-dev.yaml index d480254da8..5027794d6d 100644 --- a/.github/workflows/sync-main-to-dev.yaml +++ b/.github/workflows/sync-main-to-dev.yaml @@ -11,6 +11,7 @@ on: push: branches: - main + workflow_dispatch: {} jobs: sync-branch: @@ -25,22 +26,36 @@ jobs: - name: Checkout repository uses: actions/checkout@v5 + with: + fetch-depth: 0 + token: ${{ steps.generate-token.outputs.token }} - name: Create pull request id: pull_request shell: bash run: | - EXISTS=$(gh pr list --base $BASE --head $HEAD \ + git config user.name ${GITHUB_ACTOR} + git config user.email "a@b.c" + SYNC="$BASE-sync-with-$HEAD" + + git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE + git merge origin/$HEAD -m "Merge $HEAD into $SYNC" + git checkout origin/dev src/* + git checkout origin/dev tests/* + git commit -m "Restored src/* and tests/*" || echo "" + git push -u origin $SYNC + + EXISTS=$(gh pr list --base $BASE --head $SYNC \ --json number --jq '.[] | .number') if [ ! -z "$EXISTS" ]; then - echo "PR #$EXISTS already wants to merge $HEAD into $BASE" + echo "PR #$EXISTS already wants to merge $SYNC into $BASE" exit 0 fi - gh pr create --base $BASE --head $HEAD \ + gh pr create --base $BASE --head $SYNC \ --label "Housekeeping" \ - --title "$BASE: update from $HEAD" \ - --body "Merge \`$HEAD\` into \`$BASE\`." + --title "$BASE: sync with $HEAD" \ + --body "Merge relevant changes from \`$HEAD\` into \`$BASE\`." env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} HEAD: main From 82eca8b12e50a732a80b61cc72dc3ddd854a02b9 Mon Sep 17 00:00:00 2001 From: ralfhandl Date: Sat, 4 Oct 2025 20:43:47 +0000 Subject: [PATCH 86/91] Restored src/* and tests/* --- src/oas.md | 4626 +++++++++++++++++ src/schemas/validation/README.md | 69 + src/schemas/validation/dialect.yaml | 21 + src/schemas/validation/meta.yaml | 70 + src/schemas/validation/schema-base.yaml | 20 + src/schemas/validation/schema.yaml | 974 ++++ tests/schema/fail/invalid_schema_types.yaml | 13 + tests/schema/fail/no_containers.yaml | 7 + tests/schema/fail/server_enum_empty.yaml | 14 + tests/schema/fail/servers.yaml | 11 + tests/schema/fail/unknown_container.yaml | 8 + tests/schema/pass/comp_pathitems.yaml | 6 + tests/schema/pass/info_summary.yaml | 6 + tests/schema/pass/json_schema_dialect.yaml | 15 + tests/schema/pass/license_identifier.yaml | 9 + tests/schema/pass/mega.yaml | 48 + tests/schema/pass/minimal_comp.yaml | 5 + tests/schema/pass/minimal_hooks.yaml | 5 + tests/schema/pass/minimal_paths.yaml | 5 + tests/schema/pass/non-oauth-scopes.yaml | 19 + tests/schema/pass/path_no_response.yaml | 7 + .../schema/pass/path_var_empty_pathitem.yaml | 6 + tests/schema/pass/schema.yaml | 55 + tests/schema/pass/servers.yaml | 10 + tests/schema/pass/valid_schema_types.yaml | 14 + tests/schema/pass/webhook-example.yaml | 35 + tests/schema/schema.test.mjs | 38 + 27 files changed, 6116 insertions(+) create mode 100644 src/oas.md create mode 100644 src/schemas/validation/README.md create mode 100644 src/schemas/validation/dialect.yaml create mode 100644 src/schemas/validation/meta.yaml create mode 100644 src/schemas/validation/schema-base.yaml create mode 100644 src/schemas/validation/schema.yaml create mode 100644 tests/schema/fail/invalid_schema_types.yaml create mode 100644 tests/schema/fail/no_containers.yaml create mode 100644 tests/schema/fail/server_enum_empty.yaml create mode 100644 tests/schema/fail/servers.yaml create mode 100644 tests/schema/fail/unknown_container.yaml create mode 100644 tests/schema/pass/comp_pathitems.yaml create mode 100644 tests/schema/pass/info_summary.yaml create mode 100644 tests/schema/pass/json_schema_dialect.yaml create mode 100644 tests/schema/pass/license_identifier.yaml create mode 100644 tests/schema/pass/mega.yaml create mode 100644 tests/schema/pass/minimal_comp.yaml create mode 100644 tests/schema/pass/minimal_hooks.yaml create mode 100644 tests/schema/pass/minimal_paths.yaml create mode 100644 tests/schema/pass/non-oauth-scopes.yaml create mode 100644 tests/schema/pass/path_no_response.yaml create mode 100644 tests/schema/pass/path_var_empty_pathitem.yaml create mode 100644 tests/schema/pass/schema.yaml create mode 100644 tests/schema/pass/servers.yaml create mode 100644 tests/schema/pass/valid_schema_types.yaml create mode 100644 tests/schema/pass/webhook-example.yaml create mode 100644 tests/schema/schema.test.mjs diff --git a/src/oas.md b/src/oas.md new file mode 100644 index 0000000000..b2db701c19 --- /dev/null +++ b/src/oas.md @@ -0,0 +1,4626 @@ +# OpenAPI Specification + +## Version 3.1.1 + +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP 14](https://tools.ietf.org/html/bcp14) [RFC2119](https://tools.ietf.org/html/rfc2119) [RFC8174](https://tools.ietf.org/html/rfc8174) when, and only when, they appear in all capitals, as shown here. + +This document is licensed under [The Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0.html). + +## Introduction + +The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. + +An OpenAPI Description can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. + +For examples of OpenAPI usage and additional documentation, please visit [[?OpenAPI-Learn]]. + +For extension registries and other specifications published by the OpenAPI Initiative, as well as the authoritative rendering of this specification, please visit [spec.openapis.org](https://spec.openapis.org/). + +## Definitions + +### OpenAPI Description + +An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. + +### OpenAPI Document + +An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. + +### Schema + +A "schema" is a formal description of syntax and structure. +This document serves as the [schema](#schema) for the OpenAPI Specification format; a non-authoritative JSON Schema based on this document is also provided on [spec.openapis.org](https://spec.openapis.org) for informational purposes. +This specification also _uses_ schemas in the form of the [Schema Object](#schema-object). + +### Object + +When capitalized, the word "Object" refers to any of the Objects that are named by section headings in this document. + +### Path Templating + +Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. + +Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. + +The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). + +### Media Types + +Media type definitions are spread across several resources. +The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). + +Some examples of possible media type definitions: + +```text + text/plain; charset=utf-8 + application/json + application/vnd.github+json + application/vnd.github.v3+json + application/vnd.github.v3.raw+json + application/vnd.github.v3.text+json + application/vnd.github.v3.html+json + application/vnd.github.v3.full+json + application/vnd.github.v3.diff + application/vnd.github.v3.patch +``` + +### HTTP Status Codes + +The HTTP Status Codes are used to indicate the status of the executed operation. +Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). + +### Case Sensitivity + +As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. + +### Undefined and Implementation-Defined Behavior + +This specification deems certain situations to have either _undefined_ or _implementation-defined_ behavior. + +Behavior described as _undefined_ is likely, at least in some circumstances, to result in outcomes that contradict the specification. +This description is used when detecting the contradiction is impossible or impractical. +Implementations MAY support undefined scenarios for historical reasons, including ambiguous text in prior versions of the specification. +This support might produce correct outcomes in many cases, but relying on it is NOT RECOMMENDED as there is no guarantee that it will work across all tools or with future specification versions, even if those versions are otherwise strictly compatible with this one. + +Behavior described as _implementation-defined_ allows implementations to choose which of several different-but-compliant approaches to a requirement to implement. +This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. +Unlike undefined behavior, it is safe to rely on implementation-defined behavior if _and only if_ it can be guaranteed that all relevant tools support the same behavior. + +## Specification + +### Versions + +The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versioning scheme. The `major`.`minor` portion of the version string (for example `3.1`) SHALL designate the OAS feature set. _`.patch`_ versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.\* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between `3.1.0` and `3.1.1` for example. + +Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. + +### Format + +An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. + +For example, if a field has an array value, the JSON array representation will be used: + +```json +{ + "field": [1, 2, 3] +} +``` + +All field names in the specification are **case sensitive**. +This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. + +The [schema](#schema) exposes two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. + +Patterned fields MUST have unique names within the containing object. + +In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with some additional constraints: + +* Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [[JSON-Schema-2020-12|JSON Schema]]. +* Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). + +**Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. + +### OpenAPI Description Structure + +An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. + +In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. + +It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. + +#### Parsing Documents + +In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). + +This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. + +Implementations MAY support complete-document parsing in any of the following ways: + +* Detecting OpenAPI or JSON Schema documents using media types +* Detecting OpenAPI documents through the root `openapi` field +* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification +* Detecting a document containing a referenceable Object at its root based on the expected type of the reference +* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object + +Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. +In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. +While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. + +While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. +This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. + +A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. +Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. +It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. + +#### Structural Interoperability + +JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: + +* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object +* As the Object type implied by its parent Object within the document +* As a reference target, with the Object type matching the reference source's context + +If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. + +#### Resolving Implicit Connections + +Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). + +These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. +In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: + +| Source | Target | Alternative | +| ---- | ---- | ---- | +| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | +| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | +| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | +| [Link Object](#link-object) `operationId` | [Path Item Object](#path-item-object) `operationId` | `operationRef` | + +A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. +This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. + +It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. +This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. + +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. +For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. +The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. + +For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. + +The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. + +There are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. +These limitations are expected to be addressed in a future release. + +See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. +The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. + +Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. + +### Data Types + +Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-6.1.1): +"null", "boolean", "object", "array", "number", "string", or "integer". +Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. + +JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. + +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC7159|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.2), and are both considered to be integers. + +#### Data Type Format + +As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. + +The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. + +Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. +For the purpose of [JSON Schema validation](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. + +The formats defined by the OAS are: + +| `format` | JSON Data Type | Comments | +| ---- | ---- | ---- | +| `int32` | number | signed 32 bits | +| `int64` | number | signed 64 bits (a.k.a long) | +| `float` | number | | +| `double` | number | | +| `password` | string | A hint to obscure the value. | + +As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. + +#### Working with Binary Data + +The OAS can describe either _raw_ or _encoded_ binary data. + +* **raw binary** is used where unencoded binary data is allowed, such as when sending a binary payload as the entire HTTP message body, or as part of a `multipart/*` payload that allows binary parts +* **encoded binary** is used where binary data is embedded in a text-only format such as `application/json` or `application/x-www-form-urlencoded` (either as a message body or in the URL query string). + +In the following table showing how to use Schema Object keywords for binary data, we use `image/png` as an example binary media type. Any binary media type, including `application/octet-stream`, is sufficient to indicate binary content. + +| Keyword | Raw | Encoded | Comments | +| ---- | ---- | ---- | ---- | +| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.3) | +| `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | +| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.3) | + +Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. + +Using a `contentEncoding` of `base64url` ensures that URL encoding (as required in the query string and in message bodies of type `application/x-www-form-urlencoded`) does not need to further encode any part of the already-encoded binary data. + +The `contentMediaType` keyword is redundant if the media type is already set: + +* as the key for a [MediaType Object](#media-type-object) +* in the `contentType` field of an [Encoding Object](#encoding-object) + +If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. + +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload. The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets. + +##### Migrating binary descriptions from OAS 3.0 + +The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: + +| OAS < 3.1 | OAS 3.1 | Comments | +| ---- | ---- | ---- | +| type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | +| type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | + +### Rich Text Formatting + +Throughout the specification `description` fields are noted as supporting CommonMark markdown formatting. +Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to ignore some CommonMark or extension features to address security concerns. + +While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. +OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. + +### Relative References in API Description URIs + +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. +As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9) and associating them with their expected URIs, which might not match their current location. +This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. + +Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. + +Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.2). + +Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). +In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. + +If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). + +Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. + +### Relative References in API URLs + +API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. + +Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). +Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. + +### Schema + +This section describes the structure of the OpenAPI Description format. +This text is the only normative description of the format. +A JSON Schema is hosted on [spec.openapis.org](https://spec.openapis.org) for informational purposes. +If the JSON Schema differs from this section, then this section MUST be considered authoritative. + +In the following description, if a field is not explicitly **REQUIRED** or described with a MUST or SHALL, it can be considered OPTIONAL. + +#### OpenAPI Object + +This is the root object of the [OpenAPI Description](#openapi-description). + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | +| info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | +| jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | +| servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | +| paths | [Paths Object](#paths-object) | The available paths and operations for the API. | +| webhooks | Map[`string`, [Path Item Object](#path-item-object)] | The incoming webhooks that MAY be received as part of this API and that the API consumer MAY choose to implement. Closely related to the `callbacks` feature, this section describes requests initiated other than by an API call, for example by an out of band registration. The key name is a unique string to refer to each webhook, while the (optionally referenced) Path Item Object describes a request that may be initiated by the API provider and the expected responses. An [example](https://learn.openapis.org/examples/v3.1/webhook-example.html) is available. | +| components | [Components Object](#components-object) | An element to hold various Objects for the OpenAPI Description. | +| security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. The list can be incomplete, up to being empty or absent. To make security explicitly optional, an empty security requirement (`{}`) can be included in the array. | +| tags | [[Tag Object](#tag-object)] | A list of tags used by the OpenAPI Description with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the [Operation Object](#operation-object) must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique. | +| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +#### Info Object + +The object provides metadata about the API. +The metadata MAY be used by the clients if needed, and MAY be presented in editing or documentation generation tools for convenience. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| title | `string` | **REQUIRED**. The title of the API. | +| summary | `string` | A short summary of the API. | +| description | `string` | A description of the API. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| termsOfService | `string` | A URI for the Terms of Service for the API. This MUST be in the form of a URI. | +| contact | [Contact Object](#contact-object) | The contact information for the exposed API. | +| license | [License Object](#license-object) | The license information for the exposed API. | +| version | `string` | **REQUIRED**. The version of the OpenAPI Document (which is distinct from the [OpenAPI Specification version](#oas-version) or the version of the API being described or the version of the OpenAPI Description). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Info Object Example + +```json +{ + "title": "Example Pet Store App", + "summary": "A pet store manager.", + "description": "This is an example server for a pet store.", + "termsOfService": "https://example.com/terms/", + "contact": { + "name": "API Support", + "url": "https://www.example.com/support", + "email": "support@example.com" + }, + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + }, + "version": "1.0.1" +} +``` + +```yaml +title: Example Pet Store App +summary: A pet store manager. +description: This is an example server for a pet store. +termsOfService: https://example.com/terms/ +contact: + name: API Support + url: https://www.example.com/support + email: support@example.com +license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0.html +version: 1.0.1 +``` + +#### Contact Object + +Contact information for the exposed API. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| name | `string` | The identifying name of the contact person/organization. | +| url | `string` | The URI for the contact information. This MUST be in the form of a URI. | +| email | `string` | The email address of the contact person/organization. This MUST be in the form of an email address. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Contact Object Example + +```json +{ + "name": "API Support", + "url": "https://www.example.com/support", + "email": "support@example.com" +} +``` + +```yaml +name: API Support +url: https://www.example.com/support +email: support@example.com +``` + +#### License Object + +License information for the exposed API. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| name | `string` | **REQUIRED**. The license name used for the API. | +| identifier | `string` | An [SPDX](https://spdx.org/licenses/) license expression for the API. The `identifier` field is mutually exclusive of the `url` field. | +| url | `string` | A URI for the license used for the API. This MUST be in the form of a URI. The `url` field is mutually exclusive of the `identifier` field. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### License Object Example + +```json +{ + "name": "Apache 2.0", + "identifier": "Apache-2.0" +} +``` + +```yaml +name: Apache 2.0 +identifier: Apache-2.0 +``` + +#### Server Object + +An object representing a Server. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Server Object Example + +A single server would be described as: + +```json +{ + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" +} +``` + +```yaml +url: https://development.gigantic-server.com/v1 +description: Development server +``` + +The following shows how multiple servers can be described, for example, at the OpenAPI Object's [`servers`](#oas-servers): + +```json +{ + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "https://staging.gigantic-server.com/v1", + "description": "Staging server" + }, + { + "url": "https://api.gigantic-server.com/v1", + "description": "Production server" + } + ] +} +``` + +```yaml +servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: https://staging.gigantic-server.com/v1 + description: Staging server + - url: https://api.gigantic-server.com/v1 + description: Production server +``` + +The following shows how variables can be used for a server configuration: + +```json +{ + "servers": [ + { + "url": "https://{username}.gigantic-server.com:{port}/{basePath}", + "description": "The production API server", + "variables": { + "username": { + "default": "demo", + "description": "A user-specific subdomain. Use `demo` for a free sandbox environment." + }, + "port": { + "enum": ["8443", "443"], + "default": "8443" + }, + "basePath": { + "default": "v2" + } + } + } + ] +} +``` + +```yaml +servers: + - url: https://{username}.gigantic-server.com:{port}/{basePath} + description: The production API server + variables: + username: + # note! no enum here means it is an open value + default: demo + description: A user-specific subdomain. Use `demo` for a free sandbox environment. + port: + enum: + - '8443' + - '443' + default: '8443' + basePath: + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + default: v2 +``` + +#### Server Variable Object + +An object representing a Server Variable for server URL template substitution. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| enum | [`string`] | An enumeration of string values to be used if the substitution options are from a limited set. The array MUST NOT be empty. | +| default | `string` | **REQUIRED**. The default value to use for substitution, which SHALL be sent if an alternate value is _not_ supplied. If the [`enum`](#server-variable-enum) is defined, the value MUST exist in the enum's values. Note that this behavior is different from the [Schema Object](#schema-object)'s `default` keyword, which documents the receiver's behavior rather than inserting the value into the data. | +| description | `string` | An optional description for the server variable. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +#### Components Object + +Holds a set of reusable objects for different aspects of the OAS. +All objects defined within the Components Object will have no effect on the API unless they are explicitly referenced from outside the Components Object. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :---- | ---- | +| schemas | Map[`string`, [Schema Object](#schema-object)] | An object to hold reusable [Schema Objects](#schema-object). | +| responses | Map[`string`, [Response Object](#response-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Response Objects](#response-object). | +| parameters | Map[`string`, [Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Parameter Objects](#parameter-object). | +| examples | Map[`string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Example Objects](#example-object). | +| requestBodies | Map[`string`, [Request Body Object](#request-body-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Request Body Objects](#request-body-object). | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Header Objects](#header-object). | +| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | +| links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | +| callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | +| pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +All the fixed fields declared above are objects that MUST use keys that match the regular expression: `^[a-zA-Z0-9\.\-_]+$`. + +Field Name Examples: + +```text +User +User_1 +User_Name +user-name +my.org.User +``` + +##### Components Object Example + +```json +"components": { + "schemas": { + "GeneralError": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "Category": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + }, + "Tag": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + }, + "parameters": { + "skipParam": { + "name": "skip", + "in": "query", + "description": "number of items to skip", + "required": true, + "schema": { + "type": "integer", + "format": "int32" + } + }, + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema" : { + "type": "integer", + "format": "int32" + } + } + }, + "responses": { + "NotFound": { + "description": "Entity not found." + }, + "IllegalInput": { + "description": "Illegal input for operation." + }, + "GeneralError": { + "description": "General Error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + }, + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api-key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "https://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } +} +``` + +```yaml +components: + schemas: + GeneralError: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + parameters: + skipParam: + name: skip + in: query + description: number of items to skip + required: true + schema: + type: integer + format: int32 + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + format: int32 + responses: + NotFound: + description: Entity not found. + IllegalInput: + description: Illegal input for operation. + GeneralError: + description: General Error + content: + application/json: + schema: + $ref: '#/components/schemas/GeneralError' + securitySchemes: + api_key: + type: apiKey + name: api-key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets +``` + +#### Paths Object + +Holds the relative paths to the individual endpoints and their operations. +The path is appended to the URL from the [Server Object](#server-object) in order to construct the full URL. The Paths Object MAY be empty, due to [Access Control List (ACL) constraints](#security-filtering). + +##### Patterned Fields + +| Field Pattern | Type | Description | +| ---- | :----: | ---- | +| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The path is **appended** (no relative URL resolution) to the expanded URL from the [Server Object](#server-object)'s `url` field in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Path Templating Matching + +Assuming the following paths, the concrete definition, `/pets/mine`, will be matched first if used: + +```text + /pets/{petId} + /pets/mine +``` + +The following paths are considered identical and invalid: + +```text + /pets/{petId} + /pets/{name} +``` + +The following may lead to ambiguous resolution: + +```text + /{entity}/me + /books/{id} +``` + +##### Paths Object Example + +```json +{ + "/pets": { + "get": { + "description": "Returns all pets from the system that the user has access to", + "responses": { + "200": { + "description": "A list of pets.", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/pet" + } + } + } + } + } + } + } + } +} +``` + +```yaml +/pets: + get: + description: Returns all pets from the system that the user has access to + responses: + '200': + description: A list of pets. + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/pet' +``` + +#### Path Item Object + +Describes the operations available on a single path. +A Path Item MAY be empty, due to [ACL constraints](#security-filtering). +The path itself is still exposed to the documentation viewer but they will not know which operations and parameters are available. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| $ref | `string` | Allows for a referenced definition of this path item. The value MUST be in the form of a URI, and the referenced structure MUST be in the form of a [Path Item Object](#path-item-object). In case a Path Item Object field appears both in the defined object and the referenced object, the behavior is undefined. See the rules for resolving [Relative References](#relative-references-in-api-description-uris).

_**Note:** The behavior of `$ref` with adjacent properties is likely to change in future versions of this specification to bring it into closer alignment with the behavior of the [Reference Object](#reference-object)._ | +| summary | `string` | An optional string summary, intended to apply to all operations in this path. | +| description | `string` | An optional string description, intended to apply to all operations in this path. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| get | [Operation Object](#operation-object) | A definition of a GET operation on this path. | +| put | [Operation Object](#operation-object) | A definition of a PUT operation on this path. | +| post | [Operation Object](#operation-object) | A definition of a POST operation on this path. | +| delete | [Operation Object](#operation-object) | A definition of a DELETE operation on this path. | +| options | [Operation Object](#operation-object) | A definition of a OPTIONS operation on this path. | +| head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | +| patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | +| trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | +| servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | +| parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Path Item Object Example + +```json +{ + "get": { + "description": "Returns pets based on ID", + "summary": "Find pets by ID", + "operationId": "getPetsById", + "responses": { + "200": { + "description": "pet response", + "content": { + "*/*": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/Pet" + } + } + } + } + }, + "default": { + "description": "error payload", + "content": { + "text/html": { + "schema": { + "$ref": "#/components/schemas/ErrorModel" + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "simple" + } + ] +} +``` + +```yaml +get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' +parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple +``` + +#### Operation Object + +Describes a single API operation on a path. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| tags | [`string`] | A list of tags for API documentation control. Tags can be used for logical grouping of operations by resources or any other qualifier. | +| summary | `string` | A short summary of what the operation does. | +| description | `string` | A verbose explanation of the operation behavior. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this operation. | +| operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | +| parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for this operation. If a parameter is already defined at the [Path Item](#path-item-parameters), the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | +| requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP 1.1 specification [RFC7231](https://tools.ietf.org/html/rfc7231#section-4.3.1) has explicitly defined semantics for request bodies. In other cases where the HTTP spec is vague (such as [GET](https://tools.ietf.org/html/rfc7231#section-4.3.1), [HEAD](https://tools.ietf.org/html/rfc7231#section-4.3.2) and [DELETE](https://tools.ietf.org/html/rfc7231#section-4.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | +| responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. | +| callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a [Callback Object](#callback-object) that describes a request that may be initiated by the API provider and the expected responses. | +| deprecated | `boolean` | Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is `false`. | +| security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used for this operation. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. To make security optional, an empty security requirement (`{}`) can be included in the array. This definition overrides any declared top-level [`security`](#oas-security). To remove a top-level security declaration, an empty array can be used. | +| servers | [[Server Object](#server-object)] | An alternative `servers` array to service this operation. If a `servers` array is specified at the [Path Item Object](#path-item-servers) or [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Operation Object Example + +```json +{ + "tags": ["pet"], + "summary": "Updates a pet in the store with form data", + "operationId": "updatePetWithForm", + "parameters": [ + { + "name": "petId", + "in": "path", + "description": "ID of pet that needs to be updated", + "required": true, + "schema": { + "type": "string" + } + } + ], + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "name": { + "description": "Updated name of the pet", + "type": "string" + }, + "status": { + "description": "Updated status of the pet", + "type": "string" + } + }, + "required": ["status"] + } + } + } + }, + "responses": { + "200": { + "description": "Pet updated.", + "content": { + "application/json": {}, + "application/xml": {} + } + }, + "405": { + "description": "Method Not Allowed", + "content": { + "application/json": {}, + "application/xml": {} + } + } + }, + "security": [ + { + "petstore_auth": ["write:pets", "read:pets"] + } + ] +} +``` + +```yaml +tags: + - pet +summary: Updates a pet in the store with form data +operationId: updatePetWithForm +parameters: + - name: petId + in: path + description: ID of pet that needs to be updated + required: true + schema: + type: string +requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + description: Updated name of the pet + type: string + status: + description: Updated status of the pet + type: string + required: + - status +responses: + '200': + description: Pet updated. + content: + application/json: {} + application/xml: {} + '405': + description: Method Not Allowed + content: + application/json: {} + application/xml: {} +security: + - petstore_auth: + - write:pets + - read:pets +``` + +#### External Documentation Object + +Allows referencing an external resource for extended documentation. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| description | `string` | A description of the target documentation. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| url | `string` | **REQUIRED**. The URI for the target documentation. This MUST be in the form of a URI. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### External Documentation Object Example + +```json +{ + "description": "Find more info here", + "url": "https://example.com" +} +``` + +```yaml +description: Find more info here +url: https://example.com +``` + +#### Parameter Object + +Describes a single operation parameter. + +A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns, including interactions with the `application/x-www-form-urlencoded` query string format. + +##### Parameter Locations + +There are four possible parameter locations specified by the `in` field: + +* path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. +* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`. +* header - Custom headers that are expected as part of the request. Note that [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. +* cookie - Used to pass a specific cookie value to the API. + +##### Fixed Fields + +The rules for serialization of the parameter are specified in one of two ways. +Parameter Objects MUST include either a `content` field or a `schema` field, but not both. +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. + +###### Common Fixed Fields + +These fields MAY be used with either `content` or `schema`. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| +| in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"header"`, `"path"` or `"cookie"`. | +| description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | +| deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | +| allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters. Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +Note that while `"Cookie"` as a `name` is not forbidden if `in` is `"header"`, the effect of defining a cookie parameter that way is undefined; use `in: "cookie"` instead. + +###### Fixed Fields for use with `schema` + +For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter-style) can describe the structure and syntax of the parameter. +When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. + +Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: "header"` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: "header"` parameters where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | +| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. This field only applies to parameters with an `in` value of `query`. The default value is `false`. | +| schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | +| example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | + +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + +###### Fixed Fields for use with `content` + +For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. +Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | + +##### Style Values + +In order to support common ways of serializing simple parameters, a set of `style` values are defined. + +| `style` | [`type`](#data-types) | `in` | Comments | +| ---- | ---- | ---- | ---- | +| matrix | `primitive`, `array`, `object` | `path` | Path-style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.7) | +| label | `primitive`, `array`, `object` | `path` | Label style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.5) | +| simple | `primitive`, `array`, `object` | `path`, `header` | Simple style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.2). This option replaces `collectionFormat` with a `csv` value from OpenAPI 2.0. | +| form | `primitive`, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | +| spaceDelimited | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | +| pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | +| deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined. | + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. + +##### Style Examples + +Assume a parameter named `color` has one of the following values: + +```js + string -> "blue" + array -> ["blue", "black", "brown"] + object -> { "R": 100, "G": 200, "B": 150 } +``` + +The following table shows examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. + +* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field +* The behavior of combinations marked _n/a_ is undefined +* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, each example is shown prefixed with `?` as if it were the only query parameter; see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters +* Note that the `?` prefix is not appropriate for serializing `application/x-www-form-urlencoded` HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the [Encoding Object](#encoding-object) for more information +* The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. + +| [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | +| ---- | ---- | ---- | ---- | ---- | ---- | +| matrix | false | ;color | ;color=blue | ;color=blue,black,brown | ;color=R,100,G,200,B,150 | +| matrix | true | ;color | ;color=blue | ;color=blue;color=black;color=brown | ;R=100;G=200;B=150 | +| label | false | . | .blue | .blue,black,brown | .R,100,G,200,B,150 | +| label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 | +| simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 | +| simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 | +| form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 | +| form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 | +| spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 | +| spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | +| pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 | +| pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | +| deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | +| deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | + +##### Parameter Object Examples + +A header parameter with an array of 64-bit integer numbers: + +```json +{ + "name": "token", + "in": "header", + "description": "token to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" +} +``` + +```yaml +name: token +in: header +description: token to be passed as a header +required: true +schema: + type: array + items: + type: integer + format: int64 +style: simple +``` + +A path parameter of a string value: + +```json +{ + "name": "username", + "in": "path", + "description": "username to fetch", + "required": true, + "schema": { + "type": "string" + } +} +``` + +```yaml +name: username +in: path +description: username to fetch +required: true +schema: + type: string +``` + +An optional query parameter of a string value, allowing multiple values by repeating the query parameter: + +```json +{ + "name": "id", + "in": "query", + "description": "ID of the object to fetch", + "required": false, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "form", + "explode": true +} +``` + +```yaml +name: id +in: query +description: ID of the object to fetch +required: false +schema: + type: array + items: + type: string +style: form +explode: true +``` + +A free-form query parameter, allowing undefined parameters of a specific type: + +```json +{ + "in": "query", + "name": "freeForm", + "schema": { + "type": "object", + "additionalProperties": { + "type": "integer" + } + }, + "style": "form" +} +``` + +```yaml +in: query +name: freeForm +schema: + type: object + additionalProperties: + type: integer +style: form +``` + +A complex parameter using `content` to define serialization: + +```json +{ + "in": "query", + "name": "coordinates", + "content": { + "application/json": { + "schema": { + "type": "object", + "required": ["lat", "long"], + "properties": { + "lat": { + "type": "number" + }, + "long": { + "type": "number" + } + } + } + } + } +} +``` + +```yaml +in: query +name: coordinates +content: + application/json: + schema: + type: object + required: + - lat + - long + properties: + lat: + type: number + long: + type: number +``` + +#### Request Body Object + +Describes a single request body. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Request Body Examples + +A request body with a referenced schema definition. + +```json +{ + "description": "user to add to the system", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "https://foo.bar/examples/user-example.json" + } + } + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User example in XML", + "externalValue": "https://foo.bar/examples/user-example.xml" + } + } + }, + "text/plain": { + "examples": { + "user": { + "summary": "User example in Plain text", + "externalValue": "https://foo.bar/examples/user-example.txt" + } + } + }, + "*/*": { + "examples": { + "user": { + "summary": "User example in other format", + "externalValue": "https://foo.bar/examples/user-example.whatever" + } + } + } + } +} +``` + +```yaml +description: user to add to the system +content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example + externalValue: https://foo.bar/examples/user-example.json + application/xml: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example in XML + externalValue: https://foo.bar/examples/user-example.xml + text/plain: + examples: + user: + summary: User example in plain text + externalValue: https://foo.bar/examples/user-example.txt + '*/*': + examples: + user: + summary: User example in other format + externalValue: https://foo.bar/examples/user-example.whatever +``` + +#### Media Type Object + +Each Media Type Object provides schema and examples for the media type identified by its key. + +When `example` or `examples` are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +See [Working With Examples](#working-with-examples) for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | +| example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The `encoding` field SHALL only apply to [Request Body Objects](#request-body-object), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Media Type Examples + +```json +{ + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet" + }, + "examples": { + "cat": { + "summary": "An example of a cat", + "value": { + "name": "Fluffy", + "petType": "Cat", + "color": "White", + "gender": "male", + "breed": "Persian" + } + }, + "dog": { + "summary": "An example of a dog with a cat's name", + "value": { + "name": "Puma", + "petType": "Dog", + "color": "Black", + "gender": "Female", + "breed": "Mixed" + } + }, + "frog": { + "$ref": "#/components/examples/frog-example" + } + } + } +} +``` + +```yaml +application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: + name: Fluffy + petType: Cat + color: White + gender: male + breed: Persian + dog: + summary: An example of a dog with a cat's name + value: + name: Puma + petType: Dog + color: Black + gender: Female + breed: Mixed + frog: + $ref: '#/components/examples/frog-example' +``` + +##### Considerations for File Uploads + +In contrast to OpenAPI 2.0, `file` input/output content in OAS 3.x is described with the same semantics as any other schema type. + +In contrast to OAS 3.0, the `format` keyword has no effect on the content-encoding of the schema in OAS 3.1. Instead, JSON Schema's `contentEncoding` and `contentMediaType` keywords are used. See [Working With Binary Data](#working-with-binary-data) for how to model various scenarios with these keywords, and how to migrate from the previous `format` usage. + +Examples: + +Content transferred in binary (octet-stream) MAY omit `schema`: + +```yaml +# a PNG image as a binary file: +content: + image/png: {} +``` + +```yaml +# an arbitrary binary file: +content: + application/octet-stream: {} +``` + +```yaml +# arbitrary JSON without constraints beyond being syntactically valid: +content: + application/json: {} +``` + +These examples apply to either input payloads of file uploads or response payloads. + +A `requestBody` for submitting a file in a `POST` operation may look like the following example: + +```yaml +requestBody: + content: + application/octet-stream: {} +``` + +In addition, specific media types MAY be specified: + +```yaml +# multiple, specific media types may be specified: +requestBody: + content: + # a binary file of type png or jpeg + image/jpeg: {} + image/png: {} +``` + +To upload multiple files, a `multipart` media type MUST be used as shown under [Example: Multipart Form with Multiple Files](#example-multipart-form-with-multiple-files). + +##### Support for x-www-form-urlencoded Request Bodies + +See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. + +##### Special Considerations for `multipart` Content + +See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. + +#### Encoding Object + +A single encoding definition applied to a single schema property. +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. + +Properties are correlated with `multipart` parts using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. +In both cases, their order is implementation-defined. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. + +##### Fixed Fields + +###### Common Fixed Fields + +These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the request body media type is not a `multipart`. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: + +| `type` | `contentEncoding` | Default `contentType` | +| ---- | ---- | ---- | +| [_absent_](#working-with-binary-data) | _n/a_ | `application/octet-stream` | +| `string` | _present_ | `application/octet-stream` | +| `string` | _absent_ | `text/plain` | +| `number`, `integer`, or `boolean` | _n/a_ | `text/plain` | +| `object` | _n/a_ | `application/json` | +| `array` | _n/a_ | according to the `type` of the `items` schema | + +Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. +If `null` values are entirely omitted, then the `contentType` is irrelevant. +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type conversion options. + +###### Fixed Fields for RFC6570-style Serialization + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | + +See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. + +Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. +The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. + +##### Encoding the `x-www-form-urlencoded` Media Type + +To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object) under the [Request Body Object](#request-body-object). +This configuration means that the request body MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. + +###### Example: URL Encoded Form with JSON Values + +When there is no [`encoding`](#media-type-encoding) field, the serialization strategy is based on the Encoding Object's default values: + +```yaml +requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + id: + type: string + format: uuid + address: + # complex types are stringified to support RFC 1866 + type: object + properties: {} +``` + +With this example, consider an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` and a US-style address (with ZIP+4) as follows: + +```json +{ + "streetAddress": "123 Example Dr.", + "city": "Somewhere", + "state": "CA", + "zip": "99999+1234" +} +``` + +Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%7B`, and `%7D`, respectively: + +```uri +id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D +``` + +Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encoding-object)'s default behavior, and is serialized as-is. +If it were treated as `application/json`, then the serialized value would be a JSON string including quotation marks, which would be percent-encoded as `%22`. + +Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per RFC1866: + +```uri +id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 +``` + +###### Example: URL Encoded Form with Binary Values + +Note that `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: + +```YAML +requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + type: string + icon: + # The default with "contentEncoding" is application/octet-stream, + # so we need to set image media type(s) in the Encoding Object. + type: string + contentEncoding: base64url + encoding: + icon: + contentType: image/png, image/jpeg +``` + +Given a name of `example` and a solid red 2x2-pixel PNG for `icon`, this +would produce a request body of: + +```uri +name=example&icon=iVBORw0KGgoAAAANSUhEUgAAAAIAAAACCAIAAAD91JpzAAAABGdBTUEAALGPC_xhBQAAADhlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAAqACAAQAAAABAAAAAqADAAQAAAABAAAAAgAAAADO0J6QAAAAEElEQVQIHWP8zwACTGCSAQANHQEDqtPptQAAAABJRU5ErkJggg%3D%3D +``` + +Note that the `=` padding characters at the end need to be percent-encoded, even with the "URL safe" `contentEncoding: base64url`. +Some base64-decoding implementations may be able to use the string without the padding per [RFC4648](https://datatracker.ietf.org/doc/html/rfc4648#section-3.2). +However, this is not guaranteed, so it may be more interoperable to keep the padding and rely on percent-decoding. + +##### Encoding `multipart` Media Types + +It is common to use `multipart/form-data` as a `Content-Type` when transferring forms as request bodies. In contrast to OpenAPI 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. + +The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). +Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +See [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. + +Various other `multipart` types, most notable `multipart/mixed` ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. +It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. + +Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). + +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. + ++Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. ++If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. + +Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. +Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's`contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. + +###### Example: Basic Multipart Form + +When the `encoding` field is _not_ used, the encoding is determined by the Encoding Object's defaults: + +```yaml +requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + id: + # default for primitives without a special format is text/plain + type: string + format: uuid + profileImage: + # default for string with binary format is `application/octet-stream` + type: string + format: binary + addresses: + # default for arrays is based on the type in the `items` + # subschema, which is an object, so `application/json` + type: array + items: + $ref: '#/components/schemas/Address' +``` + +###### Example: Multipart Form with Encoding Objects + +Using `encoding`, we can set more specific types for binary data, or non-JSON formats for complex values. +We can also describe headers for each part: + +```yaml +requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + id: + # default is `text/plain` + type: string + format: uuid + addresses: + # default based on the `items` subschema would be + # `application/json`, but we want these address objects + # serialized as `application/xml` instead + description: addresses in XML format + type: array + items: + $ref: '#/components/schemas/Address' + profileImage: + # default is application/octet-stream, but we can declare + # a more specific image type or types + type: string + format: binary + encoding: + addresses: + # require XML Content-Type in utf-8 encoding + # This is applied to each address part corresponding + # to each address in he array + contentType: application/xml; charset=utf-8 + profileImage: + # only accept png or jpeg + contentType: image/png, image/jpeg + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer +``` + +###### Example: Multipart Form with Multiple Files + +In accordance with [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3), multiple files for a single form field are uploaded using the same name (`file` in this example) for each file's part: + +```yaml +requestBody: + content: + multipart/form-data: + schema: + properties: + # The property name 'file' will be used for all files. + file: + type: array + items: {} +``` + +As seen in the [Encoding Object's `contentType` field documentation](#encoding-content-type), the empty schema for `items` indicates a media type of `application/octet-stream`. + +#### Responses Object + +A container for the expected responses of an operation. +The container maps a HTTP response code to the expected response. + +The documentation is not necessarily expected to cover all possible HTTP response codes because they may not be known in advance. +However, documentation is expected to cover a successful operation response and any known errors. + +The `default` MAY be used as a default Response Object for all HTTP codes +that are not covered individually by the Responses Object. + +The Responses Object MUST contain at least one response code, and if only one +response code is provided it SHOULD be the response for a successful operation +call. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| default | [Response Object](#response-object) \| [Reference Object](#reference-object) | The documentation of responses other than the ones declared for specific HTTP response codes. Use this field to cover undeclared responses. | + +##### Patterned Fields + +| Field Pattern | Type | Description | +| ---- | :----: | ---- | +| [HTTP Status Code](#http-status-codes) | [Response Object](#response-object) \| [Reference Object](#reference-object) | Any [HTTP status code](#http-status-codes) can be used as the property name, but only one property per code, to describe the expected response for that HTTP status code. This field MUST be enclosed in quotation marks (for example, "200") for compatibility between JSON and YAML. To define a range of response codes, this field MAY contain the uppercase wildcard character `X`. For example, `2XX` represents all response codes between `200` and `299`. Only the following range definitions are allowed: `1XX`, `2XX`, `3XX`, `4XX`, and `5XX`. If a response is defined using an explicit code, the explicit code definition takes precedence over the range definition for that code. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Responses Object Example + +A 200 response for a successful operation and a default response for others (implying an error): + +```json +{ + "200": { + "description": "a pet to be returned", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet" + } + } + } + }, + "default": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorModel" + } + } + } + } +} +``` + +```yaml +'200': + description: a pet to be returned + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' +default: + description: Unexpected error + content: + application/json: + schema: + $ref: '#/components/schemas/ErrorModel' +``` + +#### Response Object + +Describes a single response from an API operation, including design-time, static +`links` to operations based on the response. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| description | `string` | **REQUIRED**. A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | +| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Response Object Examples + +Response of an array of a complex type: + +```json +{ + "description": "A complex object array response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/VeryComplexType" + } + } + } + } +} +``` + +```yaml +description: A complex object array response +content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/VeryComplexType' +``` + +Response with a string type: + +```json +{ + "description": "A simple string response", + "content": { + "text/plain": { + "schema": { + "type": "string" + } + } + } +} +``` + +```yaml +description: A simple string response +content: + text/plain: + schema: + type: string +``` + +Plain text response with headers: + +```json +{ + "description": "A simple string response", + "content": { + "text/plain": { + "schema": { + "type": "string" + }, + "example": "whoa!" + } + }, + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "schema": { + "type": "integer" + } + }, + "X-Rate-Limit-Remaining": { + "description": "The number of remaining requests in the current period", + "schema": { + "type": "integer" + } + }, + "X-Rate-Limit-Reset": { + "description": "The number of seconds left in the current period", + "schema": { + "type": "integer" + } + } + } +} +``` + +```yaml +description: A simple string response +content: + text/plain: + schema: + type: string + example: 'whoa!' +headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + X-Rate-Limit-Remaining: + description: The number of remaining requests in the current period + schema: + type: integer + X-Rate-Limit-Reset: + description: The number of seconds left in the current period + schema: + type: integer +``` + +Response with no return value: + +```json +{ + "description": "object created" +} +``` + +```yaml +description: object created +``` + +#### Callback Object + +A map of possible out-of band callbacks related to the parent operation. +Each value in the map is a [Path Item Object](#path-item-object) that describes a set of requests that may be initiated by the API provider and the expected responses. +The key value used to identify the Path Item Object is an expression, evaluated at runtime, that identifies a URL to use for the callback operation. + +To describe incoming requests from the API provider independent from another API call, use the [`webhooks`](#oas-webhooks) field. + +##### Patterned Fields + +| Field Pattern | Type | Description | +| ---- | :----: | ---- | +| {expression} | [Path Item Object](#path-item-object) | A Path Item Object used to define a callback request and expected responses. A [complete example](https://learn.openapis.org/examples/v3.0/callback-example.html) is available. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Key Expression + +The key that identifies the [Path Item Object](#path-item-object) is a [runtime expression](#runtime-expressions) that can be evaluated in the context of a runtime HTTP request/response to identify the URL to be used for the callback request. +A simple example might be `$request.body#/url`. +However, using a [runtime expression](#runtime-expressions) the complete HTTP message can be accessed. +This includes accessing any part of a body that a JSON Pointer [RFC6901](https://tools.ietf.org/html/rfc6901) can reference. + +For example, given the following HTTP request: + +```http +POST /subscribe/myevent?queryUrl=https://clientdomain.com/stillrunning HTTP/1.1 +Host: example.org +Content-Type: application/json +Content-Length: 188 + +{ + "failedUrl": "https://clientdomain.com/failed", + "successUrls": [ + "https://clientdomain.com/fast", + "https://clientdomain.com/medium", + "https://clientdomain.com/slow" + ] +} +``` + +resulting in: + +```http +201 Created +Location: https://example.org/subscription/1 +``` + +The following examples show how the various expressions evaluate, assuming the callback operation has a path parameter named `eventType` and a query parameter named `queryUrl`. + +| Expression | Value | +| ---- | :---- | +| $url | | +| $method | POST | +| $request.path.eventType | myevent | +| $request.query.queryUrl | | +| $request.header.content-type | application/json | +| $request.body#/failedUrl | | +| $request.body#/successUrls/1 | | +| $response.header.Location | | + +##### Callback Object Examples + +The following example uses the user provided `queryUrl` query string parameter to define the callback URL. This is similar to a [webhook](#oas-webhooks), but differs in that the callback only occurs because of the initial request that sent the `queryUrl`. + +```yaml +myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed +``` + +The following example shows a callback where the server is hard-coded, but the query string parameters are populated from the `id` and `email` property in the request body. + +```yaml +transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed +``` + +#### Example Object + +An object grouping an internal or external example value with basic `summary` and `description` metadata. +This object is typically used in fields named `examples` (plural), and is a [referenceable](#reference-object) alternative to older `example` (singular) fields that do not support referencing or metadata. + +Examples allow demonstration of the usage of properties, parameters and objects within OpenAPI. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| summary | `string` | Short description for the example. | +| description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally represented in JSON or YAML, use a string value to contain the example, escaping where necessary. | +| externalValue | `string` | A URI that identifies the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The `value` field and `externalValue` field are mutually exclusive. See the rules for resolving [Relative References](#relative-references-in-api-description-uris). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +In all cases, the example value SHOULD be compatible with the schema of its associated value. +Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. + +##### Working with Examples + +Example Objects can be used in both [Parameter Objects](#parameter-object) and [Media Type Objects](#media-type-object). +In both Objects, this is done through the `examples` (plural) field. +However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in both Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of both Objects. +Each of these fields has slightly different considerations. + +The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. +The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. + +The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. +The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's [Encoding Object](#encoding-object). +Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. + +The singular `example` field in the Parameter or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. + +Some examples cannot be represented directly in JSON or YAML. +For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. +With the Example Object, such values can alternatively be handled through the `externalValue` field. + +##### Example Object Examples + +In a request body: + +```yaml +requestBody: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + foo: + summary: A foo example + value: + foo: bar + bar: + summary: A bar example + value: + bar: baz + application/xml: + examples: + xmlExample: + summary: This is an example in XML + externalValue: https://example.org/examples/address-example.xml + text/plain: + examples: + textExample: + summary: This is a text example + externalValue: https://foo.bar/examples/address-example.txt +``` + +In a parameter: + +```yaml +parameters: + - name: zipCode + in: query + schema: + type: string + format: zip-code + examples: + zip-example: + $ref: '#/components/examples/zip-example' +``` + +In a response: + +```yaml +responses: + '200': + description: your car appointment has been booked + content: + application/json: + schema: + $ref: '#/components/schemas/SuccessResponse' + examples: + confirmation-success: + $ref: '#/components/examples/confirmation-success' +``` + +Two different uses of JSON strings: + +First, a request or response body that is just a JSON string (not an object containing a string): + +```json +"application/json": { + "schema": { + "type": "string" + }, + "examples": { + "jsonBody": { + "description": "A body of just the JSON string \"json\"", + "value": "json" + } + } +} +``` + +```yaml +application/json: + schema: + type: string + examples: + jsonBody: + description: 'A body of just the JSON string "json"' + value: json +``` + +In the above example, we can just show the JSON string (or any JSON value) as-is, rather than stuffing a serialized JSON value into a JSON string, which would have looked like `"\"json\""`. + +In contrast, a JSON string encoded inside of a URL-style form body: + +```json +"application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "jsonValue": { + "type": "string" + } + } + }, + "encoding": { + "jsonValue": { + "contentType": "application/json" + } + }, + "examples": { + "jsonFormValue": { + "description": "The JSON string \"json\" as a form value", + "value": "jsonValue=%22json%22" + } + } +} +``` + +```yaml +application/x-www-form-urlencoded: + schema: + type: object + properties: + jsonValue: + type: string + encoding: + jsonValue: + contentType: application/json + examples: + jsonFormValue: + description: 'The JSON string "json" as a form value' + value: jsonValue=%22json%22 +``` + +In this example, the JSON string had to be serialized before encoding it into the URL form value, so the example includes the quotation marks that are part of the JSON serialization, which are then URL percent-encoded. + +#### Link Object + +The Link Object represents a possible design-time link for a response. +The presence of a link does not guarantee the caller's ability to successfully invoke it, rather it provides a known relationship and traversal mechanism between responses and other operations. + +Unlike _dynamic_ links (i.e. links provided **in** the response payload), the OAS linking mechanism does not require link information in the runtime response. + +For computing links and providing instructions to execute them, a [runtime expression](#runtime-expressions) is used for accessing values in an operation and using them as parameters while invoking the linked operation. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| operationRef | `string` | A URI reference to an OAS operation. This field is mutually exclusive of the `operationId` field, and MUST point to an [Operation Object](#operation-object). Relative `operationRef` values MAY be used to locate an existing [Operation Object](#operation-object) in the OpenAPI Description. | +| operationId | `string` | The name of an _existing_, resolvable OAS operation, as defined with a unique `operationId`. This field is mutually exclusive of the `operationRef` field. | +| parameters | Map[`string`, Any \| [{expression}](#runtime-expressions)] | A map representing parameters to pass to an operation as specified with `operationId` or identified via `operationRef`. The key is the parameter name to be used (optionally qualified with the parameter location, e.g. `path.id` for an `id` parameter in the path), whereas the value can be a constant or an expression to be evaluated and passed to the linked operation. | +| requestBody | Any \| [{expression}](#runtime-expressions) | A literal value or [{expression}](#runtime-expressions) to use as a request body when calling the target operation. | +| description | `string` | A description of the link. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| server | [Server Object](#server-object) | A server object to be used by the target operation. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +A linked operation MUST be identified using either an `operationRef` or `operationId`. +The identified or reference operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). +Because of the potential for name clashes, the `operationRef` syntax is preferred for multi-document OADs. +However, because use of an operation depends on its URL path template in the [Paths Object](#paths-object), operations from any [Path Item Object](#path-item-object) that is referenced multiple times within the OAD cannot be resolved unambiguously. +In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error. + +Note that it is not possible to provide a constant value to `parameters` that matches the syntax of a runtime expression. +It is possible to have ambiguous parameter names, e.g. `name: "id", in: "path"` and `name: "path.id", in: "query"`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query parameter). + +##### Examples + +Computing a link from a request operation where the `$request.path.id` is used to pass a request parameter to the linked operation. + +```yaml +paths: + /users/{id}: + parameters: + - name: id + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + responses: + '200': + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + # the target link operationId + operationId: getUserAddress + parameters: + # get the `id` field from the request path parameter named `id` + userid: $request.path.id + # the path item of the linked operation + /users/{userid}/address: + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + # linked operation + get: + operationId: getUserAddress + responses: + '200': + description: the user's address +``` + +When a runtime expression fails to evaluate, no parameter value is passed to the target operation. + +Values from the response body can be used to drive a linked operation. + +```yaml +links: + address: + operationId: getUserAddressByUUID + parameters: + # get the `uuid` field from the `uuid` field in the response body + userUuid: $response.body#/uuid +``` + +Clients follow all links at their discretion. +Neither permissions nor the capability to make a successful call to that link is guaranteed +solely by the existence of a relationship. + +##### `operationRef` Examples + +As references to `operationId` MAY NOT be possible (the `operationId` is an optional +field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: + +```yaml +links: + UserRepositories: + # returns array of '#/components/schemas/repository' + operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' + parameters: + username: $response.body#/username +``` + +or a URI `operationRef`: + +```yaml +links: + UserRepositories: + # returns array of '#/components/schemas/repository' + operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get + parameters: + username: $response.body#/username +``` + +Note that in the use of `operationRef` the _escaped forward-slash_ is necessary when +using JSON Pointer, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively, when using JSON Pointer as URI fragments. + +##### Runtime Expressions + +Runtime expressions allow defining values based on information that will only be available within the HTTP message in an actual API call. +This mechanism is used by [Link Objects](#link-object) and [Callback Objects](#callback-object). + +The runtime expression is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax + +```abnf + expression = "$url" / "$method" / "$statusCode" / "$request." source / "$response." source + source = header-reference / query-reference / path-reference / body-reference + header-reference = "header." token + query-reference = "query." name + path-reference = "path." name + body-reference = "body" ["#" json-pointer ] + json-pointer = *( "/" reference-token ) + reference-token = *( unescaped / escaped ) + unescaped = %x00-2E / %x30-7D / %x7F-10FFFF + ; %x2F ('/') and %x7E ('~') are excluded from 'unescaped' + escaped = "~" ( "0" / "1" ) + ; representing '~' and '/', respectively + name = *( CHAR ) + token = 1*tchar + tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." + / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA +``` + +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). + +The `name` identifier is case-sensitive, whereas `token` is not. + +The table below provides examples of runtime expressions and examples of their use in a value: + +##### Examples + +| Source Location | example expression | notes | +| ---- | :---- | :---- | +| HTTP Method | `$method` | The allowable values for the `$method` will be those for the HTTP operation. | +| Requested media type | `$request.header.accept` | | +| Request parameter | `$request.path.id` | Request parameters MUST be declared in the `parameters` section of the parent operation or they cannot be evaluated. This includes request headers. | +| Request body property | `$request.body#/user/uuid` | In operations which accept payloads, references may be made to portions of the `requestBody` or the entire body. | +| Request URL | `$url` | | +| Response value | `$response.body#/status` | In operations which return payloads, references may be made to portions of the response body or the entire body. | +| Response header | `$response.header.Server` | Single header values only are available | + +Runtime expressions preserve the type of the referenced value. +Expressions can be embedded into string values by surrounding the expression with `{}` curly braces. + +#### Header Object + +Describes a single header for [HTTP responses](#response-headers) and for [individual parts in `multipart` representations](#encoding-headers); see the relevant [Response Object](#response-object) and [Encoding Object](#encoding-object) documentation for restrictions on which headers can be described. + +The Header Object follows the structure of the [Parameter Object](#parameter-object), including determining its serialization strategy based on whether `schema` or `content` is present, with the following changes: + +1. `name` MUST NOT be specified, it is given in the corresponding `headers` map. +1. `in` MUST NOT be specified, it is implicitly in `header`. +1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` and `allowReserved` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. + +##### Fixed Fields + +###### Common Fixed Fields + +These fields MAY be used with either `content` or `schema`. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| description | `string` | A brief description of the header. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| required | `boolean` | Determines whether this header is mandatory. The default value is `false`. | +| deprecated | `boolean` | Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +###### Fixed Fields for use with `schema` + +For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. +When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. + +Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. + +When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. +The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | +| explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | +| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the header. | +| example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | + +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + +###### Fixed Fields for use with `content` + +For more complex scenarios, the [`content`](#header-content) field can define the media type and schema of the header, as well as give examples of its use. +Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | + +##### Header Object Example + +A simple header of type `integer`: + +```json +"X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "schema": { + "type": "integer" + } +} +``` + +```yaml +X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer +``` + +Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: + +```json +"ETag": { + "required": true, + "content": { + "text/plain": { + "schema": { + "type": "string", + "pattern": "^\"" + } + } + } +} +``` + +```yaml +ETag: + required: true + content: + text/plain: + schema: + type: string + pattern: ^" +``` + +#### Tag Object + +Adds metadata to a single tag that is used by the [Operation Object](#operation-object). +It is not mandatory to have a Tag Object per tag defined in the Operation Object instances. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| name | `string` | **REQUIRED**. The name of the tag. | +| description | `string` | A description for the tag. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this tag. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Tag Object Example + +```json +{ + "name": "pet", + "description": "Pets operations" +} +``` + +```yaml +name: pet +description: Pets operations +``` + +#### Reference Object + +A simple object to allow referencing other components in the OpenAPI Description, internally and externally. + +The `$ref` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc3986), which identifies the value being referenced. + +See the rules for resolving [Relative References](#relative-references-in-api-description-uris). + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| $ref | `string` | **REQUIRED**. The reference identifier. This MUST be in the form of a URI. | +| summary | `string` | A short summary which by default SHOULD override that of the referenced component. If the referenced object-type does not allow a `summary` field, then this field has no effect. | +| description | `string` | A description which by default SHOULD override that of the referenced component. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. If the referenced object-type does not allow a `description` field, then this field has no effect. | + +This object cannot be extended with additional properties, and any properties added SHALL be ignored. + +Note that this restriction on additional properties is a difference between Reference Objects and [Schema Objects](#schema-object) that contain a `$ref` keyword. + +##### Reference Object Example + +```json +{ + "$ref": "#/components/schemas/Pet" +} +``` + +```yaml +$ref: '#/components/schemas/Pet' +``` + +##### Relative Schema Document Example + +```json +{ + "$ref": "Pet.json" +} +``` + +```yaml +$ref: Pet.yaml +``` + +##### Relative Documents with Embedded Schema Example + +```json +{ + "$ref": "definitions.json#/Pet" +} +``` + +```yaml +$ref: definitions.yaml#/Pet +``` + +#### Schema Object + +The Schema Object allows the definition of input and output data types. +These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. + +For more information about the keywords, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00). + +Unless stated otherwise, the keyword definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. +Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. + +##### JSON Schema Keywords + +The OpenAPI Schema Object [dialect](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8). + +The OpenAPI Schema Object dialect for this version of the specification is identified by the URI `https://spec.openapis.org/oas/3.1/dialect/base` (the "OAS dialect schema id"). + +The following keywords are taken from the JSON Schema specification but their definitions have been extended by the OAS: + +* description - [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. +* format - See [Data Type Formats](#data-type-format) for further details. While relying on JSON Schema's defined formats, the OAS offers a few additional predefined formats. + +In addition to the JSON Schema keywords comprising the OAS dialect, the Schema Object supports keywords from any other vocabularies, or entirely arbitrary properties. + +JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-8.1.2) value of `false`. +The OAS base vocabulary is comprised of the following keywords: + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| discriminator | [Discriminator Object](#discriminator-object) | Adds support for polymorphism. The discriminator is used to determine which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | +| xml | [XML Object](#xml-object) | This MAY be used only on property schemas. It has no effect on root schemas. Adds additional metadata to describe the XML representation of this property. | +| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this schema. | +| example | Any | A free-form field to include an example of an instance for this schema. To represent examples that cannot be naturally represented in JSON or YAML, a string value can be used to contain the example with escaping where necessary.

**Deprecated:** The `example` field has been deprecated in favor of the JSON Schema `examples` keyword. Use of `example` is discouraged, and later versions of this specification may remove it. | + +This object MAY be extended with [Specification Extensions](#specification-extensions), though as noted, additional properties MAY omit the `x-` prefix within this object. + +##### Extended Validation with Annotations + +JSON Schema Draft 2020-12 supports [collecting annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-7.7.1), including [treating unrecognized keywords as annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-6.5). +OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. +Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. + +###### Non-validating constraint keywords + +The [`format` keyword (when using default format-annotation vocabulary)](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. +Extended validation is one way that these constraints MAY be enforced. + +###### Validating `readOnly` and `writeOnly` + +The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. +Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. +[JSON Schema Validation Draft 2020-12 §9.4](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. + +Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. +This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. +Even when read-only fields are not required, stripping them is burdensome for clients, particularly when the JSON data is complex or deeply nested. + +Note that the behavior of `readOnly` in particular differs from that specified by version 3.0 of this specification. + +##### Data Modeling Techniques + +###### Composition and Inheritance (Polymorphism) + +The OpenAPI Specification allows combining and extending model definitions using the `allOf` keyword of JSON Schema, in effect offering model composition. +`allOf` takes an array of object definitions that are validated _independently_ but together compose a single object. + +While composition offers model extensibility, it does not imply a hierarchy between the models. +To support polymorphism, the OpenAPI Specification adds the [`discriminator`](#schema-discriminator) field. +When used, the `discriminator` indicates the name of the property that hints which schema definition is expected to validate the structure of the model. +As such, the `discriminator` field MUST be a required field. +There are two ways to define the value of a discriminator for an inheriting instance. + +* Use the schema name. +* [Override the schema name](#discriminator-mapping) by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. + +###### Generic (Template) Data Structures + +Implementations MAY support defining generic or template data structures using JSON Schema's dynamic referencing feature: + +* `$dynamicAnchor` identifies a set of possible schemas (including a default placeholder schema) to which a `$dynamicRef` can resolve +* `$dynamicRef` resolves to the first matching `$dynamicAnchor` encountered on its path from the schema entry point to the reference, as described in the JSON Schema specification + +An example is included in the "Schema Object Examples" section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. + +###### Annotated Enumerations + +The Schema Object's `enum` keyword does not allow associating descriptions or other information with individual values. + +Implementations MAY support recognizing a `oneOf` or `anyOf` where each subschema in the keyword's array consists of a `const` keyword and annotations such as `title` or `description` as an enumerated type with additional information. The exact behavior of this pattern beyond what is required by JSON Schema is implementation-defined. + +###### XML Modeling + +The [xml](#schema-xml) field allows extra definitions when translating the JSON definition to XML. +The [XML Object](#xml-object) contains additional information about the available options. + +##### Specifying Schema Dialects + +It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. + +The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. + +To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. + +For standalone JSON Schema documents that do not set `$schema`, or for Schema Objects in OpenAPI description documents that are _not_ [complete documents](#openapi-description-structure), the dialect SHOULD be assumed to be the OAS dialect. +However, for maximum interoperability, it is RECOMMENDED that OpenAPI description authors explicitly set the dialect through `$schema` in such documents. + +##### Schema Object Examples + +###### Primitive Example + +```json +{ + "type": "string", + "format": "email" +} +``` + +```yaml +type: string +format: email +``` + +###### Simple Model + +```json +{ + "type": "object", + "required": ["name"], + "properties": { + "name": { + "type": "string" + }, + "address": { + "$ref": "#/components/schemas/Address" + }, + "age": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + } +} +``` + +```yaml +type: object +required: + - name +properties: + name: + type: string + address: + $ref: '#/components/schemas/Address' + age: + type: integer + format: int32 + minimum: 0 +``` + +###### Model with Map/Dictionary Properties + +For a simple string to string mapping: + +```json +{ + "type": "object", + "additionalProperties": { + "type": "string" + } +} +``` + +```yaml +type: object +additionalProperties: + type: string +``` + +For a string to model mapping: + +```json +{ + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/ComplexModel" + } +} +``` + +```yaml +type: object +additionalProperties: + $ref: '#/components/schemas/ComplexModel' +``` + +###### Model with Annotated Enumeration + +```json +{ + "oneOf": [ + { + "const": "RGB", + "title": "Red, Green, Blue", + "description": "Specify colors with the red, green, and blue additive color model" + }, + { + "const": "CMYK", + "title": "Cyan, Magenta, Yellow, Black", + "description": "Specify colors with the cyan, magenta, yellow, and black subtractive color model" + } + ] +} +``` + +```yaml +oneOf: + - const: RGB + title: Red, Green, Blue + description: Specify colors with the red, green, and blue additive color model + - const: CMYK + title: Cyan, Magenta, Yellow, Black + description: Specify colors with the cyan, magenta, yellow, and black subtractive color model +``` + +###### Model with Example + +```json +{ + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + }, + "required": ["name"], + "examples": [ + { + "name": "Puma", + "id": 1 + } + ] +} +``` + +```yaml +type: object +properties: + id: + type: integer + format: int64 + name: + type: string +required: + - name +examples: + - name: Puma + id: 1 +``` + +###### Models with Composition + +```json +{ + "components": { + "schemas": { + "ErrorModel": { + "type": "object", + "required": ["message", "code"], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + }, + "ExtendedErrorModel": { + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": ["rootCause"], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } + } +} +``` + +```yaml +components: + schemas: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + ExtendedErrorModel: + allOf: + - $ref: '#/components/schemas/ErrorModel' + - type: object + required: + - rootCause + properties: + rootCause: + type: string +``` + +###### Models with Polymorphism Support + +```json +{ + "components": { + "schemas": { + "Pet": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "name": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": ["name", "petType"] + }, + "Cat": { + "description": "A representation of a cat. Note that `Cat` will be used as the discriminating value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": ["clueless", "lazy", "adventurous", "aggressive"] + } + }, + "required": ["huntingSkill"] + } + ] + }, + "Dog": { + "description": "A representation of a dog. Note that `Dog` will be used as the discriminating value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "packSize": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 0, + "minimum": 0 + } + }, + "required": ["packSize"] + } + ] + } + } + } +} +``` + +```yaml +components: + schemas: + Pet: + type: object + discriminator: + propertyName: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: # "Cat" will be used as the discriminating value + description: A representation of a cat + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: # "Dog" will be used as the discriminating value + description: A representation of a dog + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize +``` + +###### Generic Data Structure Model + +```JSON +{ + "components": { + "schemas": { + "genericArrayComponent": { + "$id": "fully_generic_array", + "type": "array", + "items": { + "$dynamicRef": "#generic-array" + }, + "$defs": { + "allowAll": { + "$dynamicAnchor": "generic-array" + } + } + }, + "numberArray": { + "$id": "array_of_numbers", + "$ref": "fully_generic_array", + "$defs": { + "numbersOnly": { + "$dynamicAnchor": "generic-array", + "type": "number" + } + } + }, + "stringArray": { + "$id": "array_of_strings", + "$ref": "fully_generic_array", + "$defs": { + "stringsOnly": { + "$dynamicAnchor": "generic-array", + "type": "string" + } + } + }, + "objWithTypedArray": { + "$id": "obj_with_typed_array", + "type": "object", + "required": ["dataType", "data"], + "properties": { + "dataType": { + "enum": ["string", "number"] + } + }, + "oneOf": [{ + "properties": { + "dataType": {"const": "string"}, + "data": {"$ref": "array_of_strings"} + } + }, { + "properties": { + "dataType": {"const": "number"}, + "data": {"$ref": "array_of_numbers"} + } + }] + } + } + } +} +``` + +```YAML +components: + schemas: + genericArrayComponent: + $id: fully_generic_array + type: array + items: + $dynamicRef: '#generic-array' + $defs: + allowAll: + $dynamicAnchor: generic-array + numberArray: + $id: array_of_numbers + $ref: fully_generic_array + $defs: + numbersOnly: + $dynamicAnchor: generic-array + type: number + stringArray: + $id: array_of_strings + $ref: fully_generic_array + $defs: + stringsOnly: + $dynamicAnchor: generic-array + type: string + objWithTypedArray: + $id: obj_with_typed_array + type: object + required: + - dataType + - data + properties: + dataType: + enum: + - string + - number + oneOf: + - properties: + dataType: + const: string + data: + $ref: array_of_strings + - properties: + dataType: + const: number + data: + $ref: array_of_numbers +``` + +#### Discriminator Object + +When request bodies or response payloads may be one of a number of different schemas, a Discriminator Object gives a hint about the expected schema of the document. +This hint can be used to aid in serialization, deserialization, and validation. +The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. + +Note that `discriminator` MUST NOT change the validation outcome of the schema. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| propertyName | `string` | **REQUIRED**. The name of the property in the payload that will hold the discriminating value. This property SHOULD be required in the payload schema, as the behavior when the property is absent is undefined. | +| mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Conditions for Using the Discriminator Object + +The Discriminator Object is legal only when using one of the composite keywords `oneOf`, `anyOf`, `allOf`. + +In both the `oneOf` and `anyOf` use cases, where those keywords are adjacent to `discriminator`, all possible schemas MUST be listed explicitly. + +To avoid redundancy, the discriminator MAY be added to a parent schema definition, and all schemas building on the parent schema via an `allOf` construct may be used as an alternate schema. + +The `allOf` form of `discriminator` is _only_ useful for non-validation use cases; validation with the parent schema with this form of `discriminator` _does not_ perform a search for child schemas or use them in validation in any way. +This is because `discriminator` cannot change the validation outcome, and no standard JSON Schema keyword connects the parent schema to the child schemas. + +The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminator` that is not described above is undefined. + +##### Options for Mapping Values to Schemas + +The value of the property named in `propertyName` is used as the name of the associated schema under the [Components Object](#components-object), _unless_ a `mapping` is present for that value. +The `mapping` entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. +When using implicit or explicit schema component names, inline `oneOf` or `anyOf` subschemas are not considered. +The behavior of a `mapping` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. +To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI reference by all implementations, authors MUST prefix it with the `"."` path segment (e.g. `"./foo"`). + +Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. +However, the exact nature of such conversions are implementation-defined. + +##### Examples + +For these examples, assume all schemas are in the [entry document](#openapi-description-structure) of the OAD; for handling of `discriminator` in referenced documents see [Resolving Implicit Connections](#resolving-implicit-connections). + +In OAS 3.x, a response payload MAY be described to be exactly one of any number of types: + +```yaml +MyResponseType: + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + - $ref: '#/components/schemas/Lizard' +``` + +which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The `discriminator` field cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: + +```yaml +MyResponseType: + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + - $ref: '#/components/schemas/Lizard' + discriminator: + propertyName: petType +``` + +The expectation now is that a property with name `petType` _MUST_ be present in the response payload, and the value will correspond to the name of a schema defined in the OpenAPI Description. Thus the response payload: + +```json +{ + "id": 12345, + "petType": "Cat" +} +``` + +will indicate that the `Cat` schema is expected to match this payload. + +In scenarios where the value of the `discriminator` field does not match the schema name or implicit mapping is not possible, an optional `mapping` definition MAY be used: + +```yaml +MyResponseType: + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + - $ref: '#/components/schemas/Lizard' + - $ref: https://gigantic-server.com/schemas/Monster/schema.json + discriminator: + propertyName: petType + mapping: + dog: '#/components/schemas/Dog' + monster: https://gigantic-server.com/schemas/Monster/schema.json +``` + +Here the discriminating value of `dog` will map to the schema `#/components/schemas/Dog`, rather than the default (implicit) value of `#/components/schemas/dog`. If the discriminating value does not match an implicit or explicit mapping, no schema can be determined and validation SHOULD fail. + +When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. + +This example shows the `allOf` usage, which avoids needing to reference all child schemas in the parent: + +```yaml +components: + schemas: + Pet: + type: object + required: + - petType + properties: + petType: + type: string + discriminator: + propertyName: petType + mapping: + dog: Dog + Cat: + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + # all other properties specific to a `Cat` + properties: + name: + type: string + Dog: + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + # all other properties specific to a `Dog` + properties: + bark: + type: string + Lizard: + allOf: + - $ref: '#/components/schemas/Pet' + - type: object + # all other properties specific to a `Lizard` + properties: + lovesRocks: + type: boolean +``` + +Validated against the `Pet` schema, a payload like this: + +```json +{ + "petType": "Cat", + "name": "Misty" +} +``` + +will indicate that the `#/components/schemas/Cat` schema is expected to match. Likewise this payload: + +```json +{ + "petType": "dog", + "bark": "soft" +} +``` + +will map to `#/components/schemas/Dog` because the `dog` entry in the `mapping` element maps to `Dog` which is the schema name for `#/components/schemas/Dog`. + +#### XML Object + +A metadata object that allows for more fine-tuned XML model definitions. + +When using arrays, XML element names are _not_ inferred (for singular/plural forms) and the `name` field SHOULD be used to add that information. +See examples for expected behavior. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | +| namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. | +| prefix | `string` | The prefix to be used for the [name](#xml-name). | +| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | +| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: + +* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. +* XML allows but discourages relative URI-references, while this specification outright forbids them. +* XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. + +##### XML Object Examples + +Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schema-object) that is omitted for brevity. +The JSON and YAML representations of the `properties` value are followed by an example XML representation produced for the single property shown. + +###### No XML Element + +Basic string property: + +```json +{ + "animals": { + "type": "string" + } +} +``` + +```yaml +animals: + type: string +``` + +```xml +... +``` + +Basic string array property ([`wrapped`](#xml-wrapped) is `false` by default): + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string" + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string +``` + +```xml +... +... +... +``` + +###### XML Name Replacement + +```json +{ + "animals": { + "type": "string", + "xml": { + "name": "animal" + } + } +} +``` + +```yaml +animals: + type: string + xml: + name: animal +``` + +```xml +... +``` + +###### XML Attribute, Prefix and Namespace + +In this example, a full model definition is shown. + +```json +{ + "Person": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int32", + "xml": { + "attribute": true + } + }, + "name": { + "type": "string", + "xml": { + "namespace": "https://example.com/schema/sample", + "prefix": "sample" + } + } + } + } +} +``` + +```yaml +Person: + type: object + properties: + id: + type: integer + format: int32 + xml: + attribute: true + name: + type: string + xml: + namespace: https://example.com/schema/sample + prefix: sample +``` + +```xml + + example + +``` + +###### XML Arrays + +Changing the element names: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string", + "xml": { + "name": "animal" + } + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + name: animal +``` + +```xml +value +value +``` + +The external `name` field has no effect on the XML: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string", + "xml": { + "name": "animal" + } + }, + "xml": { + "name": "aliens" + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + name: animal + xml: + name: aliens +``` + +```xml +value +value +``` + +Even when the array is wrapped, if a name is not explicitly defined, the same name will be used both internally and externally: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string" + }, + "xml": { + "wrapped": true + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + wrapped: true +``` + +```xml + + value + value + +``` + +To overcome the naming problem in the example above, the following definition can be used: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string", + "xml": { + "name": "animal" + } + }, + "xml": { + "wrapped": true + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + name: animal + xml: + wrapped: true +``` + +```xml + + value + value + +``` + +Affecting both internal and external names: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string", + "xml": { + "name": "animal" + } + }, + "xml": { + "name": "aliens", + "wrapped": true + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + name: animal + xml: + name: aliens + wrapped: true +``` + +```xml + + value + value + +``` + +If we change the external element but not the internal ones: + +```json +{ + "animals": { + "type": "array", + "items": { + "type": "string" + }, + "xml": { + "name": "aliens", + "wrapped": true + } + } +} +``` + +```yaml +animals: + type: array + items: + type: string + xml: + name: aliens + wrapped: true +``` + +```xml + + value + value + +``` + +#### Security Scheme Object + +Defines a security scheme that can be used by the operations. + +Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), and [[OpenID-Connect-Core]]. +Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE. + +##### Fixed Fields + +| Field Name | Type | Applies To | Description | +| ---- | :----: | ---- | ---- | +| type | `string` | Any | **REQUIRED**. The type of the security scheme. Valid values are `"apiKey"`, `"http"`, `"mutualTLS"`, `"oauth2"`, `"openIdConnect"`. | +| description | `string` | Any | A description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used. | +| in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"`, or `"cookie"`. | +| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). | +| bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | +| flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | +| openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### Security Scheme Object Examples + +###### Basic Authentication Example + +```json +{ + "type": "http", + "scheme": "basic" +} +``` + +```yaml +type: http +scheme: basic +``` + +###### API Key Example + +```json +{ + "type": "apiKey", + "name": "api-key", + "in": "header" +} +``` + +```yaml +type: apiKey +name: api-key +in: header +``` + +###### JWT Bearer Example + +```json +{ + "type": "http", + "scheme": "bearer", + "bearerFormat": "JWT" +} +``` + +```yaml +type: http +scheme: bearer +bearerFormat: JWT +``` + +###### MutualTLS Example + +```json +{ + "type": "mutualTLS", + "description": "Cert must be signed by example.com CA" +} +``` + +```yaml +type: mutualTLS +description: Cert must be signed by example.com CA +``` + +###### Implicit OAuth2 Example + +```json +{ + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} +``` + +```yaml +type: oauth2 +flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets +``` + +#### OAuth Flows Object + +Allows configuration of the supported OAuth Flows. + +##### Fixed Fields + +| Field Name | Type | Description | +| ---- | :----: | ---- | +| implicit | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Implicit flow | +| password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | +| clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | +| authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +#### OAuth Flow Object + +Configuration details for a supported OAuth Flow + +##### Fixed Fields + +| Field Name | Type | Applies To | Description | +| ---- | :----: | ---- | ---- | +| authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | + +This object MAY be extended with [Specification Extensions](#specification-extensions). + +##### OAuth Flow Object Example + +```JSON +{ + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + }, + "authorizationCode": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "tokenUrl": "https://example.com/api/oauth/token", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} +``` + +```yaml +type: oauth2 +flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets +``` + +#### Security Requirement Object + +Lists the required security schemes to execute this operation. +The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). + +A Security Requirement Object MAY refer to multiple security schemes in which case all schemes MUST be satisfied for a request to be authorized. +This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information. + +When the `security` field is defined on the [OpenAPI Object](#openapi-object) or [Operation Object](#operation-object) and contains multiple Security Requirement Objects, only one of the entries in the list needs to be satisfied to authorize the request. +This enables support for scenarios where the API allows multiple, independent security schemes. + +An empty Security Requirement Object (`{}`) indicates anonymous access is supported. + +##### Patterned Fields + +| Field Pattern | Type | Description | +| ---- | :----: | ---- | +| {name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | + +##### Security Requirement Object Examples + +See also [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. + +###### Non-OAuth2 Security Requirement + +```json +{ + "api_key": [] +} +``` + +```yaml +api_key: [] +``` + +###### OAuth2 Security Requirement + +```json +{ + "petstore_auth": ["write:pets", "read:pets"] +} +``` + +```yaml +petstore_auth: + - write:pets + - read:pets +``` + +###### Optional OAuth2 Security + +Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object: + +```json +{ + "security": [ + {}, + { + "petstore_auth": ["write:pets", "read:pets"] + } + ] +} +``` + +```yaml +security: + - {} + - petstore_auth: + - write:pets + - read:pets +``` + +### Specification Extensions + +While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points. + +The extensions properties are implemented as patterned fields that are always prefixed by `x-`. + +| Field Pattern | Type | Description | +| ---- | :--: | ---- | +| ^x- | Any | Allows extensions to the OpenAPI Schema. The field name MUST begin with `x-`, for example, `x-internal-id`. Field names beginning `x-oai-` and `x-oas-` are reserved for uses defined by the [OpenAPI Initiative](https://www.openapis.org/). The value can be any valid JSON value (`null`, a primitive, an array, or an object.) | + +The OpenAPI Initiative maintains several [[OpenAPI-Registry|extension registries]], including registries for [individual extension keywords](https://spec.openapis.org/registry/extension/) and [extension keyword namespaces](https://spec.openapis.org/registry/namespace/). + +Extensions are one of the best ways to prove the viability of proposed additions to the specification. +It is therefore RECOMMENDED that implementations be designed for extensibility to support community experimentation. + +Support for any one extension is OPTIONAL, and support for one extension does not imply support for others. + +### Security Filtering + +Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation. + +The reasoning is to allow an additional layer of access control over the documentation. +While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization. + +Two examples of this: + +1. The [Paths Object](#paths-object) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#info-object) which may contain additional information regarding authentication. +2. The [Path Item Object](#path-item-object) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#paths-object), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. + +## Security Considerations + +### OpenAPI Description Formats + +OpenAPI Descriptions use a combination of JSON, YAML, and JSON Schema, and therefore share their security considerations: + +* [JSON](https://www.iana.org/assignments/media-types/application/json) +* [YAML](https://www.iana.org/assignments/media-types/application/yaml) +* [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-13) +* [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-10) + +### Tooling and Usage Scenarios + +In addition, OpenAPI Descriptions are processed by a wide variety of tooling for numerous different purposes, such as client code generation, documentation generation, server side routing, and API testing. OpenAPI Description authors must consider the risks of the scenarios where the OpenAPI Description may be used. + +### Security Schemes + +An OpenAPI Description describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. + +### Handling External Resources + +OpenAPI Descriptions may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. + +### Handling Reference Cycles + +References in an OpenAPI Description may cause a cycle. Tooling must detect and handle cycles to prevent resource exhaustion. + +### Markdown and HTML Sanitization + +Certain fields allow the use of Markdown which can contain HTML including script. It is the responsibility of tooling to appropriately sanitize the Markdown. + +## Appendix A: Revision History + +| Version | Date | Notes | +| ---- | ---- | ---- | +| 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | +| 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | +| 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | +| 3.1.0-rc0 | 2020-06-18 | rc0 of the 3.1 specification | +| 3.0.4 | 2024-10-24 | Patch release of the OpenAPI Specification 3.0.4 | +| 3.0.3 | 2020-02-20 | Patch release of the OpenAPI Specification 3.0.3 | +| 3.0.2 | 2018-10-08 | Patch release of the OpenAPI Specification 3.0.2 | +| 3.0.1 | 2017-12-06 | Patch release of the OpenAPI Specification 3.0.1 | +| 3.0.0 | 2017-07-26 | Release of the OpenAPI Specification 3.0.0 | +| 3.0.0-rc2 | 2017-06-16 | rc2 of the 3.0 specification | +| 3.0.0-rc1 | 2017-04-27 | rc1 of the 3.0 specification | +| 3.0.0-rc0 | 2017-02-28 | Implementer's Draft of the 3.0 specification | +| 2.0 | 2015-12-31 | Donation of Swagger 2.0 to the OpenAPI Initiative | +| 2.0 | 2014-09-08 | Release of Swagger 2.0 | +| 1.2 | 2014-03-14 | Initial release of the formal document. | +| 1.1 | 2012-08-22 | Release of Swagger 1.1 | +| 1.0 | 2011-08-10 | First release of the Swagger Specification | + +## Appendix B: Data Type Conversion + +Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. + +[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. +Notably, integers are not a distinct type from other numbers, with `type: "integer"` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. + +The [Parameter Object](#parameter-object), [Header Object](#header-object), and [Encoding Object](#encoding-object) offer features to control how to arrange values from array or object types. +They can also be used to control how strings are further encoded to avoid reserved or illegal characters. +However, there is no general-purpose specification for converting schema-validated non-UTF-8 primitive data types (or entire arrays or objects) to strings. + +Two cases do offer standards-based guidance: + +* [RFC3987](https://datatracker.ietf.org/doc/html/rfc3987#section-3.1) provides guidance for converting non-Unicode strings to UTF-8, particularly in the context of URIs (and by extension, the form media types which use the same encoding rules) +* [RFC6570](https://www.rfc-editor.org/rfc/rfc6570#section-2.3) specifies which values, including but not limited to `null`, are considered _undefined_ and therefore treated specially in the expansion process when serializing based on that specification + +Implementations of RFC6570 often have their own conventions for converting non-string values, but these are implementation-specific and not defined by the RFC itself. +This is one reason for the OpenAPI Specification to leave these conversions as implementation-defined: It allows using RFC6570 implementations regardless of how they choose to perform the conversions. + +To control the serialization of numbers, booleans, and `null` (or other values RFC6570 deems to be undefined) more precisely, schemas can be defined as `type: "string"` and constrained using `pattern`, `enum`, `format`, and other keywords to communicate how applications must pre-convert their data prior to schema validation. +The resulting strings would not require any further type conversion. + +The `format` keyword can assist in serialization. +Some formats (such as `date-time`) are unambiguous, while others (such as [`decimal`](https://spec.openapis.org/registry/format/decimal.html) in the [Format Registry](https://spec.openapis.org/registry/format/)) are less clear. +However, care must be taken with `format` to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored. + +Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types. + +## Appendix C: Using RFC6570-Based Serialization + +Serialization is defined in terms of [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) URI Templates in three scenarios: + +| Object | Condition | +| ---- | ---- | +| [Parameter Object](#parameter-object) | When `schema` is present | +| [Header Object](#header-object) | When `schema` is present | +| [Encoding Object](#encoding-object) | When encoding for `application/x-www-form-urlencoded` and any of `style`, `explode`, or `allowReserved` are used | + +Implementations of this specification MAY use an implementation of RFC6570 to perform variable expansion, however, some caveats apply. + +Note that when using `style: "form"` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. + +When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used. +Note that while [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578) allows using [[RFC3986]] percent-encoding in "file names", it does not otherwise address the use of percent-encoding within the format. +RFC7578 discusses character set and encoding issues for `multipart/form-data` in detail, and it is RECOMMENDED that OpenAPI Description authors read this guidance carefully before deciding to use RFC6570-based serialization with this media type. + +Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. +Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. + +### Equivalences Between Fields and RFC6570 Operators + +Certain field values translate to RFC6570 [operators](https://datatracker.ietf.org/doc/html/rfc6570#section-2.2) (or lack thereof): + +| field | value | equivalent | +| ---- | ---- | ---- | +| style | `"simple"` | _n/a_ | +| style | `"matrix"` | `;` prefix operator | +| style | `"label"` | `.` prefix operator | +| style | `"form"` | `?` prefix operator | +| allowReserved | `false` | _n/a_ | +| allowReserved | `true` | `+` prefix operator | +| explode | `false` | _n/a_ | +| explode | `true` | `*` modifier suffix | + +Multiple `style: "form"` parameters are equivalent to a single RFC6570 [variable list](https://www.rfc-editor.org/rfc/rfc6570#section-2.2) using the `?` prefix operator: + +```YAML +parameters: +- name: foo + in: query + schema: + type: object + explode: true +- name: bar + in: query + schema: + type: string +``` + +This example is equivalent to RFC6570's `{?foo*,bar}`, and **NOT** `{?foo*}{&bar}`. The latter is problematic because if `foo` is not defined, the result will be an invalid URI. +The `&` prefix operator has no equivalent in the Parameter Object. + +Note that RFC6570 does not specify behavior for compound values beyond the single level addressed by `explode`. The result of using objects or arrays where no behavior is clearly specified for them is implementation-defined. + +### Delimiters in Parameter Values + +Delimiters used by RFC6570 expansion, such as the `,` used to join arrays or object values with `style: "simple"`, are all automatically percent-encoded as long as `allowReserved` is `false`. +Note that since RFC6570 does not define a way to parse variables based on a URI Template, users must take care to first split values by delimiter before percent-decoding values that might contain the delimiter character. + +When `allowReserved` is `true`, both percent-encoding (prior to joining values with a delimiter) and percent-decoding (after splitting on the delimiter) must be done manually at the correct time. + +See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for additional guidance on handling delimiters for `style` values with no RFC6570 equivalent that already need to be percent-encoded when used as delimiters. + +### Non-RFC6570 Field Values and Combinations + +Configurations with no direct [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570) equivalent SHOULD also be handled according to RFC6570. +Implementations MAY create a properly delimited URI Template with variables for individual names and values using RFC6570 regular or reserved expansion (based on `allowReserved`). + +This includes: + +* the styles `pipeDelimited`, `spaceDelimited`, and `deepObject`, which have no equivalents at all +* the combination of the style `form` with `allowReserved: true`, which is not allowed because only one prefix operator can be used at a time +* any parameter name that is not a legal RFC6570 variable name + +The Parameter Object's `name` field has a much more permissive syntax than RFC6570 [variable name syntax](https://www.rfc-editor.org/rfc/rfc6570#section-2.3). +A parameter name that includes characters outside of the allowed RFC6570 variable character set MUST be percent-encoded before it can be used in a URI Template. + +### Examples + +Let's say we want to use the following data in a form query string, where `formulas` is exploded, and `words` is not: + +```YAML +formulas: + a: x+y + b: x/y + c: x^y +words: +- math +- is +- fun +``` + +#### RFC6570-Equivalent Expansion + +This array of Parameter Objects uses regular `style: "form"` expansion, fully supported by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570): + +```YAML +parameters: +- name: formulas + in: query + schema: + type: object + additionalProperties: + type: string + explode: true +- name: words + in: query + schema: + type: array + items: + type: string +``` + +This translates to the following URI Template: + +```uritemplate +{?formulas*,words} +``` + +when expanded with the data given earlier, we get: + +```uri +?a=x%2By&b=x%2Fy&c=x%5Ey&words=math,is,fun +``` + +#### Expansion with Non-RFC6570-Supported Options + +But now let's say that (for some reason), we really want that `/` in the `b` formula to show up as-is in the query string, and we want our words to be space-separated like in a written phrase. +To do that, we'll add `allowReserved: true` to `formulas`, and change to `style: "spaceDelimited"` for `words`: + +```YAML +parameters: +- name: formulas + in: query + schema: + type: object + additionalProperties: + type: string + explode: true + allowReserved: true +- name: words + in: query + style: spaceDelimited + explode: false + schema: + type: array + items: + type: string +``` + +We can't combine the `?` and `+` RFC6570 [prefixes](https://datatracker.ietf.org/doc/html/rfc6570#section-2.4.1), and there's no way with RFC6570 to replace the `,` separator with a space character. +So we need to restructure the data to fit a manually constructed URI Template that passes all of the pieces through the right sort of expansion. + +Here is one such template, using a made-up convention of `words.0` for the first entry in the words value, `words.1` for the second, and `words.2` for the third: + +```uritemplate +?a={+a}&b={+b}&c={+c}&words={words.0} {words.1} {words.2} +``` + +RFC6570 [mentions](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.4.2) the use of `.` "to indicate name hierarchy in substructures," but does not define any specific naming convention or behavior for it. +Since the `.` usage is not automatic, we'll need to construct an appropriate input structure for this new template. + +We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. + +Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ +Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. +See also [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. + +So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): + +```YAML +a: x%2By +b: x/y +c: x^y +words.0: math +words.1: is +words.2: fun +``` + +Expanding our manually assembled template with our restructured data yields the following query string: + +```uri +?a=x%2By&b=x/y&c=x%5Ey&words=math%20is%20fun +``` + +The `/` and the pre-percent-encoded `%2B` have been left alone, but the disallowed `^` character (inside a value) and space characters (in the template but outside of the expanded variables) were percent-encoded. + +#### Undefined Values and Manual URI Template Construction + +Care must be taken when manually constructing templates to handle the values that RFC6570 [considers to be _undefined_](https://datatracker.ietf.org/doc/html/rfc6570#section-2.3) correctly: + +```YAML +formulas: {} +words: +- hello +- world +``` + +Using this data with our original RFC6570-friendly URI Template, `{?formulas*,words}`, produces the following: + +```uri +?words=hello,world +``` + +This means that the manually constructed URI Template and restructured data need to leave out the `formulas` object entirely so that the `words` parameter is the first and only parameter in the query string. + +Restructured data: + +```YAML +words.0: hello +words.1: world +``` + +Manually constructed URI Template: + +```uritemplate +?words={words.0} {words.1} +``` + +Result: + +```uri +?words=hello%20world +``` + +#### Illegal Variable Names as Parameter Names + +In this example, the heart emoji is not legal in URI Template names (or URIs): + +```YAML +parameters: +- name: ❤️ + in: query + schema: + type: string +``` + +We can't just pass `❤️: "love!"` to an RFC6570 implementation. +Instead, we have to pre-percent-encode the name (which is a six-octet UTF-8 sequence) in both the data and the URI Template: + +```YAML +"%E2%9D%A4%EF%B8%8F": love! +``` + +```uritemplate +{?%E2%9D%A4%EF%B8%8F} +``` + +This will expand to the result: + +```uri +?%E2%9D%A4%EF%B8%8F=love%21 +``` + +## Appendix D: Serializing Headers and Cookies + +[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. +In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. + +For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). +Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. +While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. + +Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. +While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP (header or trailer) field parameters, these parameters appear after a `;` character. +With `style: "simple"`, that delimiter would itself be percent-encoded, violating the general HTTP field syntax. + +Using `style: "form"` with `in: "cookie"` is ambiguous for a single value, and incorrect for multiple values. +This is true whether the multiple values are the result of using `explode: true` or not. + +This style is specified to be equivalent to RFC6570 form expansion which includes the `?` character (see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details), which is not part of the cookie syntax. +However, examples of this style in past versions of this specification have not included the `?` prefix, suggesting that the comparison is not exact. +Because implementations that rely on an RFC6570 implementation and those that perform custom serialization based on the style example will produce different results, it is implementation-defined as to which of the two results is correct. + +For multiple values, `style: "form"` is always incorrect as name=value pairs in cookies are delimited by `;` (a semicolon followed by a space character) rather than `&`. + +## Appendix E: Percent-Encoding and Form Media Types + +_**NOTE:** In this section, the `application/x-www-form-urlencoded` and `multipart/form-data` media types are abbreviated as `form-urlencoded` and `form-data`, respectively, for readability._ + +Percent-encoding is used in URIs and media types that derive their syntax from URIs. +This process is concerned with three sets of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: + +* _unreserved_ characters do not need to be percent-encoded; while it is safe to percent-encode them, doing so produces a URI that is [not normalized](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) +* _reserved_ characters either have special behavior in the URI syntax (such as delimiting components) or are reserved for other specifications that need to define special behavior (e.g. `form-urlencoded` defines special behavior for `=`, `&`, and `+`) +* _unsafe_ characters are known to cause problems when parsing URIs in certain environments + +Unless otherwise specified, this section uses RFC3986's definition of [reserved](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) and [unreserved](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3), and defines the unsafe set as all characters not included in either of those sets. + +### Percent-Encoding and `form-urlencoded` + +Each URI component (such as the query string) considers some of the reserved characters to be unsafe, either because they serve as delimiters between the components (e.g. `#`), or (in the case of `[` and `]`) were historically considered globally unsafe but were later given reserved status for limited purposes. + +Reserved characters with no special meaning defined within a component can be left un-percent encoded. +However, other specifications can define special meanings, requiring percent-encoding for those characters outside of the additional special meanings. + +The `form-urlencoded` media type defines special meanings for `=` and `&` as delimiters, and `+` as the replacement for the space character (instead of its percent-encoded form of `%20`). +This means that while these three characters are reserved-but-allowed in query strings by RFC3986, they must be percent-encoded in `form-urlencoded` query strings except when used for their `form-urlencoded` purposes; see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for an example of handling `+` in form values. + +### Percent-Encoding and `form-data` + +[RFC7578](https://datatracker.ietf.org/doc/html/rfc7578#section-2) suggests RFC3986-based percent-encoding as a mechanism to keep text-based per-part header data such as file names within the ASCII character set. +This suggestion was not part of older (pre-2015) specifications for `form-data`, so care must be taken to ensure interoperability. + +The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding is not needed and is likely to cause interoperability problems unless the `Content-Type` of the part is defined to require it. + +### Generating and Validating URIs and `form-urlencoded` Strings + +URI percent encoding and the `form-urlencoded` media type have complex specification histories spanning multiple revisions and, in some cases, conflicting claims of ownership by different standards bodies. +Unfortunately, these specifications each define slightly different percent-encoding rules, which need to be taken into account if the URIs or `form-urlencoded` message bodies will be subject to strict validation. +(Note that many URI parsers do not perform validation by default.) + +This specification normatively cites the following relevant standards: + +| Specification | Date | OAS Usage | Percent-Encoding | Notes | +| ---- | ---- | ---- | ---- | ---- | +| [RFC3986](https://www.rfc-editor.org/rfc/rfc3986) | 01/2005 | URI/URL syntax | [[RFC3986]] | obsoletes [[RFC1738]], [[RFC2396]] | +| [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for form‑urlencoded | +| [RFC1866](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | [[RFC1738]] | obsoleted by [[HTML401]] [Section 17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [[URL]] [Section 5](https://url.spec.whatwg.org/#urlencoded-serializing) | + +Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. +See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. + +Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. +Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. + +Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. + +#### Interoperability with Historical Specifications + +In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"`), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. + +Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. + +#### Interoperability with Web Browser Environments + +WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-working-on) standards group that has defined a "URL Living Standard" for parsing and serializing URLs in a browser context, including parsing and serializing `form-urlencoded` data. +WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that [[RFC3986]] forbids. + +Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. +However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference`. + +### Decoding URIs and `form-urlencoded` Strings + +The percent-decoding algorithm does not care which characters were or were not percent-decoded, which means that URIs percent-encoded according to any specification will be decoded correctly. + +Similarly, all `form-urlencoded` decoding algorithms simply add `+`-for-space handling to the percent-decoding algorithm, and will work regardless of the encoding specification used. + +However, care must be taken to use `form-urlencoded` decoding if `+` represents a space, and to use regular percent-decoding if `+` represents itself as a literal value. + +### Percent-Encoding and Illegal or Reserved Delimiters + +The `[`, `]`, `|`, and space characters, which are used as delimiters for the `deepObject`, `pipeDelimited`, and `spaceDelimited` styles, respectively, all MUST be percent-encoded to comply with [[RFC3986]]. +This requires users to pre-encode the character(s) in some other way in parameter names and values to distinguish them from the delimiter usage when using one of these styles. + +The space character is always illegal and encoded in some way by all implementations of all versions of the relevant standards. +While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result. + +Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties, and WHATWG's generic query string rules do not require percent-encoding them. +Code that relies on leaving these delimiters unencoded, while using regular percent-encoding for them within names and values, is not guaranteed to be interoperable across all implementations. + +For maximum interoperability, it is RECOMMENDED to either define and document an additional escape convention while percent-encoding the delimiters for these styles, or to avoid these styles entirely. +The exact method of additional encoding/escaping is left to the API designer, and is expected to be performed before serialization and encoding described in this specification, and reversed after this specification's encoding and serialization steps are reversed. +This keeps it outside of the processes governed by this specification. + +## Appendix F: Resolving Security Requirements in a Referenced Document + +This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. See [Resolving Implicit Connections](#resolving-implicit-connections) for more information. + +First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: + +```HTTP +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "bearer", + "bearerFormat": "JWT" + } + } +}, +"paths": { + "/foo": { + "$ref": "other#/components/pathItems/Foo" + } +} +``` + +```HTTP +GET /api/description/openapi HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: bearer + bearerFormat: JWT +paths: + /foo: + $ref: 'other#/components/pathItems/Foo' +``` + +This entry document references another document, `other`, without using a file extension. This gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: + +```HTTP +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+json +``` + +```json +"components": { + "securitySchemes": { + "MySecurity": { + "type": "http", + "scheme": "basic" + } + }, + "pathItems": { + "Foo": { + "get": { + "security": [ + "MySecurity": [] + ] + } + } + } +} +``` + +```HTTP +GET /api/description/other HTTP/1.1 +Host: www.example.com +Accept: application/openapi+yaml +``` + +```yaml +components: + securitySchemes: + MySecurity: + type: http + scheme: basic + pathItems: + Foo: + get: + security: + - MySecurity: [] +``` + +In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. diff --git a/src/schemas/validation/README.md b/src/schemas/validation/README.md new file mode 100644 index 0000000000..57501dfc51 --- /dev/null +++ b/src/schemas/validation/README.md @@ -0,0 +1,69 @@ +# OpenAPI 3.X.Y JSON Schema + +This directory contains the YAML sources for generating the JSON Schemas for validating OpenAPI definitions of versions 3.X.Y, which are published on [https://spec.openapis.org](https://spec.openapis.org). + +Due to limitations of GitHub pages, the schemas on the spec site are served with `Content-Type: application/octet-stream`, but should be interpreted as `application/schema+json`. + +The sources in this directory, which have `WORK-IN-PROGRESS` in their `$id`s, are _not intended for direct use_. + +## Schema `$id` dates + +The published schemas on the spec site have an _iteration date_ in their `id`s. +This allows the schemas for a release line to be updated independent of the spec patch release cycle. + +The iteration version of the JSON Schema can be found in the `$id` field. +For example, the value of `$id: https://spec.openapis.org/oas/3.1/schema/2021-03-02` means this iteration was created on March 2nd, 2021. + +We are [working on](https://github.com/OAI/OpenAPI-Specification/issues/4152) how to best provide programmatic access for determining the latest date for each schema. + +## Choosing which schema to use + +There are two schemas to choose from for versions 3.1 and greater, both of which have an `$id` that starts with `https://spec.openapis.org/oas/3.X/` and ends with the iteration date: + +* `https://spec.openapis.org/oas/3.X/schema/{date}`, source: `schema.yaml` — A self-contained schema that _does not_ validate Schema Objects beyond `type: [object, boolean]` +* `https://spec.openapis.org/oas/3.1/schema-base/{date}`, source: `schema-base.yaml` — A schema that combines the self-contained schema and the "base" dialect schema to validate Schema Objects with the dialect; this schema does not allow changing `$schema` or `jsonSchemaDialect` to other dialects + +Two metaschemas define the OAS "base" dialect: + +* `https://spec.openapis.org/oas/3.X/meta/{date}`, source: `meta.yaml` — The vocabulary metaschema for OAS 3.X's extensions to draft 2020-12 +* `https://spec.openapis.org/oas/3.X/dialect/{date}`, source: `dialect.yaml` — The dialect metaschema that extends the standard `draft/2020-12` metaschema by adding the OAS "base" vocabulary + +The name "base" for the dialect was intended to indicate that the OAS dialect could be further extended. + +~~~mermaid +flowchart LR + schema_base + schema + dialect + meta + schema --> |default| dialect + schema_base --> |$ref| schema + schema_base --> |$ref| dialect + dialect --> |$ref| meta +~~~ + +An additional schema that validates the Schema Object with the OAS 3.X dialect but does not restrict changing `$schema` is [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4147). + +## Improving the schemas + +As a reminder, the JSON Schema is not the source of truth for the Specification. In cases of conflicts between the Specification itself and the JSON Schema, the Specification wins. Also, some Specification constraints cannot be represented with the JSON Schema so it's highly recommended to employ other methods to ensure compliance. + +The schema only validates the mandatory aspects of the OAS. +Validating requirements that are optional, or field usage that has undefined or ignored behavior are not within the scope of this schema. +Schemas to perform additional optional validation are [under consideration](https://github.com/OAI/OpenAPI-Specification/issues/4141). + +Improvements can be submitted by opening a PR against the `vX.Y-dev` branch of the respective specification version. + +Modify the `schema.yaml` file and add test cases for your changes. + +The TSC will then: +- Run tests on the updated schema +- Update the iteration version +- Publish the new version + +The [test suite](../../../tests/schema) is part of this package. + +```bash +npm install +npm test +``` diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml new file mode 100644 index 0000000000..d300d94feb --- /dev/null +++ b/src/schemas/validation/dialect.yaml @@ -0,0 +1,21 @@ +$id: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +$schema: https://json-schema.org/draft/2020-12/schema + +title: OpenAPI 3.1 Schema Object Dialect +description: A JSON Schema dialect describing schemas found in OpenAPI v3.1 Descriptions + +$dynamicAnchor: meta + +$vocabulary: + https://json-schema.org/draft/2020-12/vocab/applicator: true + https://json-schema.org/draft/2020-12/vocab/content: true + https://json-schema.org/draft/2020-12/vocab/core: true + https://json-schema.org/draft/2020-12/vocab/format-annotation: true + https://json-schema.org/draft/2020-12/vocab/meta-data: true + https://json-schema.org/draft/2020-12/vocab/unevaluated: true + https://json-schema.org/draft/2020-12/vocab/validation: true + https://spec.openapis.org/oas/3.1/vocab/base: false + +allOf: + - $ref: https://json-schema.org/draft/2020-12/schema + - $ref: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml new file mode 100644 index 0000000000..6cfce4976d --- /dev/null +++ b/src/schemas/validation/meta.yaml @@ -0,0 +1,70 @@ +$id: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS +$schema: https://json-schema.org/draft/2020-12/schema + +title: OAS Base Vocabulary +description: A JSON Schema Vocabulary used in the OpenAPI Schema Dialect + +$dynamicAnchor: meta + +$vocabulary: + https://spec.openapis.org/oas/3.1/vocab/base: true + +type: + - object + - boolean +properties: + discriminator: + $ref: '#/$defs/discriminator' + example: true + externalDocs: + $ref: '#/$defs/external-docs' + xml: + $ref: '#/$defs/xml' + +$defs: + discriminator: + $ref: '#/$defs/extensible' + properties: + mapping: + additionalProperties: + type: string + type: object + propertyName: + type: string + required: + - propertyName + type: object + unevaluatedProperties: false + + extensible: + patternProperties: + ^x-: true + external-docs: + $ref: '#/$defs/extensible' + properties: + description: + type: string + url: + format: uri-reference + type: string + required: + - url + type: object + unevaluatedProperties: false + + xml: + $ref: '#/$defs/extensible' + properties: + attribute: + type: boolean + name: + type: string + namespace: + format: uri + type: string + prefix: + type: string + wrapped: + type: boolean + type: object + unevaluatedProperties: false diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml new file mode 100644 index 0000000000..ea239c03e9 --- /dev/null +++ b/src/schemas/validation/schema-base.yaml @@ -0,0 +1,20 @@ +$id: 'https://spec.openapis.org/oas/3.1/schema-base/WORK-IN-PROGRESS' +$schema: 'https://json-schema.org/draft/2020-12/schema' + +description: The description of OpenAPI v3.1.x Documents using the OpenAPI JSON Schema dialect + +$ref: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +properties: + jsonSchemaDialect: + $ref: '#/$defs/dialect' + +$defs: + dialect: + const: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + + schema: + $dynamicAnchor: meta + $ref: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + properties: + $schema: + $ref: '#/$defs/dialect' diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml new file mode 100644 index 0000000000..54c49a2f97 --- /dev/null +++ b/src/schemas/validation/schema.yaml @@ -0,0 +1,974 @@ +$id: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +$schema: 'https://json-schema.org/draft/2020-12/schema' + +description: The description of OpenAPI v3.1.x Documents without Schema Object validation + +type: object +properties: + openapi: + type: string + pattern: '^3\.1\.\d+(-.+)?$' + info: + $ref: '#/$defs/info' + jsonSchemaDialect: + type: string + format: uri + default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + servers: + type: array + items: + $ref: '#/$defs/server' + default: + - url: / + paths: + $ref: '#/$defs/paths' + webhooks: + type: object + additionalProperties: + $ref: '#/$defs/path-item' + components: + $ref: '#/$defs/components' + security: + type: array + items: + $ref: '#/$defs/security-requirement' + tags: + type: array + items: + $ref: '#/$defs/tag' + externalDocs: + $ref: '#/$defs/external-documentation' +required: + - openapi + - info +anyOf: + - required: + - paths + - required: + - components + - required: + - webhooks +$ref: '#/$defs/specification-extensions' +unevaluatedProperties: false + +$defs: + info: + $comment: https://spec.openapis.org/oas/v3.1#info-object + type: object + properties: + title: + type: string + summary: + type: string + description: + type: string + termsOfService: + type: string + format: uri + contact: + $ref: '#/$defs/contact' + license: + $ref: '#/$defs/license' + version: + type: string + required: + - title + - version + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + contact: + $comment: https://spec.openapis.org/oas/v3.1#contact-object + type: object + properties: + name: + type: string + url: + type: string + format: uri + email: + type: string + format: email + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + license: + $comment: https://spec.openapis.org/oas/v3.1#license-object + type: object + properties: + name: + type: string + identifier: + type: string + url: + type: string + format: uri + required: + - name + dependentSchemas: + identifier: + not: + required: + - url + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + server: + $comment: https://spec.openapis.org/oas/v3.1#server-object + type: object + properties: + url: + type: string + description: + type: string + variables: + type: object + additionalProperties: + $ref: '#/$defs/server-variable' + required: + - url + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + server-variable: + $comment: https://spec.openapis.org/oas/v3.1#server-variable-object + type: object + properties: + enum: + type: array + items: + type: string + minItems: 1 + default: + type: string + description: + type: string + required: + - default + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + components: + $comment: https://spec.openapis.org/oas/v3.1#components-object + type: object + properties: + schemas: + type: object + additionalProperties: + $dynamicRef: '#meta' + responses: + type: object + additionalProperties: + $ref: '#/$defs/response-or-reference' + parameters: + type: object + additionalProperties: + $ref: '#/$defs/parameter-or-reference' + examples: + type: object + additionalProperties: + $ref: '#/$defs/example-or-reference' + requestBodies: + type: object + additionalProperties: + $ref: '#/$defs/request-body-or-reference' + headers: + type: object + additionalProperties: + $ref: '#/$defs/header-or-reference' + securitySchemes: + type: object + additionalProperties: + $ref: '#/$defs/security-scheme-or-reference' + links: + type: object + additionalProperties: + $ref: '#/$defs/link-or-reference' + callbacks: + type: object + additionalProperties: + $ref: '#/$defs/callbacks-or-reference' + pathItems: + type: object + additionalProperties: + $ref: '#/$defs/path-item' + patternProperties: + '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': + $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected + propertyNames: + pattern: '^[a-zA-Z0-9._-]+$' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + paths: + $comment: https://spec.openapis.org/oas/v3.1#paths-object + type: object + patternProperties: + '^/': + $ref: '#/$defs/path-item' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + path-item: + $comment: https://spec.openapis.org/oas/v3.1#path-item-object + type: object + properties: + $ref: + type: string + format: uri-reference + summary: + type: string + description: + type: string + servers: + type: array + items: + $ref: '#/$defs/server' + parameters: + type: array + items: + $ref: '#/$defs/parameter-or-reference' + get: + $ref: '#/$defs/operation' + put: + $ref: '#/$defs/operation' + post: + $ref: '#/$defs/operation' + delete: + $ref: '#/$defs/operation' + options: + $ref: '#/$defs/operation' + head: + $ref: '#/$defs/operation' + patch: + $ref: '#/$defs/operation' + trace: + $ref: '#/$defs/operation' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + operation: + $comment: https://spec.openapis.org/oas/v3.1#operation-object + type: object + properties: + tags: + type: array + items: + type: string + summary: + type: string + description: + type: string + externalDocs: + $ref: '#/$defs/external-documentation' + operationId: + type: string + parameters: + type: array + items: + $ref: '#/$defs/parameter-or-reference' + requestBody: + $ref: '#/$defs/request-body-or-reference' + responses: + $ref: '#/$defs/responses' + callbacks: + type: object + additionalProperties: + $ref: '#/$defs/callbacks-or-reference' + deprecated: + default: false + type: boolean + security: + type: array + items: + $ref: '#/$defs/security-requirement' + servers: + type: array + items: + $ref: '#/$defs/server' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + external-documentation: + $comment: https://spec.openapis.org/oas/v3.1#external-documentation-object + type: object + properties: + description: + type: string + url: + type: string + format: uri + required: + - url + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + parameter: + $comment: https://spec.openapis.org/oas/v3.1#parameter-object + type: object + properties: + name: + type: string + in: + enum: + - query + - header + - path + - cookie + description: + type: string + required: + default: false + type: boolean + deprecated: + default: false + type: boolean + schema: + $dynamicRef: '#meta' + content: + $ref: '#/$defs/content' + minProperties: 1 + maxProperties: 1 + required: + - name + - in + oneOf: + - required: + - schema + - required: + - content + if: + properties: + in: + const: query + required: + - in + then: + properties: + allowEmptyValue: + default: false + type: boolean + dependentSchemas: + schema: + properties: + style: + type: string + explode: + type: boolean + allOf: + - $ref: '#/$defs/examples' + - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' + - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' + - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' + - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-cookie' + - $ref: '#/$defs/styles-for-form' + + $defs: + styles-for-path: + if: + properties: + in: + const: path + required: + - in + then: + properties: + style: + default: simple + enum: + - matrix + - label + - simple + required: + const: true + required: + - required + + styles-for-header: + if: + properties: + in: + const: header + required: + - in + then: + properties: + style: + default: simple + const: simple + + styles-for-query: + if: + properties: + in: + const: query + required: + - in + then: + properties: + style: + default: form + enum: + - form + - spaceDelimited + - pipeDelimited + - deepObject + allowReserved: + default: false + type: boolean + + styles-for-cookie: + if: + properties: + in: + const: cookie + required: + - in + then: + properties: + style: + default: form + const: form + + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + parameter-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/parameter' + + request-body: + $comment: https://spec.openapis.org/oas/v3.1#request-body-object + type: object + properties: + description: + type: string + content: + $ref: '#/$defs/content' + required: + default: false + type: boolean + required: + - content + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + request-body-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/request-body' + + content: + $comment: https://spec.openapis.org/oas/v3.1#fixed-fields-10 + type: object + additionalProperties: + $ref: '#/$defs/media-type' + propertyNames: + format: media-range + + media-type: + $comment: https://spec.openapis.org/oas/v3.1#media-type-object + type: object + properties: + schema: + $dynamicRef: '#meta' + encoding: + type: object + additionalProperties: + $ref: '#/$defs/encoding' + allOf: + - $ref: '#/$defs/specification-extensions' + - $ref: '#/$defs/examples' + unevaluatedProperties: false + + encoding: + $comment: https://spec.openapis.org/oas/v3.1#encoding-object + type: object + properties: + contentType: + type: string + format: media-range + headers: + type: object + additionalProperties: + $ref: '#/$defs/header-or-reference' + style: + default: form + enum: + - form + - spaceDelimited + - pipeDelimited + - deepObject + explode: + type: boolean + allowReserved: + default: false + type: boolean + allOf: + - $ref: '#/$defs/specification-extensions' + - $ref: '#/$defs/styles-for-form' + unevaluatedProperties: false + + responses: + $comment: https://spec.openapis.org/oas/v3.1#responses-object + type: object + properties: + default: + $ref: '#/$defs/response-or-reference' + patternProperties: + '^[1-5](?:[0-9]{2}|XX)$': + $ref: '#/$defs/response-or-reference' + minProperties: 1 + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + if: + $comment: either default, or at least one response code property must exist + patternProperties: + '^[1-5](?:[0-9]{2}|XX)$': false + then: + required: [default] + + response: + $comment: https://spec.openapis.org/oas/v3.1#response-object + type: object + properties: + description: + type: string + headers: + type: object + additionalProperties: + $ref: '#/$defs/header-or-reference' + content: + $ref: '#/$defs/content' + links: + type: object + additionalProperties: + $ref: '#/$defs/link-or-reference' + required: + - description + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + response-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/response' + + callbacks: + $comment: https://spec.openapis.org/oas/v3.1#callback-object + type: object + $ref: '#/$defs/specification-extensions' + additionalProperties: + $ref: '#/$defs/path-item' + + callbacks-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/callbacks' + + example: + $comment: https://spec.openapis.org/oas/v3.1#example-object + type: object + properties: + summary: + type: string + description: + type: string + value: true + externalValue: + type: string + format: uri + not: + required: + - value + - externalValue + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + example-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/example' + + link: + $comment: https://spec.openapis.org/oas/v3.1#link-object + type: object + properties: + operationRef: + type: string + format: uri-reference + operationId: + type: string + parameters: + $ref: '#/$defs/map-of-strings' + requestBody: true + description: + type: string + body: + $ref: '#/$defs/server' + oneOf: + - required: + - operationRef + - required: + - operationId + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + link-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/link' + + header: + $comment: https://spec.openapis.org/oas/v3.1#header-object + type: object + properties: + description: + type: string + required: + default: false + type: boolean + deprecated: + default: false + type: boolean + schema: + $dynamicRef: '#meta' + content: + $ref: '#/$defs/content' + minProperties: 1 + maxProperties: 1 + oneOf: + - required: + - schema + - required: + - content + dependentSchemas: + schema: + properties: + style: + default: simple + const: simple + explode: + default: false + type: boolean + $ref: '#/$defs/examples' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + header-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/header' + + tag: + $comment: https://spec.openapis.org/oas/v3.1#tag-object + type: object + properties: + name: + type: string + description: + type: string + externalDocs: + $ref: '#/$defs/external-documentation' + required: + - name + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + reference: + $comment: https://spec.openapis.org/oas/v3.1#reference-object + type: object + properties: + $ref: + type: string + format: uri-reference + summary: + type: string + description: + type: string + + schema: + $comment: https://spec.openapis.org/oas/v3.1#schema-object + $dynamicAnchor: meta + type: + - object + - boolean + + security-scheme: + $comment: https://spec.openapis.org/oas/v3.1#security-scheme-object + type: object + properties: + type: + enum: + - apiKey + - http + - mutualTLS + - oauth2 + - openIdConnect + description: + type: string + required: + - type + allOf: + - $ref: '#/$defs/specification-extensions' + - $ref: '#/$defs/security-scheme/$defs/type-apikey' + - $ref: '#/$defs/security-scheme/$defs/type-http' + - $ref: '#/$defs/security-scheme/$defs/type-http-bearer' + - $ref: '#/$defs/security-scheme/$defs/type-oauth2' + - $ref: '#/$defs/security-scheme/$defs/type-oidc' + unevaluatedProperties: false + + $defs: + type-apikey: + if: + properties: + type: + const: apiKey + required: + - type + then: + properties: + name: + type: string + in: + enum: + - query + - header + - cookie + required: + - name + - in + + type-http: + if: + properties: + type: + const: http + required: + - type + then: + properties: + scheme: + type: string + required: + - scheme + + type-http-bearer: + if: + properties: + type: + const: http + scheme: + type: string + pattern: ^[Bb][Ee][Aa][Rr][Ee][Rr]$ + required: + - type + - scheme + then: + properties: + bearerFormat: + type: string + + type-oauth2: + if: + properties: + type: + const: oauth2 + required: + - type + then: + properties: + flows: + $ref: '#/$defs/oauth-flows' + required: + - flows + + type-oidc: + if: + properties: + type: + const: openIdConnect + required: + - type + then: + properties: + openIdConnectUrl: + type: string + format: uri + required: + - openIdConnectUrl + + security-scheme-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/security-scheme' + + oauth-flows: + type: object + properties: + implicit: + $ref: '#/$defs/oauth-flows/$defs/implicit' + password: + $ref: '#/$defs/oauth-flows/$defs/password' + clientCredentials: + $ref: '#/$defs/oauth-flows/$defs/client-credentials' + authorizationCode: + $ref: '#/$defs/oauth-flows/$defs/authorization-code' + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + $defs: + implicit: + type: object + properties: + authorizationUrl: + type: string + format: uri + refreshUrl: + type: string + format: uri + scopes: + $ref: '#/$defs/map-of-strings' + required: + - authorizationUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + password: + type: object + properties: + tokenUrl: + type: string + format: uri + refreshUrl: + type: string + format: uri + scopes: + $ref: '#/$defs/map-of-strings' + required: + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + client-credentials: + type: object + properties: + tokenUrl: + type: string + format: uri + refreshUrl: + type: string + format: uri + scopes: + $ref: '#/$defs/map-of-strings' + required: + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + authorization-code: + type: object + properties: + authorizationUrl: + type: string + format: uri + tokenUrl: + type: string + format: uri + refreshUrl: + type: string + format: uri + scopes: + $ref: '#/$defs/map-of-strings' + required: + - authorizationUrl + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + + security-requirement: + $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object + type: object + additionalProperties: + type: array + items: + type: string + + specification-extensions: + $comment: https://spec.openapis.org/oas/v3.1#specification-extensions + patternProperties: + '^x-': true + + examples: + properties: + example: true + examples: + type: object + additionalProperties: + $ref: '#/$defs/example-or-reference' + + map-of-strings: + type: object + additionalProperties: + type: string + + styles-for-form: + if: + properties: + style: + const: form + required: + - style + then: + properties: + explode: + default: true + else: + properties: + explode: + default: false diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml new file mode 100644 index 0000000000..d295b1f0ed --- /dev/null +++ b/tests/schema/fail/invalid_schema_types.yaml @@ -0,0 +1,13 @@ +openapi: 3.1.1 + +# this example shows invalid types for the schemaObject + +info: + title: API + version: 1.0.0 +components: + schemas: + invalid_null: null + invalid_number: 0 + invalid_array: [] + diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml new file mode 100644 index 0000000000..c158bcb2b6 --- /dev/null +++ b/tests/schema/fail/no_containers.yaml @@ -0,0 +1,7 @@ +openapi: 3.1.0 + +# this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) + +info: + title: API + version: 1.0.0 diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml new file mode 100644 index 0000000000..cd6d30eb3e --- /dev/null +++ b/tests/schema/fail/server_enum_empty.yaml @@ -0,0 +1,14 @@ +openapi: 3.1.0 + +# this example should fail as the server variable enum is empty, and so does not contain the default value + +info: + title: API + version: 1.0.0 +servers: + - url: https://example.com/{var} + variables: + var: + enum: [] + default: a +components: {} diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml new file mode 100644 index 0000000000..1470fe1ec8 --- /dev/null +++ b/tests/schema/fail/servers.yaml @@ -0,0 +1,11 @@ +openapi: 3.1.0 + +# this example should fail, as servers must be an array, not an object + +info: + title: API + version: 1.0.0 +paths: {} +servers: + url: /v1 + description: Run locally. diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml new file mode 100644 index 0000000000..7f31e86053 --- /dev/null +++ b/tests/schema/fail/unknown_container.yaml @@ -0,0 +1,8 @@ +openapi: 3.1.0 + +# this example should fail as overlays is not a valid top-level object/keyword + +info: + title: API + version: 1.0.0 +overlays: {} diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml new file mode 100644 index 0000000000..502ca1fca2 --- /dev/null +++ b/tests/schema/pass/comp_pathitems.yaml @@ -0,0 +1,6 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: + pathItems: {} diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml new file mode 100644 index 0000000000..30d224afc2 --- /dev/null +++ b/tests/schema/pass/info_summary.yaml @@ -0,0 +1,6 @@ +openapi: 3.1.0 +info: + title: API + summary: My lovely API + version: 1.0.0 +components: {} diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml new file mode 100644 index 0000000000..ae0ed863b3 --- /dev/null +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -0,0 +1,15 @@ +openapi: 3.1.0 +info: + summary: Testing jsonSchemaDialect + title: My API + version: 1.0.0 + license: + name: Apache 2.0 + identifier: Apache-2.0 +jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +components: + schemas: + WithDollarSchema: + $id: "locked-metaschema" + $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +paths: {} diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml new file mode 100644 index 0000000000..fbdba5efbe --- /dev/null +++ b/tests/schema/pass/license_identifier.yaml @@ -0,0 +1,9 @@ +openapi: 3.1.0 +info: + title: API + summary: My lovely API + version: 1.0.0 + license: + name: Apache + identifier: Apache-2.0 +components: {} diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml new file mode 100644 index 0000000000..98ce577dce --- /dev/null +++ b/tests/schema/pass/mega.yaml @@ -0,0 +1,48 @@ +openapi: 3.1.0 +info: + summary: My API's summary + title: My API + version: 1.0.0 + license: + name: Apache 2.0 + identifier: Apache-2.0 +paths: + /: + get: + parameters: [] + /{pathTest}: {} +webhooks: + myWebhook: + $ref: '#/components/pathItems/myPathItem' + description: Overriding description +components: + securitySchemes: + mtls: + type: mutualTLS + pathItems: + myPathItem: + post: + requestBody: + required: true + content: + 'application/json': + schema: + type: object + properties: + type: + type: string + int: + type: integer + exclusiveMaximum: 100 + exclusiveMinimum: 0 + none: + type: 'null' + arr: + type: array + $comment: Array without items keyword + either: + type: ['string','null'] + discriminator: + propertyName: type + x-extension: true + myArbitraryKeyword: true diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml new file mode 100644 index 0000000000..4553689ab4 --- /dev/null +++ b/tests/schema/pass/minimal_comp.yaml @@ -0,0 +1,5 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +components: {} diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml new file mode 100644 index 0000000000..e67b2889de --- /dev/null +++ b/tests/schema/pass/minimal_hooks.yaml @@ -0,0 +1,5 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +webhooks: {} diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml new file mode 100644 index 0000000000..016e86796f --- /dev/null +++ b/tests/schema/pass/minimal_paths.yaml @@ -0,0 +1,5 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: {} diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml new file mode 100644 index 0000000000..e757452f38 --- /dev/null +++ b/tests/schema/pass/non-oauth-scopes.yaml @@ -0,0 +1,19 @@ +openapi: 3.1.0 +info: + title: Non-oAuth Scopes example + version: 1.0.0 +paths: + /users: + get: + security: + - bearerAuth: + - 'read:users' + - 'public' +components: + securitySchemes: + bearerAuth: + type: http + scheme: bearer + bearerFormat: jwt + description: 'note: non-oauth scopes are not defined at the securityScheme level' + diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml new file mode 100644 index 0000000000..334608f111 --- /dev/null +++ b/tests/schema/pass/path_no_response.yaml @@ -0,0 +1,7 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /: + get: {} diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml new file mode 100644 index 0000000000..ba92742f10 --- /dev/null +++ b/tests/schema/pass/path_var_empty_pathitem.yaml @@ -0,0 +1,6 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: + /{var}: {} diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml new file mode 100644 index 0000000000..e192529a68 --- /dev/null +++ b/tests/schema/pass/schema.yaml @@ -0,0 +1,55 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: {} +components: + schemas: + model: + type: object + properties: + one: + description: type array + type: + - integer + - string + two: + description: type 'null' + type: "null" + three: + description: type array including 'null' + type: + - string + - "null" + four: + description: array with no items + type: array + five: + description: singular example + type: string + examples: + - exampleValue + six: + description: exclusiveMinimum true + exclusiveMinimum: 10 + seven: + description: exclusiveMinimum false + minimum: 10 + eight: + description: exclusiveMaximum true + exclusiveMaximum: 20 + nine: + description: exclusiveMaximum false + maximum: 20 + ten: + description: nullable string + type: + - string + - "null" + eleven: + description: x-nullable string + type: + - string + - "null" + twelve: + description: file/binary diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml new file mode 100644 index 0000000000..77a20498da --- /dev/null +++ b/tests/schema/pass/servers.yaml @@ -0,0 +1,10 @@ +openapi: 3.1.0 +info: + title: API + version: 1.0.0 +paths: {} +servers: + - url: /v1 + description: Run locally. + - url: https://production.com/v1 + description: Run on production server. diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml new file mode 100644 index 0000000000..4431adcda5 --- /dev/null +++ b/tests/schema/pass/valid_schema_types.yaml @@ -0,0 +1,14 @@ +openapi: 3.1.1 + +# this example shows that top-level schemaObjects MAY be booleans + +info: + title: API + version: 1.0.0 +components: + schemas: + anything_boolean: true + nothing_boolean: false + anything_object: {} + nothing_object: { not: {} } + diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml new file mode 100644 index 0000000000..2ac1cda985 --- /dev/null +++ b/tests/schema/pass/webhook-example.yaml @@ -0,0 +1,35 @@ +openapi: 3.1.0 +info: + title: Webhook Example + version: 1.0.0 +# Since OAS 3.1.0 the paths element isn't necessary. Now a valid OpenAPI Document can describe only paths, webhooks, or even only reusable components +webhooks: + # Each webhook needs a name + newPet: + # This is a Path Item Object, the only difference is that the request is initiated by the API provider + post: + requestBody: + description: Information about a new pet in the system + content: + application/json: + schema: + $ref: "#/components/schemas/Pet" + responses: + "200": + description: Return a 200 status to indicate that the data was received successfully + +components: + schemas: + Pet: + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + tag: + type: string + diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs new file mode 100644 index 0000000000..e7b84f0a74 --- /dev/null +++ b/tests/schema/schema.test.mjs @@ -0,0 +1,38 @@ +import { readdirSync, readFileSync } from "node:fs"; +import YAML from "yaml"; +import { describe, test, expect } from "vitest"; +import { registerSchema } from "@hyperjump/json-schema-coverage/vitest"; +import registerOasSchema from "./oas-schema.mjs"; + +const parseYamlFromFile = (filePath) => { + const schemaYaml = readFileSync(filePath, "utf8"); + return YAML.parse(schemaYaml, { prettyErrors: true }); +}; + +await registerOasSchema(); +await registerSchema("./src/schemas/validation/schema.yaml"); +const fixtures = './tests/schema'; + +describe("v3.1", () => { + describe("Pass", () => { + readdirSync(`${fixtures}/pass`, { withFileTypes: true }) + .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) + .forEach((entry) => { + test(entry.name, async () => { + const instance = parseYamlFromFile(`${fixtures}/pass/${entry.name}`); + await expect(instance).to.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); + }); + }); + }); + + describe("Fail", () => { + readdirSync(`${fixtures}/fail`, { withFileTypes: true }) + .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name)) + .forEach((entry) => { + test(entry.name, async () => { + const instance = parseYamlFromFile(`${fixtures}/fail/${entry.name}`); + await expect(instance).to.not.matchJsonSchema("./src/schemas/validation/schema-base.yaml"); + }); + }); + }); +}); From f60b80ad8c46ab9c8e808efb4fc23995c2eb1776 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 4 Oct 2025 18:48:08 +0200 Subject: [PATCH 87/91] sync dev with main via sync branch - create sync branch from dev - merge main into sync branch - restore src/* and tests/* from dev - commit & push - create PR if necessary --- .github/workflows/sync-main-to-dev.yaml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sync-main-to-dev.yaml b/.github/workflows/sync-main-to-dev.yaml index d480254da8..06ad0fdef4 100644 --- a/.github/workflows/sync-main-to-dev.yaml +++ b/.github/workflows/sync-main-to-dev.yaml @@ -11,6 +11,7 @@ on: push: branches: - main + workflow_dispatch: {} jobs: sync-branch: @@ -25,22 +26,36 @@ jobs: - name: Checkout repository uses: actions/checkout@v5 + with: + fetch-depth: 0 + token: ${{ steps.generate-token.outputs.token }} - name: Create pull request id: pull_request shell: bash run: | - EXISTS=$(gh pr list --base $BASE --head $HEAD \ + git config user.name ${GITHUB_ACTOR} + git config user.email "a@b.c" + SYNC="$BASE-sync-with-$HEAD" + + git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE + git merge origin/$HEAD -m "Merge $HEAD into $SYNC" + git checkout origin/$BASE src/* + git checkout origin/$BASE tests/* + git commit -m "Restored src/* and tests/*" || echo "" + git push -u origin $SYNC + + EXISTS=$(gh pr list --base $BASE --head $SYNC \ --json number --jq '.[] | .number') if [ ! -z "$EXISTS" ]; then - echo "PR #$EXISTS already wants to merge $HEAD into $BASE" + echo "PR #$EXISTS already wants to merge $SYNC into $BASE" exit 0 fi - gh pr create --base $BASE --head $HEAD \ + gh pr create --base $BASE --head $SYNC \ --label "Housekeeping" \ - --title "$BASE: update from $HEAD" \ - --body "Merge \`$HEAD\` into \`$BASE\`." + --title "$BASE: sync with $HEAD" \ + --body "Merge relevant changes from \`$HEAD\` into \`$BASE\`." env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} HEAD: main From ea8eb918ae39bf956c6aaddcde1028eef6a00728 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sat, 4 Oct 2025 23:17:10 +0200 Subject: [PATCH 88/91] Update sync-dev-to-vX.Y-dev.yaml Align with sync-main-to-dev.yaml --- .github/workflows/sync-dev-to-vX.Y-dev.yaml | 28 +++++++++++++++------ .github/workflows/sync-main-to-dev.yaml | 4 +-- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/.github/workflows/sync-dev-to-vX.Y-dev.yaml b/.github/workflows/sync-dev-to-vX.Y-dev.yaml index 0ace68b375..6702c67de1 100644 --- a/.github/workflows/sync-dev-to-vX.Y-dev.yaml +++ b/.github/workflows/sync-dev-to-vX.Y-dev.yaml @@ -11,6 +11,7 @@ on: push: branches: - dev + workflow_dispatch: {} jobs: sync-branches: @@ -22,36 +23,49 @@ jobs: with: app-id: ${{ secrets.OAI_SPEC_PUBLISHER_APPID }} private-key: ${{ secrets.OAI_SPEC_PUBLISHER_PRIVATE_KEY }} - + - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 0 + token: ${{ steps.generate-token.outputs.token }} - name: Create pull requests id: pull_requests shell: bash run: | + git config user.name ${GITHUB_ACTOR} + git config user.email "a@b.c" + DEV_BRANCHES=$(git branch -r --list origin/v?.?-dev) for DEV_BRANCH in $DEV_BRANCHES; do BASE=${DEV_BRANCH:7} - EXISTS=$(gh pr list --base $BASE --head $HEAD \ + SYNC="$BASE-sync-with-$HEAD" + + git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE + git merge origin/$HEAD -m "Merge $HEAD into $SYNC" + git checkout origin/$BASE src/* + git checkout origin/$BASE tests/* + git commit -m "Restored src/* and tests/*" || echo "" + git push -u origin $SYNC + + EXISTS=$(gh pr list --base $BASE --head $SYNC \ --json number --jq '.[] | .number') if [ ! -z "$EXISTS" ]; then - echo "PR #$EXISTS already wants to merge $HEAD into $BASE" + echo "PR #$EXISTS already wants to merge $SYNC into $BASE" continue fi - PR=$(gh pr create --base $BASE --head $HEAD \ + PR=$(gh pr create --base $BASE --head $SYNC \ --label "Housekeeping" \ - --title "$BASE: update from $HEAD" \ - --body "Merge \`$HEAD\` into \`$BASE\`.") + --title "$BASE: sync with $HEAD" \ + --body "Merge relevant changes from \`$HEAD\` into \`$BASE\`.") echo "" echo "PR to sync $DEV_BRANCH: $PR" sleep 10 # allow status checks to be triggered gh pr checks $PR --watch --required || continue - gh pr merge $PR --merge --admin + # gh pr merge $PR --merge --admin done env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/sync-main-to-dev.yaml b/.github/workflows/sync-main-to-dev.yaml index 5027794d6d..06ad0fdef4 100644 --- a/.github/workflows/sync-main-to-dev.yaml +++ b/.github/workflows/sync-main-to-dev.yaml @@ -40,8 +40,8 @@ jobs: git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE git merge origin/$HEAD -m "Merge $HEAD into $SYNC" - git checkout origin/dev src/* - git checkout origin/dev tests/* + git checkout origin/$BASE src/* + git checkout origin/$BASE tests/* git commit -m "Restored src/* and tests/*" || echo "" git push -u origin $SYNC From 55336a3ef890c571664c7faa7c717888b4542b90 Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sun, 5 Oct 2025 00:26:47 +0200 Subject: [PATCH 89/91] Update sync-dev-to-vX.Y-dev.yaml --- .github/workflows/sync-dev-to-vX.Y-dev.yaml | 28 +++++++++++++++------ 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/.github/workflows/sync-dev-to-vX.Y-dev.yaml b/.github/workflows/sync-dev-to-vX.Y-dev.yaml index 0ace68b375..6702c67de1 100644 --- a/.github/workflows/sync-dev-to-vX.Y-dev.yaml +++ b/.github/workflows/sync-dev-to-vX.Y-dev.yaml @@ -11,6 +11,7 @@ on: push: branches: - dev + workflow_dispatch: {} jobs: sync-branches: @@ -22,36 +23,49 @@ jobs: with: app-id: ${{ secrets.OAI_SPEC_PUBLISHER_APPID }} private-key: ${{ secrets.OAI_SPEC_PUBLISHER_PRIVATE_KEY }} - + - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 0 + token: ${{ steps.generate-token.outputs.token }} - name: Create pull requests id: pull_requests shell: bash run: | + git config user.name ${GITHUB_ACTOR} + git config user.email "a@b.c" + DEV_BRANCHES=$(git branch -r --list origin/v?.?-dev) for DEV_BRANCH in $DEV_BRANCHES; do BASE=${DEV_BRANCH:7} - EXISTS=$(gh pr list --base $BASE --head $HEAD \ + SYNC="$BASE-sync-with-$HEAD" + + git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE + git merge origin/$HEAD -m "Merge $HEAD into $SYNC" + git checkout origin/$BASE src/* + git checkout origin/$BASE tests/* + git commit -m "Restored src/* and tests/*" || echo "" + git push -u origin $SYNC + + EXISTS=$(gh pr list --base $BASE --head $SYNC \ --json number --jq '.[] | .number') if [ ! -z "$EXISTS" ]; then - echo "PR #$EXISTS already wants to merge $HEAD into $BASE" + echo "PR #$EXISTS already wants to merge $SYNC into $BASE" continue fi - PR=$(gh pr create --base $BASE --head $HEAD \ + PR=$(gh pr create --base $BASE --head $SYNC \ --label "Housekeeping" \ - --title "$BASE: update from $HEAD" \ - --body "Merge \`$HEAD\` into \`$BASE\`.") + --title "$BASE: sync with $HEAD" \ + --body "Merge relevant changes from \`$HEAD\` into \`$BASE\`.") echo "" echo "PR to sync $DEV_BRANCH: $PR" sleep 10 # allow status checks to be triggered gh pr checks $PR --watch --required || continue - gh pr merge $PR --merge --admin + # gh pr merge $PR --merge --admin done env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} From 1dd29968bf58291b7dba811898d02fb9184ee21a Mon Sep 17 00:00:00 2001 From: Ralf Handl Date: Sun, 5 Oct 2025 12:18:38 +0200 Subject: [PATCH 90/91] Bot username and email --- .github/workflows/sync-dev-to-vX.Y-dev.yaml | 4 ++-- .github/workflows/sync-main-to-dev.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sync-dev-to-vX.Y-dev.yaml b/.github/workflows/sync-dev-to-vX.Y-dev.yaml index 6702c67de1..3019659006 100644 --- a/.github/workflows/sync-dev-to-vX.Y-dev.yaml +++ b/.github/workflows/sync-dev-to-vX.Y-dev.yaml @@ -34,8 +34,8 @@ jobs: id: pull_requests shell: bash run: | - git config user.name ${GITHUB_ACTOR} - git config user.email "a@b.c" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" DEV_BRANCHES=$(git branch -r --list origin/v?.?-dev) for DEV_BRANCH in $DEV_BRANCHES; do diff --git a/.github/workflows/sync-main-to-dev.yaml b/.github/workflows/sync-main-to-dev.yaml index 06ad0fdef4..09e1cd16e9 100644 --- a/.github/workflows/sync-main-to-dev.yaml +++ b/.github/workflows/sync-main-to-dev.yaml @@ -34,8 +34,8 @@ jobs: id: pull_request shell: bash run: | - git config user.name ${GITHUB_ACTOR} - git config user.email "a@b.c" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" SYNC="$BASE-sync-with-$HEAD" git checkout -b $SYNC origin/$SYNC || git checkout -b $SYNC origin/$BASE From ee79aa1350f1c105b333850b3a97f7d9c3632b0c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 5 Oct 2025 10:29:32 +0000 Subject: [PATCH 91/91] Restored src/* and tests/* --- src/oas.md | 5046 ++++++++++------- src/schemas/validation/dialect.yaml | 10 +- src/schemas/validation/meta.yaml | 34 +- src/schemas/validation/schema-base.yaml | 10 +- src/schemas/validation/schema.yaml | 361 +- .../fail/encoding-enc-item-exclusion.yaml | 13 + .../fail/encoding-enc-prefix-exclusion.yaml | 13 + tests/schema/fail/example-examples.yaml | 17 + .../fail/example-object-old-exclusions.yaml | 10 + .../fail/example-object-old-vs-data.yaml | 10 + .../fail/example-object-old-vs-ser.yaml | 10 + .../fail/example-object-ser-exclusions.yaml | 10 + tests/schema/fail/invalid_schema_types.yaml | 3 +- .../fail/media-type-enc-item-exclusion.yaml | 11 + .../fail/media-type-enc-prefix-exclusion.yaml | 11 + tests/schema/fail/no_containers.yaml | 2 +- ...eration-object-query-with-querystring.yaml | 20 + .../operation-object-two-querystrings.yaml | 20 + ...rameter-object-content-not-with-style.yaml | 14 + ...er-object-querystring-not-with-schema.yaml | 11 + ...ject-conflicting-additional-operation.yaml | 64 + ...th-item-object-query-with-querystring.yaml | 19 + .../path-item-object-two-querystrings.yaml | 20 + tests/schema/fail/server_enum_empty.yaml | 2 +- tests/schema/fail/servers.yaml | 2 +- tests/schema/fail/unknown_container.yaml | 2 +- tests/schema/fail/xml-attr-exclusion.yaml | 11 + tests/schema/fail/xml-wrapped-exclusion.yaml | 11 + .../schema/pass/callback-object-examples.yaml | 30 + tests/schema/pass/comp_pathitems.yaml | 2 +- .../pass/components-object-example.yaml | 71 + .../schema/pass/example-object-examples.yaml | 64 + tests/schema/pass/header-object-examples.yaml | 26 + tests/schema/pass/info-object-example.yaml | 20 + tests/schema/pass/info_summary.yaml | 2 +- tests/schema/pass/json_schema_dialect.yaml | 6 +- tests/schema/pass/license_identifier.yaml | 2 +- tests/schema/pass/link-object-examples.yaml | 66 + tests/schema/pass/media-type-examples.yaml | 173 + tests/schema/pass/mega.yaml | 16 +- tests/schema/pass/minimal_comp.yaml | 2 +- tests/schema/pass/minimal_hooks.yaml | 2 +- tests/schema/pass/minimal_paths.yaml | 2 +- tests/schema/pass/non-oauth-scopes.yaml | 2 +- .../schema/pass/operation-object-example.yaml | 47 + .../pass/parameter-object-examples.yaml | 75 + .../schema/pass/path-item-object-example.yaml | 74 + .../pass/path_item_servers_parameters.yaml | 112 + tests/schema/pass/path_no_response.yaml | 2 +- .../schema/pass/path_var_empty_pathitem.yaml | 2 +- tests/schema/pass/paths-object-example.yaml | 17 + tests/schema/pass/request-body-examples.yaml | 34 + .../schema/pass/response-object-examples.yaml | 43 + ...ema-object-deprecated-example-keyword.yaml | 17 + tests/schema/pass/schema.yaml | 2 +- .../pass/security-scheme-object-examples.yaml | 69 + tests/schema/pass/servers.yaml | 18 +- .../schema/pass/specification-extensions.yaml | 6 + tests/schema/pass/tag-object-example.yaml | 25 + tests/schema/pass/valid_schema_types.yaml | 2 +- tests/schema/pass/webhook-example.yaml | 2 +- tests/schema/schema.test.mjs | 20 +- 62 files changed, 4643 insertions(+), 2177 deletions(-) create mode 100644 tests/schema/fail/encoding-enc-item-exclusion.yaml create mode 100644 tests/schema/fail/encoding-enc-prefix-exclusion.yaml create mode 100644 tests/schema/fail/example-examples.yaml create mode 100644 tests/schema/fail/example-object-old-exclusions.yaml create mode 100644 tests/schema/fail/example-object-old-vs-data.yaml create mode 100644 tests/schema/fail/example-object-old-vs-ser.yaml create mode 100644 tests/schema/fail/example-object-ser-exclusions.yaml create mode 100644 tests/schema/fail/media-type-enc-item-exclusion.yaml create mode 100644 tests/schema/fail/media-type-enc-prefix-exclusion.yaml create mode 100644 tests/schema/fail/operation-object-query-with-querystring.yaml create mode 100644 tests/schema/fail/operation-object-two-querystrings.yaml create mode 100644 tests/schema/fail/parameter-object-content-not-with-style.yaml create mode 100644 tests/schema/fail/parameter-object-querystring-not-with-schema.yaml create mode 100644 tests/schema/fail/path-item-object-conflicting-additional-operation.yaml create mode 100644 tests/schema/fail/path-item-object-query-with-querystring.yaml create mode 100644 tests/schema/fail/path-item-object-two-querystrings.yaml create mode 100644 tests/schema/fail/xml-attr-exclusion.yaml create mode 100644 tests/schema/fail/xml-wrapped-exclusion.yaml create mode 100644 tests/schema/pass/callback-object-examples.yaml create mode 100644 tests/schema/pass/components-object-example.yaml create mode 100644 tests/schema/pass/example-object-examples.yaml create mode 100644 tests/schema/pass/header-object-examples.yaml create mode 100644 tests/schema/pass/info-object-example.yaml create mode 100644 tests/schema/pass/link-object-examples.yaml create mode 100644 tests/schema/pass/media-type-examples.yaml create mode 100644 tests/schema/pass/operation-object-example.yaml create mode 100644 tests/schema/pass/parameter-object-examples.yaml create mode 100644 tests/schema/pass/path-item-object-example.yaml create mode 100644 tests/schema/pass/path_item_servers_parameters.yaml create mode 100644 tests/schema/pass/paths-object-example.yaml create mode 100644 tests/schema/pass/request-body-examples.yaml create mode 100644 tests/schema/pass/response-object-examples.yaml create mode 100644 tests/schema/pass/schema-object-deprecated-example-keyword.yaml create mode 100644 tests/schema/pass/security-scheme-object-examples.yaml create mode 100644 tests/schema/pass/specification-extensions.yaml create mode 100644 tests/schema/pass/tag-object-example.yaml diff --git a/src/oas.md b/src/oas.md index b2db701c19..430c1c6f5f 100644 --- a/src/oas.md +++ b/src/oas.md @@ -1,6 +1,6 @@ # OpenAPI Specification -## Version 3.1.1 +## Version 3.2.0 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP 14](https://tools.ietf.org/html/bcp14) [RFC2119](https://tools.ietf.org/html/rfc2119) [RFC8174](https://tools.ietf.org/html/rfc8174) when, and only when, they appear in all capitals, as shown here. @@ -8,71 +8,25 @@ This document is licensed under [The Apache License, Version 2.0](https://www.ap ## Introduction -The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. +The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service by [parsing and serializing](#parsing-and-serializing) HTTP messages to and from a [data model](#data-types) with a minimal amount of implementation logic. -An OpenAPI Description can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. +An [OpenAPI Description](#openapi-description-structure) (OAD) can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases. For examples of OpenAPI usage and additional documentation, please visit [[?OpenAPI-Learn]]. For extension registries and other specifications published by the OpenAPI Initiative, as well as the authoritative rendering of this specification, please visit [spec.openapis.org](https://spec.openapis.org/). -## Definitions +### Versions and Deprecation -### OpenAPI Description - -An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an [entry document](#openapi-description-structure), which must be an OpenAPI Document, and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification, and MUST contain at least one [paths](#paths-object) field, [components](#oas-components) field, or [webhooks](#oas-webhooks) field. - -### OpenAPI Document - -An OpenAPI Document is a single JSON or YAML document that conforms to the OpenAPI Specification. An OpenAPI Document compatible with OAS 3.\*.\* contains a required [`openapi`](#oas-version) field which designates the version of the OAS that it uses. - -### Schema - -A "schema" is a formal description of syntax and structure. -This document serves as the [schema](#schema) for the OpenAPI Specification format; a non-authoritative JSON Schema based on this document is also provided on [spec.openapis.org](https://spec.openapis.org) for informational purposes. -This specification also _uses_ schemas in the form of the [Schema Object](#schema-object). - -### Object - -When capitalized, the word "Object" refers to any of the Objects that are named by section headings in this document. - -### Path Templating - -Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. - -Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. - -The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). - -### Media Types - -Media type definitions are spread across several resources. -The media type definitions SHOULD be in compliance with [RFC6838](https://tools.ietf.org/html/rfc6838). - -Some examples of possible media type definitions: - -```text - text/plain; charset=utf-8 - application/json - application/vnd.github+json - application/vnd.github.v3+json - application/vnd.github.v3.raw+json - application/vnd.github.v3.text+json - application/vnd.github.v3.html+json - application/vnd.github.v3.full+json - application/vnd.github.v3.diff - application/vnd.github.v3.patch -``` - -### HTTP Status Codes +The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versioning scheme. The `major`.`minor` portion of the version string (for example `3.1`) SHALL designate the OAS feature set. _`.patch`_ versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.\* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between `3.1.0` and `3.1.1` for example. -The HTTP Status Codes are used to indicate the status of the executed operation. -Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). +Certain fields or features may be marked **Deprecated**. +These fields and features remain part of the specification and can be used like any other field or feature. +However, OpenAPI Description authors should use newer fields and features documented to replace the deprecated ones whenever possible. -### Case Sensitivity +At this time, such elements are expected to remain part of the OAS until the next major version, although a future minor version of this specification may define a policy for later removal of deprecated elements. -As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. -However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. +Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. ### Undefined and Implementation-Defined Behavior @@ -87,259 +41,151 @@ Behavior described as _implementation-defined_ allows implementations to choose This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. Unlike undefined behavior, it is safe to rely on implementation-defined behavior if _and only if_ it can be guaranteed that all relevant tools support the same behavior. -## Specification - -### Versions - -The OpenAPI Specification is versioned using a `major`.`minor`.`patch` versioning scheme. The `major`.`minor` portion of the version string (for example `3.1`) SHALL designate the OAS feature set. _`.patch`_ versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.\* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between `3.1.0` and `3.1.1` for example. - -Occasionally, non-backwards compatible changes may be made in `minor` versions of the OAS where impact is believed to be low relative to the benefit provided. - -### Format - -An OpenAPI Document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. - -For example, if a field has an array value, the JSON array representation will be used: +## Format -```json -{ - "field": [1, 2, 3] -} -``` +An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in [[RFC8259|JSON]] or [[YAML|YAML]] format. +Examples in this specification will be shown in YAML for brevity. -All field names in the specification are **case sensitive**. -This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case insensitive**. +All field names in the specification are **case-sensitive**. +This includes all fields that are used as keys in a map, except where explicitly noted that keys are **case-insensitive**. -The [schema](#schema) exposes two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. +OAS [Objects](#objects-and-fields) expose two types of fields: _fixed fields_, which have a declared name, and _patterned fields_, which have a declared pattern for the field name. Patterned fields MUST have unique names within the containing object. -In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with some additional constraints: - -* Tags MUST be limited to those allowed by [YAML's JSON schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231), which defines a subset of the YAML syntax and is unrelated to [[JSON-Schema-2020-12|JSON Schema]]. -* Keys used in YAML maps MUST be limited to a scalar string, as defined by the [YAML Failsafe schema ruleset](https://yaml.org/spec/1.2/spec.html#id2802346). - **Note:** While APIs may be described by OpenAPI Descriptions in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML. -### OpenAPI Description Structure - -An OpenAPI Description (OAD) MAY be made up of a single JSON or YAML document or be divided into multiple, connected parts at the discretion of the author. In the latter case, [Reference Object](#reference-object), [Path Item Object](#path-item-object) and [Schema Object](#schema-object) `$ref` fields, as well as the [Link Object](#link-object) `operationRef` field, and the URI form of the [Discriminator Object](#discriminator-object) `mapping` field, are used to identify the referenced elements. - -In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. - -It is RECOMMENDED that the entry document of an OAD be named: `openapi.json` or `openapi.yaml`. - -#### Parsing Documents - -In order to properly handle [Schema Objects](#schema-object), OAS 3.1 inherits the parsing requirements of [JSON Schema Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). - -This includes a requirement to parse complete documents before deeming a Schema Object reference to be unresolvable, in order to detect keywords that might provide the reference target or impact the determination of the appropriate base URI. - -Implementations MAY support complete-document parsing in any of the following ways: - -* Detecting OpenAPI or JSON Schema documents using media types -* Detecting OpenAPI documents through the root `openapi` field -* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification -* Detecting a document containing a referenceable Object at its root based on the expected type of the reference -* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object - -Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. -In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. -While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. - -While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. -This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. - -A special case of parsing fragments of OAS content would be if such fragments are embedded in another format, referred to as an _embedding format_ with respect to the OAS. -Note that the OAS itself is an embedding format with respect to JSON Schema, which is embedded as Schema Objects. -It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. - -#### Structural Interoperability - -JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: - -* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object -* As the Object type implied by its parent Object within the document -* As a reference target, with the Object type matching the reference source's context - -If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. - -#### Resolving Implicit Connections - -Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). - -These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. -In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to always use the alternative: - -| Source | Target | Alternative | -| ---- | ---- | ---- | -| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | -| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | -| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | -| [Link Object](#link-object) `operationId` | [Path Item Object](#path-item-object) `operationId` | `operationRef` | - -A fifth implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. -This is unambiguous because only the entry document's Paths Object contributes URLs to the described API. - -It is RECOMMENDED to consider all Operation Objects from all parsed documents when resolving any Link Object `operationId`. -This requires parsing all referenced documents prior to determining an `operationId` to be unresolvable. - -The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. -For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. -The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. -This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. - -For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. -This allows Security Scheme Objects and Tag Objects to be defined next to the API's deployment information (the top-level array of Server Objects), and treated as an interface for referenced documents to access. - -The interface approach can also work for Discriminator Objects and Schema Objects, but it is also possible to keep the Discriminator Object's behavior within a single document using the relative URI-reference syntax of `mapping`. - -There are no URI-based alternatives for the Security Requirement Object or for the Operation Object's `tags` field. -These limitations are expected to be addressed in a future release. - -See [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example of the possible resolutions, including which one is recommended by this section. -The behavior for Discrimator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. +### JSON and YAML Compatibility -Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. - -### Data Types - -Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-6.1.1): -"null", "boolean", "object", "array", "number", "string", or "integer". -Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. - -JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. +In order to preserve the ability to round-trip between YAML and JSON formats, YAML version [1.2](https://yaml.org/spec/1.2/spec.html) is RECOMMENDED along with the additional constraints listed in [[!RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#name-yaml-and-json). -Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC7159|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.2), and are both considered to be integers. +The recommendation in previous versions of this specification to restrict YAML to its "JSON" [schema ruleset](https://yaml.org/spec/1.2/spec.html#id2803231) allowed for the inclusion of certain values that (despite the name) cannot be represented in JSON. +OAD authors SHOULD NOT rely on any such JSON-incompatible YAML values. -#### Data Type Format +### Case Sensitivity -As defined by the [JSON Schema Validation specification](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. +As most field names and values in the OpenAPI Specification are case-sensitive, this document endeavors to call out any case-insensitive names and values. +However, the case sensitivity of field names and values that map directly to HTTP concepts follow the case sensitivity rules of HTTP, even if this document does not make a note of every concept. -The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. +### Rich Text Formatting -Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. -For the purpose of [JSON Schema validation](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. +Throughout the specification `description` fields are noted as supporting CommonMark markdown formatting. +Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to ignore some CommonMark or extension features to address security concerns. -The formats defined by the OAS are: +While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. +OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. -| `format` | JSON Data Type | Comments | -| ---- | ---- | ---- | -| `int32` | number | signed 32 bits | -| `int64` | number | signed 64 bits (a.k.a long) | -| `float` | number | | -| `double` | number | | -| `password` | string | A hint to obscure the value. | +## Objects and Fields -As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. +This section describes the structure of the OpenAPI Description format. +This text is the only normative description of the format. +A JSON Schema is hosted on [spec.openapis.org](https://spec.openapis.org) for informational purposes. +If the JSON Schema differs from this section, then this section MUST be considered authoritative. -#### Working with Binary Data +In the following description, if a field is not explicitly **REQUIRED** or described with a MUST or SHALL, it can be considered OPTIONAL. -The OAS can describe either _raw_ or _encoded_ binary data. +### OpenAPI Object -* **raw binary** is used where unencoded binary data is allowed, such as when sending a binary payload as the entire HTTP message body, or as part of a `multipart/*` payload that allows binary parts -* **encoded binary** is used where binary data is embedded in a text-only format such as `application/json` or `application/x-www-form-urlencoded` (either as a message body or in the URL query string). +This is the root object of the [OpenAPI Description](#openapi-description-structure). -In the following table showing how to use Schema Object keywords for binary data, we use `image/png` as an example binary media type. Any binary media type, including `application/octet-stream`, is sufficient to indicate binary content. +#### Fixed Fields -| Keyword | Raw | Encoded | Comments | -| ---- | ---- | ---- | ---- | -| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.3) | -| `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | -| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.3) | +In addition to the required fields, at least one of the `components`, `paths`, or `webhooks` fields MUST be present. -Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. +| Field Name | Type | Description | +| ---- | :----: | ---- | +| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions-and-deprecation) of the OpenAPI Specification that the OpenAPI document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI document. This is _not_ related to the [`info.version`](#info-version) string, which describes the OpenAPI document's version. | +| $self | `string` | This string MUST be in the form of a URI reference as defined by [[RFC3986]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc3986#section-4.1). The `$self` field provides the self-assigned URI of this document, which also serves as its base URI in accordance with [[RFC3986]] [Section 5.1.1](https://www.rfc-editor.org/rfc/rfc3986#section-5.1.1). Implementations MUST support identifying the targets of [API description URIs](#relative-references-in-api-description-uris) using the URI defined by this field when it is present. See [Establishing the Base URI](#establishing-the-base-uri) for the base URI behavior when `$self` is absent or relative, and see [Appendix F](#appendix-f-examples-of-base-uri-determination-and-reference-resolution) for examples of using `$self` to resolve references. | +| info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | +| jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | +| servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be an array consisting of a single [Server Object](#server-object) with a [url](#server-url) value of `/`. | +| paths | [Paths Object](#paths-object) | The available paths and operations for the API. | +| webhooks | Map[`string`, [Path Item Object](#path-item-object)] | The incoming webhooks that MAY be received as part of this API and that the API consumer MAY choose to implement. Closely related to the `callbacks` feature, this section describes requests initiated other than by an API call, for example by an out of band registration. The key name is a unique string to refer to each webhook, while the (optionally referenced) Path Item Object describes a request that may be initiated by the API provider and the expected responses. An [example](https://learn.openapis.org/examples/v3.1/webhook-example.html) is available. | +| components | [Components Object](#components-object) | An element to hold various Objects for the OpenAPI Description. | +| security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. The list can be incomplete, up to being empty or absent. To make security explicitly optional, an empty security requirement (`{}`) can be included in the array. | +| tags | [[Tag Object](#tag-object)] | A list of tags used by the OpenAPI Description with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the [Operation Object](#operation-object) must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique. | +| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation. | -Using a `contentEncoding` of `base64url` ensures that URL encoding (as required in the query string and in message bodies of type `application/x-www-form-urlencoded`) does not need to further encode any part of the already-encoded binary data. +This object MAY be extended with [Specification Extensions](#specification-extensions). -The `contentMediaType` keyword is redundant if the media type is already set: +To ensure interoperability, references MUST use the target document's `$self` URI if the `$self` field is present. +Implementations MAY choose to support referencing by other URIs such as the retrieval URI even when `$self` is present, however this behavior is not interoperable and relying on it is NOT RECOMMENDED. -* as the key for a [MediaType Object](#media-type-object) -* in the `contentType` field of an [Encoding Object](#encoding-object) +#### OpenAPI Description Structure -If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. +An **OpenAPI Description** (**OAD**) formally describes the surface of an API and its semantics. +An OAD MAY be made up of a single document, or be distributed across multiple documents that are connected by various fields using [URI references](#relative-references-in-api-description-uris) and [implicit connections](#resolving-implicit-connections). -The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload. The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets. +In order for parsing behavior to be well-defined, all documents in an OAD MUST have either an OpenAPI Object or a Schema Object at the root, and MUST be parsed as complete documents, as described in the next section. -##### Migrating binary descriptions from OAS 3.0 +Documents with a different Object at the root, or that mix OAD content with other content, MAY be supported, but will have implementation-defined or, potentially, undefined behavior as described in [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance). +Throughout this specification, documents are assumed to have either an OpenAPI Object or Schema Object at the root unless otherwise specified. -The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: +In a multi-document OAD, the document containing the OpenAPI Object where parsing begins is known as that OAD's **entry document**. +It is RECOMMENDED that the entry document of an OAD be named `openapi.json` or `openapi.yaml`. -| OAS < 3.1 | OAS 3.1 | Comments | -| ---- | ---- | ---- | -| type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | -| type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | +An OpenAPI Object MAY be embedded in another format, called the **embedding format**, just as JSON Schema is embedded in the OAS in the form of Schema Objects. +It is the responsibility of an embedding format to define how to parse embedded content, and OAS implementations that do not document support for an embedding format cannot be expected to parse embedded OAS content correctly. -### Rich Text Formatting +##### Parsing Documents -Throughout the specification `description` fields are noted as supporting CommonMark markdown formatting. -Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by [CommonMark 0.27](https://spec.commonmark.org/0.27/). Tooling MAY choose to ignore some CommonMark or extension features to address security concerns. +Each document in an OAD MUST be fully parsed in order to locate possible reference targets. +This includes the parsing requirements of [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-9), with appropriate modifications regarding base URIs as specified in [Relative References In URIs](#relative-references-in-api-description-uris). +Reference targets are defined by fields including the OpenAPI Object's [`$self`](#oas-self) field and the [Schema Object's](#schema-object) `$id`, `$anchor`, and `$dynamicAnchor` keywords. -While the framing of CommonMark 0.27 as a minimum requirement means that tooling MAY choose to implement extensions on top of it, note that any such extensions are by definition implementation-defined and will not be interoperable. -OpenAPI Description authors SHOULD consider how text using such extensions will be rendered by tools that offer only the minimum support. +Implementations MUST NOT treat a reference as unresolvable before completely parsing all documents provided to the implementation as possible parts of the OAD. -### Relative References in API Description URIs +If only the referenced part of the document is parsed when resolving a reference, the resulting behavior can be implementation-defined or undefined; see [Warnings Regarding Fragmentary Parsing](#warnings-regarding-fragmentary-parsing) in [Appendix G](#appendix-g-parsing-and-resolution-guidance) for details. -URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**. -As noted under [Parsing Documents](#parsing-documents), this specification inherits JSON Schema Specification Draft 2020-12's requirements for [loading documents](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-9) and associating them with their expected URIs, which might not match their current location. -This feature is used both for working in development or test environments without having to change the URIs, and for working within restrictive network configurations or security policies. +##### Relative References in API Description URIs +URIs used as references within an OpenAPI Description, or to external documentation or other supplementary information such as a license, are resolved as _identifiers_, and described by this specification as **_URIs_**, in contrast with [API URLs](#relative-references-in-api-urls). Note that some URI fields are named `url` for historical reasons, but the descriptive text for those fields uses the correct "URI" terminology. -Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). +As noted under [Parsing Documents](#parsing-documents), several fields can be used to associate an OpenAPI document or a Schema Object with a URI, which might not match the document's or schema's location. +This allows the same references to be used in different deployment environments, including local filesystems or networks restricted by security policies or connectivity limitations. -Relative references in [Schema Objects](#schema-object), including any that appear as `$id` values, use the nearest parent `$id` as a Base URI, as described by [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8.2). +Unless specified otherwise, all fields that are URIs MAY be relative references as defined by [[RFC3986]] [Section 4.2](https://tools.ietf.org/html/rfc3986#section-4.2). -Relative URI references in other Objects, and in Schema Objects where no parent schema contains an `$id`, MUST be resolved using the referring document's base URI, which is determined in accordance with [[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2). -In practice, this is usually the retrieval URI of the document, which MAY be determined based on either its current actual location or a user-supplied expected location. +###### Establishing the Base URI -If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON-Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). +Relative URI references are resolved using the appropriate base URI, which MUST be determined in accordance with [[RFC3986]] [Section 5.1.1 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.1) and, for Schema objects, [JSON Schema draft 2020-12 Section 8.2](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.2), as illustrated by the examples in [Appendix F: Examples of Base URI Determination and Reference Resolution](#appendix-f-examples-of-base-uri-determination-and-reference-resolution). -Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. +If `$self` is a relative URI reference, it is resolved against the next possible base URI source ([[RFC3986]] [Section 5.1.2 – 5.1.4](https://tools.ietf.org/html/rfc3986#section-5.1.2)) before being used for the resolution of other relative URI references. -### Relative References in API URLs +The most common base URI source that is used in the event of a missing or relative `$self` (in the [OpenAPI Object](#openapi-object)) and (for [Schema Object](#schema-object)) `$id` is the retrieval URI. +Implementations MAY support document retrieval, although see the [Security Considerations](#security-considerations) sections for additional guidance. +Even if retrieval is supported, it may be impossible due to network configuration or server unavailability (including the server hosting an older version while a new version is in development), or undesirable due to performance impacts. +Therefore, all implementations SHOULD allow users to provide documents with their intended retrieval URIs so that references can be resolved as if retrievals were performed. -API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. +###### Resolving URI fragments -Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). -Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a Base URL. Note that these themselves MAY be relative to the referring document. +If a URI contains a fragment identifier, then the fragment should be resolved per the fragment resolution mechanism of the referenced document. If the representation of the referenced document is JSON or YAML, then the fragment identifier SHOULD be interpreted as a JSON Pointer as per [RFC6901](https://tools.ietf.org/html/rfc6901). -### Schema +###### Relative URI References in CommonMark Fields -This section describes the structure of the OpenAPI Description format. -This text is the only normative description of the format. -A JSON Schema is hosted on [spec.openapis.org](https://spec.openapis.org) for informational purposes. -If the JSON Schema differs from this section, then this section MUST be considered authoritative. +Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description. -In the following description, if a field is not explicitly **REQUIRED** or described with a MUST or SHALL, it can be considered OPTIONAL. +##### Resolving Implicit Connections -#### OpenAPI Object +Several features of this specification require resolution of non-URI-based connections to some other part of the OpenAPI Description (OAD). -This is the root object of the [OpenAPI Description](#openapi-description). +These connections are unambiguously resolved in single-document OADs, but the resolution process in multi-document OADs is _implementation-defined_, within the constraints described in this section. +In some cases, an unambiguous URI-based alternative is available, and OAD authors are RECOMMENDED to use the alternative to maximize interoperability. -##### Fixed Fields +For resolving [Components Object](#components-object) and [Tag Object](#tag-object) names from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +For resolving an [Operation Object](#operation-object) based on an `operationId`, it is RECOMMENDED to consider all Operation Objects from all parsed documents. -| Field Name | Type | Description | -| ---- | :----: | ---- | -| openapi | `string` | **REQUIRED**. This string MUST be the [version number](#versions) of the OpenAPI Specification that the OpenAPI Document uses. The `openapi` field SHOULD be used by tooling to interpret the OpenAPI Document. This is _not_ related to the API [`info.version`](#info-version) string. | -| info | [Info Object](#info-object) | **REQUIRED**. Provides metadata about the API. The metadata MAY be used by tooling as required. | -| jsonSchemaDialect | `string` | The default value for the `$schema` keyword within [Schema Objects](#schema-object) contained within this OAS document. This MUST be in the form of a URI. | -| servers | [[Server Object](#server-object)] | An array of Server Objects, which provide connectivity information to a target server. If the `servers` field is not provided, or is an empty array, the default value would be a [Server Object](#server-object) with a [url](#server-url) value of `/`. | -| paths | [Paths Object](#paths-object) | The available paths and operations for the API. | -| webhooks | Map[`string`, [Path Item Object](#path-item-object)] | The incoming webhooks that MAY be received as part of this API and that the API consumer MAY choose to implement. Closely related to the `callbacks` feature, this section describes requests initiated other than by an API call, for example by an out of band registration. The key name is a unique string to refer to each webhook, while the (optionally referenced) Path Item Object describes a request that may be initiated by the API provider and the expected responses. An [example](https://learn.openapis.org/examples/v3.1/webhook-example.html) is available. | -| components | [Components Object](#components-object) | An element to hold various Objects for the OpenAPI Description. | -| security | [[Security Requirement Object](#security-requirement-object)] | A declaration of which security mechanisms can be used across the API. The list of values includes alternative Security Requirement Objects that can be used. Only one of the Security Requirement Objects need to be satisfied to authorize a request. Individual operations can override this definition. The list can be incomplete, up to being empty or absent. To make security explicitly optional, an empty security requirement (`{}`) can be included in the array. | -| tags | [[Tag Object](#tag-object)] | A list of tags used by the OpenAPI Description with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the [Operation Object](#operation-object) must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique. | -| externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation. | +Note that no aspect of implicit connection resolution changes how [URIs are resolved](#relative-references-in-api-description-uris), or restricts their possible targets. -This object MAY be extended with [Specification Extensions](#specification-extensions). +See [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance) for more details, including a list of Objects and fields using implicit connections. -#### Info Object +### Info Object The object provides metadata about the API. The metadata MAY be used by the clients if needed, and MAY be presented in editing or documentation generation tools for convenience. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -349,30 +195,11 @@ The metadata MAY be used by the clients if needed, and MAY be presented in editi | termsOfService | `string` | A URI for the Terms of Service for the API. This MUST be in the form of a URI. | | contact | [Contact Object](#contact-object) | The contact information for the exposed API. | | license | [License Object](#license-object) | The license information for the exposed API. | -| version | `string` | **REQUIRED**. The version of the OpenAPI Document (which is distinct from the [OpenAPI Specification version](#oas-version) or the version of the API being described or the version of the OpenAPI Description). | +| version | `string` | **REQUIRED**. The version of the OpenAPI document (which is distinct from the [OpenAPI Specification version](#oas-version) or the version of the API being described or the version of the OpenAPI Description). | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Info Object Example - -```json -{ - "title": "Example Pet Store App", - "summary": "A pet store manager.", - "description": "This is an example server for a pet store.", - "termsOfService": "https://example.com/terms/", - "contact": { - "name": "API Support", - "url": "https://www.example.com/support", - "email": "support@example.com" - }, - "license": { - "name": "Apache 2.0", - "url": "https://www.apache.org/licenses/LICENSE-2.0.html" - }, - "version": "1.0.1" -} -``` +#### Info Object Example ```yaml title: Example Pet Store App @@ -389,11 +216,11 @@ license: version: 1.0.1 ``` -#### Contact Object +### Contact Object Contact information for the exposed API. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -403,15 +230,7 @@ Contact information for the exposed API. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Contact Object Example - -```json -{ - "name": "API Support", - "url": "https://www.example.com/support", - "email": "support@example.com" -} -``` +#### Contact Object Example ```yaml name: API Support @@ -419,11 +238,11 @@ url: https://www.example.com/support email: support@example.com ``` -#### License Object +### License Object License information for the exposed API. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -433,111 +252,88 @@ License information for the exposed API. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### License Object Example - -```json -{ - "name": "Apache 2.0", - "identifier": "Apache-2.0" -} -``` +#### License Object Example ```yaml name: Apache 2.0 identifier: Apache-2.0 ``` -#### Server Object +### Server Object An object representing a Server. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Variable substitutions will be made when a variable is named in `{`braces`}`. | +| url | `string` | **REQUIRED**. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the document containing the Server Object is being served. Query and fragment MUST NOT be part of this URL. Variable substitutions will be made when a variable is named in `{`braces`}`. | | description | `string` | An optional string describing the host designated by the URL. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| name | `string` | An optional unique string to refer to the host designated by the URL. | | variables | Map[`string`, [Server Variable Object](#server-variable-object)] | A map between a variable name and its value. The value is used for substitution in the server's URL template. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Server Object Example +#### Relative References in API URLs -A single server would be described as: +API endpoints are by definition accessed as locations, and are described by this specification as **_URLs_**. -```json -{ - "url": "https://development.gigantic-server.com/v1", - "description": "Development server" -} +Unless specified otherwise, all fields that are URLs MAY be relative references as defined by [RFC3986](https://tools.ietf.org/html/rfc3986#section-4.2). + +Because the API is a distinct entity from the OpenAPI document, RFC3986's base URI rules for the OpenAPI document do not apply. +Unless specified otherwise, relative references are resolved using the URLs defined in the [Server Object](#server-object) as a base URL. Note that these themselves MAY be relative to the referring document. + +##### Examples of API Base URL Determination + +Assume a retrieval URI of `https://device1.example.com` for the following OpenAPI document: + +```yaml +openapi: 3.2.0 +$self: https://apidescriptions.example.com/foo +info: + title: Example API + version: 1.0 +servers: +- url: . + description: The production API on this device +- url: ./test + description: The test API on this device ``` +For API URLs the `$self` field, which identifies the OpenAPI document, is ignored and the retrieval URI is used instead. This produces a normalized production URL of `https://device1.example.com`, and a normalized test URL of `https://device1.example.com/test`. + +#### Server Object Example + +A single server would be described as: + ```yaml url: https://development.gigantic-server.com/v1 description: Development server +name: dev ``` The following shows how multiple servers can be described, for example, at the OpenAPI Object's [`servers`](#oas-servers): -```json -{ - "servers": [ - { - "url": "https://development.gigantic-server.com/v1", - "description": "Development server" - }, - { - "url": "https://staging.gigantic-server.com/v1", - "description": "Staging server" - }, - { - "url": "https://api.gigantic-server.com/v1", - "description": "Production server" - } - ] -} -``` - ```yaml servers: - url: https://development.gigantic-server.com/v1 description: Development server + name: dev - url: https://staging.gigantic-server.com/v1 description: Staging server + name: staging - url: https://api.gigantic-server.com/v1 description: Production server + name: prod ``` The following shows how variables can be used for a server configuration: -```json -{ - "servers": [ - { - "url": "https://{username}.gigantic-server.com:{port}/{basePath}", - "description": "The production API server", - "variables": { - "username": { - "default": "demo", - "description": "A user-specific subdomain. Use `demo` for a free sandbox environment." - }, - "port": { - "enum": ["8443", "443"], - "default": "8443" - }, - "basePath": { - "default": "v2" - } - } - } - ] -} -``` - ```yaml servers: - url: https://{username}.gigantic-server.com:{port}/{basePath} description: The production API server + name: prod variables: username: # note! no enum here means it is an open value @@ -549,15 +345,44 @@ servers: - '443' default: '8443' basePath: - # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is "v2" default: v2 ``` -#### Server Variable Object +### Server Variable Object An object representing a Server Variable for server URL template substitution. -##### Fixed Fields +The server URL templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax. + +```abnf +server-url-template = 1*( literals / server-variable ) +server-variable = "{" server-variable-name "}" +server-variable-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every Unicode character except { and } + +literals = 1*( %x21 / %x23-24 / %x26-3B / %x3D / %x3F-5B + / %x5D / %x5F / %x61-7A / %x7E / ucschar / iprivate + / pct-encoded) + ; any Unicode character except: CTL, SP, + ; DQUOTE, "%" (aside from pct-encoded), + ; "<", ">", "\", "^", "`", "{", "|", "}" +pct-encoded = "%" HEXDIG HEXDIG +ucschar = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF + / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD + / %x40000-4FFFD / %x50000-5FFFD / %x60000-6FFFD + / %x70000-7FFFD / %x80000-8FFFD / %x90000-9FFFD + / %xA0000-AFFFD / %xB0000-BFFFD / %xC0000-CFFFD + / %xD0000-DFFFD / %xE1000-EFFFD +iprivate = %xE000-F8FF / %xF0000-FFFFD / %x100000-10FFFD +``` + +Here, `literals`, `pct-encoded`, `ucschar` and `iprivate` definitions are taken from [RFC 6570](https://www.rfc-editor.org/rfc/rfc6570), incorporating the corrections specified in [Errata 6937](https://www.rfc-editor.org/errata/eid6937) for `literals`. + +Each server variable MUST NOT appear more than once in the URL template. + +See the [Paths Object](#paths-object) for guidance on constructing full request URLs. + +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -567,12 +392,12 @@ An object representing a Server Variable for server URL template substitution. This object MAY be extended with [Specification Extensions](#specification-extensions). -#### Components Object +### Components Object Holds a set of reusable objects for different aspects of the OAS. All objects defined within the Components Object will have no effect on the API unless they are explicitly referenced from outside the Components Object. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :---- | ---- | @@ -582,10 +407,11 @@ All objects defined within the Components Object will have no effect on the API | examples | Map[`string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Example Objects](#example-object). | | requestBodies | Map[`string`, [Request Body Object](#request-body-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Request Body Objects](#request-body-object). | | headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Header Objects](#header-object). | -| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | +| securitySchemes | Map[`string`, [Security Scheme Object](#security-scheme-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Security Scheme Objects](#security-scheme-object). | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Link Objects](#link-object). | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Callback Objects](#callback-object). | | pathItems | Map[`string`, [Path Item Object](#path-item-object)] | An object to hold reusable [Path Item Objects](#path-item-object). | +| mediaTypes | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | An object to hold reusable [Media Type Objects](#media-type-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). @@ -601,109 +427,7 @@ user-name my.org.User ``` -##### Components Object Example - -```json -"components": { - "schemas": { - "GeneralError": { - "type": "object", - "properties": { - "code": { - "type": "integer", - "format": "int32" - }, - "message": { - "type": "string" - } - } - }, - "Category": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - } - }, - "Tag": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - } - } - }, - "parameters": { - "skipParam": { - "name": "skip", - "in": "query", - "description": "number of items to skip", - "required": true, - "schema": { - "type": "integer", - "format": "int32" - } - }, - "limitParam": { - "name": "limit", - "in": "query", - "description": "max records to return", - "required": true, - "schema" : { - "type": "integer", - "format": "int32" - } - } - }, - "responses": { - "NotFound": { - "description": "Entity not found." - }, - "IllegalInput": { - "description": "Illegal input for operation." - }, - "GeneralError": { - "description": "General Error", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/GeneralError" - } - } - } - } - }, - "securitySchemes": { - "api_key": { - "type": "apiKey", - "name": "api-key", - "in": "header" - }, - "petstore_auth": { - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.org/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } - } - } -} -``` +#### Components Object Example ```yaml components: @@ -775,19 +499,50 @@ components: read:pets: read your pets ``` -#### Paths Object +### Paths Object Holds the relative paths to the individual endpoints and their operations. The path is appended to the URL from the [Server Object](#server-object) in order to construct the full URL. The Paths Object MAY be empty, due to [Access Control List (ACL) constraints](#security-filtering). -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | -| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The path is **appended** (no relative URL resolution) to the expanded URL from the [Server Object](#server-object)'s `url` field in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | +| /{path} | [Path Item Object](#path-item-object) | A relative path to an individual endpoint. The field name MUST begin with a forward slash (`/`). The URL from the [Server Object](#server-object)'s `url` field, resolved and with template variables substituted, has the path **appended** (no relative URL resolution) to it in order to construct the full URL. [Path templating](#path-templating) is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use. | This object MAY be extended with [Specification Extensions](#specification-extensions). +#### Path Templating + +Path templating refers to the usage of template expressions, delimited by curly braces (`{}`), to mark a section of a URL path as replaceable using path parameters. + +Each template expression in the path MUST correspond to a path parameter that is included in the [Path Item](#path-item-object) itself and/or in each of the Path Item's [Operations](#operation-object). An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required. + +The value for these path parameters MUST NOT contain any unescaped "generic syntax" characters described by [RFC3986](https://tools.ietf.org/html/rfc3986#section-3): forward slashes (`/`), question marks (`?`), or hashes (`#`). +See [URL Percent-Encoding](#url-percent-encoding) for additional guidance on escaping characters. + +The path templating is defined by the following [ABNF](https://tools.ietf.org/html/rfc5234) syntax + +```abnf +path-template = "/" *( path-segment "/" ) [ path-segment ] +path-segment = 1*( path-literal / template-expression ) +path-literal = 1*pchar +template-expression = "{" template-expression-param-name "}" +template-expression-param-name = 1*( %x00-7A / %x7C / %x7E-10FFFF ) ; every Unicode character except { and } + +pchar = unreserved / pct-encoded / sub-delims / ":" / "@" +unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" +pct-encoded = "%" HEXDIG HEXDIG +sub-delims = "!" / "$" / "&" / "'" / "(" / ")" + / "*" / "+" / "," / ";" / "=" +``` + +Here, `pchar`, `unreserved`, `pct-encoded` and `sub-delims` definitions are taken from [RFC 3986](https://tools.ietf.org/html/rfc3986). The `path-template` is directly derived from [RFC 3986, section 3.3](https://datatracker.ietf.org/doc/html/rfc3986#section-3.3). + +Each template expression MUST NOT appear more than once in a single path template. + +See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. + ##### Path Templating Matching Assuming the following paths, the concrete definition, `/pets/mine`, will be matched first if used: @@ -811,32 +566,7 @@ The following may lead to ambiguous resolution: /books/{id} ``` -##### Paths Object Example - -```json -{ - "/pets": { - "get": { - "description": "Returns all pets from the system that the user has access to", - "responses": { - "200": { - "description": "A list of pets.", - "content": { - "application/json": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/pet" - } - } - } - } - } - } - } - } -} -``` +#### Paths Object Example ```yaml /pets: @@ -853,13 +583,13 @@ The following may lead to ambiguous resolution: $ref: '#/components/schemas/pet' ``` -#### Path Item Object +### Path Item Object Describes the operations available on a single path. A Path Item MAY be empty, due to [ACL constraints](#security-filtering). The path itself is still exposed to the documentation viewer but they will not know which operations and parameters are available. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -874,62 +604,14 @@ The path itself is still exposed to the documentation viewer but they will not k | head | [Operation Object](#operation-object) | A definition of a HEAD operation on this path. | | patch | [Operation Object](#operation-object) | A definition of a PATCH operation on this path. | | trace | [Operation Object](#operation-object) | A definition of a TRACE operation on this path. | +| query | [Operation Object](#operation-object) | A definition of a QUERY operation, as defined in the most recent IETF draft ([draft-ietf-httpbis-safe-method-w-body-08](https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-11.html) as of this writing) or its RFC successor, on this path. | +| additionalOperations | Map[`string`, [Operation Object](#operation-object)] | A map of additional operations on this path. The map key is the HTTP method with the same capitalization that is to be sent in the request. This map MUST NOT contain any entry for the methods that can be defined by other fixed fields with Operation Object values (e.g. no `POST` entry, as the `post` field is used for this method). | | servers | [[Server Object](#server-object)] | An alternative `servers` array to service all operations in this path. If a `servers` array is specified at the [OpenAPI Object](#oas-servers) level, it will be overridden by this value. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Path Item Object Example - -```json -{ - "get": { - "description": "Returns pets based on ID", - "summary": "Find pets by ID", - "operationId": "getPetsById", - "responses": { - "200": { - "description": "pet response", - "content": { - "*/*": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Pet" - } - } - } - } - }, - "default": { - "description": "error payload", - "content": { - "text/html": { - "schema": { - "$ref": "#/components/schemas/ErrorModel" - } - } - } - } - } - }, - "parameters": [ - { - "name": "id", - "in": "path", - "description": "ID of pet to use", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "string" - } - }, - "style": "simple" - } - ] -} -``` +#### Path Item Object Example ```yaml get: @@ -961,13 +643,33 @@ parameters: items: type: string style: simple +additionalOperations: + COPY: + description: Copies pet information based on ID + summary: Copies pets by ID + operationId: copyPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' ``` -#### Operation Object +### Operation Object Describes a single API operation on a path. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -977,7 +679,7 @@ Describes a single API operation on a path. | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this operation. | | operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions. | | parameters | [[Parameter Object](#parameter-object) \| [Reference Object](#reference-object)] | A list of parameters that are applicable for this operation. If a parameter is already defined at the [Path Item](#path-item-parameters), the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a [name](#parameter-name) and [location](#parameter-in). The list can use the [Reference Object](#reference-object) to link to parameters that are defined in the [OpenAPI Object's `components.parameters`](#components-parameters). | -| requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP 1.1 specification [RFC7231](https://tools.ietf.org/html/rfc7231#section-4.3.1) has explicitly defined semantics for request bodies. In other cases where the HTTP spec is vague (such as [GET](https://tools.ietf.org/html/rfc7231#section-4.3.1), [HEAD](https://tools.ietf.org/html/rfc7231#section-4.3.2) and [DELETE](https://tools.ietf.org/html/rfc7231#section-4.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | +| requestBody | [Request Body Object](#request-body-object) \| [Reference Object](#reference-object) | The request body applicable for this operation. The `requestBody` is fully supported in HTTP methods where the HTTP specification [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3) has explicitly defined semantics for request bodies. In other cases where the HTTP spec discourages message content (such as [GET](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1) and [DELETE](https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.5)), `requestBody` is permitted but does not have well-defined semantics and SHOULD be avoided if possible. | | responses | [Responses Object](#responses-object) | The list of possible responses as they are returned from executing this operation. | | callbacks | Map[`string`, [Callback Object](#callback-object) \| [Reference Object](#reference-object)] | A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a [Callback Object](#callback-object) that describes a request that may be initiated by the API provider and the expected responses. | | deprecated | `boolean` | Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is `false`. | @@ -986,67 +688,7 @@ Describes a single API operation on a path. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Operation Object Example - -```json -{ - "tags": ["pet"], - "summary": "Updates a pet in the store with form data", - "operationId": "updatePetWithForm", - "parameters": [ - { - "name": "petId", - "in": "path", - "description": "ID of pet that needs to be updated", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/x-www-form-urlencoded": { - "schema": { - "type": "object", - "properties": { - "name": { - "description": "Updated name of the pet", - "type": "string" - }, - "status": { - "description": "Updated status of the pet", - "type": "string" - } - }, - "required": ["status"] - } - } - } - }, - "responses": { - "200": { - "description": "Pet updated.", - "content": { - "application/json": {}, - "application/xml": {} - } - }, - "405": { - "description": "Method Not Allowed", - "content": { - "application/json": {}, - "application/xml": {} - } - } - }, - "security": [ - { - "petstore_auth": ["write:pets", "read:pets"] - } - ] -} -``` +#### Operation Object Example ```yaml tags: @@ -1091,11 +733,11 @@ security: - read:pets ``` -#### External Documentation Object +### External Documentation Object Allows referencing an external resource for extended documentation. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -1104,21 +746,14 @@ Allows referencing an external resource for extended documentation. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### External Documentation Object Example - -```json -{ - "description": "Find more info here", - "url": "https://example.com" -} -``` +#### External Documentation Object Example ```yaml description: Find more info here url: https://example.com ``` -#### Parameter Object +### Parameter Object Describes a single operation parameter. @@ -1126,85 +761,141 @@ A unique parameter is defined by a combination of a [name](#parameter-name) and See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns, including interactions with the `application/x-www-form-urlencoded` query string format. -##### Parameter Locations +#### Parameter Locations -There are four possible parameter locations specified by the `in` field: +There are five possible parameter locations specified by the `in` field: * path - Used together with [Path Templating](#path-templating), where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in `/items/{itemId}`, the path parameter is `itemId`. -* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`. -* header - Custom headers that are expected as part of the request. Note that [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. +* query - Parameters that are appended to the URL. For example, in `/items?id=###`, the query parameter is `id`; MUST NOT appear in the same operation (or in the operation's path-item) as an `in: "querystring"` parameter. +* querystring - A parameter that treats the entire URL query string as a value which MUST be specified using the `content` field, most often with media type `application/x-www-form-urlencoded` using [Encoding Objects](#encoding-object) in the same way as with request bodies of that media type; MUST NOT appear more than once, and MUST NOT appear in the same operation (or in the operation's path-item) as any `in: "query"` parameters. +* header - Custom headers that are expected as part of the request. Note that [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case-insensitive. * cookie - Used to pass a specific cookie value to the API. -##### Fixed Fields +#### Fixed Fields The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a `content` field or a `schema` field, but not both. See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used with either `content` or `schema`. +The `example` and `examples` fields are mutually exclusive; see [Working with Examples](#working-with-examples) for guidance on validation requirements. + | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| -| in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"header"`, `"path"` or `"cookie"`. | +| name | `string` | **REQUIRED**. The name of the parameter. Parameter names are _case-sensitive_.
  • If [`in`](#parameter-in) is `"path"`, the `name` field MUST correspond to a single template expression occurring within the [path](#paths-path) field in the [Paths Object](#paths-object). See [Path Templating](#path-templating) for further information.
  • If [`in`](#parameter-in) is `"header"` and the `name` field is `"Accept"`, `"Content-Type"` or `"Authorization"`, the parameter definition SHALL be ignored.
  • If `in` is `"querystring"`, or for [certain combinations](#style-examples) of [`style`](#parameter-style) and [`explode`](#parameter-explode), the value of `name` is not used in the parameter serialization.
  • For all other cases, the `name` corresponds to the parameter name used by the [`in`](#parameter-in) field.
| +| in | `string` | **REQUIRED**. The location of the parameter. Possible values are `"query"`, `"querystring"`, `"header"`, `"path"` or `"cookie"`. | | description | `string` | A brief description of the parameter. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this parameter is mandatory. If the [parameter location](#parameter-in) is `"path"`, this field is **REQUIRED** and its value MUST be `true`. Otherwise, the field MAY be included and its default value is `false`. | | deprecated | `boolean` | Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | -| allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters. Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | +| allowEmptyValue | `boolean` | If `true`, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is `false`. If [`style`](#parameter-style) is used, and if [behavior is _n/a_ (cannot be serialized)](#style-examples), the value of `allowEmptyValue` SHALL be ignored. Interactions between this field and the parameter's [Schema Object](#schema-object) are implementation-defined. This field is valid only for `query` parameters.

**Deprecated:** Use of this field is NOT RECOMMENDED, and it is likely to be removed in a later revision. | +| example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | This object MAY be extended with [Specification Extensions](#specification-extensions). Note that while `"Cookie"` as a `name` is not forbidden if `in` is `"header"`, the effect of defining a cookie parameter that way is undefined; use `in: "cookie"` instead. -###### Fixed Fields for use with `schema` +##### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#parameter-schema) and [`style`](#parameter-style) can describe the structure and syntax of the parameter. -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. -Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters, `in: "header"` parameters that use HTTP header parameters (name=value pairs following a `;`) in their values, or `in: "header"` parameters where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. +These fields MUST NOT be used with `in: "querystring"`. + +Care is needed for parameters with `schema` that have `in: "header"` or `in: "cookie", style: "cookie"`: + +* When serializing these values, URI percent-encoding MUST NOT be applied. +* When parsing these parameters, any apparent percent-encoding MUST NOT be decoded. +* If using an RFC6570 implementation that automatically performs encoding or decoding steps, the steps MUST be undone before use. + +In these cases, implementations MUST pass values through unchanged rather than attempting to quote or escape them, as the quoting rules for headers and escaping conventions for cookies vary too widely to be performed automatically; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"`. | -| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this field has no effect. When [`style`](#parameter-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. This field only applies to parameters with an `in` value of `query`. The default value is `false`. | +| style | `string` | Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of `in`): for `"query"` - `"form"`; for `"path"` - `"simple"`; for `"header"` - `"simple"`; for `"cookie"` - `"form"` (for compatibility reasons; note that `style: "cookie"` SHOULD be used with `in: "cookie"`; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details). | +| explode | `boolean` | When this is true, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, or when [`style`](#parameter-style) is `"deepObject"`, this field has no effect. When `style` is `"form"` or `"cookie"`, the default value is `true`. For all other styles, the default value is `false`. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed by the rules of the `in` destination or media type, or are [not allowed in the path by this specification](#path-templating); see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field only applies to `in` and `style` values that automatically percent-encode. | | schema | [Schema Object](#schema-object) | The schema defining the type used for the parameter. | -| example | Any | Example of the parameter's potential value; see [Working With Examples](#working-with-examples). | -| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the parameter's potential value; see [Working With Examples](#working-with-examples). | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. -###### Fixed Fields for use with `content` +##### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate. + +For use with `in: "querystring"` and `application/x-www-form-urlencoded`, see [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type). | Field Name | Type | Description | | ---- | :----: | ---- | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry. | -##### Style Values +#### Style Values -In order to support common ways of serializing simple parameters, a set of `style` values are defined. +In order to support common ways of serializing simple parameters, a set of `style` values are defined. Combinations not represented in this table are not permitted. | `style` | [`type`](#data-types) | `in` | Comments | | ---- | ---- | ---- | ---- | -| matrix | `primitive`, `array`, `object` | `path` | Path-style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.7) | -| label | `primitive`, `array`, `object` | `path` | Label style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.5) | -| simple | `primitive`, `array`, `object` | `path`, `header` | Simple style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.2). This option replaces `collectionFormat` with a `csv` value from OpenAPI 2.0. | -| form | `primitive`, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | -| spaceDelimited | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | -| pipeDelimited | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | -| deepObject | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined. | +| `matrix` | primitive, `array`, `object` | `path` | Path-style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.7) | +| `label` | primitive, `array`, `object` | `path` | Label style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.5) | +| `simple` | primitive, `array`, `object` | `path`, `header` | Simple style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.2). This option replaces `collectionFormat` with a `csv` value from OpenAPI 2.0. | +| `form` | primitive, `array`, `object` | `query`, `cookie` | Form style parameters defined by [RFC6570](https://tools.ietf.org/html/rfc6570#section-3.2.8). This option replaces `collectionFormat` with a `csv` (when `explode` is false) or `multi` (when `explode` is true) value from OpenAPI 2.0. | +| `spaceDelimited` | `array`, `object` | `query` | Space separated array values or object properties and values. This option replaces `collectionFormat` equal to `ssv` from OpenAPI 2.0. | +| `pipeDelimited` | `array`, `object` | `query` | Pipe separated array values or object properties and values. This option replaces `collectionFormat` equal to `pipes` from OpenAPI 2.0. | +| `deepObject` | `object` | `query` | Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined (but see [Extending Support for Querystring Formats](#extending-support-for-querystring-formats) for alternatives). | +| `cookie` | primitive, `array`, `object` | `cookie` | Analogous to `form`, but following [[RFC6265]] `Cookie` syntax rules, meaning that name-value pairs are separated by a semicolon followed by a single space (e.g. `n1=v1; n2=v2`), and no percent-encoding or other escaping is applied; data values that require any sort of escaping MUST be provided in escaped form. | + +#### URL Percent-Encoding + +All API URLs MUST successfully parse and percent-decode using [[RFC3986]] rules. + +Content in the `application/x-www-form-urlencoded` format, including query strings produced by [Parameter Objects](#parameter-object) with `in: "query"`, MUST also successfully parse and percent-decode using [[WHATWG-URL]] rules, including treating non-percent-encoded `+` as an escaped space character. + +These requirements are specified in terms of percent-_decoding_ rules, which are consistently tolerant across different versions of the various standards that apply to URIs. + +Percent-_encoding_ is performed in several places: + +* By [[RFC6570]] implementations (or simulations thereof; see [Appendix C](#appendix-c-using-rfc6570-based-serialization)) +* By the Parameter or [Encoding](#encoding-object) Objects when incorporating a value serialized with a [Media Type Object](#media-type-object) for a media type that does not already incorporate URI percent-encoding +* By the user, prior to passing data through RFC6570's reserved expansion process + +When percent-encoding, the safest approach is to percent-encode all characters not in RFC3986's "unreserved" set, and for `form-urlencoded` to also percent-encode the tilde character (`~`) to align with historical requirements that are traced back to [[?RFC1738]], the URI RFC at the time `form-urlencoded` was created. +This approach is used in examples in this specification. + +For `form-urlencoded`, while the encoding algorithm given by [[WHATWG-URL]] requires escaping the space character as `+`, percent-encoding it as `%20` also meets the above requirements. +Examples in this specification will prefer `%20` when using RFC6570's default (non-reserved) form-style expansion, and `+` otherwise. + +Reserved characters MUST NOT be percent-encoded when being used for reserved purposes such as `&=+` for `form-urlencoded` or `,` for delimiting non-exploded array and object values in RFC6570 expansions. +The result of inserting non-percent-encoded delimiters into data using manual percent-encoding, including via RFC6570's reserved expansion rules, is undefined and will likely prevent implementations from parsing the results back into the correct data structures. +In some cases, such as inserting `/` into path parameter values, doing so is [explicitly forbidden](#path-templating) by this specification. + +See also: + +* [Appendix C](#appendix-c-using-rfc6570-based-serialization) for guidance on using or simulating/extending RFC6570 implementations. +* [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on percent-encoding and cookies, as well as other escaping approaches for headers and cookies. +* [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding options, compatibility, and handling OAS-defined delimiters that are not allowed by RFC3986. + +#### Serialization and Examples + +The rules in this section apply to both the Parameter and [Header](#header-object) Objects, both of which use the same mechanisms. + +When showing serialized examples, such as with the [Example Object's](#example-object) `serializedValue` or `externalValue` fields, in most cases the value to show is just the value, with all relevant percent-encoding or other encoding/escaping applied, and also including any delimiters produced by the `style` and `explode` configuration. -See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a discussion of percent-encoding, including when delimiters need to be percent-encoded and options for handling collisions with percent-encoded data. +In cases where the name is an inherent part of constructing the serialization, such as the `name=value` pairs produced by `style: "form"` or the combination of `style: "simple", explode: true`, the name and any delimiter between the name and value MUST be included. -##### Style Examples +The `matrix` and `label` styles produce a leading delimiter which is always a valid part of the serialization and MUST be included. +The RFC6570 operators corresponding to `style: "form"` produce a leading delimiter of either `?` or `&` depending on the exact syntax used. +As the suitability of either delimiter depends on where in the query string the parameter occurs, as well as whether it is in a URI or in `application/x-www-form-urlencoded` content, this leading delimiter MUST NOT be included in examples of individual parameters or media type documents. +For `in: "cookie", style: "form"`, neither the `&` nor `?` delimiters are ever correct; see [Appendix D: Serializing Headers and Cookies](#appendix-d-serializing-headers-and-cookies) for more details. -Assume a parameter named `color` has one of the following values: +For headers, the header name MUST NOT be included as part of the serialization, as it is never part of the RFC6570-derived result. +However, names produced by `style: "simple", explode: "true"` are included as they appear within the header value, not as separate headers. +See the [Header Object](#header-object) for special rules for showing examples of the `Set-Cookie` response header, which violates the normal rules for multiple header values. + +#### Style Examples + +Assume a parameter named `color` has one of the following values, where the value to the right of the `->` is what would be shown in the `dataValue` field of an Example Object: ```js string -> "blue" @@ -1212,14 +903,13 @@ Assume a parameter named `color` has one of the following values: object -> { "R": 100, "G": 200, "B": 150 } ``` -The following table shows examples, as would be shown with the `example` or `examples` keywords, of the different serializations for each value. +The following table shows serialized examples, as would be shown with the `serializedValue` field of an Example Object, of the different serializations for each value. -* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field -* The behavior of combinations marked _n/a_ is undefined -* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined -* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, each example is shown prefixed with `?` as if it were the only query parameter; see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and cookie parameters -* Note that the `?` prefix is not appropriate for serializing `application/x-www-form-urlencoded` HTTP message bodies, and MUST be stripped or (if constructing the string manually) not added when used in that context; see the [Encoding Object](#encoding-object) for more information -* The examples are percent-encoded as required by RFC6570 and RFC3986; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. +* The value _empty_ denotes the empty string, and is unrelated to the `allowEmptyValue` field. +* The behavior of combinations marked _n/a_ is undefined. +* The `undefined` column replaces the `empty` column in previous versions of this specification in order to better align with [RFC6570](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.3) terminology, which describes certain values including but not limited to `null` as "undefined" values with special handling; notably, the empty string is _not_ undefined. +* For `form` and the non-RFC6570 query string styles `spaceDelimited`, `pipeDelimited`, and `deepObject`, see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more information on constructing query strings from multiple parameters, and [Appendix D](#appendix-d-serializing-headers-and-cookies) for warnings regarding `form` and `cookie` parameters. +* The examples are percent-encoded as explained in the [URL Percent-Encoding](#url-percent-encoding) section above; see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a thorough discussion of percent-encoding concerns, including why unencoded `|` (`%7C`), `[` (`%5B`), and `]` (`%5D`) seem to work in some environments despite not being compliant. | [`style`](#style-values) | `explode` | `undefined` | `string` | `array` | `object` | | ---- | ---- | ---- | ---- | ---- | ---- | @@ -1229,38 +919,32 @@ The following table shows examples, as would be shown with the `example` or `exa | label | true | . | .blue | .blue.black.brown | .R=100.G=200.B=150 | | simple | false | _empty_ | blue | blue,black,brown | R,100,G,200,B,150 | | simple | true | _empty_ | blue | blue,black,brown | R=100,G=200,B=150 | -| form | false | ?color= | ?color=blue | ?color=blue,black,brown | ?color=R,100,G,200,B,150 | -| form | true | ?color= | ?color=blue | ?color=blue&color=black&color=brown | ?R=100&G=200&B=150 | -| spaceDelimited | false | _n/a_ | _n/a_ | ?color=blue%20black%20brown | ?color=R%20100%20G%20200%20B%20150 | +| form | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | +| form | true | color= | color=blue | color=blue&color=black&color=brown | R=100&G=200&B=150 | +| spaceDelimited | false | _n/a_ | _n/a_ | color=blue%20black%20brown | color=R%20100%20G%20200%20B%20150 | | spaceDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| pipeDelimited | false | _n/a_ | _n/a_ | ?color=blue%7Cblack%7Cbrown | ?color=R%7C100%7CG%7C200%7CB%7C150 | +| pipeDelimited | false | _n/a_ | _n/a_ | color=blue%7Cblack%7Cbrown | color=R%7C100%7CG%7C200%7CB%7C150 | | pipeDelimited | true | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | false | _n/a_ | _n/a_ | _n/a_ | _n/a_ | -| deepObject | true | _n/a_ | _n/a_ | _n/a_ | ?color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| deepObject | _n/a_ | _n/a_ | _n/a_ | _n/a_ | color%5BR%5D=100&color%5BG%5D=200&color%5BB%5D=150 | +| cookie | false | color= | color=blue | color=blue,black,brown | color=R,100,G,200,B,150 | +| cookie | true | color= | color=blue | color=blue; color=black; color=brown | R=100; G=200; B=150 | -##### Parameter Object Examples +#### Extending Support for Querystring Formats -A header parameter with an array of 64-bit integer numbers: +Many frameworks define query string syntax for complex values, such as appending array indices to parameter names or indicating multiple levels of of nested objects, which go well beyond the capabilities of the `deepObject` style. -```json -{ - "name": "token", - "in": "header", - "description": "token to be passed as a header", - "required": true, - "schema": { - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "style": "simple" -} -``` +As these are not standards, and often contradict each other, the OAS does not attempt to support them directly. +Two avenues are available for supporting such formats with `in: "querystring"`: + +* Use `content` and `text/plain` with a schema of `type: "string"` and define the format outside of OpenAPI. While this requires more work to document and construct or parse the format, which is seen as a plain string from the OpenAPI perspective, it provides the easiest flexible option +* Define a media type (which need not necessarily be [IANA-registered](https://www.rfc-editor.org/rfc/rfc6838.html)) and a process for mapping in-memory data to the serialized media type. To increase the likelihood of support across multiple tools, submit a registration for the media type and process to the OpenAPI Initiative's [Media Type Registry](#openapi-media-type-registry). + +#### Parameter Object Examples + +A header parameter with an array of 64-bit integer numbers: ```yaml -name: token +name: X-Token in: header description: token to be passed as a header required: true @@ -1270,22 +954,63 @@ schema: type: integer format: int64 style: simple +examples: + Tokens: + dataValue: + - 12345678 + - 90099 + serializedValue: "12345678,90099" ``` -A path parameter of a string value: -```json -{ - "name": "username", - "in": "path", - "description": "username to fetch", - "required": true, - "schema": { - "type": "string" - } -} +A cookie parameter with an exploded object (the default for `style: "cookie"`): + +```yaml +name: cookie +in: cookie +style: cookie +schema: + type: object + properties: + greeting: + type: string + code: + type: integer + minimum: 0 +examples: + Object: + description: | + Note that the comma (,) has been pre-percent-encoded + to "%2C" in the data, as it is forbidden in + cookie values. However, the exclamation point (!) + is legal in cookies, so it can be left unencoded. + dataValue: + greeting: Hello%2C world! + code: 42 + serializedValue: "greeting=Hello%2C world!; code=42" +``` + +A cookie parameter relying on the percent-encoding behavior of the default `style: "form"`: + +```yaml +name: greeting +in: cookie +schema: + type: string +examples: + Greeting: + description: | + Note that in this approach, RFC6570's percent-encoding + process applies, so unsafe characters are not + pre-percent-encoded. This results in all non-URL-safe + characters, rather than just the one non-cookie-safe + character, getting percent-encoded. + dataValue: Hello, world! + serializedValue: "greeting=Hello%2C%20world%21" ``` +A path parameter of a string value: + ```yaml name: username in: path @@ -1293,31 +1018,24 @@ description: username to fetch required: true schema: type: string +examples: + "Edsger Dijkstra": + dataValue: edijkstra + serializedValue: edijkstra + Diṅnāga: + dataValue: diṅnāga + serializedValue: di%E1%B9%85n%C4%81ga + Al-Khwarizmi: + dataValue: "الخوارزميّ" + serializedValue: "%D8%A7%D9%84%D8%AE%D9%88%D8%A7%D8%B1%D8%B2%D9%85%D9%8A%D9%91" ``` -An optional query parameter of a string value, allowing multiple values by repeating the query parameter: - -```json -{ - "name": "id", - "in": "query", - "description": "ID of the object to fetch", - "required": false, - "schema": { - "type": "array", - "items": { - "type": "string" - } - }, - "style": "form", - "explode": true -} -``` +An optional query parameter of a string value, allowing multiple values by repeating the query parameter +(Note that we use `"%20"` in place of `" "` (space) because that is how RFC6570 handles it; for guidance on using `+` to represent the space character, see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for more guidance on these escaping options): ```yaml -name: id +name: thing in: query -description: ID of the object to fetch required: false schema: type: array @@ -1325,23 +1043,15 @@ schema: type: string style: form explode: true +examples: + ObjectList: + dataValue: + - one thing + - another thing + serializedValue: "thing=one%20thing&thing=another%20thing" ``` -A free-form query parameter, allowing undefined parameters of a specific type: - -```json -{ - "in": "query", - "name": "freeForm", - "schema": { - "type": "object", - "additionalProperties": { - "type": "integer" - } - }, - "style": "form" -} -``` +A free-form query parameter, allowing arbitrary parameters of `type: "integer"`: ```yaml in: query @@ -1351,32 +1061,15 @@ schema: additionalProperties: type: integer style: form +examples: + Pagination: + dataValue: + page: 4 + pageSize: 50 + serializeValue: page=4&pageSize=50 ``` -A complex parameter using `content` to define serialization: - -```json -{ - "in": "query", - "name": "coordinates", - "content": { - "application/json": { - "schema": { - "type": "object", - "required": ["lat", "long"], - "properties": { - "lat": { - "type": "number" - }, - "long": { - "type": "number" - } - } - } - } - } -} -``` +A complex parameter using `content` to define serialization, with multiple levels and types of examples shown to make the example usage options clear — note that `dataValue` is the same at both levels and does not need to be shown in both places in normal usage, but `serializedValue` is different: ```yaml in: query @@ -1393,72 +1086,136 @@ content: type: number long: type: number + examples: + dataValue: + lat: 10 + long: 60 + serializedValue: '{"lat":10,"long":60}' +examples: + dataValue: + lat: 10 + long: 60 + serializedValue: coordinates=%7B%22lat%22%3A10%2C%22long%22%3A60%7D +``` + +A querystring parameter using regular form encoding, but managed with a Media Type Object. +This shows spaces being handled per the `application/x-www-form-urlencoded` media type rules (encode as `+`) rather than the RFC6570 process (encode as `%20`); see [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on this distinction. +Examples are shown at both the media type and parameter level to emphasize that, since `application/x-www-form-urlencoded` is suitable for use in query strings by definition, no further encoding or escaping is applied to the serialized media type value: + +```yaml +in: querystring +content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + foo: + type: string + bar: + type: boolean + examples: + spacesAndPluses: + description: Note handling of spaces and "+" per media type. + dataValue: + foo: a + b + bar: true + serializedValue: foo=a+%2B+b&bar=true +examples: + spacesAndPluses: + description: | + Note that no additional percent encoding is done, as this + media type is URI query string-ready by definition. + dataValue: + foo: a + b + bar: true + serializedValue: foo=a+%2B+b&bar=true +``` + +A querystring parameter that uses JSON for the entire string (not as a single query parameter value). +The `dataValue` field is shown at both levels to fully illustrate both ways of providing an example. +As seen below, this is redundant and need not be done in practice: + +```yaml +in: querystring +name: json +content: + application/json: + schema: + type: object + properties: + numbers: + type: array + items: + type: integer + flag: + type: [boolean, "null"] + examples: + TwoNoFlag: + description: Serialize with minimized whitespace + dataValue: + numbers: + - 1 + - 2 + flag: null + serializedValue: '{"numbers":[1,2],"flag":null}' +examples: + TwoNoFlag: + dataValue: + numbers: + - 1 + - 2 + flag: null + serializedValue: "%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D" +``` + +Assuming a path of `/foo`, a server of `https://example.com`, the full URL incorporating the value from `serializedValue` would be: + +```uri +https://example.com/foo?%7B%22numbers%22%3A%5B1%2C2%5D%2C%22flag%22%3Anull%7D +``` + +A querystring parameter that uses [[?RFC9535|JSONPath]]. +Note that in this example we not only do not repeat `dataValue`, but we use the shorthand `example` because the `application/jsonpath` value is a string that, at the media type level, is serialized as-is: + +```yaml +in: querystring +name: selector +content: + application/jsonpath: + schema: + type: string + example: $.a.b[1:1] +examples: + Selector: + serializedValue: "%24.a.b%5B1%3A1%5D" +``` + +As there is not, as of this writing, a [registered](#openapi-media-type-registry) mapping between the JSON Schema data model and JSONPath, the details of the string's allowed structure would need to be conveyed either in a human-readable `description` field, or through a mechanism outside of the OpenAPI Description, such as a JSON Schema for the data structure to be queried. + +Assuming a path of `/foo` and a server of `https://example.com`, the full URL incorporating the value from `serializedValue` would be: + +```uri +https://example.com/foo?%24.a.b%5B1%3A1%5D ``` -#### Request Body Object +### Request Body Object Describes a single request body. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the request body. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | **REQUIRED**. The content of the request body. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. The map SHOULD have at least one entry; if it does not, the behavior is implementation-defined. For requests that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | required | `boolean` | Determines if the request body is required in the request. Defaults to `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Request Body Examples +#### Request Body Examples A request body with a referenced schema definition. -```json -{ - "description": "user to add to the system", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/User" - }, - "examples": { - "user": { - "summary": "User Example", - "externalValue": "https://foo.bar/examples/user-example.json" - } - } - }, - "application/xml": { - "schema": { - "$ref": "#/components/schemas/User" - }, - "examples": { - "user": { - "summary": "User example in XML", - "externalValue": "https://foo.bar/examples/user-example.xml" - } - } - }, - "text/plain": { - "examples": { - "user": { - "summary": "User example in Plain text", - "externalValue": "https://foo.bar/examples/user-example.txt" - } - } - }, - "*/*": { - "examples": { - "user": { - "summary": "User example in other format", - "externalValue": "https://foo.bar/examples/user-example.whatever" - } - } - } - } -} -``` - ```yaml description: user to add to the system content: @@ -1488,101 +1245,414 @@ content: externalValue: https://foo.bar/examples/user-example.whatever ``` -#### Media Type Object +### Media Type Object -Each Media Type Object provides schema and examples for the media type identified by its key. +Each Media Type Object describes content structured in accordance with the media type identified by its key. +Multiple Media Type Objects can be used to describe content that can appear in any of several different media types. When `example` or `examples` are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +The `example` and `examples` fields are mutually exclusive. See [Working With Examples](#working-with-examples) for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| schema | [Schema Object](#schema-object) | The schema defining the content of the request, response, parameter, or header. | +| schema | [Schema Object](#schema-object) | A schema describing the complete content of the request, response, parameter, or header. | +| itemSchema | [Schema Object](#schema-object) | A schema describing each item within a [sequential media type](#sequential-media-types). | | example | Any | Example of the media type; see [Working With Examples](#working-with-examples). | | examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the media type; see [Working With Examples](#working-with-examples). | -| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The `encoding` field SHALL only apply to [Request Body Objects](#request-body-object), and only when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | A map between a property name and its encoding information, as defined under [Encoding By Name](#encoding-by-name). The `encoding` field SHALL only apply when the media type is `multipart` or `application/x-www-form-urlencoded`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `prefixEncoding` or `itemEncoding` are present. | +| prefixEncoding | [[Encoding Object](#encoding-object)] | An array of positional encoding information, as defined under [Encoding By Position](#encoding-by-position). The `prefixEncoding` field SHALL only apply when the media type is `multipart`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `encoding` is present. | +| itemEncoding | [Encoding Object](#encoding-object) | A single Encoding Object that provides encoding information for multiple array items, as defined under [Encoding By Position](#encoding-by-position). The `itemEncoding` field SHALL only apply when the media type is `multipart`. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object. This field MUST NOT be present if `encoding` is present. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Media Type Examples +#### Media Types -```json -{ - "application/json": { - "schema": { - "$ref": "#/components/schemas/Pet" - }, - "examples": { - "cat": { - "summary": "An example of a cat", - "value": { - "name": "Fluffy", - "petType": "Cat", - "color": "White", - "gender": "male", - "breed": "Persian" - } - }, - "dog": { - "summary": "An example of a dog with a cat's name", - "value": { - "name": "Puma", - "petType": "Dog", - "color": "Black", - "gender": "Female", - "breed": "Mixed" - } - }, - "frog": { - "$ref": "#/components/examples/frog-example" - } - } - } -} -``` +Media types are publicly registered with the [IANA media types registry](https://www.iana.org/assignments/media-types/media-types.xhtml), through process documented in [[?RFC6838]]. -```yaml -application/json: - schema: - $ref: '#/components/schemas/Pet' - examples: - cat: - summary: An example of a cat - value: - name: Fluffy - petType: Cat - color: White - gender: male - breed: Persian - dog: - summary: An example of a dog with a cat's name - value: - name: Puma - petType: Dog - color: Black - gender: Female - breed: Mixed - frog: - $ref: '#/components/examples/frog-example' -``` +APIs also sometimes define private media types such as GitHub's `application/vnd.github.v3+json`, which are not registered, and other media types such as `application/schema+json` become widely used before an intended registration. -##### Considerations for File Uploads +See [Parsing and Serializing](#parsing-and-serializing) under the [Schema Object](#schema-object) for guidance on using schemas with a variety of media types. -In contrast to OpenAPI 2.0, `file` input/output content in OAS 3.x is described with the same semantics as any other schema type. +##### OpenAPI Media Type Registry -In contrast to OAS 3.0, the `format` keyword has no effect on the content-encoding of the schema in OAS 3.1. Instead, JSON Schema's `contentEncoding` and `contentMediaType` keywords are used. See [Working With Binary Data](#working-with-binary-data) for how to model various scenarios with these keywords, and how to migrate from the previous `format` usage. +The OpenAPI Initiative maintains a [Media Type Registry](https://spec.openapis.org/registry/media-type/) summarizing media type support expected by this specification and providing an index to which sections address which media types. +It also links to IANA registrations (where they exist) and to the most notable specification document(s) related to each media type. +Any additional media types added to this registry as extensions or for later versions of this or other OpenAPI specifications MAY be supported by implementations of this version of the OAS. -Examples: +#### Complete vs Streaming Content -Content transferred in binary (octet-stream) MAY omit `schema`: +The `schema` field MUST be applied to the complete content, as defined by the media type and the context ([Request Body Object](#request-body-object), [Response Object](#response-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). +Because this requires loading the content into memory in its entirety, it poses a challenge for streamed content. +Use cases where clients are intended to choose when to stop reading are particularly challenging as there is no well-defined end to the stream. -```yaml -# a PNG image as a binary file: -content: - image/png: {} +##### Sequential Media Types + +Within this specification, a _sequential media type_ is defined as any media type that consists of a repeating structure, without any sort of header, footer, envelope, or other metadata in addition to the sequence. + +Some examples of sequential media types (including some that are not IANA-registered but are in common use) are: + +```text + application/jsonl + application/x-ndjson + application/json-seq + application/geo+json-seq + text/event-stream + multipart/mixed +``` + +In the first three above, the repeating structure is any [JSON value](https://tools.ietf.org/html/rfc8259#section-3). +The fourth repeats `application/geo+json`-structured values, while `text/event-stream` repeats a custom text format related to Server-Sent Events. +The final media type listed above, `multipart/mixed`, provides an ordered list of documents of any media type, and is sometimes streamed. +Note that while `multipart` formats technically allow a preamble and an epilogue, the RFC directs that they are to be ignored, making them effectively comments, and this specification does not model them. + +Implementations MUST support mapping sequential media types into the JSON Schema data model by treating them as if the values were in an array in the same order. + +See [Complete vs Streaming Content](#complete-vs-streaming-content) for more information on handling sequential media types in a streaming context, including special considerations for `text/event-stream` content. +For `multipart` types, see also [Encoding By Position](#encoding-by-position). + +###### Streaming Sequential Media Types + +The `itemSchema` field is provided to support streaming use cases for sequential media types, with `itemEncoding` as a corresponding encoding mechanism for streaming [positional `multipart` media types](#encoding-by-position). + +Unlike `schema`, which is applied to the complete content (treated as an array as described in the [sequential media types](#sequential-media-types) section), `itemSchema` MUST be applied to each item in the stream independently, which supports processing each item as it is read from the stream. + +Both `schema` and `itemSchema` MAY be used in the same Media Type Object. +However, doing so is unlikely to have significant advantages over using the `items` keyword within the `schema` field. + +##### Binary Streams + +The `maxLength` keyword MAY be used to set an expected upper bound on the length of a streaming payload that consists of either string data, including encoded binary data, or unencoded binary data. +For unencoded binary data, the length is the number of octets. +For this use case, `maxLength` MAY be implemented outside of regular JSON Schema evaluation as JSON Schema does not directly apply to binary data, and an encoded binary stream may be impractical to store in memory in its entirety. + +#### Special Considerations for Server-Sent Events + +For `text/event-stream`, implementations MUST work with event data after it has been parsed according to the [`text/event-stream` specification](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream), including all guidance on ignoring certain fields (including comments) and/or values, and on combining values split across multiple lines. + +Field value types MUST be handled as specified by the `text/event-stream` specification (e.g. the `retry` field value is modeled as a JSON number that is expected to be of JSON Schema `type: integer`), and fields not given an explicit value type MUST be handled as strings. + +Some users of `text/event-stream` use a format such as JSON for field values, particularly the `data` field. +Use JSON Schema's keywords for working with the [contents of string-encoded data](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-a-vocabulary-for-the-conten), particularly `contentMediaType` and `contentSchema`, to describe and validate such fields with more detail than string-related validation keywords such as `pattern` can support. +Note that `contentSchema` is [not automatically validated by default](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#name-implementation-requirements-2) (see also the [Non-validating constraint keywords](#non-validating-constraint-keywords) section of this specification). + +The following Schema Object is a generic schema for the `text/event-stream` media type as documented by the [[?HTML]] specification as of the time of this writing: + +```yaml +type: object +required: +- data +properties: + data: + type: string + event: + type: string + id: + type: string + retry: + type: integer + minimum: 0 +``` + +#### Encoding Usage and Restrictions + +These encoding fields define how to map each [Encoding Object](#encoding-object) to a specific value in the data. +Each field has its own set of media types with which it can be used; for all other media types all three fields SHALL be ignored. + +##### Encoding By Name + +The behavior of the `encoding` field is designed to support web forms, and is therefore only defined for media types structured as name-value pairs that allow repeat values, most notably `application/x-www-form-urlencoded` and `multipart/form-data`. + +To use the `encoding` field, each key under the field MUST exist as a property; `encoding` entries with no corresponding property SHALL be ignored. +Array properties MUST be handled by applying the given Encoding Object to produce one encoded value per array item, each with the same `name`, as is recommended by [[!RFC7578]] [Section 4.3](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. +For all other value types for both top-level non-array properties and for values, including array values, within a top-level array, the Encoding Object MUST be applied to the entire value. +The order of these name-value pairs in the target media type is implementation-defined. + +For `application/x-www-form-urlencoded`, the encoding keys MUST map to parameter names, with the values produced according to the rules of the [Encoding Object](#encoding-object). +See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. + +For `multipart`, the encoding keys MUST map to the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part, as is defined for `multipart/form-data` in [[!RFC7578]]. +See [[!RFC7578]] [Section 5](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. + +See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. + +##### Encoding By Position + +Most `multipart` media types, including `multipart/mixed` which defines the underlying rules for parsing all `multipart` types, do not have named parts. +Data for these media types are modeled as an array, with one item per part, in order. + +To use the `prefixEncoding` and/or `itemEncoding` fields, either `itemSchema` or an array `schema` MUST be present. +These fields are analogous to the `prefixItems` and `items` JSON Schema keywords, with `prefixEncoding` (if present) providing an array of Encoding Objects that are each applied to the value at the same position in the data array, and `itemEncoding` applying its single Encoding Object to all remaining items in the array. +As with `prefixItems`, it is _not_ an error if the instance array is shorter than the `prefixEncoding` array; the additional Encoding Objects SHALL be ignored. + +The `itemEncoding` field can also be used with `itemSchema` to support streaming `multipart` content. + +##### Additional Encoding Approaches + +The `prefixEncoding` field can be used with any `multipart` content to require a fixed part order. +This includes `multipart/form-data`, for which the Encoding Object's `headers` field MUST be used to provide the `Content-Disposition` and part name, as no property names exist to provide the names automatically. + +Prior versions of this specification advised using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of the `Content-Disposition: form-data` header of each part with `multipart` media types other than `multipart/form-data` in order to work around the limitations of the `encoding` field. +Implementations MAY choose to support this workaround, but as this usage is not common, implementations of non-`form-data` `multipart` media types are unlikely to support it. + +#### Media Type Examples + +For form-related and `multipart` media type examples, see the [Encoding Object](#encoding-object). + +##### JSON + +Note that since this example is written in YAML, the Example Object's `value` field can be formatted as YAML due to the trivial conversion to JSON. +This avoids needing to embed JSON as a string. + +```yaml +application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: + name: Fluffy + petType: Cat + color: White + gender: male + breed: Persian + dog: + summary: An example of a dog with a cat's name + value: + name: Puma + petType: Dog + color: Black + gender: Female + breed: Mixed + frog: + $ref: '#/components/examples/frog-example' +``` + +Alternatively, since all JSON is valid YAML, the example value can use JSON syntax within a YAML document: + +```yaml +application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: { + "name": "Fluffy", + "petType": "Cat", + "color": "White", + "gender": "male", + "breed": "Persian" + } + dog: + summary: An example of a dog with a cat's name + value: { + "name": "Puma", + "petType": "Dog", + "color": "Black", + "gender": "Female", + "breed": "Mixed" + } + frog: + $ref: '#/components/examples/frog-example' +``` + +##### Sequential JSON + +For any [sequential media type](#sequential-media-types) where the items in the sequence are JSON values, no conversion of each value is required. +JSON Text Sequences ([[?RFC7464]] `application/json-seq` and [[?RFC8091]] the `+json-seq` structured suffix), [JSON Lines](https://jsonlines.org/) (`application/jsonl`), and [NDJSON](https://github.com/ndjson/ndjson-spec) (`application/x-ndjson`) are all in this category. +Note that the media types for JSON Lines and NDJSON are not registered with the IANA, but are in common use. + +The following example shows Media Type Objects for both streaming log entries and returning a fixed-length set in response to a query. +This shows the relationship between `schema` and `itemSchema`, and when to use each even though the `examples` field is the same either way. + +```yaml +components: + schemas: + LogEntry: + type: object + properties: + timestamp: + type: string + format: date-time + level: + type: integer + minimum: 0 + message: + type: string + Log: + type: array + items: + $ref: "#/components/schemas/LogEntry" + maxItems: 100 + examples: + LogJSONSeq: + summary: Log entries in application/json-seq + # JSON Text Sequences require an unprintable character + # that cannot be escaped in a YAML string, and therefore + # must be placed in an external document shown below + externalValue: examples/log.json-seq + LogJSONPerLine: + summary: Log entries in application/jsonl or application/x-ndjson + description: JSONL and NDJSON are identical for this example + # Note that the value must be written as a string with newlines, + # as JSONL and NDJSON are not valid YAML + value: | + {"timestamp": "1985-04-12T23:20:50.52Z", "level": 1, "message": "Hi!"} + {"timestamp": "1985-04-12T23:20:51.37Z", "level": 1, "message": "Bye!"} + responses: + LogStream: + description: | + A stream of JSON-format log messages that can be read + for as long as the application is running, and is available + in any of the sequential JSON media types. + content: + application/json-seq: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + JSON-SEQ: + $ref: "#/components/examples/LogJSONSeq" + application/jsonl: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + JSONL: + $ref: "#/components/examples/LogJSONPerLine" + application/x-ndjson: + itemSchema: + $ref: "#/components/schemas/LogEntry" + examples: + NDJSON: + $ref: "#/components/examples/LogJSONPerLine" + LogExcerpt: + description: | + A response consisting of no more than 100 log records, + generally as a result of a query of the historical log, + available in any of the sequential JSON media types. + content: + application/json-seq: + schema: + $ref: "#/components/schemas/Log" + examples: + JSON-SEQ: + $ref: "#/components/examples/LogJSONSeq" + application/jsonl: + schema: + $ref: "#/components/schemas/Log" + examples: + JSONL: + $ref: "#/components/examples/LogJSONPerLine" + application/x-ndjson: + schema: + $ref: "#/components/schemas/Log" + examples: + NDJSON: + $ref: "#/components/examples/LogJSONPerLine" +``` + +Our `application/json-seq` example has to be an external document because of the use of both newlines and of the unprintable Record Separator (`0x1E`) character, which cannot be escaped in YAML block literals: + +```jsonseq +0x1E{ + "timestamp": "1985-04-12T23:20:50.52Z", + "level": 1, + "message": "Hi!" +} +0x1E{ + "timestamp": "1985-04-12T23:20:51.37Z", + "level": 1, + "message": "Bye!" +} +``` + +##### Server-Sent Event Streams + +For this example, assume that the generic event schema provided in the [Special Considerations for Server-Sent Events](#special-considerations-for-server-sent-events) section is available at `#/components/schemas/Event`: + +```yaml +description: A request body to add a stream of typed data. +required: true +content: + text/event-stream: + itemSchema: + $ref: "#/components/schemas/Event" + required: [event] + oneOf: + - properties: + event: + const: addString + - properties: + event: + const: addInt64 + data: + $comment: | + Since the `data` field is a string, + we need a format to signal that it + should be handled as a 64-bit integer. + format: int64 + - properties: + event: + const: addJson + data: + $comment: | + These content fields indicate + that the string value should + be parsed and validated as a + JSON document (since JSON is not + a binary format, `contentEncoding` + is not needed) + contentMediaType: application/json + contentSchema: + type: object + required: [foo] + properties: + foo: + type: integer +``` + +The following `text/event-stream` document is an example of a valid request body for the above example: + +```eventstream +event: addString +data: This data is formatted +data: across two lines +retry: 5 + +event: addInt64 +data: 1234.5678 +unknownField: this is ignored + +: This is a comment +event: addJSON +data: {"foo": 42} +``` + +To more clearly see how this stream is handled, the following is the equivalent JSON Lines document, which shows how the numeric and JSON data are handled as strings, and how unknown fields and comments are ignored and not passed to schema validation: + +```jsonl +{"event": "addString", "data": "This data is formatted\nacross two lines", "retry": 5} +{"event": "addInt64", "data": "1234.5678"} +{"event": "addJSON", "data": "{\"foo\": 42}"} +``` + +#### Considerations for File Uploads + +In contrast to OpenAPI 2.0, `file` input/output content in OAS 3.x is described with the same semantics as any other schema type. + +In contrast to OAS 3.0, the `format` keyword has no effect on the content-encoding of the schema in OAS 3.1. Instead, JSON Schema's `contentEncoding` and `contentMediaType` keywords are used. See [Working With Binary Data](#working-with-binary-data) for how to model various scenarios with these keywords, and how to migrate from the previous `format` usage. + +Examples: + +Content transferred in binary (octet-stream) MAY omit `schema`: + +```yaml +# a PNG image as a binary file: +content: + image/png: {} ``` ```yaml @@ -1620,38 +1690,34 @@ requestBody: To upload multiple files, a `multipart` media type MUST be used as shown under [Example: Multipart Form with Multiple Files](#example-multipart-form-with-multiple-files). -##### Support for x-www-form-urlencoded Request Bodies +### Encoding Object -See [Encoding the `x-www-form-urlencoded` Media Type](#encoding-the-x-www-form-urlencoded-media-type) for guidance and examples, both with and without the `encoding` field. - -##### Special Considerations for `multipart` Content - -See [Encoding `multipart` Media Types](#encoding-multipart-media-types) for further guidance and examples, both with and without the `encoding` field. +A single encoding definition applied to a single value, with the mapping of Encoding Objects to values determined by the [Media Type Object](@media-type-object) as described under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). -#### Encoding Object - -A single encoding definition applied to a single schema property. See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. -Properties are correlated with `multipart` parts using the [`name` parameter](https://www.rfc-editor.org/rfc/rfc7578#section-4.2) of `Content-Disposition: form-data`, and with `application/x-www-form-urlencoded` using the query string parameter names. -In both cases, their order is implementation-defined. - See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -##### Fixed Fields +#### Fixed Fields -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used either with or without the RFC6570-style serialization fields defined in the next section below. | Field Name | Type | Description | | ---- | :----: | ---- | -| contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). Default value depends on the property type as shown in the table below. | -| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the request body media type is not a `multipart`. | +| contentType | `string` | The `Content-Type` for encoding a specific property. The value is a comma-separated list, each element of which is either a specific media type (e.g. `image/png`) or a wildcard media type (e.g. `image/*`). The default value depends on the type as shown in the table below. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | A map allowing additional information to be provided as headers. `Content-Type` is described separately and SHALL be ignored in this section. This field SHALL be ignored if the media type is not a `multipart`. | +| encoding | Map[`string`, [Encoding Object](#encoding-object)] | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `encoding` field. | +| prefixEncoding | [[Encoding Object](#encoding-object)] | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `prefixEncoding` field. | +| itemEncoding | [Encoding Object](#encoding-object) | Applies nested Encoding Objects in the same manner as the [Media Type Object](#media-type-object)'s `itemEncoding` field. | This object MAY be extended with [Specification Extensions](#specification-extensions). -The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant: +The default values for `contentType` are as follows, where an _n/a_ in the `contentEncoding` column means that the presence or value of `contentEncoding` is irrelevant. +This table is based on the value to which the Encoding Object is being applied as defined under [Encoding Usage and Restrictions](#encoding-usage-and-restrictions). +Note that in the case of [Encoding By Name](#encoding-by-name), this value is the array item for properties of type `"array"`, and the entire value for all other types. +Therefore the `array` row in this table applies only to array values inside of a top-level array when encoding by name. | `type` | `contentEncoding` | Default `contentType` | | ---- | ---- | ---- | @@ -1660,33 +1726,39 @@ The default values for `contentType` are as follows, where an _n/a_ in the `cont | `string` | _absent_ | `text/plain` | | `number`, `integer`, or `boolean` | _n/a_ | `text/plain` | | `object` | _n/a_ | `application/json` | -| `array` | _n/a_ | according to the `type` of the `items` schema | +| `array` | _n/a_ | `application/json` | Determining how to handle a `type` value of `null` depends on how `null` values are being serialized. If `null` values are entirely omitted, then the `contentType` is irrelevant. See [Appendix B](#appendix-b-data-type-conversion) for a discussion of data type conversion options. -###### Fixed Fields for RFC6570-style Serialization +##### Fixed Fields for RFC6570-style Serialization | Field Name | Type | Description | | ---- | :----: | ---- | -| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including default values. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this field has no effect. When [`style`](#encoding-style) is `"form"`, the default value is `true`. For all other styles, the default value is `false`. Note that despite `false` being the default for `deepObject`, the combination of `false` with `deepObject` is undefined. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are [not allowed in the query string](https://datatracker.ietf.org/doc/html/rfc3986#section-3.4) (`[`, `]`, `#`), or have a special meaning in `application/x-www-form-urlencoded` (`-`, `&`, `+`); see Appendices [C](#appendix-c-using-rfc6570-based-serialization) and [E](#appendix-e-percent-encoding-and-form-media-types) for details. The default value is `false`. This field SHALL be ignored if the request body media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| style | `string` | Describes how a specific property value will be serialized depending on its type. See [Parameter Object](#parameter-object) for details on the [`style`](#parameter-style) field. The behavior follows the same values as `query` parameters, including the default value of `"form"` which applies only when `contentType` is _not_ being used due to one or both of `explode` or `allowReserved` being explicitly specified. Note that the initial `?` used in query strings is not used in `application/x-www-form-urlencoded` message bodies, and MUST be removed (if using an RFC6570 implementation) or simply not added (if constructing the string manually). This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| explode | `boolean` | When this is true, property values of type `array` or `object` generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties, or when [`style`](#encoding-style) is `"deepObject"`, this field has no effect. When `style` is `"form"`, the default value is `true`. For all other styles, the default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | +| allowReserved | `boolean` | When this is true, parameter values are serialized using reserved expansion, as defined by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570#section-3.2.3), which allows [RFC3986's reserved character set](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including `%` outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the target media type; see [URL Percent-Encoding](#url-percent-encoding) for details. The default value is `false`. This field SHALL be ignored if the media type is not `application/x-www-form-urlencoded` or `multipart/form-data`. If a value is explicitly defined, then the value of [`contentType`](#encoding-content-type) (implicit or explicit) SHALL be ignored. | -See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance, including on difficulties caused by the interaction between RFC6570's percent-encoding rules and the `multipart/form-data` media type. +When using RFC6570-style serialization for `multipart/form-data`, URI percent-encoding MUST NOT be applied, and the value of `allowReserved` has no effect. +See also [Appendix C: Using RFC6570 Implementations](#appendix-c-using-rfc6570-based-serialization) for additional guidance. Note that the presence of at least one of `style`, `explode`, or `allowReserved` with an explicit value is equivalent to using `schema` with `in: "query"` Parameter Objects. The absence of all three of those fields is the equivalent of using `content`, but with the media type specified in `contentType` rather than through a Media Type Object. -##### Encoding the `x-www-form-urlencoded` Media Type +#### Nested Encoding + +Nested formats requiring encoding, most notably nested `multipart/mixed`, can be supported with this Object's `encoding`, `prefixEncoding`, and / or `itemEncoding` fields. +Implementations MUST support one level of nesting, and MAY support additional levels. + +#### Encoding the `x-www-form-urlencoded` Media Type -To submit content using form url encoding via [RFC1866](https://tools.ietf.org/html/rfc1866), use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object) under the [Request Body Object](#request-body-object). -This configuration means that the request body MUST be encoded per [RFC1866](https://tools.ietf.org/html/rfc1866) when passed to the server, after any complex objects have been serialized to a string representation. +To work with content using form url encoding via [[WHATWG-URL]], use the `application/x-www-form-urlencoded` media type in the [Media Type Object](#media-type-object). +This configuration means that the content MUST be percent-encoded per [[WHATWG-URL]]'s rules for that media type, after any complex objects have been serialized to a string representation. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -###### Example: URL Encoded Form with JSON Values +##### Example: URL Encoded Form with JSON Values When there is no [`encoding`](#media-type-encoding) field, the serialization strategy is based on the Encoding Object's default values: @@ -1701,7 +1773,6 @@ requestBody: type: string format: uuid address: - # complex types are stringified to support RFC 1866 type: object properties: {} ``` @@ -1717,26 +1788,26 @@ With this example, consider an `id` of `f81d4fae-7dec-11d0-a765-00a0c91e6bf6` an } ``` -Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%7B`, and `%7D`, respectively: +Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with `+` and `+`, `"`, `:`, `,`, `{`, and `}` have been percent-encoded to `%2B`, `%22`, `%3A`, `%2C`, `%7B`, and `%7D`, respectively: ```uri -id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D +id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22%3A%22123+Example+Dr.%22%2C%22city%22%3A%22Somewhere%22%2C%22state%22%3A%22CA%22%2C%22zip%22%3A%2299999%2B1234%22%7D ``` Note that the `id` keyword is treated as `text/plain` per the [Encoding Object](#encoding-object)'s default behavior, and is serialized as-is. If it were treated as `application/json`, then the serialized value would be a JSON string including quotation marks, which would be percent-encoded as `%22`. -Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per RFC1866: +Here is the `id` parameter (without `address`) serialized as `application/json` instead of `text/plain`, and then encoded per [[WHATWG-URL]]'s `form-urlencoded` rules: ```uri id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22 ``` -###### Example: URL Encoded Form with Binary Values +##### Example: URL Encoded Form with Binary Values Note that `application/x-www-form-urlencoded` is a text format, which requires base64-encoding any binary data: -```YAML +```yaml requestBody: content: application/x-www-form-urlencoded: @@ -1746,8 +1817,9 @@ requestBody: name: type: string icon: - # The default with "contentEncoding" is application/octet-stream, - # so we need to set image media type(s) in the Encoding Object. + # The default content type with `contentEncoding` present + # is `application/octet-stream`, so we need to set the correct + # image media type(s) in the Encoding Object. type: string contentEncoding: base64url encoding: @@ -1766,30 +1838,32 @@ Note that the `=` padding characters at the end need to be percent-encoded, even Some base64-decoding implementations may be able to use the string without the padding per [RFC4648](https://datatracker.ietf.org/doc/html/rfc4648#section-3.2). However, this is not guaranteed, so it may be more interoperable to keep the padding and rely on percent-decoding. -##### Encoding `multipart` Media Types +#### Encoding `multipart` Media Types -It is common to use `multipart/form-data` as a `Content-Type` when transferring forms as request bodies. In contrast to OpenAPI 2.0, a `schema` is REQUIRED to define the input parameters to the operation when using `multipart` content. This supports complex structures as well as supporting mechanisms for multiple file uploads. +See [Encoding Usage and Restrictions](#encoding-usage-and-restrictions) for guidance on correlating schema properties with parts. -The `form-data` disposition and its `name` parameter are mandatory for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.2)). -Array properties are handled by applying the same `name` to multiple parts, as is recommended by [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3) for supplying multiple values per form field. -See [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-5) for guidance regarding non-ASCII part names. +Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). -Various other `multipart` types, most notable `multipart/mixed` ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.3)) neither require nor forbid specific `Content-Disposition` values, which means care must be taken to ensure that any values used are supported by all relevant software. -It is not currently possible to correlate schema properties with unnamed, ordered parts in media types such as `multipart/mixed`, but implementations MAY choose to support such types when `Content-Disposition: form-data` is used with a `name` parameter. +##### Handling Multiple `contentType` Values -Note that there are significant restrictions on what headers can be used with `multipart` media types in general ([RFC2046](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1)) and `multi-part/form-data` in particular ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.8)). +When multiple values are provided for `contentType`, parsing remains straightforward as the part's actual `Content-Type` is included in the document. -Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. +For encoding and serialization, implementations MUST provide a mechanism for applications to indicate which media type is intended. +Implementations MAY choose to offer media type sniffing ([[SNIFF]]) as an alternative, but this MUST NOT be the default behavior due to the security risks inherent in the process. -+Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. -+If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. +##### `Content-Transfer-Encoding` and `contentEncoding` + +Using `contentEncoding` for a multipart field is equivalent to specifying an [Encoding Object](#encoding-object) with a `headers` field containing `Content-Transfer-Encoding` with a schema that requires the value used in `contentEncoding`. +If `contentEncoding` is used for a multipart field that has an Encoding Object with a `headers` field containing `Content-Transfer-Encoding` with a schema that disallows the value from `contentEncoding`, the result is undefined for serialization and parsing. Note that as stated in [Working with Binary Data](#working-with-binary-data), if the Encoding Object's `contentType`, whether set explicitly or implicitly through its default value rules, disagrees with the `contentMediaType` in a Schema Object, the `contentMediaType` SHALL be ignored. -Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's`contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. +Because of this, and because the Encoding Object's `contentType` defaulting rules do not take the Schema Object's `contentMediaType` into account, the use of `contentMediaType` with an Encoding Object is NOT RECOMMENDED. + +Note also that `Content-Transfer-Encoding` is deprecated for `multipart/form-data` ([RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.7)) where binary data is supported, as it is in HTTP. See [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for a detailed examination of percent-encoding concerns for form media types. -###### Example: Basic Multipart Form +##### Example: Basic Multipart Form When the `encoding` field is _not_ used, the encoding is determined by the Encoding Object's defaults: @@ -1800,23 +1874,28 @@ requestBody: schema: type: object properties: + # default content type for a string without `contentEncoding` + # is `text/plain` id: - # default for primitives without a special format is text/plain type: string format: uuid - profileImage: - # default for string with binary format is `application/octet-stream` - type: string - format: binary + + # default content type for a schema without `type` + # is `application/octet-stream` + profileImage: {} + + # for arrays, the `encoding` field applies the Encoding Object + # to each item individually and determines the default content type + # based on the type in the `items` subschema, which in this example + # is an object, so the default content type for each item is + # `application/json` addresses: - # default for arrays is based on the type in the `items` - # subschema, which is an object, so `application/json` type: array items: $ref: '#/components/schemas/Address' ``` -###### Example: Multipart Form with Encoding Objects +##### Example: Multipart Form with Encoding Objects Using `encoding`, we can set more specific types for binary data, or non-JSON formats for complex values. We can also describe headers for each part: @@ -1828,31 +1907,27 @@ requestBody: schema: type: object properties: + # No Encoding Object, so use default `text/plain` id: - # default is `text/plain` type: string format: uuid + + # Encoding Object overrides the default `application/json` content type + # for each item in the array with `application/xml; charset=utf-8` addresses: - # default based on the `items` subschema would be - # `application/json`, but we want these address objects - # serialized as `application/xml` instead description: addresses in XML format type: array items: $ref: '#/components/schemas/Address' - profileImage: - # default is application/octet-stream, but we can declare - # a more specific image type or types - type: string - format: binary + + # Encoding Object accepts only PNG or JPEG, and also describes + # a custom header for just this part in the multipart format + profileImage: {} + encoding: addresses: - # require XML Content-Type in utf-8 encoding - # This is applied to each address part corresponding - # to each address in he array contentType: application/xml; charset=utf-8 profileImage: - # only accept png or jpeg contentType: image/png, image/jpeg headers: X-Rate-Limit-Limit: @@ -1861,7 +1936,7 @@ requestBody: type: integer ``` -###### Example: Multipart Form with Multiple Files +##### Example: Multipart Form with Multiple Files In accordance with [RFC7578](https://www.rfc-editor.org/rfc/rfc7578.html#section-4.3), multiple files for a single form field are uploaded using the same name (`file` in this example) for each file's part: @@ -1871,7 +1946,7 @@ requestBody: multipart/form-data: schema: properties: - # The property name 'file' will be used for all files. + # The property name `file` will be used for all files. file: type: array items: {} @@ -1879,7 +1954,148 @@ requestBody: As seen in the [Encoding Object's `contentType` field documentation](#encoding-content-type), the empty schema for `items` indicates a media type of `application/octet-stream`. -#### Responses Object +##### Example: Ordered, Unnamed Multipart + +A `multipart/mixed` payload consisting of a JSON metadata document followed by an image which the metadata describes: + +```yaml +multipart/mixed: + schema: + type: array + prefixItems: + - # default content type for objects + # is `application/json` + type: object + properties: + author: + type: string + created: + type: string + format: datetime + copyright: + type: string + license: + type: string + - # default content type for a schema without `type` + # is `application/octet-stream`, which we need + # to override. + {} + prefixEncoding: + - # Encoding Object defaults are correct for JSON + {} + - contentType: image/* +``` + +##### Example: Ordered Multipart With Required Header + +As described in [[?RFC2557]], a set of resources making up a web page can be sent in a `multipart/related` payload, preserving links from the `text/html` document to subsidiary resources such as scripts, style sheets, and images by defining a `Content-Location` header for each page. +The first part is used as the root resource (unless using `Content-ID`, which RFC2557 advises against and is forbidden in this example), so we use `prefixItems` and `prefixEncoding` to define that it must be an HTML resource, and then allow any of several different types of resources in any order to follow. + +The `Content-Location` header is defined using `content: {text/plain: {...}}` to avoid percent-encoding its URI value; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for further details. + +```yaml +components: + headers: + RFC2557NoContentId: + description: Use Content-Location instead of Content-ID + schema: false + RFC2557ContentLocation: + required: true + content: + text/plain: + schema: + $comment: Use a full URI (not a relative reference) + type: string + format: uri + requestBodies: + RFC2557: + content: + multipart/related; type=text/html: + schema: + prefixItems: + - type: string + items: + anyOf: + - type: string + - $comment: To allow binary, this must always pass + prefixEncoding: + - contentType: text/html + headers: + Content-ID: + $ref: '#/components/headers/RFC2557NoContentId' + Content-Location: + $ref: '#/components/headers/RFC2557ContentLocation' + itemEncoding: + contentType: text/css,text/javascript,image/* + headers: + Content-ID: + $ref: '#/components/headers/RFC2557NoContentId' + Content-Location: + $ref: '#/components/headers/RFC2557ContentLocation' +``` + +##### Example: Streaming Multipart + +This example assumes a device that takes large sets of pictures and streams them to the caller. +Unlike the previous example, we use `itemSchema` here because the expectation is that each image is processed as it arrives (or in small batches), since we know that buffering the entire stream will take too much memory. + +```yaml +multipart/mixed: + itemSchema: + $comment: A single data image from the device + itemEncoding: + contentType: image/jpg +``` + +##### Example: Streaming Byte Ranges + +For `multipart/byteranges` [[RFC9110]] [Section 14.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-14.6), a `Content-Range` header is required: + +See [Appendix D](#appendix-d-serializing-headers-and-cookies) for an explanation of why `content: {text/plain: {...}}` is used to describe the header value. + +```yaml +multipart/byteranges: + itemSchema: + $comment: A single range of bytes from a video + itemEncoding: + contentType: video/mp4 + headers: + Content-Range: + required: true + content: + text/plain: + schema: + # The `pattern` regular expression that would + # be included in practice is omitted for simplicity + type: string +``` + +##### Example: Nested `multipart/mixed` + +This defines a two-part `multipart/mixed` where the first part is a JSON array and the second part is a nested `multipart/mixed` document. +The nested parts are XML, plain text, and a PNG image. + +```yaml +multipart/mixed: + schema: + type: array + prefixItems: + - type: array + - type: array + prefixItems: + - type: object + - type: string + - {} + prefixEncoding: + - {} # Accept the default application/json + - contentType: multipart/mixed + prefixEncoding: + - contentType: application/xml + - {} # Accept the default text/plain + - contentType: image/png +``` + +### Responses Object A container for the expected responses of an operation. The container maps a HTTP response code to the expected response. @@ -1894,13 +2110,13 @@ The Responses Object MUST contain at least one response code, and if only one response code is provided it SHOULD be the response for a successful operation call. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | | default | [Response Object](#response-object) \| [Reference Object](#reference-object) | The documentation of responses other than the ones declared for specific HTTP response codes. Use this field to cover undeclared responses. | -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | @@ -1908,34 +2124,14 @@ call. This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Responses Object Example +#### HTTP Status Codes -A 200 response for a successful operation and a default response for others (implying an error): +The HTTP Status Codes are used to indicate the status of the executed operation. +Status codes SHOULD be selected from the available status codes registered in the [IANA Status Code Registry](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). -```json -{ - "200": { - "description": "a pet to be returned", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/Pet" - } - } - } - }, - "default": { - "description": "Unexpected error", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/ErrorModel" - } - } - } - } -} -``` +#### Responses Object Example + +A 200 response for a successful operation and a default response for others (implying an error): ```yaml '200': @@ -1952,42 +2148,27 @@ default: $ref: '#/components/schemas/ErrorModel' ``` -#### Response Object +### Response Object Describes a single response from an API operation, including design-time, static `links` to operations based on the response. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| description | `string` | **REQUIRED**. A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2) states header names are case insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://tools.ietf.org/html/rfc7231#appendix-D) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | +| summary | `string` | A short summary of the meaning of the response. | +| description | `string` | A description of the response. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | +| headers | Map[`string`, [Header Object](#header-object) \| [Reference Object](#reference-object)] | Maps a header name to its definition. [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1) states header names are case-insensitive. If a response header is defined with the name `"Content-Type"`, it SHALL be ignored. | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing descriptions of potential response payloads. The key is a media type or [media type range](https://www.rfc-editor.org/rfc/rfc9110.html#appendix-A) and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. `"text/plain"` overrides `"text/*"` | | links | Map[`string`, [Link Object](#link-object) \| [Reference Object](#reference-object)] | A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for [Component Objects](#components-object). | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Response Object Examples +#### Response Object Examples Response of an array of a complex type: -```json -{ - "description": "A complex object array response", - "content": { - "application/json": { - "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/VeryComplexType" - } - } - } - } -} -``` - ```yaml description: A complex object array response content: @@ -2000,19 +2181,6 @@ content: Response with a string type: -```json -{ - "description": "A simple string response", - "content": { - "text/plain": { - "schema": { - "type": "string" - } - } - } -} -``` - ```yaml description: A simple string response content: @@ -2023,40 +2191,6 @@ content: Plain text response with headers: -```json -{ - "description": "A simple string response", - "content": { - "text/plain": { - "schema": { - "type": "string" - }, - "example": "whoa!" - } - }, - "headers": { - "X-Rate-Limit-Limit": { - "description": "The number of allowed requests in the current period", - "schema": { - "type": "integer" - } - }, - "X-Rate-Limit-Remaining": { - "description": "The number of remaining requests in the current period", - "schema": { - "type": "integer" - } - }, - "X-Rate-Limit-Reset": { - "description": "The number of seconds left in the current period", - "schema": { - "type": "integer" - } - } - } -} -``` - ```yaml description: A simple string response content: @@ -2081,17 +2215,11 @@ headers: Response with no return value: -```json -{ - "description": "object created" -} -``` - ```yaml description: object created ``` -#### Callback Object +### Callback Object A map of possible out-of band callbacks related to the parent operation. Each value in the map is a [Path Item Object](#path-item-object) that describes a set of requests that may be initiated by the API provider and the expected responses. @@ -2099,7 +2227,7 @@ The key value used to identify the Path Item Object is an expression, evaluated To describe incoming requests from the API provider independent from another API call, use the [`webhooks`](#oas-webhooks) field. -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | @@ -2107,7 +2235,7 @@ To describe incoming requests from the API provider independent from another API This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Key Expression +#### Key Expression The key that identifies the [Path Item Object](#path-item-object) is a [runtime expression](#runtime-expressions) that can be evaluated in the context of a runtime HTTP request/response to identify the URL to be used for the callback request. A simple example might be `$request.body#/url`. @@ -2152,7 +2280,7 @@ The following examples show how the various expressions evaluate, assuming the c | $request.body#/successUrls/1 | | | $response.header.Location | | -##### Callback Object Examples +#### Callback Object Examples The following example uses the user provided `queryUrl` query string parameter to define the callback URL. This is similar to a [webhook](#oas-webhooks), but differs in that the callback only occurs because of the initial request that sent the `queryUrl`. @@ -2188,182 +2316,168 @@ transactionCallback: description: callback successfully processed ``` -#### Example Object +### Example Object An object grouping an internal or external example value with basic `summary` and `description` metadata. +The examples can show either data suitable for schema validation, or serialized data as required by the containing [Media Type Object](#media-type-object), [Parameter Object](#parameter-object), or [Header Object](#header-object). This object is typically used in fields named `examples` (plural), and is a [referenceable](#reference-object) alternative to older `example` (singular) fields that do not support referencing or metadata. +The various fields and types of examples are explained in more detail under [Working With Examples](#working-with-examples). -Examples allow demonstration of the usage of properties, parameters and objects within OpenAPI. - -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | | summary | `string` | Short description for the example. | | description | `string` | Long description for the example. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | -| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally represented in JSON or YAML, use a string value to contain the example, escaping where necessary. | -| externalValue | `string` | A URI that identifies the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The `value` field and `externalValue` field are mutually exclusive. See the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| dataValue | Any | An example of the data structure that MUST be valid according to the relevant [Schema Object](#schema-object). If this field is present, `value` MUST be absent. | +| serializedValue | `string` | An example of the serialized form of the value, including encoding and escaping as described under [Validating Examples](#validating-examples). If `dataValue` is present, then this field SHOULD contain the serialization of the given data. Otherwise, it SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. This field SHOULD NOT be used if the serialization format is JSON, as the data form is easier to work with. If this field is present, `value`, and `externalValue` MUST be absent. | +| externalValue | `string` | A URI that identifies the serialized example in a separate document, allowing for values not easily or readably expressed as a Unicode string. If `dataValue` is present, then this field SHOULD identify a serialization of the given data. Otherwise, the value SHOULD be the valid serialization of a data value that itself MUST be valid as described for `dataValue`. If this field is present, `serializedValue` and `value` MUST be absent. See also the rules for resolving [Relative References](#relative-references-in-api-description-uris). | +| value | Any | Embedded literal example. The `value` field and `externalValue` field are mutually exclusive. To represent examples of media types that cannot naturally be represented in JSON or YAML, use a string value to contain the example, escaping where necessary.

**Deprecated for non-JSON serialization targets:** Use `dataValue` and/or `serializedValue`, which both have unambiguous syntax and semantics, instead. | This object MAY be extended with [Specification Extensions](#specification-extensions). In all cases, the example value SHOULD be compatible with the schema of its associated value. Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. +See [Validating Examples](#validating-examples) for the exact meaning of "compatible" for each field in this Object. -##### Working with Examples +#### Working with Examples -Example Objects can be used in both [Parameter Objects](#parameter-object) and [Media Type Objects](#media-type-object). -In both Objects, this is done through the `examples` (plural) field. -However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in both Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of both Objects. +Example Objects can be used in [Parameter Objects](#parameter-object), [Header Objects](#header-object), and [Media Type Objects](#media-type-object). +In all three Objects, this is done through the `examples` (plural) field. +However, there are several other ways to provide examples: The `example` (singular) field that is mutually exclusive with `examples` in all three Objects, and two keywords (the deprecated singular `example` and the current plural `examples`, which takes an array of examples) in the [Schema Object](#schema-object) that appears in the `schema` field of all three Objects. +We will refer to the singular `example` field in the Parameter, Header, or Media Type Object, which has the same behavior as a single Example Object with only the `value` field, as the "shorthand `example`" field. Each of these fields has slightly different considerations. -The Schema Object's fields are used to show example values without regard to how they might be formatted as parameters or within media type representations. -The `examples` array is part of JSON Schema and is the preferred way to include examples in the Schema Object, while `example` is retained purely for compatibility with older versions of the OpenAPI Specification. +##### JSON-Compatible and `value`-Safe Examples -The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. -The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's [Encoding Object](#encoding-object). -Because examples using these fields represent the final serialized form of the data, they SHALL _override_ any `example` in the corresponding Schema Object. +The `value` and the shorthand `example` field are intended to have the same _semantics_ as `serializedValue` (or `externalValue`), while allowing a more convenient _syntax_ when there is no difference between a JSON (or [JSON-compatible YAML](#format)) representation and the final serialized form. +When using this syntax for `application/json` or any `+json` media type, these fields effectively behave like `dataValue`, as the serialization is trivial, and they are safe to use. -The singular `example` field in the Parameter or Media Type Object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under `examples`. +For data that consists of a single string, and a serialization target such as `text/plain` where the string is guaranteed to be serialized without any further escaping, these fields are also safe to use. -Some examples cannot be represented directly in JSON or YAML. -For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of documents that comprise the OpenAPI Description. -With the Example Object, such values can alternatively be handled through the `externalValue` field. +For other serialization targets, the ambiguity of the phrase "naturally be represented in JSON or YAML," as well as past errors in the parameter style examples table, have resulted in inconsistencies in the support and usage of these fields. +In practice, this has resulted in the `value` and shorthand `example` fields having implementation-defined behavior for non-JSON targets; OAD authors SHOULD use other fields to ensure interoperability. -##### Example Object Examples +##### Choosing Which Field(s) to Use -In a request body: +Keeping in mind the caveats from the previous section, and that the shorthand `example` can be used in place of `value` if there is only one Example Object involved, use the following guidelines to determine which field to use. -```yaml -requestBody: - content: - 'application/json': - schema: - $ref: '#/components/schemas/Address' - examples: - foo: - summary: A foo example - value: - foo: bar - bar: - summary: A bar example - value: - bar: baz - application/xml: - examples: - xmlExample: - summary: This is an example in XML - externalValue: https://example.org/examples/address-example.xml - text/plain: - examples: - textExample: - summary: This is a text example - externalValue: https://foo.bar/examples/address-example.txt -``` +To show an example as it would be validated by a Schema Object: -In a parameter: +* Use the Schema Object's `examples` array (from JSON Schema draft 2020-12) if the intent is to keep the example with the validating schema. + * Use the Schema Object's `example` (singular) only if compatibility with OAS v3.0 or earlier is required. +* Use the Example Object's `dataValue` field if the intent is to associate the example with an example of its serialization, or if it is desirable to maintain it separately from the schema. + * Use the Example Object's `value` field only if compatibility with OAS v3.1 or earlier is needed and the value can be "naturally represented in JSON or YAML" without any changes (such as percent-encoding) between the validation-ready value and the serialized representation. -```yaml -parameters: - - name: zipCode - in: query - schema: - type: string - format: zip-code - examples: - zip-example: - $ref: '#/components/examples/zip-example' -``` +To show an example as it would be serialized in order to construct an HTTP/1.1 message: -In a response: +* Use the Example Object's `serializedValue` if the serialization can be represented as a valid Unicode string, and there is no need to demonstrate the exact character encoding to be used. + * Use the string form of `value` only if compatibility with OAS v3.1 or earlier is needed. +* Use the Example Object's `externalValue` for all other values, or if it is desirable to maintain the example separately from the OpenAPI document. -```yaml -responses: - '200': - description: your car appointment has been booked - content: - application/json: - schema: - $ref: '#/components/schemas/SuccessResponse' - examples: - confirmation-success: - $ref: '#/components/examples/confirmation-success' -``` +The `serializedValue` and `externalValue` fields both MUST show the serialized form of the data. +For Media Type Objects, this is a document of the appropriate media type, with any Encoding Object effects applied. +For Parameter and Header Objects using `schema` and `style` rather than a Media Type Object, see [Style Examples](#style-examples) for what constitutes a serialized value. -Two different uses of JSON strings: +##### Criteria for `serializedExample` -First, a request or response body that is just a JSON string (not an object containing a string): +A serialization can be represented as a valid Unicode string in `serializedValue` if any of the following are true of the serialization: -```json -"application/json": { - "schema": { - "type": "string" - }, - "examples": { - "jsonBody": { - "description": "A body of just the JSON string \"json\"", - "value": "json" - } - } -} -``` +* It is for a media type that supports a `charset` parameter that indicates any Unicode encoding (UTF-8, UTF-16, etc.), or any valid subset of such an encoding, such as US-ASCII. +* It is for a format (such as URIs or HTTP fields) or character-based media type that requires or defaults to a Unicode encoding, or any valid subset of such an encoding, such as US-ASCII, and this is not overridden by `charset`. +* It is for a compound format where all parts meet at least one of the above criteria, e.g. a `multipart/mixed` media type with parts that are `application/json` (a media type that defaults to UTF-8) and `application/xml; charset=utf-8` (a media type with an explicit `charset` parameter). + +In all of these cases, the conversion from the character set of the OAD (presumed to be UTF-8 as the only interoperable character set for JSON, and therefore also for JSON-compatible YAML as noted in [[RFC9512]] [Section 3.4](https://www.rfc-editor.org/rfc/rfc9512.html#section-3.4)) first to Unicode code points and then to the actual serialization character set is well-defined. + +For `externalValue`, if the character set is neither explicitly stated nor determined by the format or media type specification, implementations SHOULD assume UTF-8. + +##### Validating Examples + +Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible. +For examples that are in schema-ready data form, this is straightforward. + +With serialized examples, some formats allow multiple possible valid representations of the same data, including in scenarios noted in [Appendix B](#appendix-b-data-type-conversion). +In some cases, parsing the serialized example and validating the resulting data can eliminate the ambiguity, but in a few cases parsing is also ambiguous. +Therefore, OAD authors are cautioned that validation of certain serialized examples is by necessity a best-effort feature. + +#### Example Object Examples + +##### JSON Examples + +When writing in YAML, JSON syntax can be used for `dataValue` (as shown in the `noRating` example) but is not required. +While this example shows the behavior of both `dataValue` and `serializedValue` for JSON (in the 'withRating` example), in most cases only the data form is needed. ```yaml -application/json: - schema: - type: string - examples: - jsonBody: - description: 'A body of just the JSON string "json"' - value: json +content: + application/json: + schema: + type: object + required: + - author + - title + properties: + author: + type: string + title: + type: string + rating: + type: number + minimum: 1 + maximum: 5 + multipleOf: 0.5 + examples: + noRating: + summary: A not-yet-rated work + dataValue: + author: A. Writer + title: The Newest Book + withRating: + summary: A work with an average rating of 4.5 stars + dataValue: + author: A. Writer + title: An Older Book + rating: 4.5 + serializedValue: | + { + "author": "A. Writer", + "title": "An Older Book", + "rating": 4.5 + } ``` -In the above example, we can just show the JSON string (or any JSON value) as-is, rather than stuffing a serialized JSON value into a JSON string, which would have looked like `"\"json\""`. +##### Binary Examples -In contrast, a JSON string encoded inside of a URL-style form body: +Fully binary data is shown using `externalValue`: -```json -"application/x-www-form-urlencoded": { - "schema": { - "type": "object", - "properties": { - "jsonValue": { - "type": "string" - } - } - }, - "encoding": { - "jsonValue": { - "contentType": "application/json" - } - }, - "examples": { - "jsonFormValue": { - "description": "The JSON string \"json\" as a form value", - "value": "jsonValue=%22json%22" - } - } -} +```yaml +content: + image/png: + schema: {} + examples: + Red: + externalValue: ./examples/2-by-2-red-pixels.png ``` +##### Boolean Query Parameter Examples + +Since there is no standard for serializing boolean values (as discussed in [Appendix B](#appendix-b-data-type-conversion)), this example uses `dataValue` and `serializedValue` to show how booleans are serialized for this particular parameter: + ```yaml -application/x-www-form-urlencoded: - schema: - type: object - properties: - jsonValue: - type: string - encoding: - jsonValue: - contentType: application/json - examples: - jsonFormValue: - description: 'The JSON string "json" as a form value' - value: jsonValue=%22json%22 +name: flag +in: query +required: true +schema: + type: boolean +examples: + "true": + dataValue: true + serializedValue: flag=true + "false": + dataValue: false + serializedValue: flag=false ``` -In this example, the JSON string had to be serialized before encoding it into the URL form value, so the example includes the quotation marks that are part of the JSON serialization, which are then URL percent-encoded. - -#### Link Object +### Link Object The Link Object represents a possible design-time link for a response. The presence of a link does not guarantee the caller's ability to successfully invoke it, rather it provides a known relationship and traversal mechanism between responses and other operations. @@ -2372,7 +2486,7 @@ Unlike _dynamic_ links (i.e. links provided **in** the response payload), the OA For computing links and providing instructions to execute them, a [runtime expression](#runtime-expressions) is used for accessing values in an operation and using them as parameters while invoking the linked operation. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2386,7 +2500,7 @@ For computing links and providing instructions to execute them, a [runtime expre This object MAY be extended with [Specification Extensions](#specification-extensions). A linked operation MUST be identified using either an `operationRef` or `operationId`. -The identified or reference operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). +The identified or referenced operation MUST be unique, and in the case of an `operationId`, it MUST be resolved within the scope of the OpenAPI Description (OAD). Because of the potential for name clashes, the `operationRef` syntax is preferred for multi-document OADs. However, because use of an operation depends on its URL path template in the [Paths Object](#paths-object), operations from any [Path Item Object](#path-item-object) that is referenced multiple times within the OAD cannot be resolved unambiguously. In such ambiguous cases, the resulting behavior is implementation-defined and MAY result in an error. @@ -2394,7 +2508,7 @@ In such ambiguous cases, the resulting behavior is implementation-defined and MA Note that it is not possible to provide a constant value to `parameters` that matches the syntax of a runtime expression. It is possible to have ambiguous parameter names, e.g. `name: "id", in: "path"` and `name: "path.id", in: "query"`; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (`path.id` as a path parameter), as the names can always be qualified to disambiguate them (e.g. using `query.path.id` for the query parameter). -##### Examples +#### Examples Computing a link from a request operation where the `$request.path.id` is used to pass a request parameter to the linked operation. @@ -2425,7 +2539,7 @@ paths: # the target link operationId operationId: getUserAddress parameters: - # get the `id` field from the request path parameter named `id` + # get the `id` field from the request path parameter named "id" userid: $request.path.id # the path item of the linked operation /users/{userid}/address: @@ -2463,8 +2577,10 @@ solely by the existence of a relationship. ##### `operationRef` Examples -As references to `operationId` MAY NOT be possible (the `operationId` is an optional -field in an [Operation Object](#operation-object)), references MAY also be made through a relative `operationRef`: +As the `operationId` is an optional field in an [Operation Object](#operation-object), references MAY instead be made through a URI reference with `operationRef`. +Note that both of these examples reference operations that can be identified via the [Paths Object](#paths-object) to ensure that the operation's path template is unambiguous. + +A relative URI reference `operationRef`: ```yaml links: @@ -2475,7 +2591,7 @@ links: username: $response.body#/username ``` -or a URI `operationRef`: +A non-relative URI `operationRef`: ```yaml links: @@ -2486,10 +2602,11 @@ links: username: $response.body#/username ``` -Note that in the use of `operationRef` the _escaped forward-slash_ is necessary when -using JSON Pointer, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively, when using JSON Pointer as URI fragments. +Note that in the use of `operationRef` the _escaped forward-slash_ (`~1`) is necessary when +using JSON Pointer in URI fragments, and it is necessary to URL-encode `{` and `}` as `%7B` and `%7D`, respectively. +The unescaped, percent-decoded path template in the above examples would be `/2.0/repositories/{username}`. -##### Runtime Expressions +#### Runtime Expressions Runtime expressions allow defining values based on information that will only be available within the HTTP message in an actual API call. This mechanism is used by [Link Objects](#link-object) and [Callback Objects](#callback-object). @@ -2509,19 +2626,19 @@ The runtime expression is defined by the following [ABNF](https://tools.ietf.org ; %x2F ('/') and %x7E ('~') are excluded from 'unescaped' escaped = "~" ( "0" / "1" ) ; representing '~' and '/', respectively - name = *( CHAR ) + name = *char token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ``` -Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC7159](https://tools.ietf.org/html/rfc7159#section-7) and `token` from [RFC7230](https://tools.ietf.org/html/rfc7230#section-3.2.6). +Here, `json-pointer` is taken from [RFC6901](https://tools.ietf.org/html/rfc6901), `char` from [RFC8259](https://tools.ietf.org/html/rfc8259#section-7) and `token` from [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2). The `name` identifier is case-sensitive, whereas `token` is not. The table below provides examples of runtime expressions and examples of their use in a value: -##### Examples +##### Example Expressions | Source Location | example expression | notes | | ---- | :---- | :---- | @@ -2536,7 +2653,7 @@ The table below provides examples of runtime expressions and examples of their u Runtime expressions preserve the type of the referenced value. Expressions can be embedded into string values by surrounding the expression with `{}` curly braces. -#### Header Object +### Header Object Describes a single header for [HTTP responses](#response-headers) and for [individual parts in `multipart` representations](#encoding-headers); see the relevant [Response Object](#response-object) and [Encoding Object](#encoding-object) documentation for restrictions on which headers can be described. @@ -2544,64 +2661,208 @@ The Header Object follows the structure of the [Parameter Object](#parameter-obj 1. `name` MUST NOT be specified, it is given in the corresponding `headers` map. 1. `in` MUST NOT be specified, it is implicitly in `header`. -1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` and `allowReserved` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. +1. All traits that are affected by the location MUST be applicable to a location of `header` (for example, [`style`](#parameter-style)). This means that `allowEmptyValue` MUST NOT be used, and `style`, if used, MUST be limited to `"simple"`. -##### Fixed Fields +#### Fixed Fields -###### Common Fixed Fields +##### Common Fixed Fields These fields MAY be used with either `content` or `schema`. +The `example` and `examples` fields are mutually exclusive; see [Working with Examples](#working-with-examples) for guidance on validation requirements. + | Field Name | Type | Description | | ---- | :----: | ---- | | description | `string` | A brief description of the header. This could contain examples of use. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | required | `boolean` | Determines whether this header is mandatory. The default value is `false`. | | deprecated | `boolean` | Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is `false`. | +| example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | +| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | This object MAY be extended with [Specification Extensions](#specification-extensions). -###### Fixed Fields for use with `schema` +##### Fixed Fields for use with `schema` For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style) can describe the structure and syntax of the header. -When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header. -Serializing with `schema` is NOT RECOMMENDED for headers with parameters (name=value pairs following a `;`) in their values, or where values might have non-URL-safe characters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. - -When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header. -The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema. +When serializing headers with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use. +Implementations MUST pass header values through unchanged rather than attempting to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping. | Field Name | Type | Description | | ---- | :----: | ---- | | style | `string` | Describes how the header value will be serialized. The default (and only legal value for headers) is `"simple"`. | | explode | `boolean` | When this is true, header values of type `array` or `object` generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see [Style Examples](#style-examples). For other data types this field has no effect. The default value is `false`. | -| schema | [Schema Object](#schema-object) \| [Reference Object](#reference-object) | The schema defining the type used for the header. | -| example | Any | Example of the header's potential value; see [Working With Examples](#working-with-examples). | -| examples | Map[ `string`, [Example Object](#example-object) \| [Reference Object](#reference-object)] | Examples of the header's potential value; see [Working With Examples](#working-with-examples). | +| schema | [Schema Object](#schema-object) | The schema defining the type used for the header. | See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc6570-based-serialization) for additional guidance. -###### Fixed Fields for use with `content` +##### Fixed Fields for use with `content` For more complex scenarios, the [`content`](#header-content) field can define the media type and schema of the header, as well as give examples of its use. -Using `content` with a `text/plain` media type is RECOMMENDED for headers where the `schema` strategy is not appropriate. | Field Name | Type | Description | | ---- | :----: | ---- | -| content | Map[`string`, [Media Type Object](#media-type-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | +| content | Map[`string`, [Media Type Object](#media-type-object) \| [Reference Object](#reference-object)] | A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry. | -##### Header Object Example +#### Modeling Link Headers -A simple header of type `integer`: +[[!RFC9264]] defines the `application/linkset` and `application/linkset+json` media types. +The former is exactly the format of HTTP link header values except allowing additional whitespace for readability, while the latter is an equivalent JSON representation of such headers. -```json -"X-Rate-Limit-Limit": { - "description": "The number of allowed requests in the current period", - "schema": { - "type": "integer" - } -} +To use either of these media types, the `schema` in the [Media Type Object](#media-type-object) MUST describe the links as they would be structured in the `application/linkset+json` format. +If the Media Type Object's parent key is `application/linkset+json`, then the serialization is trivial, however this format cannot be used in the HTTP `Link` header. +If the Media Type Object's parent key is `application/linkset`, then the serialization MUST be the equivalent representation of the `schema`-modeled links in the `application/linkset` format. +If the `application/linkset` Media Type Object is used in the `content` field of a Header Object (or a Parameter Object with `in: "header"`), the serialization MUST be made compatible with the HTTP field syntax as described by [[!RFC9264]] [Section 4.1](https://www.rfc-editor.org/rfc/rfc9264.html#name-http-link-document-format-a). + +The following example shows how the same data model can be used for a collection pagination linkset either in JSON format as message content, or in the HTTP `Link` header: + +```yaml +components: + schemas: + SimpleLinkContext: + type: array + items: + type: object + required: + - href + properties: + href: + type: string + format: uri-reference + CollectionLinks: + type: object + required: + - linkset + properties: + linkset: + type: array + items: + type: object + required: [first, prev, next, last] + properties: + anchor: + type: string + format: uri + additionalProperties: + $ref: '#/components/schemas/SimpleLinkContext' + responses: + CollectionWithLinks: + content: + application/json: + schema: + type: array + headers: + Link: + required: true + content: + application/linkset: + schema: + $ref: '#/components/schemas/CollectionLinks' + StandaloneJsonLinkset: + content: + application/linkset+json: + schema: + $ref: '#/components/mediaTypes/CollectionLinks' +``` + +#### Representing the `Set-Cookie` Header + +The `Set-Cookie` header is noted in [[!RFC9110]] [Section 5.3](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.3) as an exception to the normal rules of headers with multiple values. + +For most headers using the general syntax defined in RFC9110, the multiple-line and comma-separated single-line forms are interchangeable, meaning that this: + +```http +Accept-Encoding: compress;q=0.5 +Accept-Encoding: gzip;q=1.0 +``` + +is interchangeable with the one-line form that works well with the OAS's `style: "simple"` option: + +```http +Accept-Encoding: compress;q=0.5,gzip;q=1.0 +``` + +The OAS models such multi-value headers using the one-line form as it matches the behavior of `style: "simple"`, and works well when using `content` as the values are completely separate from the header name, but it does not matter which form is used in an actual HTTP message. + +As also noted in the RFC, `Set-Cookie` is an exception as it allows unquoted, non-escaped commas in its values, and can only use the one-value-per-line form. +For HTTP messages, this is purely a serialization concern, and no more of a problem than a message that uses the multi-line form of any other header. + +However, because examples and values modeled with `content` do not incorporate the header name, for these fields `Set-Cookie` MUST be handled by placing each value on a separate line, without the header name or the `:` delimiter. + +Note also that any URI percent-encoding, base64 encoding, or other escaping MUST be performed prior to supplying the data to OAS tooling; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details. + +The following example shows two different ways to describe `Set-Cookie` headers that require cookies named `"lang"` and `"foo"`, as well as a `"urlSafeData"` cookie that is expected to be percent-encoded. The first uses `content` in order to show exactly how such examples are formatted, but also notes the limitations of schema constraints with multi-line text. The second shows the use of `style: "simple"`, which produces the same serialized example text (with each line corresponding to one `Set-Cookie:` line in the HTTP response), but allows schema constraints on each cookie; note that the percent-encoding is already applied in the `dataValue` field of the example: + +```yaml +components: + headers: + SetCookieWithContent: + content: + text/plain: + schema: + # Due to lack of support for multiline regular expressions + # in the `pattern` keyword, not much validation can be done. + type: string + examples: + WithExpires: + # This demonstrates that the text is required to be provided + # in the final format, and is not changed by serialization. + # In practice, it is not necessary to show both value fields. + # Note that only the comma (%2C) would need to be percent-encoded + # if percent-encoding were only being done to make the value + # a valid cookie, as space (%20) and the exclamation point (%21) + # are allowed in cookies, but not in URLs. See the cookie + # input parameter examples for an example of encoding only + # what is needed for the cookie syntax. + dataValue: | + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + urlSafeData: Hello%2C%20world%21 + serializedValue: | + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + urlSafeData: Hello%2C%20world%21 + SetCookieWithSchemaAndStyle: + schema: + type: object + required: + - lang + - foo + - urlSafeData + properties: + urlSafeData: + type: string + pattern: ^[-_.%a-zA-Z0-9]+(;|$) + additionalProperties: + $comment: Require an Expires parameter + pattern: "; *Expires=" + style: simple + explode: true + examples: + SetCookies: + dataValue: { + "lang": "en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT" + "foo": "bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT" + "urlSafeData": "Hello%2C%20world%21" + } + serializedValue: | + lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT + foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT + urlSafeData: Hello%2C%20world%21 +``` + +In an HTTP message, the serialized example would look like: + +```http +Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GM +Set-Cookie: foo=bar; Expires=Wed, 09 Jun 2021 10:18:14 GMT +Set-Cookie: urlSafeData=Hello%2C%20world%21 ``` +#### Header Object Example + +A simple header of type `integer`: + ```yaml X-Rate-Limit-Limit: description: The number of allowed requests in the current period @@ -2609,62 +2870,61 @@ X-Rate-Limit-Limit: type: integer ``` -Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. Note the use of `content`, because using `schema` and `style` would require the `"` to be percent-encoded as `%22`: - -```json -"ETag": { - "required": true, - "content": { - "text/plain": { - "schema": { - "type": "string", - "pattern": "^\"" - } - } - } -} -``` +Requiring that a strong `ETag` header (with a value starting with `"` rather than `W/`) is present. ```yaml ETag: required: true - content: - text/plain: - schema: - type: string - pattern: ^" + schema: + type: string + # Note that quotation marks are part of the + # ETag value, unlike many other headers that + # use a quoted string purely for managing + # reserved characters. + pattern: ^" + example: '"xyzzy"' ``` -#### Tag Object +### Tag Object Adds metadata to a single tag that is used by the [Operation Object](#operation-object). It is not mandatory to have a Tag Object per tag defined in the Operation Object instances. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | **REQUIRED**. The name of the tag. | +| name | `string` | **REQUIRED**. The name of the tag. Use this value in the `tags` array of an Operation. | +| summary | `string` | A short summary of the tag, used for display purposes. | | description | `string` | A description for the tag. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this tag. | +| parent | `string` | The `name` of a tag that this tag is nested under. The named tag MUST exist in the API description, and circular references between parent and child tags MUST NOT be used. | +| kind | `string` | A machine-readable string to categorize what sort of tag it is. Any string value can be used; common uses are `nav` for Navigation, `badge` for visible badges, `audience` for APIs used by different groups. A [registry of the most commonly used values](https://spec.openapis.org/registry/tag-kind/) is available. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Tag Object Example - -```json -{ - "name": "pet", - "description": "Pets operations" -} -``` +#### Tag Object Example ```yaml -name: pet -description: Pets operations +tags: + - name: account-updates + summary: Account Updates + description: Account update operations + kind: nav + + - name: partner + summary: Partner + description: Operations available to the partners network + parent: external + kind: audience + + - name: external + summary: External + description: Operations available to external consumers + kind: audience ``` -#### Reference Object +### Reference Object A simple object to allow referencing other components in the OpenAPI Description, internally and externally. @@ -2672,7 +2932,7 @@ The `$ref` string value contains a URI [RFC3986](https://tools.ietf.org/html/rfc See the rules for resolving [Relative References](#relative-references-in-api-description-uris). -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -2684,55 +2944,37 @@ This object cannot be extended with additional properties, and any properties ad Note that this restriction on additional properties is a difference between Reference Objects and [Schema Objects](#schema-object) that contain a `$ref` keyword. -##### Reference Object Example - -```json -{ - "$ref": "#/components/schemas/Pet" -} -``` +#### Reference Object Example ```yaml $ref: '#/components/schemas/Pet' ``` -##### Relative Schema Document Example - -```json -{ - "$ref": "Pet.json" -} -``` +#### Relative Schema Document Example ```yaml $ref: Pet.yaml ``` -##### Relative Documents with Embedded Schema Example - -```json -{ - "$ref": "definitions.json#/Pet" -} -``` +#### Relative Documents with Embedded Schema Example ```yaml $ref: definitions.yaml#/Pet ``` -#### Schema Object +### Schema Object The Schema Object allows the definition of input and output data types. -These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://tools.ietf.org/html/draft-bhutton-json-schema-00). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. +These types can be objects, but also primitives and arrays. This object is a superset of the [JSON Schema Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html). The empty schema (which allows any instance to validate) MAY be represented by the boolean value `true` and a schema which allows no instance to validate MAY be represented by the boolean value `false`. -For more information about the keywords, see [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00) and [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00). +For more information about the keywords, see [JSON Schema Core](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html) and [JSON Schema Validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html). Unless stated otherwise, the keyword definitions follow those of JSON Schema and do not add any additional semantics; this includes keywords such as `$schema`, `$id`, `$ref`, and `$dynamicRef` being URIs rather than URLs. Where JSON Schema indicates that behavior is defined by the application (e.g. for annotations), OAS also defers the definition of semantics to the application consuming the OpenAPI document. -##### JSON Schema Keywords +#### JSON Schema Keywords -The OpenAPI Schema Object [dialect](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-8). +The OpenAPI Schema Object [dialect](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.3) is defined as requiring the [OAS base vocabulary](#base-vocabulary), in addition to the vocabularies as specified in the JSON Schema Specification Draft 2020-12 [general purpose meta-schema](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8). The OpenAPI Schema Object dialect for this version of the specification is identified by the URI `https://spec.openapis.org/oas/3.1/dialect/base` (the "OAS dialect schema id"). @@ -2743,128 +2985,321 @@ The following keywords are taken from the JSON Schema specification but their de In addition to the JSON Schema keywords comprising the OAS dialect, the Schema Object supports keywords from any other vocabularies, or entirely arbitrary properties. -JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-8.1.2) value of `false`. +JSON Schema implementations MAY choose to treat keywords defined by the OpenAPI Specification's base vocabulary as [unknown keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.1), due to its inclusion in the OAS dialect with a [`$vocabulary`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-8.1.2) value of `false`. The OAS base vocabulary is comprised of the following keywords: -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| discriminator | [Discriminator Object](#discriminator-object) | Adds support for polymorphism. The discriminator is used to determine which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | -| xml | [XML Object](#xml-object) | This MAY be used only on property schemas. It has no effect on root schemas. Adds additional metadata to describe the XML representation of this property. | +| discriminator | [Discriminator Object](#discriminator-object) | The discriminator provides a "hint" for which of a set of schemas a payload is expected to satisfy. See [Composition and Inheritance](#composition-and-inheritance-polymorphism) for more details. | +| xml | [XML Object](#xml-object) | Adds additional metadata to describe the XML representation of this schema. | | externalDocs | [External Documentation Object](#external-documentation-object) | Additional external documentation for this schema. | | example | Any | A free-form field to include an example of an instance for this schema. To represent examples that cannot be naturally represented in JSON or YAML, a string value can be used to contain the example with escaping where necessary.

**Deprecated:** The `example` field has been deprecated in favor of the JSON Schema `examples` keyword. Use of `example` is discouraged, and later versions of this specification may remove it. | This object MAY be extended with [Specification Extensions](#specification-extensions), though as noted, additional properties MAY omit the `x-` prefix within this object. -##### Extended Validation with Annotations +#### Data Types -JSON Schema Draft 2020-12 supports [collecting annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-7.7.1), including [treating unrecognized keywords as annotations](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-6.5). -OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. -Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. +Data types in the OAS are based on the types defined by the [JSON Schema Validation Specification Draft 2020-12](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-6.1.1): +"null", "boolean", "object", "array", "number", "string", or "integer". +Models are defined using the [Schema Object](#schema-object), which is a superset of the JSON Schema Specification Draft 2020-12. -###### Non-validating constraint keywords +JSON Schema keywords and `format` values operate on JSON "instances" which may be one of the six JSON data types, "null", "boolean", "object", "array", "number", or "string", with certain keywords and formats only applying to a specific type. For example, the `pattern` keyword and the `date-time` format only apply to strings, and treat any instance of the other five types as _automatically valid._ This means JSON Schema keywords and formats do **NOT** implicitly require the expected type. Use the `type` keyword to explicitly constrain the type. -The [`format` keyword (when using default format-annotation vocabulary)](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. -Extended validation is one way that these constraints MAY be enforced. +Note that the `type` keyword allows `"integer"` as a value for convenience, but keyword and format applicability does not recognize integers as being of a distinct JSON type from other numbers because [[RFC8259|JSON]] itself does not make that distinction. Since there is no distinct JSON integer type, JSON Schema defines integers mathematically. This means that both `1` and `1.0` are [equivalent](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.2), and are both considered to be integers. -###### Validating `readOnly` and `writeOnly` +##### Data Type Format -The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. -Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. -[JSON Schema Validation Draft 2020-12 §9.4](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. +As defined by the [JSON Schema Validation specification](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.3), data types can have an optional modifier keyword: `format`. As described in that specification, `format` is treated as a non-validating annotation by default; the ability to validate `format` varies across implementations. -Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. -This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. -Even when read-only fields are not required, stripping them is burdensome for clients, particularly when the JSON data is complex or deeply nested. +The OpenAPI Initiative also hosts a [Format Registry](https://spec.openapis.org/registry/format/) for formats defined by OAS users and other specifications. Support for any registered format is strictly OPTIONAL, and support for one registered format does not imply support for any others. -Note that the behavior of `readOnly` in particular differs from that specified by version 3.0 of this specification. +Types that are not accompanied by a `format` keyword follow the type definition in the JSON Schema. Tools that do not recognize a specific `format` MAY default back to the `type` alone, as if the `format` is not specified. +For the purpose of [JSON Schema validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.1), each format should specify the set of JSON data types for which it applies. In this registry, these types are shown in the "JSON Data Type" column. -##### Data Modeling Techniques +The formats defined by the OAS are: -###### Composition and Inheritance (Polymorphism) +| `format` | JSON Data Type | Comments | +| ---- | ---- | ---- | +| `int32` | number | signed 32 bits | +| `int64` | number | signed 64 bits (a.k.a long) | +| `float` | number | | +| `double` | number | | +| `password` | string | A hint to obscure the value. | -The OpenAPI Specification allows combining and extending model definitions using the `allOf` keyword of JSON Schema, in effect offering model composition. -`allOf` takes an array of object definitions that are validated _independently_ but together compose a single object. +As noted under [Data Type](#data-types), both `type: number` and `type: integer` are considered to be numbers in the data model. -While composition offers model extensibility, it does not imply a hierarchy between the models. -To support polymorphism, the OpenAPI Specification adds the [`discriminator`](#schema-discriminator) field. -When used, the `discriminator` indicates the name of the property that hints which schema definition is expected to validate the structure of the model. -As such, the `discriminator` field MUST be a required field. -There are two ways to define the value of a discriminator for an inheriting instance. +#### Parsing and Serializing -* Use the schema name. -* [Override the schema name](#discriminator-mapping) by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. +API data has several forms: -###### Generic (Template) Data Structures +1. The serialized form, which is either a document of a particular media type, an HTTP header value, or part of a URI. +2. The data form, intended for use with a [Schema Object](#schema-object). +3. The application form, which incorporates any additional information conveyed by JSON Schema keywords such as `format` and `contentType`, and possibly additional information such as class hierarchies that are beyond the scope of this specification, although they MAY be based on specification elements such as the [Discriminator Object](#discriminator-object) or guidance regarding [Data Modeling Techniques](#data-modeling-techniques). -Implementations MAY support defining generic or template data structures using JSON Schema's dynamic referencing feature: +##### JSON Data -* `$dynamicAnchor` identifies a set of possible schemas (including a default placeholder schema) to which a `$dynamicRef` can resolve -* `$dynamicRef` resolves to the first matching `$dynamicAnchor` encountered on its path from the schema entry point to the reference, as described in the JSON Schema specification +JSON-serialized data is nearly equivalent to the data form because the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1) is nearly equivalent to the JSON representation. +The serialized UTF-8 JSON string `{"when": "1985-04-12T23:20:50.52"}` represents an object with one data field, named `when`, with a string value, `1985-04-12T23:20:50.52`. -An example is included in the "Schema Object Examples" section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. +The exact application form is beyond the scope of this specification, as can be shown with the following schema for our JSON instance: -###### Annotated Enumerations +```yaml +type: object +properties: + when: + type: string + format: date-time +``` -The Schema Object's `enum` keyword does not allow associating descriptions or other information with individual values. +Some applications might leave the string as a string regardless of programming language, while others might notice the `format` and use it as a `datetime.datetime` instance in Python, or a `java.time.ZonedDateTime` in Java. +This specification only requires that the data is valid according to the schema, and that [annotations](#extended-validation-with-annotations) such as `format` are available in accordance with the JSON Schema specification. -Implementations MAY support recognizing a `oneOf` or `anyOf` where each subschema in the keyword's array consists of a `const` keyword and annotations such as `title` or `description` as an enumerated type with additional information. The exact behavior of this pattern beyond what is required by JSON Schema is implementation-defined. +##### Non-JSON Data -###### XML Modeling +Non-JSON serializations can be substantially different from their corresponding data form, and might require several steps to parse. -The [xml](#schema-xml) field allows extra definitions when translating the JSON definition to XML. -The [XML Object](#xml-object) contains additional information about the available options. +To continue our "when" example, if we serialized the object as `application/x-www-form-urlencoded`, it would appear as the ASCII string `when=1985-04-12T23%3A20%3A50.52`. +This example is still straightforward to use as it is all string data, and the only differences from JSON are the URI percent-encoding and the delimiter syntax (`=` instead of JSON punctuation and quoting). -##### Specifying Schema Dialects +However, many non-JSON text-based formats can be complex, requiring examination of the appropriate schema(s) in order to correctly parse the text into a schema-ready data structure. +Serializing data into such formats requires either examining the schema-validated data or performing the same schema inspections. -It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. +When inspecting schemas, given a starting point schema, implementations MUST examine that schema and all schemas that can be reached from it by following only `$ref` and `allOf` keywords. +These schemas are guaranteed to apply to any instance. +When searching schemas for `type`, if the `type` keyword's value is a list of types and the serialized value can be successfully parsed as more than one of the types in the list, and no other findable `type` keyword disambiguates the actual required type, the behavior is implementation-defined. +Schema Objects that do not contain `type` MUST be considered to allow all types, regardless of which other keywords are present (e.g. `maximum` applies to numbers, but _does not_ require the instance to be a number). -The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. +Implementations MAY inspect subschemas or possible reference targets of other keywords such as `oneOf` or `$dynamicRef`, but MUST NOT attempt to resolve ambiguities. +For example, if an implementation opts to inspect `anyOf`, the schema: -To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. +```yaml +anyOf: +- type: number + minimum: 0 +- type: number + maximum: 100 +``` -For standalone JSON Schema documents that do not set `$schema`, or for Schema Objects in OpenAPI description documents that are _not_ [complete documents](#openapi-description-structure), the dialect SHOULD be assumed to be the OAS dialect. -However, for maximum interoperability, it is RECOMMENDED that OpenAPI description authors explicitly set the dialect through `$schema` in such documents. +unambiguously indicates a numeric type, but the schema: -##### Schema Object Examples +```yaml +anyOf: +- type: number +- maximum: 100 +``` -###### Primitive Example +does not, because the second subschema allows all types. -```json -{ - "type": "string", - "format": "email" -} -``` +Due to these limited requirements for searching schemas, serializers that have access to validated data MUST inspect the data if possible; implementations that either do not work with runtime data (such as code generators) or cannot access validated data for some reason MUST fall back to schema inspection. -```yaml -type: string -format: email -``` +Recall also that in JSON Schema, keywords that apply to a specific type (e.g. `pattern` applies to strings, `minimum` applies to numbers) _do not_ require or imply that the data will actually be of that type. -###### Simple Model +As an example of these processes, given these OpenAPI components: -```json -{ - "type": "object", - "required": ["name"], - "properties": { - "name": { - "type": "string" - }, - "address": { - "$ref": "#/components/schemas/Address" - }, - "age": { - "type": "integer", - "format": "int32", - "minimum": 0 - } +```yaml +components: + requestBodies: + Form: + content: + application/x-www-form-urlencoded: + schema: + $ref: "#/components/schemas/FormData" + encoding: + extra: + contentType: application/xml + schemas: + FormData: + type: object + properties: + code: + allOf: + - type: [string, number] + pattern: "1" + minimum: 0 + - type: string + pattern: "2" + count: + type: integer + extra: + type: object +``` + +And this request body to parse into its data form: + +```uri +code=1234&count=42&extra=%3Cinfo%3Eabc%3C/info%3E +``` + +We must first search the schema for `properties` or other property-defining keywords, and then use each property schema as a starting point for a search for that property's `type` keyword, as follows (the exact order is implementation-defined): + +* `#/components/requestBodies/Form/content/application~1x-www-form-urlencoded/schema` (initial starting point schema, only `$ref`) +* `#/components/schemas/FormData` (follow `$ref`, found `properties`) +* `#/components/schemas/FormData/properties/code` (starting point schema for `code` property) +* `#/components/schemas/FormData/properties/code/allOf/0` (follow `allOf`, found `type: [string, number]`) +* `#/components/schemas/FormData/properties/code/allOf/1` (follow `allOf`, found `type: string`) +* `#/components/schemas/FormData/properties/count` (starting point schema for `count` property, found `type: integer`) +* `#/components/schemas/FormData/properties/extra` (starting point schema for `extra` property, found `type: object`) + +Note that for `code` we first found an ambiguous `type`, but then found another `type` keyword that ensures only one of the two possibilities is valid. + +From this inspection, we determine that `code` is a string that happens to look like a number, while `count` needs to be parsed into a number _prior_ to schema validation. +Furthermore, the `extra` string is in fact an XML serialization of an object containing an `info` property. +This means that the data form of this serialization is equivalent to the following JSON object: + +```json +{ + "code": "1234", + "count": 42 + "extra": { + "info": "abc" } } ``` +Serializing this object also requires correlating properties with [Encoding Objects](#encoding-object), and may require inspection to determine a default value of the `contentType` field. +If validated data is not available, the schema inspection process is identical to that shown for parsing. + +In this example, both `code` and `count` are of primitive type and do not appear in the `encoding` field, and are therefore serialized as plain text. +However, the `extra` field is an object, which would by default be serialized as JSON, but the `extra` entry in the `encoding` field tells use to serialize it as XML instead. + +##### Working with Binary Data + +The OAS can describe either _raw_ or _encoded_ binary data. + +* **raw binary** is used where unencoded binary data is allowed, such as when sending a binary payload as the entire HTTP message body, or as part of a `multipart/*` payload that allows binary parts +* **encoded binary** is used where binary data is embedded in a text-only format such as `application/json` or `application/x-www-form-urlencoded` (either as a message body or in the URL query string). + +In the following table showing how to use Schema Object keywords for binary data, we use `image/png` as an example binary media type. Any binary media type, including `application/octet-stream`, is sufficient to indicate binary content. + +| Keyword | Raw | Encoded | Comments | +| ---- | ---- | ---- | ---- | +| `type` | _omit_ | `string` | raw binary is [outside of `type`](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.3) | +| `contentMediaType` | `image/png` | `image/png` | can sometimes be omitted if redundant (see below) | +| `contentEncoding` | _omit_ | `base64` or `base64url` | other encodings are [allowed](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.3) | + +Note that the encoding indicated by `contentEncoding`, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's `Content-Encoding` header, which indicates whether and how a message body has been compressed and is applied after all content serialization described in this section has occurred. Since HTTP allows unencoded binary message bodies, there is no standardized HTTP header for indicating base64 or similar encoding of an entire message body. + +Using a `contentEncoding` of `base64url` ensures that URL encoding (as required in the query string and in message bodies of type `application/x-www-form-urlencoded`) does not need to further encode any part of the already-encoded binary data. + +The `contentMediaType` keyword is redundant if the media type is already set: + +* as the key for a [Media Type Object](#media-type-object) +* in the `contentType` field of an [Encoding Object](#encoding-object) + +If the [Schema Object](#schema-object) will be processed by a non-OAS-aware JSON Schema implementation, it may be useful to include `contentMediaType` even if it is redundant. However, if `contentMediaType` contradicts a relevant Media Type Object or Encoding Object, then `contentMediaType` SHALL be ignored. + +See [Complete vs Streaming Content](#complete-vs-streaming-content) for guidance on streaming binary payloads. + +###### Schema Evaluation and Binary Data + +Few JSON Schema implementations directly support working with binary data, as doing so is not a mandatory part of that specification. + +OAS Implementations that do not have access to a binary-instance-supporting JSON Schema implementation MUST examine schemas and apply them in accordance with [Working with Binary Data](#working-with-binary-data). +When the entire instance is binary, this is straightforward as few keywords are relevant. + +However, `multipart` media types can mix binary and text-based data, leaving implementations with two options for schema evaluations: + +1. Use a placeholder value, on the assumption that no assertions will apply to the binary data and no conditional schema keywords will cause the schema to treat the placeholder value differently (e.g. a part that could be either plain text or binary might behave unexpectedly if a string is used as a binary placeholder, as it would likely be treated as plain text and subject to different subschemas and keywords). +2. Inspect the schema(s) to find the appropriate keywords (`properties`, `prefixItems`, etc.) in order to break up the subschemas and apply them separately to binary and JSON-compatible data. + +###### Migrating Binary Descriptions from OAS 3.0 + +The following table shows how to migrate from OAS 3.0 binary data descriptions, continuing to use `image/png` as the example binary media type: + +| OAS < 3.1 | OAS >= 3.1 | Comments | +| ---- | ---- | ---- | +| type: string
format: binary | contentMediaType: image/png | if redundant, can be omitted, often resulting in an empty [Schema Object](#schema-object) | +| type: string
format: byte | type: string
contentMediaType: image/png
contentEncoding: base64 | note that `base64url` can be used to avoid re-encoding the base64 string to be URL-safe | + +#### Extended Validation with Annotations + +JSON Schema Draft 2020-12 supports [collecting annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-7.7.1), including [treating unrecognized keywords as annotations](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-6.5). +OAS implementations MAY use such annotations, including [extensions](https://spec.openapis.org/registry/extension/) not recognized as part of a declared JSON Schema vocabulary, as the basis for further validation. +Note that JSON Schema Draft 2020-12 does not require an `x-` prefix for extensions. + +##### Non-Validating Constraint Keywords + +The [`format` keyword (when using default format-annotation vocabulary)](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-7.2.1) and the [`contentMediaType`, `contentEncoding`, and `contentSchema` keywords](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-8.2) define constraints on the data, but are treated as annotations instead of being validated directly. +Extended validation is one way that these constraints MAY be enforced. + +##### Validating `readOnly` and `writeOnly` + +The `readOnly` and `writeOnly` keywords are annotations, as JSON Schema is not aware of how the data it is validating is being used. +Validation of these keywords MAY be done by checking the annotation, the read or write direction, and (if relevant) the current value of the field. +[JSON Schema Validation Draft 2020-12 Section 9.4](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-9.4) defines the expectations of these keywords, including that a resource (described as the "owning authority") MAY either ignore a `readOnly` field or treat it as an error. + +Fields that are both required and read-only are an example of when it is beneficial to ignore a `readOnly: true` constraint in a PUT, particularly if the value has not been changed. +This allows correctly requiring the field on a GET and still using the same representation and schema with PUT. +Even when read-only fields are not required, stripping them is burdensome for clients, particularly when the JSON data is complex or deeply nested. + +Note that the behavior of `readOnly` in particular differs from that specified by version 3.0 of this specification. + +#### Data Modeling Techniques + +##### Composition and Inheritance (Polymorphism) + +The OpenAPI Specification allows combining and extending model definitions using the `allOf` keyword of JSON Schema, in effect offering model composition. +`allOf` takes an array of object definitions that are validated _independently_ but together compose a single object. + +While composition offers model extensibility, it does not imply a hierarchy between the models. + +JSON Schema also provides the `anyOf` and `oneOf` keywords, which allow defining multiple schemas where at least one or exactly one of them must be valid, respectively. +As is the case with `allOf`, the schemas are validated _independently_. +These keywords can be used to describe polymorphism, where a single field can accept multiple types of values. + +The OpenAPI specification extends the JSON Schema support for polymorphism by adding the [`discriminator`](#schema-discriminator) field whose value is a [Discriminator Object](#discriminator-object). +When used, the Discriminator Object indicates the name of the property that hints which schema of an `anyOf` or `oneOf` is expected to validate the structure of the model. +The discriminating property MAY be defined as required or optional, but when defined as an optional property the Discriminator Object MUST include a `defaultMapping` field that specifies which schema of the `anyOf` or `oneOf`, or which schema that references the current schema in an `allOf`, is expected to validate the structure of the model when the discriminating property is not present. + +There are two ways to define the value of a discriminating property for an inheriting instance. + +* Use the schema name. +* [Override the schema name](#discriminator-mapping) by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. + +##### Generic (Template) Data Structures + +Implementations SHOULD support defining generic or template data structures using JSON Schema's dynamic referencing feature: + +* `$dynamicAnchor` identifies a set of possible schemas (including a default placeholder schema) to which a `$dynamicRef` can resolve +* `$dynamicRef` resolves to the first matching `$dynamicAnchor` encountered on its path from the schema entry point to the reference, as described in the JSON Schema specification + +An example is included in the [Schema Object Examples](#schema-object-examples) section below, and further information can be found on the Learn OpenAPI site's ["Dynamic References"](https://learn.openapis.org/referencing/dynamic.html) page. + +##### Annotated Enumerations + +The Schema Object's `enum` keyword does not allow associating descriptions or other information with individual values. + +Implementations MAY support recognizing a `oneOf` or `anyOf` where each subschema in the keyword's array consists of a `const` keyword and annotations such as `title` or `description` as an enumerated type with additional information. The exact behavior of this pattern beyond what is required by JSON Schema is implementation-defined. + +##### XML Modeling + +The [xml](#schema-xml) field allows extra definitions when translating the JSON definition to XML. +The [XML Object](#xml-object) contains additional information about the available options. + +#### Specifying Schema Dialects + +It is important for tooling to be able to determine which dialect or meta-schema any given resource wishes to be processed with: JSON Schema Core, JSON Schema Validation, OpenAPI Schema dialect, or some custom meta-schema. + +The `$schema` keyword MAY be present in any Schema Object that is a [schema resource root](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.3.5), and if present MUST be used to determine which dialect should be used when processing the schema. This allows use of Schema Objects which comply with other drafts of JSON Schema than the default Draft 2020-12 support. Tooling MUST support the OAS dialect schema id, and MAY support additional values of `$schema`. + +To allow use of a different default `$schema` value for all Schema Objects contained within an OAS document, a `jsonSchemaDialect` value may be set within the OpenAPI Object. If this default is not set, then the OAS dialect schema id MUST be used for these Schema Objects. The value of `$schema` within a resource root Schema Object always overrides any default. + +For standalone JSON Schema documents that do not set `$schema`, or for Schema Objects in OpenAPI description documents that are _not_ [complete documents](#openapi-description-structure), the dialect SHOULD be assumed to be the OAS dialect. +However, for maximum interoperability, it is RECOMMENDED that OpenAPI description authors explicitly set the dialect through `$schema` in such documents. + +#### Schema Object Examples + +##### Primitive Example + +```yaml +type: string +format: email +``` + +##### Simple Model + ```yaml type: object required: @@ -2880,19 +3315,10 @@ properties: minimum: 0 ``` -###### Model with Map/Dictionary Properties +##### Model with Map/Dictionary Properties For a simple string to string mapping: -```json -{ - "type": "object", - "additionalProperties": { - "type": "string" - } -} -``` - ```yaml type: object additionalProperties: @@ -2901,39 +3327,13 @@ additionalProperties: For a string to model mapping: -```json -{ - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/ComplexModel" - } -} -``` - ```yaml type: object additionalProperties: $ref: '#/components/schemas/ComplexModel' ``` -###### Model with Annotated Enumeration - -```json -{ - "oneOf": [ - { - "const": "RGB", - "title": "Red, Green, Blue", - "description": "Specify colors with the red, green, and blue additive color model" - }, - { - "const": "CMYK", - "title": "Cyan, Magenta, Yellow, Black", - "description": "Specify colors with the cyan, magenta, yellow, and black subtractive color model" - } - ] -} -``` +##### Model with Annotated Enumeration ```yaml oneOf: @@ -2945,29 +3345,7 @@ oneOf: description: Specify colors with the cyan, magenta, yellow, and black subtractive color model ``` -###### Model with Example - -```json -{ - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int64" - }, - "name": { - "type": "string" - } - }, - "required": ["name"], - "examples": [ - { - "name": "Puma", - "id": 1 - } - ] -} -``` +##### Model with Example ```yaml type: object @@ -2984,46 +3362,7 @@ examples: id: 1 ``` -###### Models with Composition - -```json -{ - "components": { - "schemas": { - "ErrorModel": { - "type": "object", - "required": ["message", "code"], - "properties": { - "message": { - "type": "string" - }, - "code": { - "type": "integer", - "minimum": 100, - "maximum": 600 - } - } - }, - "ExtendedErrorModel": { - "allOf": [ - { - "$ref": "#/components/schemas/ErrorModel" - }, - { - "type": "object", - "required": ["rootCause"], - "properties": { - "rootCause": { - "type": "string" - } - } - } - ] - } - } - } -} -``` +##### Models with Composition ```yaml components: @@ -3051,73 +3390,116 @@ components: type: string ``` -###### Models with Polymorphism Support +##### Models with Polymorphism Support -```json -{ - "components": { - "schemas": { - "Pet": { - "type": "object", - "discriminator": { - "propertyName": "petType" - }, - "properties": { - "name": { - "type": "string" - }, - "petType": { - "type": "string" - } - }, - "required": ["name", "petType"] - }, - "Cat": { - "description": "A representation of a cat. Note that `Cat` will be used as the discriminating value.", - "allOf": [ - { - "$ref": "#/components/schemas/Pet" - }, - { - "type": "object", - "properties": { - "huntingSkill": { - "type": "string", - "description": "The measured skill for hunting", - "default": "lazy", - "enum": ["clueless", "lazy", "adventurous", "aggressive"] - } - }, - "required": ["huntingSkill"] - } - ] - }, - "Dog": { - "description": "A representation of a dog. Note that `Dog` will be used as the discriminating value.", - "allOf": [ - { - "$ref": "#/components/schemas/Pet" - }, - { - "type": "object", - "properties": { - "packSize": { - "type": "integer", - "format": "int32", - "description": "the size of the pack the dog is from", - "default": 0, - "minimum": 0 - } - }, - "required": ["packSize"] - } - ] - } - } - } -} +The following example describes a `Pet` model that can represent either a cat or a dog, as distinguished by the `petType` property. Each type of pet has other properties beyond those of the base `Pet` model. An instance without a `petType` property, or with a `petType` property that does not match either `cat` or `dog`, is invalid. + +```yaml +components: + schemas: + Pet: + type: object + properties: + name: + type: string + required: + - name + - petType + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + Cat: + description: A pet cat + type: object + properties: + petType: + const: 'cat' + huntingSkill: + type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: A pet dog + type: object + properties: + petType: + const: 'dog' + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize +``` + +##### Models with Polymorphism Support and a Discriminator Object + +The following example extends the example of the previous section by adding a [Discriminator Object](#discriminator-object) to the `Pet` schema. Note that the Discriminator Object is only a hint to the consumer of the API and does not change the validation outcome of the schema. + +```yaml +components: + schemas: + Pet: + type: object + discriminator: + propertyName: petType + mapping: + cat: '#/components/schemas/Cat' + dog: '#/components/schemas/Dog' + properties: + name: + type: string + required: + - name + - petType + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + Cat: + description: A pet cat + type: object + properties: + petType: + const: 'cat' + huntingSkill: + type: string + description: The measured skill for hunting + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: A pet dog + type: object + properties: + petType: + const: 'dog' + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - petType + - packSize ``` +##### Models with Polymorphism Support using `allOf` and a Discriminator Object + +It is also possible to describe polymorphic models using `allOf`. The following example uses `allOf` with a [Discriminator Object](#discriminator-object) to describe a polymorphic `Pet` model. + ```yaml components: schemas: @@ -3165,71 +3547,9 @@ components: - packSize ``` -###### Generic Data Structure Model +##### Generic Data Structure Model -```JSON -{ - "components": { - "schemas": { - "genericArrayComponent": { - "$id": "fully_generic_array", - "type": "array", - "items": { - "$dynamicRef": "#generic-array" - }, - "$defs": { - "allowAll": { - "$dynamicAnchor": "generic-array" - } - } - }, - "numberArray": { - "$id": "array_of_numbers", - "$ref": "fully_generic_array", - "$defs": { - "numbersOnly": { - "$dynamicAnchor": "generic-array", - "type": "number" - } - } - }, - "stringArray": { - "$id": "array_of_strings", - "$ref": "fully_generic_array", - "$defs": { - "stringsOnly": { - "$dynamicAnchor": "generic-array", - "type": "string" - } - } - }, - "objWithTypedArray": { - "$id": "obj_with_typed_array", - "type": "object", - "required": ["dataType", "data"], - "properties": { - "dataType": { - "enum": ["string", "number"] - } - }, - "oneOf": [{ - "properties": { - "dataType": {"const": "string"}, - "data": {"$ref": "array_of_strings"} - } - }, { - "properties": { - "dataType": {"const": "number"}, - "data": {"$ref": "array_of_numbers"} - } - }] - } - } - } -} -``` - -```YAML +```yaml components: schemas: genericArrayComponent: @@ -3278,24 +3598,27 @@ components: $ref: array_of_numbers ``` -#### Discriminator Object +### Discriminator Object + +When request bodies or response payloads may be one of a number of different schemas, these should use the JSON Schema `anyOf` or `oneOf` keywords to describe the possible schemas (see [Composition and Inheritance](#composition-and-inheritance-polymorphism)). -When request bodies or response payloads may be one of a number of different schemas, a Discriminator Object gives a hint about the expected schema of the document. +A polymorphic schema MAY include a Discriminator Object, which defines the name of the property that may be used as a hint for which schema of the `anyOf` or `oneOf`, or which schema that references the current schema in an `allOf`, is expected to validate the structure of the model. This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas. Note that `discriminator` MUST NOT change the validation outcome of the schema. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| propertyName | `string` | **REQUIRED**. The name of the property in the payload that will hold the discriminating value. This property SHOULD be required in the payload schema, as the behavior when the property is absent is undefined. | +| propertyName | `string` | **REQUIRED**. The name of the discriminating property in the payload that will hold the discriminating value. The discriminating property MAY be defined as required or optional, but when defined as optional the Discriminator Object MUST include a `defaultMapping` field that specifies which schema is expected to validate the structure of the model when the discriminating property is not present. | | mapping | Map[`string`, `string`] | An object to hold mappings between payload values and schema names or URI references. | +| defaultMapping | `string` | The schema name or URI reference to a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Conditions for Using the Discriminator Object +#### Conditions for Using the Discriminator Object The Discriminator Object is legal only when using one of the composite keywords `oneOf`, `anyOf`, `allOf`. @@ -3308,18 +3631,39 @@ This is because `discriminator` cannot change the validation outcome, and no sta The behavior of any configuration of `oneOf`, `anyOf`, `allOf` and `discriminator` that is not described above is undefined. -##### Options for Mapping Values to Schemas +#### Options for Mapping Values to Schemas The value of the property named in `propertyName` is used as the name of the associated schema under the [Components Object](#components-object), _unless_ a `mapping` is present for that value. The `mapping` entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. When using implicit or explicit schema component names, inline `oneOf` or `anyOf` subschemas are not considered. -The behavior of a `mapping` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. +The behavior of a `mapping` value or `defaultMapping` value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. To ensure that an ambiguous value (e.g. `"foo"`) is treated as a relative URI reference by all implementations, authors MUST prefix it with the `"."` path segment (e.g. `"./foo"`). Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined. -##### Examples +#### Optional Discriminating Property + +When the discriminating property is defined as optional, the [Discriminator Object](#discriminator-object) MUST include a `defaultMapping` field that specifies a schema that is expected to validate the structure of the model when the discriminating property is not present in the payload or contains a value for which there is no explicit or implicit mapping. This allows the schema to still be validated correctly even if the discriminating property is missing. + +The primary use case for an optional discriminating property is to allow a schema to be extended with a discriminator without breaking existing clients that do not provide the discriminating property. + +When the discriminating property is defined as optional, it is important that each subschema that defines a value for the discriminating property also define the property as required, since this is no longer enforced by the parent schema. + +The `defaultMapping` schema is also expected to validate the structure of the model when the discriminating property is present but contains a value for which there is no explicit or implicit mapping. This is typically expressed in the `defaultMapping` schema by excluding any instances with mapped values of the discriminating property, e.g. + +```yaml +OtherPet: + type: object + properties: + petType: + not: + enum: ['cat', 'dog'] +``` + +This prevents the `defaultMapping` schema from validating a payload that includes the discriminating property with a mapped discriminating value, which would cause a validation to fail when polymorphism is described using the `oneOf` JSON schema keyword. + +#### Examples For these examples, assume all schemas are in the [entry document](#openapi-description-structure) of the OAD; for handling of `discriminator` in referenced documents see [Resolving Implicit Connections](#resolving-implicit-connections). @@ -3333,7 +3677,7 @@ MyResponseType: - $ref: '#/components/schemas/Lizard' ``` -which means the payload _MUST_, by validation, match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` MAY be used as a "hint" to improve the efficiency of selection of the matching schema. The `discriminator` field cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: +which means a valid payload has to match exactly one of the schemas described by `Cat`, `Dog`, or `Lizard`. Deserialization of a `oneOf` can be a costly operation, as it requires determining which schema matches the payload and thus should be used in deserialization. This problem also exists for `anyOf` schemas. A `discriminator` can be used as a "hint" to improve the efficiency of selection of the matching schema. The [Discriminator Object](#discriminator-object) cannot change the validation result of the `oneOf`, it can only help make the deserialization more efficient and provide better error messaging. We can specify the exact field that tells us which schema is expected to match the instance: ```yaml MyResponseType: @@ -3356,7 +3700,7 @@ The expectation now is that a property with name `petType` _MUST_ be present in will indicate that the `Cat` schema is expected to match this payload. -In scenarios where the value of the `discriminator` field does not match the schema name or implicit mapping is not possible, an optional `mapping` definition MAY be used: +In scenarios where the value of the discriminating property does not match the schema name or implicit mapping is not possible, an optional `mapping` definition can be used: ```yaml MyResponseType: @@ -3376,6 +3720,30 @@ Here the discriminating value of `dog` will map to the schema `#/components/sche When used in conjunction with the `anyOf` construct, the use of the discriminator can avoid ambiguity for serializers/deserializers where multiple schemas may satisfy a single payload. +When the discriminating property is defined as optional, the Discriminator Object has to include a `defaultMapping` field that specifies a schema of the `anyOf` or `oneOf` is expected to validate the structure of the model when the discriminating property is not present in the payload. This allows the schema to still be validated correctly even if the discriminator property is missing. + +For example: + +```yaml +MyResponseType: + oneOf: + - $ref: '#/components/schemas/Cat' + - $ref: '#/components/schemas/Dog' + - $ref: '#/components/schemas/Lizard' + - $ref: '#/components/schemas/OtherPet' + discriminator: + propertyName: petType + defaultMapping: OtherPet +OtherPet: + type: object + properties: + petType: + not: + enum: ['Cat', 'Dog', 'Lizard'] +``` + +In this example, if the `petType` property is not present in the payload, or if the value of `petType` is not "Cat", "Dog", or "Lizard", then the payload should validate against the `OtherPet` schema. + This example shows the `allOf` usage, which avoids needing to reference all child schemas in the parent: ```yaml @@ -3438,374 +3806,768 @@ will indicate that the `#/components/schemas/Cat` schema is expected to match. L will map to `#/components/schemas/Dog` because the `dog` entry in the `mapping` element maps to `Dog` which is the schema name for `#/components/schemas/Dog`. -#### XML Object +### XML Object A metadata object that allows for more fine-tuned XML model definitions. +When using a Schema Object with XML, if no XML Object is present, the behavior is determined by the XML Object's default field values. -When using arrays, XML element names are _not_ inferred (for singular/plural forms) and the `name` field SHOULD be used to add that information. -See examples for expected behavior. - -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | -| name | `string` | Replaces the name of the element/attribute used for the described schema property. When defined within `items`, it will affect the name of the individual XML elements within the list. When defined alongside `type` being `"array"` (outside the `items`), it will affect the wrapping element if and only if `wrapped` is `true`. If `wrapped` is `false`, it will be ignored. | -| namespace | `string` | The URI of the namespace definition. Value MUST be in the form of a non-relative URI. | +| nodeType | `string` | One of `element`, `attribute`, `text`, `cdata`, or `none`, as explained under [XML Node Types](#xml-node-types). The default value is `none` if `$ref`, `$dynamicRef`, or `type: "array"` is present in the [Schema Object](#schema-object) containing the XML Object, and `element` otherwise. | +| name | `string` | Sets the name of the element/attribute corresponding to the schema, replacing the name that was inferred as described under [XML Node Names](#xml-node-names). This field SHALL be ignored if the `nodeType` is `text`, `cdata`, or `none`. | +| namespace | `string` | The IRI ([[RFC3987]]) of the namespace definition. Value MUST be in the form of a non-relative IRI. | | prefix | `string` | The prefix to be used for the [name](#xml-name). | -| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. | -| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). | +| attribute | `boolean` | Declares whether the property definition translates to an attribute instead of an element. Default value is `false`. If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "attribute"` instead of `attribute: true` | +| wrapped | `boolean` | MAY be used only for an array definition. Signifies whether the array is wrapped (for example, ``) or unwrapped (``). Default value is `false`. The definition takes effect only when defined alongside `type` being `"array"` (outside the `items`). If `nodeType` is present, this field MUST NOT be present.

**Deprecated:** Use `nodeType: "element"` instead of `wrapped: true` | + +Note that when generating an XML document from object data, the order of the nodes is undefined. +Use `prefixItems` to control node ordering as shown under [Ordered Elements and Text](#ordered-elements-and-text). + +See [Appendix B](#appendix-b-data-type-conversion) for a discussion of converting values of various types to string representations. This object MAY be extended with [Specification Extensions](#specification-extensions). +#### XML Node Types + +Each Schema Object describes a particular type of XML [[!DOM]] [node](https://dom.spec.whatwg.org/#interface-node) which is specified by the `nodeType` field, which has the following possible values. +Except for the special value `none`, these values have numeric equivalents in the DOM specification which are given in parentheses after the name: + +* `element` (1): The schema represents an element and describes its contents +* `attribute` (2): The schema represents an attribute and describes its value +* `text` (3): The schema represents a text node (parsed character data) +* `cdata` (4): The schema represents a CDATA section +* `none`: The schema does not correspond to any node in the XML document, and the nodes corresponding to its subschema(s) are included directly under its parent schema's node + +The `none` type is useful for JSON Schema constructs that require more Schema Objects than XML nodes, such as a schema containing only `$ref` that exists to facilitate re-use rather than imply any structure. + +##### Modeling Element Lists + +For historical compatibility, schemas of `type: "array"` default to `nodeType: "none"`, placing the nodes for each array item directly under the parent node. +This also aligns with the inferred naming behavior defined under [XML Node Names](#xml-node-names). + +To produce an element wrapping the list, set an explicit `nodeType: "element"` on the `type: "array"` schema. +When doing so, it is advisable to set an explicit name on either the wrapping element or the item elements to avoid them having the same inferred name. +See examples for expected behavior. + +##### Implicit and Explicit `text` Nodes + +If an `element` node has a primitive type, then the schema also produces an implicit `text` node described by the schema for the contents of the `element` node named by the property name (or `name` field). + +Explicit `text` nodes are necessary if an element has both attributes and content. + +Note that placing two `text` nodes adjacent to each other is ambiguous for parsing, and the resulting behavior is implementation-defined. + +#### XML Node Names + +The `element` and `attribute` node types require a name, which MUST be inferred from the schema as follows, unless overridden by the `name` field: + +* For schemas directly under the [Components Object's](#components-object) `schemas` field, the component name is the inferred name. +* For property schemas, and for array item schemas under a property schema, the property name is the inferred name. +* In all other cases, such as an inline schema under a [Media Type Object's](#media-type-object) `schema` field, no name can be inferred and an XML Object with a `name` field MUST be present. + +Note that when using arrays, singular vs plural forms are _not_ inferred, and must be set explicitly. + +#### Namespace Limitations + The `namespace` field is intended to match the syntax of [XML namespaces](https://www.w3.org/TR/xml-names11/), although there are a few caveats: -* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI", so authors using namespaces that include a fragment should check tooling support carefully. -* XML allows but discourages relative URI-references, while this specification outright forbids them. -* XML 1.1 allows IRIs ([RFC3987](https://datatracker.ietf.org/doc/html/rfc3987)) as namespaces, and specifies that namespaces are compared without any encoding or decoding, which means that IRIs encoded to meet this specification's URI syntax requirement cannot be compared to IRIs as-is. +* Versions 3.1.0, 3.0.3, and earlier of this specification erroneously used the term "absolute URI" instead of "non-relative URI" ("non-relative IRI" as of OAS v3.2.0), so authors using namespaces that include a fragment should check tooling support carefully. +* XML allows but discourages relative IRI-references, while this specification outright forbids them. -##### XML Object Examples +#### Handling `null` Values -Each of the following examples represent the value of the `properties` keyword in a [Schema Object](#schema-object) that is omitted for brevity. -The JSON and YAML representations of the `properties` value are followed by an example XML representation produced for the single property shown. +XML does not, by default, have a concept equivalent to `null`, and to preserve compatibility with version 3.1.1 and earlier of this specification, the behavior of serializing `null` values is implementation-defined. -###### No XML Element +However, implementations SHOULD handle `null` values as follows: -Basic string property: +* For elements, produce an empty element with an `xsi:nil="true"` attribute. +* For attributes, omit the attribute. +* For text and CDATA sections, see [Appendix B](#appendix-b-data-type-conversion) for a discussion of serializing non-text values to text. -```json -{ - "animals": { - "type": "string" - } -} +Note that for attributes, this makes either a `null` value or a missing property serialize to an omitted attribute. +As the Schema Object validates the in-memory representation, this allows handling the combination of `null` and a required property. +However, because there is no distinct way to represent `null` as an attribute, it is RECOMMENDED to make attribute properties optional rather than use `null`. + +To ensure correct round-trip behavior, when parsing an element that omits an attribute, implementations SHOULD set the corresponding property to `null` if the schema allows for that value (e.g. `type: ["number", "null"]`), and omit the property otherwise (e.g.`type: "number"`). + +#### XML Object Examples + +The Schema Objects are followed by an example XML representation produced for the schema shown. +For examples using `attribute` or `wrapped`, please see version 3.1 of the OpenAPI Specification. + +##### No XML Object + +Basic string property without an XML Object, using `serializedValue` (the remaining examples will use `externalValue` so that the XML form can be shown with syntax highlighting): + +```yaml +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: string + examples: + pets: + dataValue: + animals: dog, cat, hamster + serializedValue: | + + dog, cat, hamster + ``` +Basic string array property (`nodeType` is `none` by default): + ```yaml -animals: - type: string +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + items: + type: string + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -... + + dog + cat + hamster + ``` -Basic string array property ([`wrapped`](#xml-wrapped) is `false` by default): +##### XML Name Replacement -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - } - } -} +```yaml +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + +```xml + + dog + cat + hamster + +``` + +##### XML Attribute, Prefix and Namespace + +Note that the name of the root XML element comes from the component name. + ```yaml -animals: - type: array - items: - type: string +components: + schemas: + Person: + type: object + properties: + id: + type: integer + format: int32 + xml: + nodeType: attribute + name: + type: string + xml: + namespace: https://example.com/schema/sample + prefix: sample + requestBodies: + Person: + content: + application/xml: + schema: + $ref: "#/components/schemas/Person" + examples: + Person: + dataValue: + id: 123 + name: example + externalValue: ./examples/Person.xml ``` +Where `./examples/Person.xml` would be: + ```xml -... -... -... + + example + ``` -###### XML Name Replacement +##### XML Arrays -```json -{ - "animals": { - "type": "string", - "xml": { - "name": "animal" - } - } -} -``` +Changing the element names: ```yaml -animals: - type: string - xml: - name: animal +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -... + + dog + cat + hamster + ``` -###### XML Attribute, Prefix and Namespace +The `name` field for the `type: "array"` schema has no effect because the default `nodeType` for that object is `none`: -In this example, a full model definition is shown. +```yaml +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + xml: + name: aliens + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml +``` -```json -{ - "Person": { - "type": "object", - "properties": { - "id": { - "type": "integer", - "format": "int32", - "xml": { - "attribute": true - } - }, - "name": { - "type": "string", - "xml": { - "namespace": "https://example.com/schema/sample", - "prefix": "sample" - } - } - } - } -} +Where `./examples/pets.xml` would be: + +```xml + + dog + cat + hamster + ``` +Even when a wrapping element is explicitly created by setting `nodeType` to `element`, if a name is not explicitly defined, the same name will be used for both the wrapping element and the list item elements: + ```yaml -Person: - type: object - properties: - id: - type: integer - format: int32 - xml: - attribute: true - name: - type: string - xml: - namespace: https://example.com/schema/sample - prefix: sample +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + xml: + nodeType: element + items: + type: string + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml - - example - + + + dog + cat + hamster + + ``` -###### XML Arrays +To overcome the naming problem in the example above, the following definition can be used: + +```yaml +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + xml: + nodeType: element + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml +``` -Changing the element names: +Where `./examples/pets.xml` would be: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - } - } -} +```xml + + + dog + cat + hamster + + ``` +Affecting both wrapping element and item element names: + ```yaml -animals: - type: array - items: - type: string +application/xml: + schema: + type: object xml: - name: animal + name: document + properties: + animals: + type: array + xml: + name: aliens + nodeType: element + items: + type: string + xml: + name: animal + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml ``` +Where `./examples/pets.xml` would be: + ```xml -value -value + + + dog + cat + hamster + + ``` -The external `name` field has no effect on the XML: +If we change the wrapping element name but not the item element names: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "name": "aliens" - } - } -} +```yaml +application/xml: + schema: + type: object + xml: + name: document + properties: + animals: + type: array + xml: + name: aliens + nodeType: element + items: + type: string + examples: + pets: + dataValue: + animals: + - dog + - cat + - hamster + externalValue: ./examples/pets.xml +``` + +Where `./examples/pets.xml` would be: + +```xml + + + dog + cat + hamster + + ``` +##### Elements With Attributes And Text + ```yaml -animals: - type: array - items: - type: string +application/xml: + schema: + type: array xml: - name: animal - xml: - name: aliens + nodeType: element + name: animals + items: + xml: + name: animal + properties: + kind: + type: string + xml: + nodeType: attribute + name: + type: string + xml: + nodeType: text + examples: + pets: + dataValue: + - kind: Cat + name: Fluffy + - kind: Dog + name: Fido ``` +Where `./examples/pets.xml` would be: + ```xml -value -value + + Fluffy + Fido + ``` -Even when the array is wrapped, if a name is not explicitly defined, the same name will be used both internally and externally: +##### Referenced Element With CDATA -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - }, - "xml": { - "wrapped": true - } - } -} +In this example, no element is created for the Schema Object that contains only the `$ref`, as its `nodeType` defaults to `none`. +It is necessary to create a subschema for the CDATA section as otherwise the content would be treated as an implicit node of type `text`. + +```yaml +components: + schemas: + Documentation: + type: object + properties: + content: + type: string + contentMediaType: text/html + xml: + nodeType: cdata + responses: + content: + application/xml: + schema: + $ref: "#/components/schemas/Documentation" + examples: + docs: + dataValue: + content: Awesome Docs + externalValue: ./examples/docs.xml ``` +Where `./examples/docs.xml` would be: + +```xml + + Awesome Docs]]> + +``` + +Alternatively, the named root element could be set at the point of use and the root element disabled on the component (note that in this example, the same `dataValue` is used in two places with different serializations shown with `externalValue`): + ```yaml -animals: - type: array - items: - type: string - xml: - wrapped: true +paths: + /docs: + get: + responses: + "200": + content: + application/xml: + schema: + xml: + nodeType: element + name: StoredDocument + $ref: "#/components/schemas/Documentation" + examples: + stored: + dataValue: + content: Awesome Docs + externalValue: ./examples/stored.xml + put: + requestBody: + required: true + content: + application/xml: + schema: + xml: + nodeType: element + name: UpdatedDocument + $ref: "#/components/schemas/Documentation" + examples: + updated: + dataValue: + content: Awesome Docs + externalValue: ./examples/updated.xml + responses: + "201": {} +components: + schemas: + Documentation: + xml: + nodeType: none + type: object + properties: + content: + type: string + contentMediaType: text/html + xml: + nodeType: cdata ``` +where `./examples/stored.xml` would be: + ```xml - - value - value - + + Awesome Docs]]> + ``` -To overcome the naming problem in the example above, the following definition can be used: +and `./examples/updated.xml` would be: -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "wrapped": true - } - } -} +```xml + + Awesome Docs]]> + ``` +##### Ordered Elements and Text + +To control the exact order of elements, use the `prefixItems` keyword. +With this approach, it is necessary to set the element names using the XML Object as they would otherwise all inherit the parent's name despite being different elements in a specific order. +It is also necessary to set `nodeType: "element"` explicitly on the array in order to get an element containing the sequence. + +This first ordered example shows a sequence of elements, as well as the recommended serialization of `null` for elements: + ```yaml -animals: - type: array - items: - type: string +application/xml: + schema: xml: - name: animal - xml: - wrapped: true + nodeType: element + name: OneTwoThree + type: array + minLength: 3 + maxLength: 3 + prefixItems: + - xml: + name: One + type: string + - xml: + name: Two + type: object + required: + - unit + - value + properties: + unit: + type: string + xml: + nodeType: attribute + value: + type: number + xml: + nodeType: text + - xml: + name: Three + type: + - boolean + - "null" + examples: + OneTwoThree: + dataValue: + - Some text + - unit: cubits + value: 42 + null + ] + externalValue: ./examples/OneTwoThree.xml ``` +Where `./examples/OneTwoThree.xml` would be: + ```xml - - value - value - + + Some text + 42 + + ``` -Affecting both internal and external names: - -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string", - "xml": { - "name": "animal" - } - }, - "xml": { - "name": "aliens", - "wrapped": true - } - } -} -``` +In this next example, the `name` needs to be set for the element, while the `nodeType` needs to be set for the text nodes. ```yaml -animals: - type: array - items: - type: string +application/xml: + schema: xml: - name: animal - xml: - name: aliens - wrapped: true + nodeType: element + name: Report + type: array + prefixItems: + - xml: + nodeType: text + type: string + - xml: + name: data + type: number + - xml: + nodeType: text + type: string + examples: + Report: + dataValue: + - Some preamble text. + - 42 + - Some postamble text. + externalValue: ./examples/Report.xml ``` +Where `./examples/Report.xml` would be: + ```xml - - value - value - +Some preamble text.42Some postamble text. ``` -If we change the external element but not the internal ones: +##### XML With `null` Values -```json -{ - "animals": { - "type": "array", - "items": { - "type": "string" - }, - "xml": { - "name": "aliens", - "wrapped": true - } - } -} -``` +Recall that the schema validates the in-memory data, not the XML document itself. +This example does not define properties for `"related"` as it is showing how +empty objects and `null` are handled. + +```yaml +application/xml: + schema: + xml: + name: product + type: object + required: + - count + - description + - related + properties: + count: + type: + - number + - "null" + xml: + nodeType: attribute + rating: + type: string + xml: + nodeType: attribute + description: + type: string + related: + type: + - object + - "null" + examples: + productWithNulls: + dataValue: + count: null + description: Thing + related: null + externalValue: ./examples/productWithNulls.xml + productNoNulls: + dataValue: + count: 42 + description: Thing + related: {} + externalValue: ./examples/productNoNulls.xml +``` + +Where `./examples/productWithNulls.xml` would be: -```yaml -animals: - type: array - items: - type: string - xml: - name: aliens - wrapped: true +```xml + + Thing + + ``` +and `./examples/productNoNulls.xml` would be: + ```xml - - value - value - + + Thing + + ``` -#### Security Scheme Object +### Security Scheme Object Defines a security scheme that can be used by the operations. -Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), and [[OpenID-Connect-Core]]. +Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), mutual TLS (use of a client certificate), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in [RFC6749](https://tools.ietf.org/html/rfc6749), OAuth2 device authorization flow as defined in [RFC8628](https://tools.ietf.org/html/rfc8628), and [[OpenID-Connect-Core]]. Please note that as of 2020, the implicit flow is about to be deprecated by [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics). Recommended for most use cases is Authorization Code Grant flow with PKCE. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | @@ -3813,38 +4575,25 @@ Please note that as of 2020, the implicit flow is about to be deprecated by [OAu | description | `string` | Any | A description for security scheme. [CommonMark syntax](https://spec.commonmark.org/) MAY be used for rich text representation. | | name | `string` | `apiKey` | **REQUIRED**. The name of the header, query or cookie parameter to be used. | | in | `string` | `apiKey` | **REQUIRED**. The location of the API key. Valid values are `"query"`, `"header"`, or `"cookie"`. | -| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC7235](https://tools.ietf.org/html/rfc7235#section-5.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). | +| scheme | `string` | `http` | **REQUIRED**. The name of the HTTP Authentication scheme to be used in the [Authorization header as defined in RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-16.4.1). The values used SHOULD be registered in the [IANA Authentication Scheme registry](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). The value is case-insensitive, as defined in [RFC9110](https://www.rfc-editor.org/rfc/rfc9110.html#section-11.1). | | bearerFormat | `string` | `http` (`"bearer"`) | A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes. | | flows | [OAuth Flows Object](#oauth-flows-object) | `oauth2` | **REQUIRED**. An object containing configuration information for the flow types supported. | | openIdConnectUrl | `string` | `openIdConnect` | **REQUIRED**. [Well-known URL](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) to discover the [[OpenID-Connect-Discovery]] [provider metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). | +| oauth2MetadataUrl | `string` | `oauth2` | URL to the OAuth2 authorization server metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414). TLS is required. | +| deprecated | `boolean` | Any | Declares this security scheme to be deprecated. Consumers SHOULD refrain from usage of the declared scheme. Default value is `false`. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### Security Scheme Object Examples - -###### Basic Authentication Example +#### Security Scheme Object Examples -```json -{ - "type": "http", - "scheme": "basic" -} -``` +##### Basic Authentication Example ```yaml type: http scheme: basic ``` -###### API Key Example - -```json -{ - "type": "apiKey", - "name": "api-key", - "in": "header" -} -``` +##### API Key Example ```yaml type: apiKey @@ -3852,15 +4601,7 @@ name: api-key in: header ``` -###### JWT Bearer Example - -```json -{ - "type": "http", - "scheme": "bearer", - "bearerFormat": "JWT" -} -``` +##### JWT Bearer Example ```yaml type: http @@ -3868,36 +4609,14 @@ scheme: bearer bearerFormat: JWT ``` -###### MutualTLS Example - -```json -{ - "type": "mutualTLS", - "description": "Cert must be signed by example.com CA" -} -``` +##### MutualTLS Example ```yaml type: mutualTLS description: Cert must be signed by example.com CA ``` -###### Implicit OAuth2 Example - -```json -{ - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } -} -``` +##### Implicit OAuth2 Example ```yaml type: oauth2 @@ -3909,11 +4628,11 @@ flows: read:pets: read your pets ``` -#### OAuth Flows Object +### OAuth Flows Object Allows configuration of the supported OAuth Flows. -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Description | | ---- | :----: | ---- | @@ -3921,48 +4640,27 @@ Allows configuration of the supported OAuth Flows. | password | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Resource Owner Password flow | | clientCredentials | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Client Credentials flow. Previously called `application` in OpenAPI 2.0. | | authorizationCode | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Authorization Code flow. Previously called `accessCode` in OpenAPI 2.0. | +| deviceAuthorization | [OAuth Flow Object](#oauth-flow-object) | Configuration for the OAuth Device Authorization flow. | This object MAY be extended with [Specification Extensions](#specification-extensions). -#### OAuth Flow Object +### OAuth Flow Object Configuration details for a supported OAuth Flow -##### Fixed Fields +#### Fixed Fields | Field Name | Type | Applies To | Description | | ---- | :----: | ---- | ---- | | authorizationUrl | `string` | `oauth2` (`"implicit"`, `"authorizationCode"`) | **REQUIRED**. The authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | -| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| deviceAuthorizationUrl | `string` | `oauth2` (`"deviceAuthorization"`) | **REQUIRED**. The device authorization URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | +| tokenUrl | `string` | `oauth2` (`"password"`, `"clientCredentials"`, `"authorizationCode"`, `"deviceAuthorization"`) | **REQUIRED**. The token URL to be used for this flow. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | refreshUrl | `string` | `oauth2` | The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL. The OAuth2 standard requires the use of TLS. | | scopes | Map[`string`, `string`] | `oauth2` | **REQUIRED**. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty. | This object MAY be extended with [Specification Extensions](#specification-extensions). -##### OAuth Flow Object Example - -```JSON -{ - "type": "oauth2", - "flows": { - "implicit": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - }, - "authorizationCode": { - "authorizationUrl": "https://example.com/api/oauth/dialog", - "tokenUrl": "https://example.com/api/oauth/token", - "scopes": { - "write:pets": "modify pets in your account", - "read:pets": "read your pets" - } - } - } -} -``` +#### OAuth Flow Object Example ```yaml type: oauth2 @@ -3980,10 +4678,15 @@ flows: read:pets: read your pets ``` -#### Security Requirement Object +### Security Requirement Object Lists the required security schemes to execute this operation. -The name used for each property MUST correspond to a security scheme declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). + +The name used for each property MUST either correspond to a security scheme declared in the [Security Schemes](#components-security-schemes) under the [Components Object](#components-object), or be the URI of a Security Scheme Object. +Property names that are identical to a component name under the Components Object MUST be treated as a component name. +To reference a Security Scheme with a single-segment relative URI reference (e.g. `foo`) that collides with a component name (e.g. `#/components/securitySchemes/foo`), use the `.` path segment (e.g. `./foo`). + +Using a Security Scheme component name that appears to be a URI is NOT RECOMMENDED, as the precedence of component-name-matching over URI resolution, which is necessary to maintain compatibility with prior OAS versions, is counter-intuitive. See also [Security Considerations](#security-considerations). A Security Requirement Object MAY refer to multiple security schemes in which case all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information. @@ -3993,35 +4696,25 @@ This enables support for scenarios where the API allows multiple, independent se An empty Security Requirement Object (`{}`) indicates anonymous access is supported. -##### Patterned Fields +#### Patterned Fields | Field Pattern | Type | Description | | ---- | :----: | ---- | -| {name} | [`string`] | Each name MUST correspond to a security scheme which is declared in the [Security Schemes](#security-scheme-object) under the [Components Object](#components-object). If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | - -##### Security Requirement Object Examples +| {name} | [`string`] | Each name or URI MUST correspond to a security scheme as described above. If the security scheme is of type `"oauth2"` or `"openIdConnect"`, then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band. | -See also [Appendix F: Resolving Security Requirements in a Referenced Document](#appendix-f-resolving-security-requirements-in-a-referenced-document) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. +#### Security Requirement Object Examples -###### Non-OAuth2 Security Requirement +See also [Implicit Connection Resolution Examples](#implicit-connection-resolution-examples) in [Appendix G: Parsing and Resolution Guidance](#appendix-g-parsing-and-resolution-guidance) for an example using Security Requirement Objects in multi-document OpenAPI Descriptions. -```json -{ - "api_key": [] -} -``` +##### Non-OAuth2 Security Requirement ```yaml api_key: [] ``` -###### OAuth2 Security Requirement +##### OAuth2 Security Requirement -```json -{ - "petstore_auth": ["write:pets", "read:pets"] -} -``` +This example uses a component name for the Security Scheme. ```yaml petstore_auth: @@ -4029,20 +4722,11 @@ petstore_auth: - read:pets ``` -###### Optional OAuth2 Security +##### Optional OAuth2 Security -Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object: +This example uses a relative URI reference for the Security Scheme. -```json -{ - "security": [ - {}, - { - "petstore_auth": ["write:pets", "read:pets"] - } - ] -} -``` +Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object: ```yaml security: @@ -4052,7 +4736,7 @@ security: - read:pets ``` -### Specification Extensions +## Specification Extensions While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points. @@ -4069,18 +4753,6 @@ It is therefore RECOMMENDED that implementations be designed for extensibility t Support for any one extension is OPTIONAL, and support for one extension does not imply support for others. -### Security Filtering - -Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation. - -The reasoning is to allow an additional layer of access control over the documentation. -While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization. - -Two examples of this: - -1. The [Paths Object](#paths-object) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#info-object) which may contain additional information regarding authentication. -2. The [Path Item Object](#path-item-object) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#paths-object), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. - ## Security Considerations ### OpenAPI Description Formats @@ -4089,8 +4761,8 @@ OpenAPI Descriptions use a combination of JSON, YAML, and JSON Schema, and there * [JSON](https://www.iana.org/assignments/media-types/application/json) * [YAML](https://www.iana.org/assignments/media-types/application/yaml) -* [JSON Schema Core](https://tools.ietf.org/html/draft-bhutton-json-schema-00#section-13) -* [JSON Schema Validation](https://tools.ietf.org/html/draft-bhutton-json-schema-validation-00#section-10) +* [JSON Schema Core](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-13) +* [JSON Schema Validation](https://www.ietf.org/archive/id/draft-bhutton-json-schema-validation-01.html#section-10) ### Tooling and Usage Scenarios @@ -4100,6 +4772,23 @@ In addition, OpenAPI Descriptions are processed by a wide variety of tooling for An OpenAPI Description describes the security schemes used to protect the resources it defines. The security schemes available offer varying degrees of protection. Factors such as the sensitivity of the data and the potential impact of a security breach should guide the selection of security schemes for the API resources. Some security schemes, such as basic auth and OAuth Implicit flow, are supported for compatibility with existing APIs. However, their inclusion in OpenAPI does not constitute an endorsement of their use, particularly for highly sensitive data or operations. +The rules for connecting a [Security Requirement Object](#security-requirement-object) to a [Security Scheme Object](#security-scheme-object) under a [Components Object](#components-object) are ambiguous in a way that could be exploited. Specifically: + +* It is implementation-defined whether a component name used by a Security Requirement Object in a referenced document is resolved from the entry document (RECOMMENDED) or the referenced document. +* A Security Requirement Object that uses a URI to identify a Security Scheme Object can have the URI resolution hijacked by providing a Security Scheme component name identical to the URI, as the name lookup behavior takes precedence over URI resolution for compatibility with previous versions of the OAS. + +### Security Filtering + +Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation. + +The reasoning is to allow an additional layer of access control over the documentation. +While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization. + +Two examples of this: + +1. The [Paths Object](#paths-object) MAY be present but empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They would still have access to at least the [Info Object](#info-object) which may contain additional information regarding authentication. +2. The [Path Item Object](#path-item-object) MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the [Paths Object](#paths-object), because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see. + ### Handling External Resources OpenAPI Descriptions may contain references to external resources that may be dereferenced automatically by consuming tools. External resources may be hosted on different domains that may be untrusted. @@ -4116,6 +4805,8 @@ Certain fields allow the use of Markdown which can contain HTML including script | Version | Date | Notes | | ---- | ---- | ---- | +| 3.2.0 | TBD | Release of the OpenAPI Specification 3.2.0 | +| 3.1.2 | TBD | Patch release of the OpenAPI Specification 3.1.2 | | 3.1.1 | 2024-10-24 | Patch release of the OpenAPI Specification 3.1.1 | | 3.1.0 | 2021-02-15 | Release of the OpenAPI Specification 3.1.0 | | 3.1.0-rc1 | 2020-10-08 | rc1 of the 3.1 specification | @@ -4138,7 +4829,7 @@ Certain fields allow the use of Markdown which can contain HTML including script Serializing typed data to plain text, which can occur in `text/plain` message bodies or `multipart` parts, as well as in the `application/x-www-form-urlencoded` format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior. -[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. +[Schema Objects](#schema-object) validate data based on the [JSON Schema data model](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#section-4.2.1), which only recognizes four primitive data types: strings (which are [only broadly interoperable as UTF-8](https://datatracker.ietf.org/doc/html/rfc7159#section-8.1)), numbers, booleans, and `null`. Notably, integers are not a distinct type from other numbers, with `type: "integer"` being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation. The [Parameter Object](#parameter-object), [Header Object](#header-object), and [Encoding Object](#encoding-object) offer features to control how to arrange values from array or object types. @@ -4176,9 +4867,9 @@ Implementations of this specification MAY use an implementation of RFC6570 to pe Note that when using `style: "form"` RFC6570 expansion to produce an `application/x-www-form-urlencoded` HTTP message body, it is necessary to remove the `?` prefix that is produced to satisfy the URI query string syntax. -When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used. +When using `style` and similar keywords to produce a `multipart/form-data` body, the query string names are placed in the `name` parameter of the `Content-Disposition` part header, and the values are placed in the corresponding part body; the `?`, `=`, and `&` characters are not used, and URI percent encoding is not applied, regardless of the value of `allowReserved`. Note that while [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578) allows using [[RFC3986]] percent-encoding in "file names", it does not otherwise address the use of percent-encoding within the format. -RFC7578 discusses character set and encoding issues for `multipart/form-data` in detail, and it is RECOMMENDED that OpenAPI Description authors read this guidance carefully before deciding to use RFC6570-based serialization with this media type. +Users are expected to provide names and data with any escaping necessary for conformance with RFC7578 already applied. Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations. @@ -4200,7 +4891,7 @@ Certain field values translate to RFC6570 [operators](https://datatracker.ietf.o Multiple `style: "form"` parameters are equivalent to a single RFC6570 [variable list](https://www.rfc-editor.org/rfc/rfc6570#section-2.2) using the `?` prefix operator: -```YAML +```yaml parameters: - name: foo in: query @@ -4245,7 +4936,7 @@ A parameter name that includes characters outside of the allowed RFC6570 variabl Let's say we want to use the following data in a form query string, where `formulas` is exploded, and `words` is not: -```YAML +```yaml formulas: a: x+y b: x/y @@ -4260,7 +4951,7 @@ words: This array of Parameter Objects uses regular `style: "form"` expansion, fully supported by [RFC6570](https://datatracker.ietf.org/doc/html/rfc6570): -```YAML +```yaml parameters: - name: formulas in: query @@ -4294,7 +4985,7 @@ when expanded with the data given earlier, we get: But now let's say that (for some reason), we really want that `/` in the `b` formula to show up as-is in the query string, and we want our words to be space-separated like in a written phrase. To do that, we'll add `allowReserved: true` to `formulas`, and change to `style: "spaceDelimited"` for `words`: -```YAML +```yaml parameters: - name: formulas in: query @@ -4326,15 +5017,17 @@ Here is one such template, using a made-up convention of `words.0` for the first RFC6570 [mentions](https://www.rfc-editor.org/rfc/rfc6570.html#section-2.4.2) the use of `.` "to indicate name hierarchy in substructures," but does not define any specific naming convention or behavior for it. Since the `.` usage is not automatic, we'll need to construct an appropriate input structure for this new template. -We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://www.rfc-editor.org/rfc/rfc1866#section-8.2.1) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. +We'll also need to pre-process the values for `formulas` because while `/` and most other reserved characters are allowed in the query string by RFC3986, `[`, `]`, and `#` [are not](https://datatracker.ietf.org/doc/html/rfc3986#appendix-A), and `&`, `=`, and `+` all have [special behavior](https://url.spec.whatwg.org/#application/x-www-form-urlencoded) in the `application/x-www-form-urlencoded` format, which is what we are using in the query string. -Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged._ -Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it _will_ leave the percent-encoded triples unchanged. +Setting `allowReserved: true` does _not_ make reserved characters that are not allowed in URIs allowed, it just allows them to be _passed through expansion unchanged_, for example because some other specification has defined a particular meaning for them. + +Therefore, users still need to percent-encode any reserved characters that are _not_ being passed through due to a special meaning because reserved expansion does not know which reserved characters are being used, and which should still be percent-encoded. +However, reserved expansion, unlike regular expansion, _will_ leave the pre-percent-encoded triples unchanged. See also [Appendix E](#appendix-e-percent-encoding-and-form-media-types) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for `spaceDelimited`, `pipeDelimited`, and `deepObject` in parameter names and values. So here is our data structure that arranges the names and values to suit the template above, where values for `formulas` have `[]#&=+` pre-percent encoded (although only `+` appears in this example): -```YAML +```yaml a: x%2By b: x/y c: x^y @@ -4355,7 +5048,7 @@ The `/` and the pre-percent-encoded `%2B` have been left alone, but the disallow Care must be taken when manually constructing templates to handle the values that RFC6570 [considers to be _undefined_](https://datatracker.ietf.org/doc/html/rfc6570#section-2.3) correctly: -```YAML +```yaml formulas: {} words: - hello @@ -4372,7 +5065,7 @@ This means that the manually constructed URI Template and restructured data need Restructured data: -```YAML +```yaml words.0: hello words.1: world ``` @@ -4393,7 +5086,7 @@ Result: In this example, the heart emoji is not legal in URI Template names (or URIs): -```YAML +```yaml parameters: - name: ❤️ in: query @@ -4404,7 +5097,7 @@ parameters: We can't just pass `❤️: "love!"` to an RFC6570 implementation. Instead, we have to pre-percent-encode the name (which is a six-octet UTF-8 sequence) in both the data and the URI Template: -```YAML +```yaml "%E2%9D%A4%EF%B8%8F": love! ``` @@ -4420,32 +5113,40 @@ This will expand to the result: ## Appendix D: Serializing Headers and Cookies -[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "header"` and `in: "cookie"` parameters. -In many cases, it is more appropriate to use `content` with a media type such as `text/plain` and require the application to assemble the correct string. +HTTP headers have inconsistent rules regarding what characters are allowed, and how some or all disallowed characters can be escaped and included. +While the `quoted-string` ABNF rule given in [[RFC9110]] [Section 5.4.6](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.4) is the most common escaping solution, it is not sufficiently universal to apply automatically. +For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the contents), and a weak `ETag` looks like `W/"foo"` (note that only part of the value is quoted); the contents of the quotes for this header are also not escaped in the way `quoted-string` contents are. -For both [RFC6265](https://www.rfc-editor.org/rfc/rfc6265) cookies and HTTP headers using the [RFC8941](https://www.rfc-editor.org/rfc/rfc8941) structured fields syntax, non-ASCII content is handled using base64 encoding (`contentEncoding: "base64"`). -Note that the standard base64-encoding alphabet includes non-URL-safe characters that are percent-encoded by RFC6570 expansion; serializing values through both encodings is NOT RECOMMENDED. -While `contentEncoding` also supports the `base64url` encoding, which is URL-safe, the header and cookie RFCs do not mention this encoding. +For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes. -Most HTTP headers predate the structured field syntax, and a comprehensive assessment of their syntax and encoding rules is well beyond the scope of this specification. -While [RFC8187](https://www.rfc-editor.org/rfc/rfc8187) recommends percent-encoding HTTP (header or trailer) field parameters, these parameters appear after a `;` character. -With `style: "simple"`, that delimiter would itself be percent-encoded, violating the general HTTP field syntax. +### Percent-Encoding and Cookies -Using `style: "form"` with `in: "cookie"` is ambiguous for a single value, and incorrect for multiple values. -This is true whether the multiple values are the result of using `explode: true` or not. +[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters. +While percent-encoding seems more common as an escaping mechanism than the base64 encoding (`contentEncoding`: "base64") recommended by [[RFC6265]], [section 5.6 of draft-ietf-httpbis-rfc6265bis-20](https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-20.html#section-5.6), the proposed update to that RFC notes that cookies sent in the `Set-Cookie` response header that appear to be percent-encoded MUST NOT be decoded when stored by the client, which would mean that they are already encoded when retrieved from that storage for use in the `Cookie` request header. +The behavior of `style: "cookie"` assumes this usage, and _does not_ apply or remove percent-encoding. -This style is specified to be equivalent to RFC6570 form expansion which includes the `?` character (see [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details), which is not part of the cookie syntax. -However, examples of this style in past versions of this specification have not included the `?` prefix, suggesting that the comparison is not exact. -Because implementations that rely on an RFC6570 implementation and those that perform custom serialization based on the style example will produce different results, it is implementation-defined as to which of the two results is correct. - -For multiple values, `style: "form"` is always incorrect as name=value pairs in cookies are delimited by `;` (a semicolon followed by a space character) rather than `&`. +If automatic percent-encoding is desired, `style: "form"` with a primitive value or with the non-default `explode` value of `false` provides this behavior. +However, note that the default value of `explode: true` for `style: "form"` with non-primitive values uses the wrong delimiter for cookies (`&` instead of `;` followed by a single space) to set multiple cookie values. +Using `style: "form"` with `in: "cookie"` via an RFC6570 implementation requires stripping the `?` prefix, as when producing `application/x-www-form-urlencoded` message bodies. +To allow the full use of `style: "form"` with `in: "cookie"`, use the `allowReserved` field. ## Appendix E: Percent-Encoding and Form Media Types _**NOTE:** In this section, the `application/x-www-form-urlencoded` and `multipart/form-data` media types are abbreviated as `form-urlencoded` and `form-data`, respectively, for readability._ Percent-encoding is used in URIs and media types that derive their syntax from URIs. -This process is concerned with three sets of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: +The fundamental rules of percent-encoding are: + +* The set of characters that MUST be encoded varies depending on which version of which specification you use, and (for URIs) in which part of the URI the character appears. +* The way an unencoded `+` character is decoded depends on whether you are using `application/x-www-form-urlencoded` rules or more general URI rules; this is the only time where choice of decoding algorithm can change the outcome. +* Encoding more characters than necessary is always safe in terms of the decoding process, but may produce non-normalized URIs. +* In practice, some systems tolerate or even expect unencoded characters that some or all percent-encoding specifications require to be encoded; this can cause interoperability issues with more strictly compliant implementations. + +The rest of this appendix provides more detailed guidance based on the above rules. + +### Percent-Encoding Character Classes + +This process is concerned with three classes of characters, the names of which vary among specifications but are defined as follows for the purposes of this section: * _unreserved_ characters do not need to be percent-encoded; while it is safe to percent-encode them, doing so produces a URI that is [not normalized](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2) * _reserved_ characters either have special behavior in the URI syntax (such as delimiting components) or are reserved for other specifications that need to define special behavior (e.g. `form-urlencoded` defines special behavior for `=`, `&`, and `+`) @@ -4467,44 +5168,44 @@ This means that while these three characters are reserved-but-allowed in query s [RFC7578](https://datatracker.ietf.org/doc/html/rfc7578#section-2) suggests RFC3986-based percent-encoding as a mechanism to keep text-based per-part header data such as file names within the ASCII character set. This suggestion was not part of older (pre-2015) specifications for `form-data`, so care must be taken to ensure interoperability. +Users wishing to use percent-encoding in this way MUST provide the data in percent-encoded form, as percent-encoding is not automatically applied for this media type regardless of which Encoding Object fields are used. -The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding is not needed and is likely to cause interoperability problems unless the `Content-Type` of the part is defined to require it. +The `form-data` media type allows arbitrary text or binary data in its parts, so percent-encoding or similar escaping is not needed in general. ### Generating and Validating URIs and `form-urlencoded` Strings URI percent encoding and the `form-urlencoded` media type have complex specification histories spanning multiple revisions and, in some cases, conflicting claims of ownership by different standards bodies. Unfortunately, these specifications each define slightly different percent-encoding rules, which need to be taken into account if the URIs or `form-urlencoded` message bodies will be subject to strict validation. -(Note that many URI parsers do not perform validation by default.) +(Note that many URI parsers do not perform validation by default, if at all.) This specification normatively cites the following relevant standards: | Specification | Date | OAS Usage | Percent-Encoding | Notes | | ---- | ---- | ---- | ---- | ---- | -| [RFC3986](https://www.rfc-editor.org/rfc/rfc3986) | 01/2005 | URI/URL syntax | [[RFC3986]] | obsoletes [[RFC1738]], [[RFC2396]] | -| [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for form‑urlencoded | -| [RFC1866](https://datatracker.ietf.org/doc/html/rfc1866#section-8.2.1) | 11/1995 | content-based serialization | [[RFC1738]] | obsoleted by [[HTML401]] [Section 17.13.4.1](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1), [[URL]] [Section 5](https://url.spec.whatwg.org/#urlencoded-serializing) | +| [RFC3986](https://www.rfc-editor.org/rfc/rfc3986) | 01/2005 | URI/URL syntax, including non-`form-urlencoded` content-based serialization | [[RFC3986]] | obsoletes [[?RFC1738]], [[?RFC2396]] | +| [RFC6570](https://www.rfc-editor.org/rfc/rfc6570) | 03/2012 | style-based serialization | [[RFC3986]] | does not use `+` for query strings | +| [WHATWG-URL Section 5](https://url.spec.whatwg.org/#application/x-www-form-urlencoded) | "living" standard | content-based `form/url-encoded` serialization, including HTTP message contents | [WHATWG-URL Section 1.3](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) | obsoletes [[?RFC1866]], [[?HTML401]] | -Style-based serialization is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. +Style-based serialization with percent-encoding is used in the [Parameter Object](#parameter-object) when `schema` is present, and in the [Encoding Object](#encoding-object) when at least one of `style`, `explode`, or `allowReserved` is present. See [Appendix C](#appendix-c-using-rfc6570-based-serialization) for more details of RFC6570's two different approaches to percent-encoding, including an example involving `+`. -Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. -Each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string. - -Note that content-based serialization for `form-data` does not expect or require percent-encoding in the data, only in per-part header values. +Content-based serialization is defined by the [Media Type Object](#media-type-object), and used with the [Parameter Object](#parameter-object) and [Header Object](#header-object) when the `content` field is present, and with the [Encoding Object](#encoding-object) based on the `contentType` field when the fields `style`, `explode`, and `allowReserved` are absent. +For use in URIs, each part is encoded based on the media type (e.g. `text/plain` or `application/json`), and must then be percent-encoded for use in a `form-urlencoded` string (in form-style query strings), or for general URI use in other URL components, unless the media type already incorporates URI percent-encoding. #### Interoperability with Historical Specifications -In most cases, generating query strings in strict compliance with [[RFC3986]] is sufficient to pass validation (including JSON Schema's `format: "uri"` and `format: "uri-reference"`), but some `form-urlencoded` implementations still expect the slightly more restrictive [[RFC1738]] rules to be used. +Prior versions of this specification required [[?RFC1866]] and its use of [[?RFC1738]] percent-encoding rules in place of [[WHATWG-URL]]. +The [[WHATWG-URL]] `form-urlencoded` rules represent the current browser consensus on that media type, and avoid the ambiguity introduced by unclear paraphrasing of RFC1738 in RFC1866. -Since all RFC1738-compliant URIs are compliant with RFC3986, applications needing to ensure historical interoperability SHOULD use RFC1738's rules. +Users needing conformance with RFC1866/RFC1738 are advised to check their tooling and library behavior carefully. #### Interoperability with Web Browser Environments WHATWG is a [web browser-oriented](https://whatwg.org/faq#what-is-the-whatwg-working-on) standards group that has defined a "URL Living Standard" for parsing and serializing URLs in a browser context, including parsing and serializing `form-urlencoded` data. -WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where it allows characters that [[RFC3986]] forbids. +WHATWG's percent-encoding rules for query strings are different depending on whether the query string is [being treated as `form-urlencoded`](https://url.spec.whatwg.org/#application-x-www-form-urlencoded-percent-encode-set) (where it requires more percent-encoding than [[?RFC1738]]) or [as part of the generic syntax](https://url.spec.whatwg.org/#query-percent-encode-set), where its requirements differ from [[RFC3986]]. -Implementations needing maximum compatibility with web browsers SHOULD use WHATWG's `form-urlencoded` percent-encoding rules. -However, they SHOULD NOT rely on WHATWG's less stringent generic query string rules, as the resulting URLs would fail RFC3986 validation, including JSON Schema's `format: uri` and `format: uri-reference`. +This specification only depends on WHATWG for its `form-urlencoded` specification. +Implementations using the query string in other ways are advised that, the distinctions between WHATWG's non-`form-urlencoded` query string rules and RFC3986 require careful consideration, incorporating both WHATWG's percent-encoding sets and their set of valid Unicode code points for URLs; see [Percent-Encoding and Illegal or Reserved Delimiters](#percent-encoding-and-illegal-or-reserved-delimiters) for more information. ### Decoding URIs and `form-urlencoded` Strings @@ -4520,22 +5221,299 @@ The `[`, `]`, `|`, and space characters, which are used as delimiters for the `d This requires users to pre-encode the character(s) in some other way in parameter names and values to distinguish them from the delimiter usage when using one of these styles. The space character is always illegal and encoded in some way by all implementations of all versions of the relevant standards. -While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result. +While one could use the `form-urlencoded` convention of `+` to distinguish spaces in parameter names and values from `spaceDelimited` delimiters encoded as `%20`, the specifications define the decoding as a single pass, making it impossible to distinguish the different usages in the decoded result unless a non-standard parsing algorithm is used that separates based on one delimiter before decoding the other. +Any such non-standard parsing approach will not be interoperable across all tools. -Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties, and WHATWG's generic query string rules do not require percent-encoding them. +Some environments use `[`, `]`, and possibly `|` unencoded in query strings without apparent difficulties. +WHATWG's generic query string rules do not require percent-encoding them in non-`form-urlencoded` query strings, although it also excludes them from the set of valid URL Unicode code points. Code that relies on leaving these delimiters unencoded, while using regular percent-encoding for them within names and values, is not guaranteed to be interoperable across all implementations. For maximum interoperability, it is RECOMMENDED to either define and document an additional escape convention while percent-encoding the delimiters for these styles, or to avoid these styles entirely. The exact method of additional encoding/escaping is left to the API designer, and is expected to be performed before serialization and encoding described in this specification, and reversed after this specification's encoding and serialization steps are reversed. This keeps it outside of the processes governed by this specification. -## Appendix F: Resolving Security Requirements in a Referenced Document +## Appendix F: Examples of Base URI Determination and Reference Resolution + +This section shows each of the four possible sources of base URIs, followed by an example with a relative `$self` and `$id`. + +### Base URI Within Content + +A base URI within the resource's content ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.1)) is the highest-precedence source of a base URI. +For OpenAPI documents, this source is the OpenAPI Object's `$self` field, while for Schema Objects that contain a `$id`, or are a subschema of a Schema Object containing a `$id`, the source is the `$id` field: + +Assume the retrieval URI of the following document is `file://home/someone/src/api/openapi.yaml`: + +```yaml +openapi: 3.2.0 +$self: https://example.com/api/openapi +info: + title: Example API + version: 1.0 +paths: + /foo: + get: + requestBody: + $ref: "shared/foo#/components/requestBodies/Foo" +``` + +Assume the retrieval URI for the following document is `https://git.example.com/shared/blob/main/shared/foo.yaml`: + +```yaml +openapi: 3.2.0 +$self: https://example.com/api/shared/foo +info: + title: Shared components for all APIs + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: ../schemas/foo + schemas: + Foo: + $id: https://example.com/api/schemas/foo + properties: + bar: + $ref: bar + Bar: + $id: https://example.com/api/schemas/bar + type: string +``` + +In this example, the retrieval URIs are irrelevant because both documents define `$self`. + +The relative `$ref` in the first document is resolved against `$self` to produce `https://example.com/api/shared/foo#/components/requestBodies/Foo`. +The portion of that URI before the `#` matches the `$self` of the second document, so the reference target is resolved to `#/components/requestBodies/Foo` in that second document. + +In that document, the `$ref` in the Request Body Object is resolved using that document's `$self` as the base URI, producing `https://example.com/api/schemas/foo`. +This matches the `$id` at `#/components/schemas/Foo/$id` so it points to that Schema Object. +That Schema Object has a subschema with `$ref: bar`, which is resolved against the `$id` to produce `https://example.com/api/schemas/bar`, which matches the `$id` at `#/components/schemas/Bar/$id`. + +To guarantee interoperability, Schema Objects containing an `$id`, or that are under a schema containing an `$id`, MUST be referenced by the nearest such `$id` for the non-fragment part of the reference. +As the JSON Schema specification notes, using a base URI other than the nearest `$id` and crossing that `$id` with a JSON Pointer fragment [is not interoperable](https://www.ietf.org/archive/id/draft-bhutton-json-schema-01.html#name-json-pointer-fragments-and-). + +Note also that it is impossible for the reference at `#/components/schemas/Foo/properties/bar/$ref` to reference the schema at `#/components/schemas/Bar` using _only_ a JSON Pointer fragment, as the JSON Pointer would be resolved relative to `https://example.com/api/schemas/foo`, not to the OpenAPI document's base URI from `$self`. + +### Base URI From Encapsulating Entity + +If no base URI can be determined within the content, the next location to search is any encapsulating entity ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.2)). + +This is common for Schema Objects encapsulated within an OpenAPI document. +An example of an OpenAPI Object itself being encapsulated in another entity would be a `multipart/related` archive ([[?RFC2557]]), such as the following `multipart/related; boundary="boundary-example"; type="application/openapi+yaml"` document. +Note that this is purely an example, and support for such multipart documents or any other format that could encapsulate an OpenAPI Object is not a requirement of this specification. + +RFC2557 was written to allow sending hyperlinked sets of documents as email attachments, in which case there would not be a retrieval URI for the multipart attachment (although the format could also be used in HTTP as well). + +```multipart +--boundary-example +Content-Type: application/openapi+yaml +Content-Location: https://example.com/api/openapi.yaml + +openapi: 3.2.0 +info: + title: Example API + version: 1.0 + externalDocs: + url: docs.html +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: "#/components/api/schemas/Foo" + schemas: + Foo: + properties: + bar: + $ref: schemas/bar +--boundary-example +Content-Type: application/schema+json +Content-Location: https://example.com/api/schemas/bar + +{ + "type": "string" +} +--boundary-example +Content-Type: text/html +Content-Location: https://example.com/api/docs.html + + + + API Documentation + + +

Awesome documentation goes here

+ + +--boundary-example +``` + +In this example, the URI for each part, which also serves as its base URI, comes from the part's `Content-Location` header as specified by RFC2557. +Since the Schema Object at `#/components/schemas/Foo` does not contain an `$id`, the reference in its subschema uses the OpenAPI document's base URI, which is taken from the `Content-Location` header of its part within the `multipart/related` format. +The resulting reference to `https://example.com/schemas/bar` matches the `Content-Location` header of the second part, which according to RFC2557 allows the reference target to be located within the multipart archive. + +Similarly, the `url` field of the [External Documentation Object](#external-documentation-object) is resolved against the base URI from `Content-Location`, producing `https://example.com/api/docs.html` which matches the `Content-Location` of the third part. + +### Base URI From the Retrieval URI + +If no base URI is provided from either of the previous sources, the next source is the retrieval URI ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.3)). + +Assume this document was retrieved from `https://example.com/api/openapis.yaml`: + +```yaml +openapi: 3.2.0 +info: + title: Example API + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: schemas/foo +``` + +Assume this document was retrieved from `https://example.com/api/schemas/foo`: + +```json +{ + "type": "object", + "properties": { + "bar": { + "type": "string" + } + } +} +``` + +Resolving the `$ref: schemas/foo` against the retrieval URI of the OpenAPI document produces `https://example.com/api/schemas/foo`, the retrieval URI of the JSON Schema document. + +### Application-Specific Default Base URI + +When constructing an OpenAPI document in memory that does not have a `$self`, or an encapsulating entity, or a retrieval URI, applications can resolve internal (fragment-only) references by assuming a default base URI ([RFC3986](https://tools.ietf.org/html/rfc3986#section-5.1.4)). +While this sort of internal resolution can be performed in practice without choosing a base URI, choosing one, such as a URN with a randomly generated UUID (e.g. `urn:uuid:f26cdaad-3193-4398-a838-4ecb7326c4c5`) avoids the need to implement it as a special case. + +### Resolving Relative `$self` and `$id` + +Let's re-consider the first example in this appendix, but with relative URI references for `$self` and `$id`, and retrieval URIs that support that relative usage: + + +Assume that the following is retrieved from `https://staging.example.com/api/openapi`: + +```yaml +openapi: 3.2.0 +$self: /api/openapi +info: + title: Example API + version: 1.0 +paths: + /foo: + get: + requestBody: + $ref: "shared/foo#/components/requestBodies/Foo" +``` + +Assume the retrieval URI for the following document is `https://staging.example.com/api/shared/foo`: + +```yaml +openapi: 3.2.0 +$self: /api/shared/foo +info: + title: Shared components for all APIs + version: 1.0 +components: + requestBodies: + Foo: + content: + application/json: + schema: + $ref: ../schemas/foo + schemas: + Foo: + $id: /api/schemas/foo + properties: + bar: + $ref: bar + Bar: + $id: /api/schemas/bar + type: string +``` + +In this example, all of the `$self` and `$id` values are relative URI references consisting of an absolute path. +This allows the retrieval URI to set the host (and scheme), in this case `https://staging.example.com`, resulting in the first document's `$self` being `https://staging.example.com/openapi`, and the second document's `$self` being `https://staging.example.com/api/shared/foo`, with `$id` values of `https://staging.example.com/api/schemas/foo` and `https://staging.example.com/api/schemas/bar`. +Relative `$self` and `$id` values of this sort allow the same set of documents to work when deployed to other hosts, e.g. `https://example.com` (production) or `https://localhost:8080` (local development). + +## Appendix G: Parsing and Resolution Guidance + +Implementations MAY support complete-document parsing in any of the following ways: + +* Detecting OpenAPI or JSON Schema documents using media types +* Detecting OpenAPI documents through the root `openapi` field +* Detecting JSON Schema documents through detecting keywords or otherwise successfully parsing the document in accordance with the JSON Schema specification + +Additional mechanisms can be used to support documents with Objects other than an OpenAPI Object or a Schema Object at the root, but note that the resulting behavior is implementation-defined: + +* Detecting a document containing a referenceable Object at its root based on the expected type of the reference +* Allowing users to configure the type of documents that might be loaded due to a reference to a non-root Object + +### Warnings Regarding Fragmentary Parsing + +Implementations that parse referenced fragments of OpenAPI content without regard for the content of the rest of the containing document will miss keywords that change the meaning and behavior of the reference target. +In particular, failing to take into account keywords that change the base URI introduces security risks by causing references to resolve to unintended URIs, with unpredictable results. +While some implementations support this sort of parsing due to the requirements of past versions of this specification, in version 3.1 and later, the result of parsing fragments in isolation is _undefined_ and likely to contradict the requirements of this specification. + +While it is possible to structure certain OpenAPI Descriptions to ensure that they will behave correctly when references are parsed as isolated fragments, depending on this is NOT RECOMMENDED. +This specification does not explicitly enumerate the conditions under which such behavior is safe and provides no guarantee for continued safety in any future versions of the OAS. + +### Conflicts Between Field Types and Reference Contexts + +JSON or YAML objects within an OAD are interpreted as specific Objects (such as [Operation Objects](#operation-object), [Response Objects](#response-object), [Reference Objects](#reference-object), etc.) based on their context. Depending on how references are arranged, a given JSON or YAML object can be interpreted in multiple different contexts: + +* As the root object of the [entry document](#openapi-description-structure), which is always interpreted as an OpenAPI Object +* As the Object type implied by its parent Object's field within the document +* As a reference target, with the Object type matching the reference source's context + +If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as _different_ Object types, the resulting behavior is _implementation defined_, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under `#/components/schemas` where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios. + +### Guidance Regarding Implicit Connections + +The following Objects and Fields involve the use of implicit connections: + +| Source | Target | Alternative | +| ---- | ---- | ---- | +| [Security Requirement Object](#security-requirement-object) `{name}` | [Security Scheme Object](#security-scheme-object) name under the [Components Object](#components-object) | _n/a_ | +| [Discriminator Object](#discriminator-object) `mapping` _(implicit, or explicit name syntax)_ | [Schema Object](#schema-object) name under the Components Object | `mapping` _(explicit URI syntax)_ | +| [Operation Object](#operation-object) `tags` | [Tag Object](#tag-object) `name` (in the [OpenAPI Object](#openapi-object)'s `tags` array) | _n/a_ | +| [Link Object](#link-object) `operationId` | [Operation Object](#operation-object) `operationId` | `operationRef` | + +An additional implicit connection involves appending the templated URL paths of the [Paths Object](#paths-object) to the appropriate [Server Object](#server-object)'s `url` field. +This connection is unambiguous because only the entry document's Paths Object contributes URLs to the described API. + +The implicit connections in the Security Requirement Object and Discriminator Object rely on the _component name_, which is the name of the property holding the component in the appropriately typed sub-object of the Components Object. +For example, the component name of the Schema Object at `#/components/schemas/Foo` is `Foo`. +The implicit connection of `tags` in the Operation Object uses the `name` field of Tag Objects, which (like the Components Object) are found under the root OpenAPI Object. +This means resolving component names and tag names both depend on starting from the correct OpenAPI Object. + +For resolving component and tag name connections from a referenced (non-entry) document, it is RECOMMENDED that tools resolve from the entry document, rather than the current document. +Resolving component and tag name connections from a referenced (non-entry) document to the entry document as recommended under [Resolving Implicit Connections](#resolving-implicit-connections) allows components and Tag Objects to be defined next to the API's deployment information in the top-level array of Server Objects and treated as an interface for referenced documents to access. + +For Security Requirement Objects and Discriminator Objects, it is also possible to keep the resolution within the referenced document by using the URI-reference form that these Objects offer. + +There are no URI-based alternatives for the Operation Object's `tags` field. +OAD authors are advised to use external solutions such as the OpenAPI Initiative's Overlay Specification to simulate sharing [Tag Objects](#tag-object) across multiple documents. + +#### Implicit Connection Resolution Examples -This appendix shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. See [Resolving Implicit Connections](#resolving-implicit-connections) for more information. +This section shows how to retrieve an HTTP-accessible multi-document OpenAPI Description (OAD) and resolve a [Security Requirement Object](#security-requirement-object) in the referenced (non-entry) document. +The behavior for Discriminator Object non-URI mappings and for the Operation Object's `tags` field operate on the same principles. First, the [entry document](#openapi-description-structure) is where parsing begins. It defines the `MySecurity` security scheme to be JWT-based, and it defines a Path Item as a reference to a component in another document: -```HTTP +```http GET /api/description/openapi HTTP/1.1 Host: www.example.com Accept: application/openapi+json @@ -4558,7 +5536,7 @@ Accept: application/openapi+json } ``` -```HTTP +```http GET /api/description/openapi HTTP/1.1 Host: www.example.com Accept: application/openapi+yaml @@ -4578,7 +5556,7 @@ paths: This entry document references another document, `other`, without using a file extension. This gives the client the flexibility to choose an acceptable format on a resource-by-resource basis, assuming both representations are available: -```HTTP +```http GET /api/description/other HTTP/1.1 Host: www.example.com Accept: application/openapi+json @@ -4604,7 +5582,7 @@ Accept: application/openapi+json } ``` -```HTTP +```http GET /api/description/other HTTP/1.1 Host: www.example.com Accept: application/openapi+yaml @@ -4623,4 +5601,4 @@ components: - MySecurity: [] ``` -In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior). However, documented in that section, it is RECOMMENDED that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. +In the `other` document, the referenced path item has a Security Requirement for a Security Scheme, `MySecurity`. The same Security Scheme exists in the original entry document. As outlined in [Resolving Implicit Connections](#resolving-implicit-connections), `MySecurity` is resolved with an [implementation-defined behavior](#undefined-and-implementation-defined-behavior), but the section formally recommends that tools resolve component names from the [entry document](#openapi-description-structure). As with all implementation-defined behavior, it is important to check tool documentation to determine which behavior is supported. diff --git a/src/schemas/validation/dialect.yaml b/src/schemas/validation/dialect.yaml index d300d94feb..1986c9e8f8 100644 --- a/src/schemas/validation/dialect.yaml +++ b/src/schemas/validation/dialect.yaml @@ -1,8 +1,8 @@ -$id: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +$id: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS $schema: https://json-schema.org/draft/2020-12/schema -title: OpenAPI 3.1 Schema Object Dialect -description: A JSON Schema dialect describing schemas found in OpenAPI v3.1 Descriptions +title: OpenAPI 3.2 Schema Object Dialect +description: A JSON Schema dialect describing schemas found in OpenAPI v3.2.x Descriptions $dynamicAnchor: meta @@ -14,8 +14,8 @@ $vocabulary: https://json-schema.org/draft/2020-12/vocab/meta-data: true https://json-schema.org/draft/2020-12/vocab/unevaluated: true https://json-schema.org/draft/2020-12/vocab/validation: true - https://spec.openapis.org/oas/3.1/vocab/base: false + https://spec.openapis.org/oas/3.2/vocab/base: false allOf: - $ref: https://json-schema.org/draft/2020-12/schema - - $ref: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS + - $ref: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS diff --git a/src/schemas/validation/meta.yaml b/src/schemas/validation/meta.yaml index 6cfce4976d..ca512c4353 100644 --- a/src/schemas/validation/meta.yaml +++ b/src/schemas/validation/meta.yaml @@ -1,13 +1,13 @@ -$id: https://spec.openapis.org/oas/3.1/meta/WORK-IN-PROGRESS +$id: https://spec.openapis.org/oas/3.2/meta/WORK-IN-PROGRESS $schema: https://json-schema.org/draft/2020-12/schema title: OAS Base Vocabulary -description: A JSON Schema Vocabulary used in the OpenAPI Schema Dialect +description: A JSON Schema Vocabulary used in the OpenAPI JSON Schema Dialect $dynamicAnchor: meta $vocabulary: - https://spec.openapis.org/oas/3.1/vocab/base: true + https://spec.openapis.org/oas/3.2/vocab/base: true type: - object @@ -15,7 +15,8 @@ type: properties: discriminator: $ref: '#/$defs/discriminator' - example: true + example: + deprecated: true externalDocs: $ref: '#/$defs/external-docs' xml: @@ -29,10 +30,10 @@ $defs: additionalProperties: type: string type: object + defaultMapping: + type: string propertyName: type: string - required: - - propertyName type: object unevaluatedProperties: false @@ -55,16 +56,31 @@ $defs: xml: $ref: '#/$defs/extensible' properties: - attribute: - type: boolean + nodeType: + type: string + enum: + - element + - attribute + - text + - cdata + - none name: type: string namespace: - format: uri + format: iri type: string prefix: type: string + attribute: + type: boolean + deprecated: true wrapped: type: boolean + deprecated: true type: object + dependentSchemas: + nodeType: + properties: + attribute: false + wrapped: false unevaluatedProperties: false diff --git a/src/schemas/validation/schema-base.yaml b/src/schemas/validation/schema-base.yaml index ea239c03e9..195ae5ed43 100644 --- a/src/schemas/validation/schema-base.yaml +++ b/src/schemas/validation/schema-base.yaml @@ -1,20 +1,20 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema-base/WORK-IN-PROGRESS' +$id: 'https://spec.openapis.org/oas/3.2/schema-base/WORK-IN-PROGRESS' $schema: 'https://json-schema.org/draft/2020-12/schema' -description: The description of OpenAPI v3.1.x Documents using the OpenAPI JSON Schema dialect +description: The description of OpenAPI v3.2.x Documents using the OpenAPI JSON Schema dialect -$ref: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +$ref: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' properties: jsonSchemaDialect: $ref: '#/$defs/dialect' $defs: dialect: - const: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + const: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' schema: $dynamicAnchor: meta - $ref: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + $ref: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' properties: $schema: $ref: '#/$defs/dialect' diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml index 54c49a2f97..05e5704fe1 100644 --- a/src/schemas/validation/schema.yaml +++ b/src/schemas/validation/schema.yaml @@ -1,19 +1,24 @@ -$id: 'https://spec.openapis.org/oas/3.1/schema/WORK-IN-PROGRESS' +$id: 'https://spec.openapis.org/oas/3.2/schema/WORK-IN-PROGRESS' $schema: 'https://json-schema.org/draft/2020-12/schema' -description: The description of OpenAPI v3.1.x Documents without Schema Object validation +description: The description of OpenAPI v3.2.x Documents without Schema Object validation type: object properties: openapi: type: string - pattern: '^3\.1\.\d+(-.+)?$' + pattern: '^3\.2\.\d+(-.+)?$' + $self: + type: string + format: uri-reference + $comment: MUST NOT contain a fragment + pattern: '^[^#]*$' info: $ref: '#/$defs/info' jsonSchemaDialect: type: string - format: uri - default: 'https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS' + format: uri-reference + default: 'https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS' servers: type: array items: @@ -53,7 +58,7 @@ unevaluatedProperties: false $defs: info: - $comment: https://spec.openapis.org/oas/v3.1#info-object + $comment: https://spec.openapis.org/oas/v3.2#info-object type: object properties: title: @@ -64,7 +69,7 @@ $defs: type: string termsOfService: type: string - format: uri + format: uri-reference contact: $ref: '#/$defs/contact' license: @@ -78,14 +83,14 @@ $defs: unevaluatedProperties: false contact: - $comment: https://spec.openapis.org/oas/v3.1#contact-object + $comment: https://spec.openapis.org/oas/v3.2#contact-object type: object properties: name: type: string url: type: string - format: uri + format: uri-reference email: type: string format: email @@ -93,7 +98,7 @@ $defs: unevaluatedProperties: false license: - $comment: https://spec.openapis.org/oas/v3.1#license-object + $comment: https://spec.openapis.org/oas/v3.2#license-object type: object properties: name: @@ -102,7 +107,7 @@ $defs: type: string url: type: string - format: uri + format: uri-reference required: - name dependentSchemas: @@ -114,13 +119,15 @@ $defs: unevaluatedProperties: false server: - $comment: https://spec.openapis.org/oas/v3.1#server-object + $comment: https://spec.openapis.org/oas/v3.2#server-object type: object properties: url: type: string description: type: string + name: + type: string variables: type: object additionalProperties: @@ -131,7 +138,7 @@ $defs: unevaluatedProperties: false server-variable: - $comment: https://spec.openapis.org/oas/v3.1#server-variable-object + $comment: https://spec.openapis.org/oas/v3.2#server-variable-object type: object properties: enum: @@ -149,7 +156,7 @@ $defs: unevaluatedProperties: false components: - $comment: https://spec.openapis.org/oas/v3.1#components-object + $comment: https://spec.openapis.org/oas/v3.2#components-object type: object properties: schemas: @@ -192,8 +199,12 @@ $defs: type: object additionalProperties: $ref: '#/$defs/path-item' + mediaTypes: + type: object + additionalProperties: + $ref: '#/$defs/media-type-or-reference' patternProperties: - '^(schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems)$': + '^(?:schemas|responses|parameters|examples|requestBodies|headers|securitySchemes|links|callbacks|pathItems|mediaTypes)$': $comment: Enumerating all of the property names in the regex above is necessary for unevaluatedProperties to work as expected propertyNames: pattern: '^[a-zA-Z0-9._-]+$' @@ -201,7 +212,7 @@ $defs: unevaluatedProperties: false paths: - $comment: https://spec.openapis.org/oas/v3.1#paths-object + $comment: https://spec.openapis.org/oas/v3.2#paths-object type: object patternProperties: '^/': @@ -210,7 +221,7 @@ $defs: unevaluatedProperties: false path-item: - $comment: https://spec.openapis.org/oas/v3.1#path-item-object + $comment: https://spec.openapis.org/oas/v3.2#path-item-object type: object properties: $ref: @@ -225,9 +236,25 @@ $defs: items: $ref: '#/$defs/server' parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' + $ref: '#/$defs/parameters' + additionalOperations: + type: object + additionalProperties: + $ref: '#/$defs/operation' + propertyNames: + $comment: RFC9110 restricts methods to "1*tchar" in ABNF + pattern: "^[a-zA-Z0-9!#$%&'*+.^_`|~-]+$" + not: + enum: + - GET + - PUT + - POST + - DELETE + - OPTIONS + - HEAD + - PATCH + - TRACE + - QUERY get: $ref: '#/$defs/operation' put: @@ -244,11 +271,13 @@ $defs: $ref: '#/$defs/operation' trace: $ref: '#/$defs/operation' + query: + $ref: '#/$defs/operation' $ref: '#/$defs/specification-extensions' unevaluatedProperties: false operation: - $comment: https://spec.openapis.org/oas/v3.1#operation-object + $comment: https://spec.openapis.org/oas/v3.2#operation-object type: object properties: tags: @@ -264,9 +293,7 @@ $defs: operationId: type: string parameters: - type: array - items: - $ref: '#/$defs/parameter-or-reference' + $ref: '#/$defs/parameters' requestBody: $ref: '#/$defs/request-body-or-reference' responses: @@ -290,21 +317,51 @@ $defs: unevaluatedProperties: false external-documentation: - $comment: https://spec.openapis.org/oas/v3.1#external-documentation-object + $comment: https://spec.openapis.org/oas/v3.2#external-documentation-object type: object properties: description: type: string url: type: string - format: uri + format: uri-reference required: - url $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + parameters: + type: array + items: + $ref: '#/$defs/parameter-or-reference' + not: + allOf: + - contains: + type: object + properties: + in: + const: query + required: + - in + - contains: + type: object + properties: + in: + const: querystring + required: + - in + contains: + type: object + properties: + in: + const: querystring + required: + - in + minContains: 0 + maxContains: 1 + parameter: - $comment: https://spec.openapis.org/oas/v3.1#parameter-object + $comment: https://spec.openapis.org/oas/v3.2#parameter-object type: object properties: name: @@ -312,6 +369,7 @@ $defs: in: enum: - query + - querystring - header - path - cookie @@ -337,17 +395,25 @@ $defs: - schema - required: - content - if: - properties: - in: - const: query - required: - - in - then: - properties: - allowEmptyValue: - default: false - type: boolean + allOf: + - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' + - if: + properties: + in: + const: query + then: + properties: + allowEmptyValue: + default: false + type: boolean + - if: + properties: + in: + const: querystring + then: + required: + - content dependentSchemas: schema: properties: @@ -355,8 +421,10 @@ $defs: type: string explode: type: boolean + allowReserved: + default: false + type: boolean allOf: - - $ref: '#/$defs/examples' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-path' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-header' - $ref: '#/$defs/parameter/dependentSchemas/schema/$defs/styles-for-query' @@ -369,8 +437,6 @@ $defs: properties: in: const: path - required: - - in then: properties: style: @@ -389,8 +455,6 @@ $defs: properties: in: const: header - required: - - in then: properties: style: @@ -402,8 +466,6 @@ $defs: properties: in: const: query - required: - - in then: properties: style: @@ -413,24 +475,20 @@ $defs: - spaceDelimited - pipeDelimited - deepObject - allowReserved: - default: false - type: boolean styles-for-cookie: if: properties: in: const: cookie - required: - - in then: properties: style: default: form - const: form + enum: + - form + - cookie - $ref: '#/$defs/specification-extensions' unevaluatedProperties: false parameter-or-reference: @@ -444,7 +502,7 @@ $defs: $ref: '#/$defs/parameter' request-body: - $comment: https://spec.openapis.org/oas/v3.1#request-body-object + $comment: https://spec.openapis.org/oas/v3.2#request-body-object type: object properties: description: @@ -470,30 +528,55 @@ $defs: $ref: '#/$defs/request-body' content: - $comment: https://spec.openapis.org/oas/v3.1#fixed-fields-10 + $comment: https://spec.openapis.org/oas/v3.2#fixed-fields-10 type: object additionalProperties: - $ref: '#/$defs/media-type' + $ref: '#/$defs/media-type-or-reference' propertyNames: format: media-range media-type: - $comment: https://spec.openapis.org/oas/v3.1#media-type-object + $comment: https://spec.openapis.org/oas/v3.2#media-type-object type: object properties: + description: + type: string schema: $dynamicRef: '#meta' + itemSchema: + $dynamicRef: '#meta' encoding: type: object additionalProperties: $ref: '#/$defs/encoding' + prefixEncoding: + type: array + items: + $ref: '#/$defs/encoding' + itemEncoding: + $ref: '#/$defs/encoding' + dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false allOf: - - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + media-type-or-reference: + if: + type: object + required: + - $ref + then: + $ref: '#/$defs/reference' + else: + $ref: '#/$defs/media-type' + encoding: - $comment: https://spec.openapis.org/oas/v3.1#encoding-object + $comment: https://spec.openapis.org/oas/v3.2#encoding-object type: object properties: contentType: @@ -504,7 +587,6 @@ $defs: additionalProperties: $ref: '#/$defs/header-or-reference' style: - default: form enum: - form - spaceDelimited @@ -513,15 +595,43 @@ $defs: explode: type: boolean allowReserved: - default: false type: boolean + encoding: + type: object + additionalProperties: + $ref: '#/$defs/encoding' + prefixEncoding: + type: array + items: + $ref: '#/$defs/encoding' + itemEncoding: + $ref: '#/$defs/encoding' + dependentSchemas: + encoding: + properties: + prefixEncoding: false + itemEncoding: false + style: + properties: + allowReserved: + default: false + explode: + properties: + style: + default: form + allowReserved: + default: false + allowReserved: + properties: + style: + default: form allOf: - $ref: '#/$defs/specification-extensions' - $ref: '#/$defs/styles-for-form' unevaluatedProperties: false responses: - $comment: https://spec.openapis.org/oas/v3.1#responses-object + $comment: https://spec.openapis.org/oas/v3.2#responses-object type: object properties: default: @@ -540,9 +650,11 @@ $defs: required: [default] response: - $comment: https://spec.openapis.org/oas/v3.1#response-object + $comment: https://spec.openapis.org/oas/v3.2#response-object type: object properties: + summary: + type: string description: type: string headers: @@ -555,8 +667,6 @@ $defs: type: object additionalProperties: $ref: '#/$defs/link-or-reference' - required: - - description $ref: '#/$defs/specification-extensions' unevaluatedProperties: false @@ -571,7 +681,7 @@ $defs: $ref: '#/$defs/response' callbacks: - $comment: https://spec.openapis.org/oas/v3.1#callback-object + $comment: https://spec.openapis.org/oas/v3.2#callback-object type: object $ref: '#/$defs/specification-extensions' additionalProperties: @@ -588,21 +698,37 @@ $defs: $ref: '#/$defs/callbacks' example: - $comment: https://spec.openapis.org/oas/v3.1#example-object + $comment: https://spec.openapis.org/oas/v3.2#example-object type: object properties: summary: type: string description: type: string + dataValue: true + serializedValue: + type: string value: true externalValue: type: string - format: uri - not: - required: - - value - - externalValue + format: uri-reference + allOf: + - not: + required: + - value + - externalValue + - not: + required: + - value + - dataValue + - not: + required: + - value + - serializedValue + - not: + required: + - serializedValue + - externalValue $ref: '#/$defs/specification-extensions' unevaluatedProperties: false @@ -617,7 +743,7 @@ $defs: $ref: '#/$defs/example' link: - $comment: https://spec.openapis.org/oas/v3.1#link-object + $comment: https://spec.openapis.org/oas/v3.2#link-object type: object properties: operationRef: @@ -630,7 +756,7 @@ $defs: requestBody: true description: type: string - body: + server: $ref: '#/$defs/server' oneOf: - required: @@ -651,7 +777,7 @@ $defs: $ref: '#/$defs/link' header: - $comment: https://spec.openapis.org/oas/v3.1#header-object + $comment: https://spec.openapis.org/oas/v3.2#header-object type: object properties: description: @@ -682,8 +808,12 @@ $defs: explode: default: false type: boolean - $ref: '#/$defs/examples' - $ref: '#/$defs/specification-extensions' + allowReserved: + default: false + type: boolean + allOf: + - $ref: '#/$defs/examples' + - $ref: '#/$defs/specification-extensions' unevaluatedProperties: false header-or-reference: @@ -697,22 +827,28 @@ $defs: $ref: '#/$defs/header' tag: - $comment: https://spec.openapis.org/oas/v3.1#tag-object + $comment: https://spec.openapis.org/oas/v3.2#tag-object type: object properties: name: type: string + summary: + type: string description: type: string externalDocs: $ref: '#/$defs/external-documentation' + parent: + type: string + kind: + type: string required: - name $ref: '#/$defs/specification-extensions' unevaluatedProperties: false reference: - $comment: https://spec.openapis.org/oas/v3.1#reference-object + $comment: https://spec.openapis.org/oas/v3.2#reference-object type: object properties: $ref: @@ -724,14 +860,14 @@ $defs: type: string schema: - $comment: https://spec.openapis.org/oas/v3.1#schema-object + $comment: https://spec.openapis.org/oas/v3.2#schema-object $dynamicAnchor: meta type: - object - boolean security-scheme: - $comment: https://spec.openapis.org/oas/v3.1#security-scheme-object + $comment: https://spec.openapis.org/oas/v3.2#security-scheme-object type: object properties: type: @@ -743,6 +879,9 @@ $defs: - openIdConnect description: type: string + deprecated: + default: false + type: boolean required: - type allOf: @@ -760,8 +899,6 @@ $defs: properties: type: const: apiKey - required: - - type then: properties: name: @@ -780,8 +917,6 @@ $defs: properties: type: const: http - required: - - type then: properties: scheme: @@ -810,12 +945,13 @@ $defs: properties: type: const: oauth2 - required: - - type then: properties: flows: $ref: '#/$defs/oauth-flows' + oauth2MetadataUrl: + type: string + format: uri-reference required: - flows @@ -824,13 +960,11 @@ $defs: properties: type: const: openIdConnect - required: - - type then: properties: openIdConnectUrl: type: string - format: uri + format: uri-reference required: - openIdConnectUrl @@ -855,6 +989,8 @@ $defs: $ref: '#/$defs/oauth-flows/$defs/client-credentials' authorizationCode: $ref: '#/$defs/oauth-flows/$defs/authorization-code' + deviceAuthorization: + $ref: '#/$defs/oauth-flows/$defs/device-authorization' $ref: '#/$defs/specification-extensions' unevaluatedProperties: false @@ -864,10 +1000,10 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -881,10 +1017,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -898,10 +1034,10 @@ $defs: properties: tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -915,13 +1051,13 @@ $defs: properties: authorizationUrl: type: string - format: uri + format: uri-reference tokenUrl: type: string - format: uri + format: uri-reference refreshUrl: type: string - format: uri + format: uri-reference scopes: $ref: '#/$defs/map-of-strings' required: @@ -931,8 +1067,29 @@ $defs: $ref: '#/$defs/specification-extensions' unevaluatedProperties: false + device-authorization: + type: object + properties: + deviceAuthorizationUrl: + type: string + format: uri-reference + tokenUrl: + type: string + format: uri-reference + refreshUrl: + type: string + format: uri-reference + scopes: + $ref: '#/$defs/map-of-strings' + required: + - deviceAuthorizationUrl + - tokenUrl + - scopes + $ref: '#/$defs/specification-extensions' + unevaluatedProperties: false + security-requirement: - $comment: https://spec.openapis.org/oas/v3.1#security-requirement-object + $comment: https://spec.openapis.org/oas/v3.2#security-requirement-object type: object additionalProperties: type: array @@ -940,7 +1097,7 @@ $defs: type: string specification-extensions: - $comment: https://spec.openapis.org/oas/v3.1#specification-extensions + $comment: https://spec.openapis.org/oas/v3.2#specification-extensions patternProperties: '^x-': true @@ -951,6 +1108,10 @@ $defs: type: object additionalProperties: $ref: '#/$defs/example-or-reference' + not: + required: + - example + - examples map-of-strings: type: object diff --git a/tests/schema/fail/encoding-enc-item-exclusion.yaml b/tests/schema/fail/encoding-enc-item-exclusion.yaml new file mode 100644 index 0000000000..e0c7e03b8e --- /dev/null +++ b/tests/schema/fail/encoding-enc-item-exclusion.yaml @@ -0,0 +1,13 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + encoding-with-prefixEncoding-not-allowed: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + prefixEncoding: [] diff --git a/tests/schema/fail/encoding-enc-prefix-exclusion.yaml b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml new file mode 100644 index 0000000000..9ed8c09c18 --- /dev/null +++ b/tests/schema/fail/encoding-enc-prefix-exclusion.yaml @@ -0,0 +1,13 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + encoding-with-itemEncoding-not-allowed: + content: + multipart/mixed: + prefixEncoding: + - contentType: multipart/mixed + encoding: {} + itemEncoding: [] diff --git a/tests/schema/fail/example-examples.yaml b/tests/schema/fail/example-examples.yaml new file mode 100644 index 0000000000..aa8227817d --- /dev/null +++ b/tests/schema/fail/example-examples.yaml @@ -0,0 +1,17 @@ +openapi: 3.2.0 + +# this example should fail, as example cannot be used together with examples. + +info: + title: API + version: 1.0.0 +components: + parameters: + animal: + name: animal + in: header + schema: {} + example: bear + examples: + a mammalian example: + dataValue: bear diff --git a/tests/schema/fail/example-object-old-exclusions.yaml b/tests/schema/fail/example-object-old-exclusions.yaml new file mode 100644 index 0000000000..37be07da1c --- /dev/null +++ b/tests/schema/fail/example-object-old-exclusions.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + value: foo + externalValue: https://example.com/foo diff --git a/tests/schema/fail/example-object-old-vs-data.yaml b/tests/schema/fail/example-object-old-vs-data.yaml new file mode 100644 index 0000000000..f52e7feb0e --- /dev/null +++ b/tests/schema/fail/example-object-old-vs-data.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + NoValueWithDataValue: + value: foo + dataValue: foo diff --git a/tests/schema/fail/example-object-old-vs-ser.yaml b/tests/schema/fail/example-object-old-vs-ser.yaml new file mode 100644 index 0000000000..43ba991e4e --- /dev/null +++ b/tests/schema/fail/example-object-old-vs-ser.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + value: foo + serializedValue: foo diff --git a/tests/schema/fail/example-object-ser-exclusions.yaml b/tests/schema/fail/example-object-ser-exclusions.yaml new file mode 100644 index 0000000000..3a6bc01e21 --- /dev/null +++ b/tests/schema/fail/example-object-ser-exclusions.yaml @@ -0,0 +1,10 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 + +components: + examples: + CannotHaveBoth: + serializedValue: foo + externalValue: https://example.com/foo diff --git a/tests/schema/fail/invalid_schema_types.yaml b/tests/schema/fail/invalid_schema_types.yaml index d295b1f0ed..b3aa50a6c8 100644 --- a/tests/schema/fail/invalid_schema_types.yaml +++ b/tests/schema/fail/invalid_schema_types.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.1 +openapi: 3.2.0 # this example shows invalid types for the schemaObject @@ -10,4 +10,3 @@ components: invalid_null: null invalid_number: 0 invalid_array: [] - diff --git a/tests/schema/fail/media-type-enc-item-exclusion.yaml b/tests/schema/fail/media-type-enc-item-exclusion.yaml new file mode 100644 index 0000000000..5bcf06a94d --- /dev/null +++ b/tests/schema/fail/media-type-enc-item-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + encoding-with-itemEncoding-not-allowed: + content: + multipart/mixed: + encoding: {} + itemEncoding: {} diff --git a/tests/schema/fail/media-type-enc-prefix-exclusion.yaml b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml new file mode 100644 index 0000000000..2f19064c22 --- /dev/null +++ b/tests/schema/fail/media-type-enc-prefix-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + encoding-with-prefixEncoding-not-allowed: + content: + multipart/mixed: + encoding: {} + prefixEncoding: [] diff --git a/tests/schema/fail/no_containers.yaml b/tests/schema/fail/no_containers.yaml index c158bcb2b6..3c38be021d 100644 --- a/tests/schema/fail/no_containers.yaml +++ b/tests/schema/fail/no_containers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as there are no paths, components or webhooks containers (at least one of which must be present) diff --git a/tests/schema/fail/operation-object-query-with-querystring.yaml b/tests/schema/fail/operation-object-query-with-querystring.yaml new file mode 100644 index 0000000000..5046d9c73c --- /dev/null +++ b/tests/schema/fail/operation-object-query-with-querystring.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + get: + description: a query parameter cannot be used together with a querystring parameter + parameters: + - name: myquerystring + in: querystring + content: + application/json: + schema: + type: string + - name: myquery + in: query + schema: + type: string diff --git a/tests/schema/fail/operation-object-two-querystrings.yaml b/tests/schema/fail/operation-object-two-querystrings.yaml new file mode 100644 index 0000000000..35cebf0a3c --- /dev/null +++ b/tests/schema/fail/operation-object-two-querystrings.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + get: + description: querystring cannot be used twice + parameters: + - name: myquerystring1 + in: querystring + content: + application/json: + schema: {} + - name: myquerystring2 + in: querystring + content: + application/json: + schema: {} diff --git a/tests/schema/fail/parameter-object-content-not-with-style.yaml b/tests/schema/fail/parameter-object-content-not-with-style.yaml new file mode 100644 index 0000000000..7a16b89aa8 --- /dev/null +++ b/tests/schema/fail/parameter-object-content-not-with-style.yaml @@ -0,0 +1,14 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + parameters: + content-not-with-style: + in: querystring + name: json + content: + application/json: + schema: + type: object + style: simple diff --git a/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml new file mode 100644 index 0000000000..4f4cf98666 --- /dev/null +++ b/tests/schema/fail/parameter-object-querystring-not-with-schema.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + parameters: + querystring-not-with-schema: + in: querystring + name: json + schema: + type: object diff --git a/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml b/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml new file mode 100644 index 0000000000..f068406b68 --- /dev/null +++ b/tests/schema/fail/path-item-object-conflicting-additional-operation.yaml @@ -0,0 +1,64 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple + additionalOperations: + POST: + description: Returns pets based on ID + summary: Find pets by ID + operationId: postPetsById + requestBody: + description: ID of pet to use + required: true + content: + application/json: + schema: + type: array + items: + type: string + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/fail/path-item-object-query-with-querystring.yaml b/tests/schema/fail/path-item-object-query-with-querystring.yaml new file mode 100644 index 0000000000..6efbda4468 --- /dev/null +++ b/tests/schema/fail/path-item-object-query-with-querystring.yaml @@ -0,0 +1,19 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + parameters: + - name: myquerystring + in: querystring + content: + application/json: + schema: + type: string + - name: myquery + in: query + schema: + type: string + get: {} diff --git a/tests/schema/fail/path-item-object-two-querystrings.yaml b/tests/schema/fail/path-item-object-two-querystrings.yaml new file mode 100644 index 0000000000..daf5caa494 --- /dev/null +++ b/tests/schema/fail/path-item-object-two-querystrings.yaml @@ -0,0 +1,20 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + pathItems: + my-path-item: + description: querystring cannot be used twice + parameters: + - name: myquerystring1 + in: querystring + content: + application/json: + schema: {} + - name: myquerystring2 + in: querystring + content: + application/json: + schema: {} + get: {} diff --git a/tests/schema/fail/server_enum_empty.yaml b/tests/schema/fail/server_enum_empty.yaml index cd6d30eb3e..db4b970ced 100644 --- a/tests/schema/fail/server_enum_empty.yaml +++ b/tests/schema/fail/server_enum_empty.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as the server variable enum is empty, and so does not contain the default value diff --git a/tests/schema/fail/servers.yaml b/tests/schema/fail/servers.yaml index 1470fe1ec8..1b5e2d5fc8 100644 --- a/tests/schema/fail/servers.yaml +++ b/tests/schema/fail/servers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail, as servers must be an array, not an object diff --git a/tests/schema/fail/unknown_container.yaml b/tests/schema/fail/unknown_container.yaml index 7f31e86053..c0a4b8bb7e 100644 --- a/tests/schema/fail/unknown_container.yaml +++ b/tests/schema/fail/unknown_container.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 # this example should fail as overlays is not a valid top-level object/keyword diff --git a/tests/schema/fail/xml-attr-exclusion.yaml b/tests/schema/fail/xml-attr-exclusion.yaml new file mode 100644 index 0000000000..b48a02d1a5 --- /dev/null +++ b/tests/schema/fail/xml-attr-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + Attr: + type: string + xml: + attribute: true + nodeType: attribute diff --git a/tests/schema/fail/xml-wrapped-exclusion.yaml b/tests/schema/fail/xml-wrapped-exclusion.yaml new file mode 100644 index 0000000000..74f8ea512e --- /dev/null +++ b/tests/schema/fail/xml-wrapped-exclusion.yaml @@ -0,0 +1,11 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + List: + type: array + xml: + wrapped: true + nodeType: element diff --git a/tests/schema/pass/callback-object-examples.yaml b/tests/schema/pass/callback-object-examples.yaml new file mode 100644 index 0000000000..7a7f86f070 --- /dev/null +++ b/tests/schema/pass/callback-object-examples.yaml @@ -0,0 +1,30 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed \ No newline at end of file diff --git a/tests/schema/pass/comp_pathitems.yaml b/tests/schema/pass/comp_pathitems.yaml index 502ca1fca2..5178c1f56b 100644 --- a/tests/schema/pass/comp_pathitems.yaml +++ b/tests/schema/pass/comp_pathitems.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/components-object-example.yaml b/tests/schema/pass/components-object-example.yaml new file mode 100644 index 0000000000..33a56e608f --- /dev/null +++ b/tests/schema/pass/components-object-example.yaml @@ -0,0 +1,71 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + schemas: + GeneralError: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + parameters: + skipParam: + name: skip + in: query + description: number of items to skip + required: true + schema: + type: integer + format: int32 + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + format: int32 + responses: + NotFound: + description: Entity not found. + IllegalInput: + description: Illegal input for operation. + GeneralError: + description: General Error + content: + application/json: + schema: + $ref: '#/components/schemas/GeneralError' + securitySchemes: + api_key: + type: apiKey + name: api-key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets \ No newline at end of file diff --git a/tests/schema/pass/example-object-examples.yaml b/tests/schema/pass/example-object-examples.yaml new file mode 100644 index 0000000000..af8cc255f0 --- /dev/null +++ b/tests/schema/pass/example-object-examples.yaml @@ -0,0 +1,64 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + requestBodies: + with-example: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + foo: + summary: A foo example + value: + foo: bar + bar: + summary: A bar example + value: + bar: baz + application/xml: + examples: + xmlExample: + summary: This is an example in XML + externalValue: https://example.org/examples/address-example.xml + text/plain: + examples: + textExample: + summary: This is a text example + externalValue: https://foo.bar/examples/address-example.txt + parameters: + with-example: + name: zipCode + in: query + schema: + type: string + format: zip-code + examples: + zip-example: + $ref: '#/components/examples/zip-example' + responses: + '200': + description: your car appointment has been booked + content: + application/json: + schema: + $ref: '#/components/schemas/SuccessResponse' + examples: + confirmation-success: + $ref: '#/components/examples/confirmation-success' + application/x-www-form-urlencoded: + schema: + type: object + properties: + jsonValue: + type: string + encoding: + jsonValue: + contentType: application/json + examples: + jsonFormValue: + description: 'The JSON string "json" as a form value' + dataValue: json + serializedValue: jsonValue=%22json%22 diff --git a/tests/schema/pass/header-object-examples.yaml b/tests/schema/pass/header-object-examples.yaml new file mode 100644 index 0000000000..4122c75c61 --- /dev/null +++ b/tests/schema/pass/header-object-examples.yaml @@ -0,0 +1,26 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + deprecated: false + schema: + type: integer + ETag: + required: true + content: + text/plain: + schema: + type: string + pattern: ^" + Reference: + $ref: '#/components/schemas/ETag' + Style: + schema: + type: array + style: simple + explode: true + allowReserved: true \ No newline at end of file diff --git a/tests/schema/pass/info-object-example.yaml b/tests/schema/pass/info-object-example.yaml new file mode 100644 index 0000000000..1d36bef06c --- /dev/null +++ b/tests/schema/pass/info-object-example.yaml @@ -0,0 +1,20 @@ +# including External Documentation Object Example +openapi: 3.2.0 +$self: https://example.com/openapi +info: + title: Example Pet Store App + summary: A pet store manager. + description: This is an example server for a pet store. + termsOfService: https://example.com/terms/ + contact: + name: API Support + url: https://www.example.com/support + email: support@example.com + license: + name: Apache 2.0 + url: https://www.apache.org/licenses/LICENSE-2.0.html + version: 1.0.1 +externalDocs: + description: Find more info here + url: https://example.com +components: {} diff --git a/tests/schema/pass/info_summary.yaml b/tests/schema/pass/info_summary.yaml index 30d224afc2..6697751d56 100644 --- a/tests/schema/pass/info_summary.yaml +++ b/tests/schema/pass/info_summary.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API summary: My lovely API diff --git a/tests/schema/pass/json_schema_dialect.yaml b/tests/schema/pass/json_schema_dialect.yaml index ae0ed863b3..fa054c9b89 100644 --- a/tests/schema/pass/json_schema_dialect.yaml +++ b/tests/schema/pass/json_schema_dialect.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: summary: Testing jsonSchemaDialect title: My API @@ -6,10 +6,10 @@ info: license: name: Apache 2.0 identifier: Apache-2.0 -jsonSchemaDialect: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS +jsonSchemaDialect: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS components: schemas: WithDollarSchema: $id: "locked-metaschema" - $schema: https://spec.openapis.org/oas/3.1/dialect/WORK-IN-PROGRESS + $schema: https://spec.openapis.org/oas/3.2/dialect/WORK-IN-PROGRESS paths: {} diff --git a/tests/schema/pass/license_identifier.yaml b/tests/schema/pass/license_identifier.yaml index fbdba5efbe..20d5e4368e 100644 --- a/tests/schema/pass/license_identifier.yaml +++ b/tests/schema/pass/license_identifier.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API summary: My lovely API diff --git a/tests/schema/pass/link-object-examples.yaml b/tests/schema/pass/link-object-examples.yaml new file mode 100644 index 0000000000..9d471f0a03 --- /dev/null +++ b/tests/schema/pass/link-object-examples.yaml @@ -0,0 +1,66 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /users/{id}: + parameters: + - name: id + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + responses: + '200': + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + # the target link operationId + operationId: getUserAddress + parameters: + # get the `id` field from the request path parameter named `id` + userid: $request.path.id + address2: + operationId: getUserAddressByUUID + parameters: + # get the `uuid` field from the `uuid` field in the response body + userUuid: $response.body#/uuid + UserRepositories: + # returns array of '#/components/schemas/repository' + operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get' + parameters: + username: $response.body#/username + UserRepositories2: + # returns array of '#/components/schemas/repository' + operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get + parameters: + username: $response.body#/username + withBody: + operationId: queryUserWithBody + requestBody: + userId: $request.path.id + # the path item of the linked operation + /users/{userid}/address: + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + # linked operation + get: + operationId: getUserAddress + responses: + '200': + description: the user's address \ No newline at end of file diff --git a/tests/schema/pass/media-type-examples.yaml b/tests/schema/pass/media-type-examples.yaml new file mode 100644 index 0000000000..6ace84a8d5 --- /dev/null +++ b/tests/schema/pass/media-type-examples.yaml @@ -0,0 +1,173 @@ +# including Encoding Object examples +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + mediaTypes: + StreamingPets: + description: | + Streaming sequence of JSON pet representations, + suitable for use with any of the streaming JSON + media types. + itemSchema: + $ref: '#components/schemas/Pet' +paths: + /something: + put: + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' + examples: + cat: + summary: An example of a cat + value: + name: Fluffy + petType: Cat + color: White + gender: male + breed: Persian + dog: + summary: An example of a dog with a cat's name + value: + name: Puma + petType: Dog + color: Black + gender: Female + breed: Mixed + frog: + $ref: '#/components/examples/frog-example' + application/jsonl: + $ref: '#/components/mediaTypes/StreamingPets' + application/x-ndjson: + $ref: '#/components/mediaTypes/StreamingPets' + application/xml: + schema: + type: object + properties: + foo: + type: string + xml: + namespace: https://example.com + prefix: example + name: Foo + bar: + type: array + items: + type: number + xml: + wrapped: true + attr: + type: string + xml: + attribute: true + elementNode: + $ref: "#/components/schemas/Pet" + xml: + nodeType: element + attributeNode: + type: string + xml: + nodeType: attribute + textNode: + type: string + xml: + nodeType: text + cdataNode: + type: string + xml: + nodeType: cdata + noneNode: + type: object + xml: + nodeType: none + application/x-www-form-urlencoded: + schema: + type: object + properties: + id: + type: string + format: uuid + address: + # complex types are stringified to support RFC 1866 + type: object + properties: {} + icon: + # The default with "contentEncoding" is application/octet-stream, + # so we need to set image media type(s) in the Encoding Object. + type: string + contentEncoding: base64url + encoding: + icon: + contentType: image/png, image/jpeg + multipart/form-data: + schema: + type: object + properties: + id: + # default is `text/plain` + type: string + format: uuid + addresses: + # default based on the `items` subschema would be + # `application/json`, but we want these address objects + # serialized as `application/xml` instead + description: addresses in XML format + type: array + items: + $ref: '#/components/schemas/Address' + profileImage: + # default is application/octet-stream, but we can declare + # a more specific image type or types + type: string + format: binary + forCoverage: + type: string + forCoverage2: + type: string + nested1: + type: object + nested2: + type: array + encoding: + addresses: + # require XML Content-Type in utf-8 encoding + # This is applied to each address part corresponding + # to each address in he array + contentType: application/xml; charset=utf-8 + profileImage: + # only accept png or jpeg + contentType: image/png, image/jpeg + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + forCoverage: + style: form + explode: false + allowReserved: true + forCoverage2: + style: spaceDelimited + explode: true + nested1: + contentType: multipart/form-data + encoding: + inner: {} + nested2: + contentType: multipart/mixed + prefixEncoding: + - {} + itemEncoding: {} + multipart/related: + schema: + type: array + itemEncoding: + contentType: text/plain + prefixEncoding: + - headers: + Content-Location: + schema: + type: string diff --git a/tests/schema/pass/mega.yaml b/tests/schema/pass/mega.yaml index 98ce577dce..8304fbe199 100644 --- a/tests/schema/pass/mega.yaml +++ b/tests/schema/pass/mega.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: summary: My API's summary title: My API @@ -19,6 +19,12 @@ components: securitySchemes: mtls: type: mutualTLS + schemas: + Foo: + type: object + properties: + type: + const: foo pathItems: myPathItem: post: @@ -27,6 +33,9 @@ components: content: 'application/json': schema: + externalDocs: + description: More docs! + url: https://example.com/elsewhere.html type: object properties: type: @@ -44,5 +53,10 @@ components: type: ['string','null'] discriminator: propertyName: type + mapping: + foo: Foo + defaultMapping: Bar x-extension: true + anyOf: + - $ref: "#/components/schemas/Foo" myArbitraryKeyword: true diff --git a/tests/schema/pass/minimal_comp.yaml b/tests/schema/pass/minimal_comp.yaml index 4553689ab4..8f81f7e05e 100644 --- a/tests/schema/pass/minimal_comp.yaml +++ b/tests/schema/pass/minimal_comp.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/minimal_hooks.yaml b/tests/schema/pass/minimal_hooks.yaml index e67b2889de..0e44257ad0 100644 --- a/tests/schema/pass/minimal_hooks.yaml +++ b/tests/schema/pass/minimal_hooks.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/minimal_paths.yaml b/tests/schema/pass/minimal_paths.yaml index 016e86796f..c332bba18c 100644 --- a/tests/schema/pass/minimal_paths.yaml +++ b/tests/schema/pass/minimal_paths.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/non-oauth-scopes.yaml b/tests/schema/pass/non-oauth-scopes.yaml index e757452f38..45506616b4 100644 --- a/tests/schema/pass/non-oauth-scopes.yaml +++ b/tests/schema/pass/non-oauth-scopes.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: Non-oAuth Scopes example version: 1.0.0 diff --git a/tests/schema/pass/operation-object-example.yaml b/tests/schema/pass/operation-object-example.yaml new file mode 100644 index 0000000000..1e5bac29f1 --- /dev/null +++ b/tests/schema/pass/operation-object-example.yaml @@ -0,0 +1,47 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + put: + tags: + - pet + summary: Updates a pet in the store with form data + operationId: updatePetWithForm + parameters: + - name: petId + in: path + description: ID of pet that needs to be updated + required: true + schema: + type: string + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + name: + description: Updated name of the pet + type: string + status: + description: Updated status of the pet + type: string + required: + - status + responses: + '200': + description: Pet updated. + content: + application/json: {} + application/xml: {} + '405': + description: Method Not Allowed + content: + application/json: {} + application/xml: {} + security: + - petstore_auth: + - write:pets + - read:pets \ No newline at end of file diff --git a/tests/schema/pass/parameter-object-examples.yaml b/tests/schema/pass/parameter-object-examples.yaml new file mode 100644 index 0000000000..8a3db655ba --- /dev/null +++ b/tests/schema/pass/parameter-object-examples.yaml @@ -0,0 +1,75 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /user/{username}: + parameters: + - name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: username + in: path + description: username to fetch + required: true + schema: + type: string + - name: id + in: query + description: ID of the object to fetch + required: false + schema: + type: array + items: + type: string + style: form + explode: true + - in: query + name: freeForm + schema: + type: object + additionalProperties: + type: integer + style: form + - in: query + name: coordinates + content: + application/json: + schema: + type: object + required: + - lat + - long + properties: + lat: + type: number + long: + type: number + - in: cookie + name: my_cookie1 + style: form + schema: {} + - in: cookie + name: my_cookie2 + style: cookie + schema: {} + /user: + parameters: + - in: querystring + name: json + content: + application/json: + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object + example: + numbers: [1, 2] + flag: null diff --git a/tests/schema/pass/path-item-object-example.yaml b/tests/schema/pass/path-item-object-example.yaml new file mode 100644 index 0000000000..0ecc2d64fa --- /dev/null +++ b/tests/schema/pass/path-item-object-example.yaml @@ -0,0 +1,74 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets/{id}: + get: + description: Returns pets based on ID + summary: Find pets by ID + operationId: getPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + query: + description: Returns pets based on ID + summary: Find pets by ID + operationId: queryPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple + additionalOperations: + COPY: + description: Copies pet information based on ID + summary: Copies pets by ID + operationId: copyPetsById + responses: + '200': + description: pet response + content: + '*/*': + schema: + type: array + items: + $ref: '#/components/schemas/Pet' + default: + description: error payload + content: + text/html: + schema: + $ref: '#/components/schemas/ErrorModel' \ No newline at end of file diff --git a/tests/schema/pass/path_item_servers_parameters.yaml b/tests/schema/pass/path_item_servers_parameters.yaml new file mode 100644 index 0000000000..7cedc5d16c --- /dev/null +++ b/tests/schema/pass/path_item_servers_parameters.yaml @@ -0,0 +1,112 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /things: + summary: Lots of things + servers: + - url: https://things.example.com + get: + summary: Get a list of things + externalDocs: + description: Find more info here + url: https://example.com + parameters: + - $ref: '#/components/parameters/biscuit' + summary: The maximum number of things to return + description: The maximum number of things to return + responses: + default: + description: A list of things + servers: + - url: https://things.example.com + post: + deprecated: false + requestBody: + $ref: '#/components/requestBodies/ThingRequestBody' + responses: + '201': + $ref: '#/components/responses/ThingResponse' + callbacks: + myCallback: + '{$request.query.queryUrl}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + transactionCallback: + $ref: '#/components/callbacks/transactionCallback' + patch: {} + delete: {} + head: {} + options: {} + trace: {} +components: + callbacks: + transactionCallback: + 'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}': + post: + requestBody: + description: Callback payload + content: + application/json: + schema: + $ref: '#/components/schemas/SomePayload' + responses: + '200': + description: callback successfully processed + examples: + ThingExample: + summary: A thing + description: A thing + value: + id: 1 + name: Thing + links: + ThingLink: + description: A link to a thing + operationId: getThing + parameters: + thingId: '$response.body#/id' + server: + url: https://things.example.com + ThingyLink: + $ref: '#/components/links/ThingLink' + parameters: + limit: + name: limit + in: query + required: false + allowEmptyValue: false + allowReserved: false + deprecated: true + description: The maximum number of list items to return + schema: + type: integer + minimum: 0 + biscuit: + name: biscuit + in: cookie + style: form + schema: + type: string + requestBodies: + ThingRequestBody: + content: + application/json: + schema: + type: object + responses: + ThingResponse: + description: A thing + content: + application/json: + schema: + type: object diff --git a/tests/schema/pass/path_no_response.yaml b/tests/schema/pass/path_no_response.yaml index 334608f111..e4876799c9 100644 --- a/tests/schema/pass/path_no_response.yaml +++ b/tests/schema/pass/path_no_response.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/path_var_empty_pathitem.yaml b/tests/schema/pass/path_var_empty_pathitem.yaml index ba92742f10..e79b7cd4fe 100644 --- a/tests/schema/pass/path_var_empty_pathitem.yaml +++ b/tests/schema/pass/path_var_empty_pathitem.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/paths-object-example.yaml b/tests/schema/pass/paths-object-example.yaml new file mode 100644 index 0000000000..2ee08e581e --- /dev/null +++ b/tests/schema/pass/paths-object-example.yaml @@ -0,0 +1,17 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /pets: + get: + description: Returns all pets from the system that the user has access to + responses: + '200': + description: A list of pets. + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/pet' \ No newline at end of file diff --git a/tests/schema/pass/request-body-examples.yaml b/tests/schema/pass/request-body-examples.yaml new file mode 100644 index 0000000000..4da1d41bd4 --- /dev/null +++ b/tests/schema/pass/request-body-examples.yaml @@ -0,0 +1,34 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /something: + put: + requestBody: + description: user to add to the system + content: + application/json: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example + externalValue: https://foo.bar/examples/user-example.json + application/xml: + schema: + $ref: '#/components/schemas/User' + examples: + user: + summary: User example in XML + externalValue: https://foo.bar/examples/user-example.xml + text/plain: + examples: + user: + summary: User example in plain text + externalValue: https://foo.bar/examples/user-example.txt + '*/*': + examples: + user: + summary: User example in other format + externalValue: https://foo.bar/examples/user-example.whatever \ No newline at end of file diff --git a/tests/schema/pass/response-object-examples.yaml b/tests/schema/pass/response-object-examples.yaml new file mode 100644 index 0000000000..f55d5733ed --- /dev/null +++ b/tests/schema/pass/response-object-examples.yaml @@ -0,0 +1,43 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +components: + responses: + complex-object-array: + summary: Complex object array + description: A complex object array response + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/VeryComplexType' + simple-string: + description: A simple string response + content: + text/plain: + schema: + type: string + plain-text-with-headers: + description: A simple string response + content: + text/plain: + schema: + type: string + example: 'whoa!' + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + X-Rate-Limit-Remaining: + description: The number of remaining requests in the current period + schema: + type: integer + X-Rate-Limit-Reset: + description: The number of seconds left in the current period + schema: + type: integer + no-return-value: + description: object created \ No newline at end of file diff --git a/tests/schema/pass/schema-object-deprecated-example-keyword.yaml b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml new file mode 100644 index 0000000000..969e66f283 --- /dev/null +++ b/tests/schema/pass/schema-object-deprecated-example-keyword.yaml @@ -0,0 +1,17 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: + /user: + parameters: + - in: query + name: example + schema: + # Allow an arbitrary JSON object to keep + # the example simple + type: object + # DEPRECATED: don't use example keyword inside Schema Object + example: + numbers: [1, 2] + flag: null diff --git a/tests/schema/pass/schema.yaml b/tests/schema/pass/schema.yaml index e192529a68..a6d72b9972 100644 --- a/tests/schema/pass/schema.yaml +++ b/tests/schema/pass/schema.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 diff --git a/tests/schema/pass/security-scheme-object-examples.yaml b/tests/schema/pass/security-scheme-object-examples.yaml new file mode 100644 index 0000000000..d3472d5a32 --- /dev/null +++ b/tests/schema/pass/security-scheme-object-examples.yaml @@ -0,0 +1,69 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +security: + - basic: [] + - apiKey: [] + - JWT-bearer: [] + - mutualTLS: [] + - OAuth2: + - write:pets + - read:pets +components: + securitySchemes: + basic: + type: http + scheme: basic + apiKey: + type: apiKey + name: api-key + in: header + JWT-bearer: + type: http + scheme: bearer + bearerFormat: JWT + mutualTLS: + type: mutualTLS + description: Cert must be signed by example.com CA + OAuth2: + type: oauth2 + oauth2MetadataUrl: https://example.com/api/oauth/metadata + flows: + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + refreshUrl: https://example.com/api/oauth/refresh + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + password: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + clientCredentials: + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + deviceAuthorization: + deviceAuthorizationUrl: https://example.com/api/oauth/device + tokenUrl: https://example.com/api/oauth/token + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + OAuth2Old: + deprecated: true + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + read:pets: read your pets + refreshUrl: https://example.com/api/oauth/refresh + OpenIdConnect: + type: openIdConnect + openIdConnectUrl: https://example.com/api/oauth/openid + external: + $ref: 'https://example.com/api/openapi.json#/components/externalDocs/ThingExternalDocs' \ No newline at end of file diff --git a/tests/schema/pass/servers.yaml b/tests/schema/pass/servers.yaml index 77a20498da..07992113bf 100644 --- a/tests/schema/pass/servers.yaml +++ b/tests/schema/pass/servers.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: API version: 1.0.0 @@ -6,5 +6,21 @@ paths: {} servers: - url: /v1 description: Run locally. + name: local - url: https://production.com/v1 description: Run on production server. + - url: https://{username}.gigantic-server.com:{port}/{basePath} + description: The production API server + variables: + username: + # note! no enum here means it is an open value + default: demo + description: A user-specific subdomain. Use `demo` for a free sandbox environment. + port: + enum: + - '8443' + - '443' + default: '8443' + basePath: + # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2` + default: v2 \ No newline at end of file diff --git a/tests/schema/pass/specification-extensions.yaml b/tests/schema/pass/specification-extensions.yaml new file mode 100644 index 0000000000..8148462f83 --- /dev/null +++ b/tests/schema/pass/specification-extensions.yaml @@ -0,0 +1,6 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: {} +x-tensions: specification extensions are prefixed with `x-` \ No newline at end of file diff --git a/tests/schema/pass/tag-object-example.yaml b/tests/schema/pass/tag-object-example.yaml new file mode 100644 index 0000000000..6e740c8df0 --- /dev/null +++ b/tests/schema/pass/tag-object-example.yaml @@ -0,0 +1,25 @@ +openapi: 3.2.0 +info: + title: API + version: 1.0.0 +paths: {} +tags: + + - name: account-updates + summary: Account Updates + description: Account update operations + kind: nav + + - name: partner + summary: Partner + description: Operations available to the partners network + parent: external + kind: audience + + - name: external + summary: External + description: Operations available to external consumers + kind: audience + externalDocs: + description: Find more info here + url: https://example.com diff --git a/tests/schema/pass/valid_schema_types.yaml b/tests/schema/pass/valid_schema_types.yaml index 4431adcda5..43e7cdc782 100644 --- a/tests/schema/pass/valid_schema_types.yaml +++ b/tests/schema/pass/valid_schema_types.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.1 +openapi: 3.2.1 # this example shows that top-level schemaObjects MAY be booleans diff --git a/tests/schema/pass/webhook-example.yaml b/tests/schema/pass/webhook-example.yaml index 2ac1cda985..c0b505ac63 100644 --- a/tests/schema/pass/webhook-example.yaml +++ b/tests/schema/pass/webhook-example.yaml @@ -1,4 +1,4 @@ -openapi: 3.1.0 +openapi: 3.2.0 info: title: Webhook Example version: 1.0.0 diff --git a/tests/schema/schema.test.mjs b/tests/schema/schema.test.mjs index e7b84f0a74..ad42b15e71 100644 --- a/tests/schema/schema.test.mjs +++ b/tests/schema/schema.test.mjs @@ -13,7 +13,25 @@ await registerOasSchema(); await registerSchema("./src/schemas/validation/schema.yaml"); const fixtures = './tests/schema'; -describe("v3.1", () => { +describe("v3.2", () => { + test("schema.yaml schema test", async () => { + // Files in the pass/fail folders get run against schema-base.yaml. + // This instance is instead run against schema.yaml. + const oad = { + openapi: "3.2.0", + info: { + title: "API", + version: "1.0.0" + }, + components: { + schemas: { + foo: {} + } + } + }; + await expect(oad).to.matchJsonSchema("./src/schemas/validation/schema.yaml"); // <-- "schema.yaml" instead of "schema-base.yaml" + }); + describe("Pass", () => { readdirSync(`${fixtures}/pass`, { withFileTypes: true }) .filter((entry) => entry.isFile() && /\.yaml$/.test(entry.name))