Skip to content

Latest commit

 

History

History
3972 lines (3312 loc) · 153 KB

3.0.4.md

File metadata and controls

3972 lines (3312 loc) · 153 KB

OpenAPI Specification

Version 3.0.4

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 RFC8174 when, and only when, they appear in all capitals, as shown here.

This document is licensed under The Apache License, Version 2.0.

Introduction

The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic.

An OpenAPI definition can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases.

Table of Contents

Definitions

OpenAPI Description

An OpenAPI Description (OAD) formally describes the surface of an API and its semantics. It is composed of an entry document and any/all of its referenced documents. An OAD uses and conforms to the OpenAPI Specification.

Path Templating

Path templating refers to the usage of template expressions, delimited by curly braces ({}), to mark a section of a URL path as replaceable using path parameters.

Each template expression in the path MUST correspond to a path parameter that is included in the Path Item itself and/or in each of the Path Item's Operations.

Media Types

Media type definitions are spread across several resources. The media type definitions SHOULD be in compliance with RFC6838.

Some examples of possible media type definitions:

  text/plain; charset=utf-8
  application/json
  application/vnd.github+json
  application/vnd.github.v3+json
  application/vnd.github.v3.raw+json
  application/vnd.github.v3.text+json
  application/vnd.github.v3.html+json
  application/vnd.github.v3.full+json
  application/vnd.github.v3.diff
  application/vnd.github.v3.patch
HTTP Status Codes

The HTTP Status Codes are used to indicate the status of the executed operation. Status codes SHOULD be selected from the available status codes registered in the IANA Status Code Registry.

Undefined and Implementation-Defined Behavior

This specification deems certain situations to have either undefined or implementation-defined behavior.

Behavior described as undefined is likely, at least in some circumstances, to result in outcomes that contradict the specification. This description is used when detecting the contradiction is impossible or impractical. Implementations MAY support undefined scenarios for historical reasons, including ambiguous text in prior versions of the specification. This support might produce correct outcomes in many cases, but relying on it is NOT RECOMMENDED as there is no guarantee that it will work across all tools or with future specification versions, even if those versions are otherwise strictly compatible with this one.

Behavior described as implementation-defined allows implementations to choose which of several different-but-compliant approaches to a requirement to implement. This documents ambiguous requirements that API description authors are RECOMMENDED to avoid in order to maximize interoperability. Unlike undefined behavior, it is safe to rely on implementation-defined behavior if and only if it can be guaranteed that all relevant tools support the same behavior.

Specification

Versions

The OpenAPI Specification is versioned using a major.minor.patch versioning scheme. The major.minor portion of the version string (for example 3.1) SHALL designate the OAS feature set. .patch versions address errors in, or provide clarifications to, this document, not the feature set. Tooling which supports OAS 3.1 SHOULD be compatible with all OAS 3.1.* versions. The patch version SHOULD NOT be considered by tooling, making no distinction between 3.1.0 and 3.1.1 for example.

Occasionally, non-backwards compatible changes may be made in minor versions of the OAS where impact is believed to be low relative to the benefit provided.

An OpenAPI document compatible with OAS 3.*.* contains a required openapi field which designates the version of the OAS that it uses.

Format

An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format.

For example, if a field has an array value, the JSON array representation will be used:

{
   "field": [ 1, 2, 3 ]
}

All field names in the specification are case sensitive. This includes all fields that are used as keys in a map, except where explicitly noted that keys are case insensitive.

The schema exposes two types of fields: Fixed fields, which have a declared name, and Patterned fields, which declare a regex pattern for the field name.

Patterned fields MUST have unique names within the containing object.

In order to preserve the ability to round-trip between YAML and JSON formats, YAML version 1.2 is RECOMMENDED along with some additional constraints:

Note: While APIs may be defined by OpenAPI documents in either YAML or JSON format, the API request and response bodies and other content are not required to be JSON or YAML.

OpenAPI Description Structure

An OpenAPI Description (OAD) MAY be made up of a single document or be divided into multiple, connected parts at the discretion of the author. In the latter case, Reference Object and Path Item Object $ref keywords, as well as the Link Object operationRef keyword, are used.

Any document consisting entirely of an OpenAPI Object is known as a complete OpenAPI document. In a multi-document description, the document containing the OpenAPI Object where parsing begins for a specific API's description is known as that API's entry OpenAPI document, or simply entry document.

It is RECOMMENDED that the entry OpenAPI document be named: openapi.json or openapi.yaml.

Structural Interoperability

When parsing an OAD, JSON or YAML objects are parsed into specific Objects (such as Operation Objects, Response Objects, Reference Objects, etc.) based on the parsing context. Depending on how references are arranged, a given JSON or YAML object can be parsed in multiple different contexts:

  • As a full OpenAPI Description document (an OpenAPI Object taking up an entire document)
  • As the Object type implied by its parent Object within the document
  • As a reference target, with the Object type matching the reference source's context

If the same JSON/YAML object is parsed multiple times and the respective contexts require it to be parsed as different Object types, the resulting behavior is implementation defined, and MAY be treated as an error if detected. An example would be referencing an empty Schema Object under #/components/schemas where a Path Item Object is expected, as an empty object is valid for both types. For maximum interoperability, it is RECOMMENDED that OpenAPI Description authors avoid such scenarios.

Resolving Implicit Connections

Data Types

Primitive data types in the OAS are based on the types supported by the JSON Schema Specification Wright Draft 00. Note that integer as a type is also supported and is defined as a JSON number without a fraction or exponent part. null is not supported as a type (see nullable for an alternative solution). Models are defined using the Schema Object, which is an extended subset of JSON Schema Specification Wright Draft 00.

Primitives have an optional modifier property: format. OAS uses several known formats to define in fine detail the data type being used. However, to support documentation needs, the format property is an open string-valued property, and can have any value. Formats such as "email", "uuid", and so on, MAY be used even though they are not defined by this specification. Types that are not accompanied by a format property follow the type definition in the JSON Schema. Tools that do not recognize a specific format MAY default back to the type alone, as if the format is not specified.

The formats defined by the OAS are:

type format Comments
integer int32 signed 32 bits
integer int64 signed 64 bits (a.k.a long)
number float
number double
string byte base64 encoded characters - RFC4648
string binary any sequence of octets
string date As defined by full-date - RFC3339
string date-time As defined by date-time - RFC3339
string password A hint to obscure the value.

Working With Binary Data

Two formats, binary and byte, describe different ways to work with binary data:

  • binary is used where unencoded binary data is allowed, such as when sending a binary payload as an HTTP message body, or as part of a multipart/* payload that allows binary parts
  • byte is used where binary data is embedded in a text-only format such as application/json or application/x-www-form-urlencoded

The maxLength keyword MAY be used to set an expected upper bound on the length of a streaming payload. The keyword can be applied to either string data, including encoded binary data, or to unencoded binary data. For unencoded binary, the length is the number of octets.

Note that the encoding indicated by byte, which inflates the size of data in order to represent it as 7-bit ASCII text, is unrelated to HTTP's Content-Encoding header, which indicates whether and how a message body has been compressed.

Rich Text Formatting

Throughout the specification description fields are noted as supporting CommonMark markdown formatting. Where OpenAPI tooling renders rich text it MUST support, at a minimum, markdown syntax as described by CommonMark 0.27. Tooling MAY choose to ignore some CommonMark features to address security concerns.

Relative References in URLs

Unless specified otherwise, all properties that are URLs MAY be relative references as defined by RFC3986. Relative references are resolved using the URLs defined in the Server Object as a Base URI.

Relative references used in $ref are processed as per JSON Reference, using the URL of the current document as the base URI. See also the Reference Object.

Relative references in CommonMark hyperlinks are resolved in their rendered context, which might differ from the context of the API description.

Schema

In the following description, if a field is not explicitly REQUIRED or described with a MUST or SHALL, it can be considered OPTIONAL.

OpenAPI Object

This is the root document object of the OpenAPI document.

Fixed Fields
Field Name Type Description
openapi string REQUIRED. This string MUST be the semantic version number of the OpenAPI Specification version that the OpenAPI document uses. The openapi field SHOULD be used by tooling specifications and clients to interpret the OpenAPI document. This is not related to the API info.version string.
info Info Object REQUIRED. Provides metadata about the API. The metadata MAY be used by tooling as required.
servers [Server Object] An array of Server Objects, which provide connectivity information to a target server. If the servers property is not provided, or is an empty array, the default value would be a Server Object with a url value of /.
paths Paths Object REQUIRED. The available paths and operations for the API.
components Components Object An element to hold various schemas for the specification.
security [Security Requirement Object] A declaration of which security mechanisms can be used across the API. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. Individual operations can override this definition. To make security optional, an empty security requirement ({}) can be included in the array.
tags [Tag Object] A list of tags used by the specification with additional metadata. The order of the tags can be used to reflect on their order by the parsing tools. Not all tags that are used by the Operation Object must be declared. The tags that are not declared MAY be organized randomly or based on the tools' logic. Each tag name in the list MUST be unique.
externalDocs External Documentation Object Additional external documentation.

This object MAY be extended with Specification Extensions.

Info Object

The object provides metadata about the API. The metadata MAY be used by the clients if needed, and MAY be presented in editing or documentation generation tools for convenience.

Fixed Fields
Field Name Type Description
title string REQUIRED. The title of the API.
description string A short description of the API. CommonMark syntax MAY be used for rich text representation.
termsOfService string A URL to the Terms of Service for the API. MUST be in the format of a URL.
contact Contact Object The contact information for the exposed API.
license License Object The license information for the exposed API.
version string REQUIRED. The version of the OpenAPI document (which is distinct from the OpenAPI Specification version or the API implementation version).

This object MAY be extended with Specification Extensions.

Info Object Example
{
  "title": "Sample Pet Store App",
  "description": "This is a sample server for a pet store.",
  "termsOfService": "http://example.com/terms/",
  "contact": {
    "name": "API Support",
    "url": "http://www.example.com/support",
    "email": "[email protected]"
  },
  "license": {
    "name": "Apache 2.0",
    "url": "https://www.apache.org/licenses/LICENSE-2.0.html"
  },
  "version": "1.0.1"
}
title: Sample Pet Store App
description: This is a sample server for a pet store.
termsOfService: http://example.com/terms/
contact:
  name: API Support
  url: http://www.example.com/support
  email: [email protected]
license:
  name: Apache 2.0
  url: https://www.apache.org/licenses/LICENSE-2.0.html
version: 1.0.1

Contact Object

Contact information for the exposed API.

Fixed Fields
Field Name Type Description
name string The identifying name of the contact person/organization.
url string The URL pointing to the contact information. MUST be in the format of a URL.
email string The email address of the contact person/organization. MUST be in the format of an email address.

This object MAY be extended with Specification Extensions.

Contact Object Example
{
  "name": "API Support",
  "url": "http://www.example.com/support",
  "email": "[email protected]"
}
name: API Support
url: http://www.example.com/support
email: [email protected]

License Object

License information for the exposed API.

Fixed Fields
Field Name Type Description
name string REQUIRED. The license name used for the API.
url string A URL to the license used for the API. MUST be in the format of a URL.

This object MAY be extended with Specification Extensions.

License Object Example
{
  "name": "Apache 2.0",
  "url": "https://www.apache.org/licenses/LICENSE-2.0.html"
}
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html

Server Object

An object representing a Server.

Fixed Fields
Field Name Type Description
url string REQUIRED. A URL to the target host. This URL supports Server Variables and MAY be relative, to indicate that the host location is relative to the location where the OpenAPI document is being served. Variable substitutions will be made when a variable is named in {brackets}.
description string An optional string describing the host designated by the URL. CommonMark syntax MAY be used for rich text representation.
variables Map[string, Server Variable Object] A map between a variable name and its value. The value is used for substitution in the server's URL template.

This object MAY be extended with Specification Extensions.

Server Object Example

A single server would be described as:

{
  "url": "https://development.gigantic-server.com/v1",
  "description": "Development server"
}
url: https://development.gigantic-server.com/v1
description: Development server

The following shows how multiple servers can be described, for example, at the OpenAPI Object's servers:

{
  "servers": [
    {
      "url": "https://development.gigantic-server.com/v1",
      "description": "Development server"
    },
    {
      "url": "https://staging.gigantic-server.com/v1",
      "description": "Staging server"
    },
    {
      "url": "https://api.gigantic-server.com/v1",
      "description": "Production server"
    }
  ]
}
servers:
- url: https://development.gigantic-server.com/v1
  description: Development server
- url: https://staging.gigantic-server.com/v1
  description: Staging server
- url: https://api.gigantic-server.com/v1
  description: Production server

The following shows how variables can be used for a server configuration:

{
  "servers": [
    {
      "url": "https://{username}.gigantic-server.com:{port}/{basePath}",
      "description": "The production API server",
      "variables": {
        "username": {
          "default": "demo",
          "description": "this value is assigned by the service provider, in this example `gigantic-server.com`"
        },
        "port": {
          "enum": [
            "8443",
            "443"
          ],
          "default": "8443"
        },
        "basePath": {
          "default": "v2"
        }
      }
    }
  ]
}
servers:
- url: https://{username}.gigantic-server.com:{port}/{basePath}
  description: The production API server
  variables:
    username:
      # note! no enum here means it is an open value
      default: demo
      description: this value is assigned by the service provider, in this example `gigantic-server.com`
    port:
      enum:
        - '8443'
        - '443'
      default: '8443'
    basePath:
      # open meaning there is the opportunity to use special base paths as assigned by the provider, default is `v2`
      default: v2

Server Variable Object

An object representing a Server Variable for server URL template substitution.

Fixed Fields
Field Name Type Description
enum [string] An enumeration of string values to be used if the substitution options are from a limited set. The array SHOULD NOT be empty.
default string REQUIRED. The default value to use for substitution, which SHALL be sent if an alternate value is not supplied. Note this behavior is different than the Schema Object's treatment of default values, because in those cases parameter values are optional. If the enum is defined, the value SHOULD exist in the enum's values.
description string An optional description for the server variable. CommonMark syntax MAY be used for rich text representation.

This object MAY be extended with Specification Extensions.

Components Object

Holds a set of reusable objects for different aspects of the OAS. All objects defined within the components object will have no effect on the API unless they are explicitly referenced from properties outside the components object.

Fixed Fields
Field Name Type Description
schemas Map[string, Schema Object | Reference Object] An object to hold reusable Schema Objects.
responses Map[string, Response Object | Reference Object] An object to hold reusable Response Objects.
parameters Map[string, Parameter Object | Reference Object] An object to hold reusable Parameter Objects.
examples Map[string, Example Object | Reference Object] An object to hold reusable Example Objects.
requestBodies Map[string, Request Body Object | Reference Object] An object to hold reusable Request Body Objects.
headers Map[string, Header Object | Reference Object] An object to hold reusable Header Objects.
securitySchemes Map[string, Security Scheme Object | Reference Object] An object to hold reusable Security Scheme Objects.
links Map[string, Link Object | Reference Object] An object to hold reusable Link Objects.
callbacks Map[string, Callback Object | Reference Object] An object to hold reusable Callback Objects.

This object MAY be extended with Specification Extensions.

All the fixed fields declared above are objects that MUST use keys that match the regular expression: ^[a-zA-Z0-9\.\-_]+$.

Field Name Examples:

User
User_1
User_Name
user-name
my.org.User
Components Object Example
"components": {
  "schemas": {
    "GeneralError": {
      "type": "object",
      "properties": {
        "code": {
          "type": "integer",
          "format": "int32"
        },
        "message": {
          "type": "string"
        }
      }
    },
    "Category": {
      "type": "object",
      "properties": {
        "id": {
          "type": "integer",
          "format": "int64"
        },
        "name": {
          "type": "string"
        }
      }
    },
    "Tag": {
      "type": "object",
      "properties": {
        "id": {
          "type": "integer",
          "format": "int64"
        },
        "name": {
          "type": "string"
        }
      }
    }
  },
  "parameters": {
    "skipParam": {
      "name": "skip",
      "in": "query",
      "description": "number of items to skip",
      "required": true,
      "schema": {
        "type": "integer",
        "format": "int32"
      }
    },
    "limitParam": {
      "name": "limit",
      "in": "query",
      "description": "max records to return",
      "required": true,
      "schema" : {
        "type": "integer",
        "format": "int32"
      }
    }
  },
  "responses": {
    "NotFound": {
      "description": "Entity not found."
    },
    "IllegalInput": {
      "description": "Illegal input for operation."
    },
    "GeneralError": {
      "description": "General Error",
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/GeneralError"
          }
        }
      }
    }
  },
  "securitySchemes": {
    "api_key": {
      "type": "apiKey",
      "name": "api_key",
      "in": "header"
    },
    "petstore_auth": {
      "type": "oauth2",
      "flows": {
        "implicit": {
          "authorizationUrl": "http://example.org/api/oauth/dialog",
          "scopes": {
            "write:pets": "modify pets in your account",
            "read:pets": "read your pets"
          }
        }
      }
    }
  }
}
components:
  schemas:
    GeneralError:
      type: object
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
    Category:
      type: object
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
    Tag:
      type: object
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
  parameters:
    skipParam:
      name: skip
      in: query
      description: number of items to skip
      required: true
      schema:
        type: integer
        format: int32
    limitParam:
      name: limit
      in: query
      description: max records to return
      required: true
      schema:
        type: integer
        format: int32
  responses:
    NotFound:
      description: Entity not found.
    IllegalInput:
      description: Illegal input for operation.
    GeneralError:
      description: General Error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/GeneralError'
  securitySchemes:
    api_key:
      type: apiKey
      name: api_key
      in: header
    petstore_auth:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: http://example.org/api/oauth/dialog
          scopes:
            write:pets: modify pets in your account
            read:pets: read your pets

Paths Object

Holds the relative paths to the individual endpoints and their operations. The path is appended to the URL from the Server Object in order to construct the full URL. The Paths MAY be empty, due to ACL constraints.

Patterned Fields
Field Pattern Type Description
/{path} Path Item Object A relative path to an individual endpoint. The field name MUST begin with a forward slash (/). The path is appended (no relative URL resolution) to the expanded URL from the Server Object's url field in order to construct the full URL. Path templating is allowed. When matching URLs, concrete (non-templated) paths would be matched before their templated counterparts. Templated paths with the same hierarchy but different templated names MUST NOT exist as they are identical. In case of ambiguous matching, it's up to the tooling to decide which one to use.

This object MAY be extended with Specification Extensions.

Path Templating Matching

Assuming the following paths, the concrete definition, /pets/mine, will be matched first if used:

  /pets/{petId}
  /pets/mine

The following paths are considered identical and invalid:

  /pets/{petId}
  /pets/{name}

The following may lead to ambiguous resolution:

  /{entity}/me
  /books/{id}
Paths Object Example
{
  "/pets": {
    "get": {
      "description": "Returns all pets from the system that the user has access to",
      "responses": {
        "200": {
          "description": "A list of pets.",
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/pet"
                }
              }
            }
          }
        }
      }
    }
  }
}
/pets:
  get:
    description: Returns all pets from the system that the user has access to
    responses:
      '200':
        description: A list of pets.
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/pet'

Path Item Object

Describes the operations available on a single path. A Path Item MAY be empty, due to ACL constraints. The path itself is still exposed to the documentation viewer but they will not know which operations and parameters are available.

Fixed Fields
Field Name Type Description
$ref string Allows for an external definition of this path item. The referenced structure MUST be in the format of a Path Item Object. In case a Path Item Object field appears both in the defined object and the referenced object, the behavior is undefined.
summary string An optional string summary, intended to apply to all operations in this path.
description string An optional string description, intended to apply to all operations in this path. CommonMark syntax MAY be used for rich text representation.
get Operation Object A definition of a GET operation on this path.
put Operation Object A definition of a PUT operation on this path.
post Operation Object A definition of a POST operation on this path.
delete Operation Object A definition of a DELETE operation on this path.
options Operation Object A definition of a OPTIONS operation on this path.
head Operation Object A definition of a HEAD operation on this path.
patch Operation Object A definition of a PATCH operation on this path.
trace Operation Object A definition of a TRACE operation on this path.
servers [Server Object] An alternative server array to service all operations in this path. If an alternative server object is specified at the Root level, it will be overridden by this value.
parameters [Parameter Object | Reference Object] A list of parameters that are applicable for all the operations described under this path. These parameters can be overridden at the operation level, but cannot be removed there. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a name and location. The list can use the Reference Object to link to parameters that are defined at the OpenAPI Object's components/parameters.

This object MAY be extended with Specification Extensions.

Path Item Object Example
{
  "get": {
    "description": "Returns pets based on ID",
    "summary": "Find pets by ID",
    "operationId": "getPetsById",
    "responses": {
      "200": {
        "description": "pet response",
        "content": {
          "*/*": {
            "schema": {
              "type": "array",
              "items": {
                "$ref": "#/components/schemas/Pet"
              }
            }
          }
        }
      },
      "default": {
        "description": "error payload",
        "content": {
          "text/html": {
            "schema": {
              "$ref": "#/components/schemas/ErrorModel"
            }
          }
        }
      }
    }
  },
  "parameters": [
    {
      "name": "id",
      "in": "path",
      "description": "ID of pet to use",
      "required": true,
      "schema": {
        "type": "array",
        "items": {
          "type": "string"
        }
      },
      "style": "simple"
    }
  ]
}
get:
  description: Returns pets based on ID
  summary: Find pets by ID
  operationId: getPetsById
  responses:
    '200':
      description: pet response
      content:
        '*/*':
          schema:
            type: array
            items:
              $ref: '#/components/schemas/Pet'
    default:
      description: error payload
      content:
        text/html:
          schema:
            $ref: '#/components/schemas/ErrorModel'
parameters:
- name: id
  in: path
  description: ID of pet to use
  required: true
  schema:
    type: array
    items:
      type: string
  style: simple

Operation Object

Describes a single API operation on a path.

Fixed Fields
Field Name Type Description
tags [string] A list of tags for API documentation control. Tags can be used for logical grouping of operations by resources or any other qualifier.
summary string A short summary of what the operation does.
description string A verbose explanation of the operation behavior. CommonMark syntax MAY be used for rich text representation.
externalDocs External Documentation Object Additional external documentation for this operation.
operationId string Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is case-sensitive. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions.
parameters [Parameter Object | Reference Object] A list of parameters that are applicable for this operation. If a parameter is already defined at the Path Item, the new definition will override it but can never remove it. The list MUST NOT include duplicated parameters. A unique parameter is defined by a combination of a name and location. The list can use the Reference Object to link to parameters that are defined at the OpenAPI Object's components/parameters.
requestBody Request Body Object | Reference Object The request body applicable for this operation. The requestBody is only supported in HTTP methods where the HTTP 1.1 specification RFC7231 has explicitly defined semantics for request bodies. In other cases where the HTTP spec is vague, requestBody SHALL be ignored by consumers.
responses Responses Object REQUIRED. The list of possible responses as they are returned from executing this operation.
callbacks Map[string, Callback Object | Reference Object] A map of possible out-of band callbacks related to the parent operation. The key is a unique identifier for the Callback Object. Each value in the map is a Callback Object that describes a request that may be initiated by the API provider and the expected responses.
deprecated boolean Declares this operation to be deprecated. Consumers SHOULD refrain from usage of the declared operation. Default value is false.
security [Security Requirement Object] A declaration of which security mechanisms can be used for this operation. The list of values includes alternative security requirement objects that can be used. Only one of the security requirement objects need to be satisfied to authorize a request. To make security optional, an empty security requirement ({}) can be included in the array. This definition overrides any declared top-level security. To remove a top-level security declaration, an empty array can be used.
servers [Server Object] An alternative server array to service this operation. If an alternative server object is specified at the Path Item Object or Root level, it will be overridden by this value.

This object MAY be extended with Specification Extensions.

Operation Object Example
{
  "tags": [
    "pet"
  ],
  "summary": "Updates a pet in the store with form data",
  "operationId": "updatePetWithForm",
  "parameters": [
    {
      "name": "petId",
      "in": "path",
      "description": "ID of pet that needs to be updated",
      "required": true,
      "schema": {
        "type": "string"
      }
    }
  ],
  "requestBody": {
    "content": {
      "application/x-www-form-urlencoded": {
        "schema": {
          "type": "object",
          "properties": {
            "name": {
              "description": "Updated name of the pet",
              "type": "string"
            },
            "status": {
              "description": "Updated status of the pet",
              "type": "string"
            }
          },
          "required": ["status"]
        }
      }
    }
  },
  "responses": {
    "200": {
      "description": "Pet updated.",
      "content": {
        "application/json": {},
        "application/xml": {}
      }
    },
    "405": {
      "description": "Method Not Allowed",
      "content": {
        "application/json": {},
        "application/xml": {}
      }
    }
  },
  "security": [
    {
      "petstore_auth": [
        "write:pets",
        "read:pets"
      ]
    }
  ]
}
tags:
- pet
summary: Updates a pet in the store with form data
operationId: updatePetWithForm
parameters:
- name: petId
  in: path
  description: ID of pet that needs to be updated
  required: true
  schema:
    type: string
requestBody:
  content:
    application/x-www-form-urlencoded:
      schema:
       properties:
         name:
           description: Updated name of the pet
           type: string
         status:
           description: Updated status of the pet
           type: string
       required:
         - status
responses:
  '200':
    description: Pet updated.
    content:
      application/json: {}
      application/xml: {}
  '405':
    description: Method Not Allowed
    content:
      application/json: {}
      application/xml: {}
security:
- petstore_auth:
  - write:pets
  - read:pets

External Documentation Object

Allows referencing an external resource for extended documentation.

Fixed Fields
Field Name Type Description
description string A short description of the target documentation. CommonMark syntax MAY be used for rich text representation.
url string REQUIRED. The URL for the target documentation. Value MUST be in the format of a URL.

This object MAY be extended with Specification Extensions.

External Documentation Object Example
{
  "description": "Find more info here",
  "url": "https://example.com"
}
description: Find more info here
url: https://example.com

Parameter Object

Describes a single operation parameter.

A unique parameter is defined by a combination of a name and location.

Parameter Locations

There are four possible parameter locations specified by the in field:

  • path - Used together with Path Templating, where the parameter value is actually part of the operation's URL. This does not include the host or base path of the API. For example, in /items/{itemId}, the path parameter is itemId.
  • query - Parameters that are appended to the URL. For example, in /items?id=###, the query parameter is id.
  • header - Custom headers that are expected as part of the request. Note that RFC7230 states header names are case insensitive.
  • cookie - Used to pass a specific cookie value to the API.
Fixed Fields

The rules for serialization of the parameter are specified in one of two ways. Parameter Objects MUST include either a content field or a schema field, but not both. See Appendix B for a discussion of converting values of various types to string representations.

Common Fixed Fields

These fields MAY be used with either content or schema.

Field Name Type Description
name string REQUIRED. The name of the parameter. Parameter names are case sensitive.
  • If in is "path", the name field MUST correspond to a template expression occurring within the path field in the Paths Object. See Path Templating for further information.
  • If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored.
  • For all other cases, the name corresponds to the parameter name used by the in property.
in string REQUIRED. The location of the parameter. Possible values are "query", "header", "path" or "cookie".
description string A brief description of the parameter. This could contain examples of use. CommonMark syntax MAY be used for rich text representation.
required boolean Determines whether this parameter is mandatory. If the parameter location is "path", this property is REQUIRED and its value MUST be true. Otherwise, the property MAY be included and its default value is false.
deprecated boolean Specifies that a parameter is deprecated and SHOULD be transitioned out of usage. Default value is false.
allowEmptyValue boolean If true, clients MAY pass a zero-length string value in place of parameters that would otherwise be omitted entirely, which the server SHOULD interpret as the parameter being unused. Default value is false. If style is used, and if behavior is n/a (cannot be serialized), the value of allowEmptyValue SHALL be ignored. Interactions between this field and the parameter's Schema Object are implementation-defined. This field is valid only for query parameters. Use of this property is NOT RECOMMENDED, and it is likely to be removed in a later revision.
Fixed Fields for use with schema

For simpler scenarios, a schema and style can describe the structure and syntax of the parameter. When example or examples are provided in conjunction with the schema object, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the parameter. The example and examples fields are mutually exclusive, and if either is present it SHALL override any example in the schema.

Field Name Type Description
style string Describes how the parameter value will be serialized depending on the type of the parameter value. Default values (based on value of in): for query - form; for path - simple; for header - simple; for cookie - form.
explode boolean When this is true, parameter values of type array or object generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters this property has no effect. When style is form, the default value is true. For all other styles, the default value is false.
allowReserved boolean When this is true, parameter values are serialized using reserved expansion, as defined by RFC6570, which allows RFC3986's reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([, ], #), or have a special meaning in application/x-www-form-urlencoded (-, &, +); see Appendices C and E for details. This property only applies to parameters with an in value of query. The default value is false.
schema Schema Object | Reference Object The schema defining the type used for the parameter.
example Any Example of the parameter's potential value; see Working With Examples.
examples Map[ string, Example Object | Reference Object] Examples of the parameter's potential value; see Working With Examples.

See also Appendix C: Using RFC6570 Implementations for additional guidance.

Fixed Fields and considerations for use with content

For more complex scenarios, the content property can define the media type and schema of the parameter, as well as give examples of its use.

Field Name Type Description
content Map[string, Media Type Object] A map containing the representations for the parameter. The key is the media type and the value describes it. The map MUST only contain one entry.
Style Values

In order to support common ways of serializing simple parameters, a set of style values are defined.

style type in Comments
matrix primitive, array, object path Path-style parameters defined by RFC6570
label primitive, array, object path Label style parameters defined by RFC6570
simple primitive, array, object path, header Simple style parameters defined by RFC6570. This option replaces collectionFormat with a csv value from OpenAPI 2.0.
form primitive, array, object query, cookie Form style parameters defined by RFC6570. This option replaces collectionFormat with a csv (when explode is false) or multi (when explode is true) value from OpenAPI 2.0.
spaceDelimited array, object query Space separated array values or object properties and values. This option replaces collectionFormat equal to ssv from OpenAPI 2.0.
pipeDelimited array, object query Pipe separated array values or object properties and values. This option replaces collectionFormat equal to pipes from OpenAPI 2.0.
deepObject object query Allows objects with scalar properties to be represented using form parameters. The representation of array or object properties is not defined.

The behavior of applying a style that uses a delimiter to data containing that delimiter is not defined, and is therefore NOT RECOMMENDED. To ensure interoperability, any such delimiter characters need to be escaped prior to serializing with the style, and unescaped after parsing. In the case of spaceDelimited, care must be taken to avoid confusing interactions with URL parameter encoding of spaces.

Style Examples

Assume a parameter named color has one of the following values:

   string -> "blue"
   array -> ["blue","black","brown"]
   object -> { "R": 100, "G": 200, "B": 150 }

The following table shows examples of rendering differences for each value.

style explode empty string array object
matrix false ;color ;color=blue ;color=blue,black,brown ;color=R,100,G,200,B,150
matrix true ;color ;color=blue ;color=blue;color=black;color=brown ;R=100;G=200;B=150
label false . .blue .blue,black,brown .R,100,G,200,B,150
label true . .blue .blue.black.brown .R=100.G=200.B=150
simple false n/a blue blue,black,brown R,100,G,200,B,150
simple true n/a blue blue,black,brown R=100,G=200,B=150
form false color= color=blue color=blue,black,brown color=R,100,G,200,B,150
form true color= color=blue color=blue&color=black&color=brown R=100&G=200&B=150
spaceDelimited false n/a n/a color=blue%20black%20brown color=R%20100%20G%20200%20B%20150
pipeDelimited false n/a n/a color=blue|black|brown color=R|100|G|200|B|150
deepObject true n/a n/a n/a color[R]=100&color[G]=200&color[B]=150

This object MAY be extended with Specification Extensions.

Parameter Object Examples

A header parameter with an array of 64 bit integer numbers:

{
  "name": "token",
  "in": "header",
  "description": "token to be passed as a header",
  "required": true,
  "schema": {
    "type": "array",
    "items": {
      "type": "integer",
      "format": "int64"
    }
  },
  "style": "simple"
}
name: token
in: header
description: token to be passed as a header
required: true
schema:
  type: array
  items:
    type: integer
    format: int64
style: simple

A path parameter of a string value:

{
  "name": "username",
  "in": "path",
  "description": "username to fetch",
  "required": true,
  "schema": {
    "type": "string"
  }
}
name: username
in: path
description: username to fetch
required: true
schema:
  type: string

An optional query parameter of a string value, allowing multiple values by repeating the query parameter:

{
  "name": "id",
  "in": "query",
  "description": "ID of the object to fetch",
  "required": false,
  "schema": {
    "type": "array",
    "items": {
      "type": "string"
    }
  },
  "style": "form",
  "explode": true
}
name: id
in: query
description: ID of the object to fetch
required: false
schema:
  type: array
  items:
    type: string
style: form
explode: true

A free-form query parameter, allowing undefined parameters of a specific type:

{
  "in": "query",
  "name": "freeForm",
  "schema": {
    "type": "object",
    "additionalProperties": {
      "type": "integer"
    },
  },
  "style": "form"
}
in: query
name: freeForm
schema:
  type: object
  additionalProperties:
    type: integer
style: form

A complex parameter using content to define serialization:

{
  "in": "query",
  "name": "coordinates",
  "content": {
    "application/json": {
      "schema": {
        "type": "object",
        "required": [
          "lat",
          "long"
        ],
        "properties": {
          "lat": {
            "type": "number"
          },
          "long": {
            "type": "number"
          }
        }
      }
    }
  }
}
in: query
name: coordinates
content:
  application/json:
    schema:
      type: object
      required:
        - lat
        - long
      properties:
        lat:
          type: number
        long:
          type: number

Request Body Object

Describes a single request body.

Fixed Fields
Field Name Type Description
description string A brief description of the request body. This could contain examples of use. CommonMark syntax MAY be used for rich text representation.
content Map[string, Media Type Object] REQUIRED. The content of the request body. The key is a media type or media type range and the value describes it. For requests that match multiple keys, only the most specific key is applicable. e.g. text/plain overrides text/*
required boolean Determines if the request body is required in the request. Defaults to false.

This object MAY be extended with Specification Extensions.

Request Body Examples

A request body with a referenced schema definition.

{
  "description": "user to add to the system",
  "content": {
    "application/json": {
      "schema": {
        "$ref": "#/components/schemas/User"
      },
      "examples": {
        "user" : {
          "summary": "User Example",
          "externalValue": "http://foo.bar/examples/user-example.json"
        }
      }
    },
    "application/xml": {
      "schema": {
        "$ref": "#/components/schemas/User"
      },
      "examples": {
        "user" : {
          "summary": "User example in XML",
          "externalValue": "http://foo.bar/examples/user-example.xml"
        }
      }
    },
    "text/plain": {
      "examples": {
        "user" : {
          "summary": "User example in Plain text",
          "externalValue": "http://foo.bar/examples/user-example.txt"
        }
      }
    },
    "*/*": {
      "examples": {
        "user" : {
          "summary": "User example in other format",
          "externalValue": "http://foo.bar/examples/user-example.whatever"
        }
      }
    }
  }
}
description: user to add to the system
content:
  application/json:
    schema:
      $ref: '#/components/schemas/User'
    examples:
      user:
        summary: User Example
        externalValue: http://foo.bar/examples/user-example.json
  application/xml:
    schema:
      $ref: '#/components/schemas/User'
    examples:
      user:
        summary: User Example in XML
        externalValue: http://foo.bar/examples/user-example.xml
  text/plain:
    examples:
      user:
        summary: User example in text plain format
        externalValue: http://foo.bar/examples/user-example.txt
  '*/*':
    examples:
      user:
        summary: User example in other format
        externalValue: http://foo.bar/examples/user-example.whatever

Media Type Object

Each Media Type Object provides schema and examples for the media type identified by its key.

When example or examples are provided, the example SHOULD match the specified schema and be in the correct format as specified by the media type and its encoding. The example and examples fields are mutually exclusive, and if either is present it SHALL override any example in the schema. See Working With Examples for further guidance regarding the different ways of specifying examples, including non-JSON/YAML values.

Fixed Fields
Field Name Type Description
schema Schema Object | Reference Object The schema defining the content of the request, response, or parameter.
example Any Example of the media type; see Working With Examples.
examples Map[ string, Example Object | Reference Object] Examples of the media type; see Working With Examples.
encoding Map[string, Encoding Object] A map between a property name and its encoding information. The key, being the property name, MUST exist in the schema as a property. The encoding attribute SHALL only apply to Request Body Objects, and only when the media type is multipart or application/x-www-form-urlencoded. If no Encoding Object is provided for a property, the behavior is determined by the default values documented for the Encoding Object.

This object MAY be extended with Specification Extensions.

Media Type Examples
{
  "application/json": {
    "schema": {
      "$ref": "#/components/schemas/Pet"
    },
    "examples": {
      "cat" : {
        "summary": "An example of a cat",
        "value": {
          "name": "Fluffy",
          "petType": "Cat",
          "color": "White",
          "gender": "male",
          "breed": "Persian"
        }
      },
      "dog": {
        "summary": "An example of a dog with a cat's name",
        "value" : {
          "name": "Puma",
          "petType": "Dog",
          "color": "Black",
          "gender": "Female",
          "breed": "Mixed"
        }
      },
      "frog": {
        "$ref": "#/components/examples/frog-example"
      }
    }
  }
}
application/json:
  schema:
    $ref: "#/components/schemas/Pet"
  examples:
    cat:
      summary: An example of a cat
      value:
        name: Fluffy
        petType: Cat
        color: White
        gender: male
        breed: Persian
    dog:
      summary: An example of a dog with a cat's name
      value:
        name: Puma
        petType: Dog
        color: Black
        gender: Female
        breed: Mixed
    frog:
      $ref: "#/components/examples/frog-example"
Considerations for File Uploads

In contrast with the 2.0 specification, file input/output content in OpenAPI is described with the same semantics as any other schema type. Specifically:

# content transferred in binary (octet-stream):
schema:
  type: string
  format: binary

These examples apply to either input payloads of file uploads or response payloads.

A requestBody for submitting a file in a POST operation may look like the following example:

requestBody:
  content:
    application/octet-stream:
      schema:
        # a binary file of any type
        type: string
        format: binary

In addition, specific media types MAY be specified:

# multiple, specific media types may be specified:
requestBody:
  content:
      # a binary file of type png or jpeg
    'image/jpeg':
      schema:
        type: string
        format: binary
    'image/png':
      schema:
        type: string
        format: binary

To upload multiple files, a multipart media type MUST be used:

requestBody:
  content:
    multipart/form-data:
      schema:
        properties:
          # The property name 'file' will be used for all files.
          file:
            type: array
            items:
              type: string
              format: binary
Support for x-www-form-urlencoded Request Bodies

To submit content using form url encoding via RFC1866, the following definition may be used:

requestBody:
  content:
    application/x-www-form-urlencoded:
      schema:
        type: object
        properties:
          id:
            type: string
            format: uuid
          address:
            # complex types are stringified to support RFC 1866
            type: object
            properties: {}

In this example, the contents in the requestBody MUST be encoded per RFC1866 when passed to the server. In addition, the address field complex object will be serialized to a string representation prior to encoding.

When passing complex objects in the application/x-www-form-urlencoded content type, the default serialization strategy of such properties is described in the Encoding Object's style property as form.

With this example, given an id of f81d4fae-7dec-11d0-a765-00a0c91e6bf6 and a US-style address (with ZIP+4) as follows:

{
  "streetAddress": "123 Example Dr.",
  "city": "Somewhere",
  "state": "CA",
  "zip": "99999+1234"
}

Assuming the most compact representation of the JSON value (with unnecessary whitespace removed), we would expect to see the following request body, where space characters have been replaced with + and +, ", {, and } have been percent-encoded to %2B, %22, %7B, and %7D, respectively:

id=f81d4fae-7dec-11d0-a765-00a0c91e6bf6&address=%7B%22streetAddress%22:%22123+Example+Dr.%22,%22city%22:%22Somewhere%22,%22state%22:%22CA%22,%22zip%22:%2299999%2B1234%22%7D

Note that the id keyword is treated as text/plain per the Encoding Object's default behavior, and is serialized as-is. If it were treated as application/json, then the serialized value would be a JSON string including quotation marks, which would be percent-encoded as %22.

Here is the id parameter (without address) serialized as application/json instead of text/plain, and then encoded per RFC1866:

id=%22f81d4fae-7dec-11d0-a765-00a0c91e6bf6%22
Special Considerations for multipart Content

It is common to use multipart/form-data as a Content-Type when transferring request bodies to operations. In contrast to 2.0, a schema is REQUIRED to define the input parameters to the operation when using multipart content. This supports complex structures as well as supporting mechanisms for multiple file uploads.

When passing in multipart types, boundaries MAY be used to separate sections of the content being transferred — thus, the following default Content-Types are defined for multipart:

  • If the property is a primitive, or an array of primitive values, the default Content-Type is text/plain
  • If the property is complex, or an array of complex values, the default Content-Type is application/json
  • If the property is a type: string with format: binary or format: byte (aka a file object), the default Content-Type is application/octet-stream

Note that only multipart/* media types with named parts can be described as shown here. Note also that while multipart/form-data originally defined a per-part Content-Transfer-Encoding header that could indicate base64 encoding (format: byte), it has been deprecated for use with HTTP as of RFC7578.

Examples:

requestBody:
  content:
    multipart/form-data:
      schema:
        type: object
        properties:
          id:
            type: string
            format: uuid
          address:
            # default Content-Type for objects is `application/json`
            type: object
            properties: {}
          profileImage:
            # default Content-Type for string/binary is `application/octet-stream`
            type: string
            format: binary
          children:
            # default Content-Type for arrays is based on the `inner` type (text/plain here)
            type: array
            items:
              type: string
          addresses:
            # default Content-Type for arrays is based on the `inner` type (object shown, so `application/json` in this example)
            type: array
            items:
              $ref: '#/components/schemas/Address'

An encoding attribute is introduced to give you control over the serialization of parts of multipart request bodies. This attribute is only applicable to request bodies, and only for multipart and application/x-www-form-urlencoded media types.

Encoding Object

A single encoding definition applied to a single schema property. See Appendix B for a discussion of converting values of various types to string representations.

Fixed Fields
Field Name Type Description
contentType string The Content-Type for encoding a specific property. Default value depends on the property type: for string with format being binaryapplication/octet-stream; for other primitive types – text/plain; for object - application/json; for array – the default is defined based on the inner type. The value can be a specific media type (e.g. application/json), a wildcard media type (e.g. image/*), or a comma-separated list of the two types.
headers Map[string, Header Object | Reference Object] A map allowing additional information to be provided as headers, for example Content-Disposition. Content-Type is described separately and SHALL be ignored in this section. This property SHALL be ignored if the request body media type is not a multipart.
style string Describes how a specific property value will be serialized depending on its type. See Parameter Object for details on the style property. The behavior follows the same values as query parameters, including default values. This property SHALL be ignored if the request body media type is not application/x-www-form-urlencoded.
explode boolean When this is true, property values of type array or object generate separate parameters for each value of the array, or key-value-pair of the map. For other types of properties this property has no effect. When style is form, the default value is true. For all other styles, the default value is false. This property SHALL be ignored if the request body media type is not application/x-www-form-urlencoded.
allowReserved boolean When this is true, parameter values are serialized using reserved expansion, as defined by RFC6570, which allows RFC3986's reserved character set, as well as percent-encoded triples, to pass through unchanged, while still percent-encoding all other disallowed characters (including % outside of percent-encoded triples). Applications are still responsible for percent-encoding reserved characters that are not allowed in the query string ([, ], #), or have a special meaning in application/x-www-form-urlencoded (-, &, +); see Appendices C and E for details. This property only applies to parameters with an in value of query. The default value is false.

This object MAY be extended with Specification Extensions.

See also Appendix C: Using RFC6570 Implementations for additional guidance.

Encoding Object Example

multipart/form-data allows for binary parts:

requestBody:
  content:
    multipart/form-data:
      schema:
        type: object
        properties:
          id:
            # default is text/plain
            type: string
            format: uuid
          address:
            # default is application/json
            type: object
            properties: {}
          historyMetadata:
            # need to declare XML format!
            description: metadata in XML format
            type: object
            properties: {}
          profileImage:
            # default is application/octet-stream, need to declare an image type only!
            type: string
            format: binary
      encoding:
        historyMetadata:
          # require XML Content-Type in utf-8 encoding
          contentType: application/xml; charset=utf-8
        profileImage:
          # only accept png/jpeg
          contentType: image/png, image/jpeg
          headers:
            X-Rate-Limit-Limit:
              description: The number of allowed requests in the current period
              schema:
                type: integer

application/x-www-form-urlencoded is a text format, which requires base64-encoding any binary data:

requestBody:
  content:
    application/x-www-form-urlencoded:
      schema:
        type: object
        properties:
          name:
            type: string
          icon:
            # default is text/plain, need to declare an image type only!
            type: string
            format: byte
  encoding:
    icon:
      contentType: image/png, image/jpeg

Responses Object

A container for the expected responses of an operation. The container maps a HTTP response code to the expected response.

The documentation is not necessarily expected to cover all possible HTTP response codes because they may not be known in advance. However, documentation is expected to cover a successful operation response and any known errors.

The default MAY be used as a default response object for all HTTP codes that are not covered individually by the specification.

The Responses Object MUST contain at least one response code, and it SHOULD be the response for a successful operation call.

Fixed Fields
Field Name Type Description
default Response Object | Reference Object The documentation of responses other than the ones declared for specific HTTP response codes. Use this field to cover undeclared responses. A Reference Object can link to a response that the OpenAPI Object's components/responses section defines.
Patterned Fields
Field Pattern Type Description
HTTP Status Code Response Object | Reference Object Any HTTP status code can be used as the property name, but only one property per code, to describe the expected response for that HTTP status code. A Reference Object can link to a response that is defined in the OpenAPI Object's components/responses section. This field MUST be enclosed in quotation marks (for example, "200") for compatibility between JSON and YAML. To define a range of response codes, this field MAY contain the uppercase wildcard character X. For example, 2XX represents all response codes between [200-299]. Only the following range definitions are allowed: 1XX, 2XX, 3XX, 4XX, and 5XX. If a response is defined using an explicit code, the explicit code definition takes precedence over the range definition for that code.

This object MAY be extended with Specification Extensions.

Responses Object Example

A 200 response for a successful operation and a default response for others (implying an error):

{
  "200": {
    "description": "a pet to be returned",
    "content": {
      "application/json": {
        "schema": {
          "$ref": "#/components/schemas/Pet"
        }
      }
    }
  },
  "default": {
    "description": "Unexpected error",
    "content": {
      "application/json": {
        "schema": {
          "$ref": "#/components/schemas/ErrorModel"
        }
      }
    }
  }
}
'200':
  description: a pet to be returned
  content:
    application/json:
      schema:
        $ref: '#/components/schemas/Pet'
default:
  description: Unexpected error
  content:
    application/json:
      schema:
        $ref: '#/components/schemas/ErrorModel'

Response Object

Describes a single response from an API Operation, including design-time, static links to operations based on the response.

Fixed Fields
Field Name Type Description
description string REQUIRED. A short description of the response. CommonMark syntax MAY be used for rich text representation.
headers Map[string, Header Object | Reference Object] Maps a header name to its definition. RFC7230 states header names are case insensitive. If a response header is defined with the name "Content-Type", it SHALL be ignored.
content Map[string, Media Type Object] A map containing descriptions of potential response payloads. The key is a media type or media type range and the value describes it. For responses that match multiple keys, only the most specific key is applicable. e.g. text/plain overrides text/*
links Map[string, Link Object | Reference Object] A map of operations links that can be followed from the response. The key of the map is a short name for the link, following the naming constraints of the names for Component Objects.

This object MAY be extended with Specification Extensions.

Response Object Examples

Response of an array of a complex type:

{
  "description": "A complex object array response",
  "content": {
    "application/json": {
      "schema": {
        "type": "array",
        "items": {
          "$ref": "#/components/schemas/VeryComplexType"
        }
      }
    }
  }
}
description: A complex object array response
content:
  application/json:
    schema:
      type: array
      items:
        $ref: '#/components/schemas/VeryComplexType'

Response with a string type:

{
  "description": "A simple string response",
  "content": {
    "text/plain": {
      "schema": {
        "type": "string"
      }
    }
  }
}
description: A simple string response
content:
  text/plain:
    schema:
      type: string

Plain text response with headers:

{
  "description": "A simple string response",
  "content": {
    "text/plain": {
      "schema": {
        "type": "string",
        "example": "whoa!"
      }
    }
  },
  "headers": {
    "X-Rate-Limit-Limit": {
      "description": "The number of allowed requests in the current period",
      "schema": {
        "type": "integer"
      }
    },
    "X-Rate-Limit-Remaining": {
      "description": "The number of remaining requests in the current period",
      "schema": {
        "type": "integer"
      }
    },
    "X-Rate-Limit-Reset": {
      "description": "The number of seconds left in the current period",
      "schema": {
        "type": "integer"
      }
    }
  }
}
description: A simple string response
content:
  text/plain:
    schema:
      type: string
    example: 'whoa!'
headers:
  X-Rate-Limit-Limit:
    description: The number of allowed requests in the current period
    schema:
      type: integer
  X-Rate-Limit-Remaining:
    description: The number of remaining requests in the current period
    schema:
      type: integer
  X-Rate-Limit-Reset:
    description: The number of seconds left in the current period
    schema:
      type: integer

Response with no return value:

{
  "description": "object created"
}
description: object created

Callback Object

A map of possible out-of band callbacks related to the parent operation. Each value in the map is a Path Item Object that describes a set of requests that may be initiated by the API provider and the expected responses. The key value used to identify the path item object is an expression, evaluated at runtime, that identifies a URL to use for the callback operation.

Patterned Fields
Field Pattern Type Description
{expression} Path Item Object A Path Item Object used to define a callback request and expected responses. A complete example is available.

This object MAY be extended with Specification Extensions.

Key Expression

The key that identifies the Path Item Object is a runtime expression that can be evaluated in the context of a runtime HTTP request/response to identify the URL to be used for the callback request. A simple example might be $request.body#/url. However, using a runtime expression the complete HTTP message can be accessed. This includes accessing any part of a body that a JSON Pointer RFC6901 can reference.

For example, given the following HTTP request:

POST /subscribe/myevent?queryUrl=http://clientdomain.com/stillrunning HTTP/1.1
Host: example.org
Content-Type: application/json
Content-Length: 187

{
  "failedUrl" : "http://clientdomain.com/failed",
  "successUrls" : [
    "http://clientdomain.com/fast",
    "http://clientdomain.com/medium",
    "http://clientdomain.com/slow"
  ]
}

201 Created
Location: http://example.org/subscription/1

The following examples show how the various expressions evaluate, assuming the callback operation has a path parameter named eventType and a query parameter named queryUrl.

Expression Value
$url http://example.org/subscribe/myevent?queryUrl=http://clientdomain.com/stillrunning
$method POST
$request.path.eventType myevent
$request.query.queryUrl http://clientdomain.com/stillrunning
$request.header.content-Type application/json
$request.body#/failedUrl http://clientdomain.com/failed
$request.body#/successUrls/1 http://clientdomain.com/medium
$response.header.Location http://example.org/subscription/1
Callback Object Examples

The following example uses the user provided queryUrl query string parameter to define the callback URL. This is an example of how to use a callback object to describe a WebHook callback that goes with the subscription operation to enable registering for the WebHook.

myCallback:
  '{$request.query.queryUrl}':
    post:
      requestBody:
        description: Callback payload
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SomePayload'
      responses:
        '200':
          description: callback successfully processed

The following example shows a callback where the server is hard-coded, but the query string parameters are populated from the id and email property in the request body.

transactionCallback:
  'http://notificationServer.com?transactionId={$request.body#/id}&email={$request.body#/email}':
    post:
      requestBody:
        description: Callback payload
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SomePayload'
      responses:
        '200':
          description: callback successfully processed

Example Object

Fixed Fields
Field Name Type Description
summary string Short description for the example.
description string Long description for the example. CommonMark syntax MAY be used for rich text representation.
value Any Embedded literal example. The value field and externalValue field are mutually exclusive. To represent examples of media types that cannot naturally represented in JSON or YAML, use a string value to contain the example, escaping where necessary.
externalValue string A URL that points to the literal example. This provides the capability to reference examples that cannot easily be included in JSON or YAML documents. The value field and externalValue field are mutually exclusive.

This object MAY be extended with Specification Extensions.

In all cases, the example value SHOULD be compatible with the schema of its associated value. Tooling implementations MAY choose to validate compatibility automatically, and reject the example value(s) if incompatible.

Working With Examples

Example Objects can be used in both Parameter Objects and Media Type Objects. In both Objects, this is done through the examples (plural) field. However, there are two other ways to provide examples: The example (singular) field that is mutually exclusive with examples in both Objects, and the example (singular) field in the Schema Object that appears in the schema field of both Objects. Each of these fields has slightly different considerations.

The Schema Object's example field is used to show example values without regard to how they might be formatted as parameters or within media type representations.

The mutually exclusive fields in the Parameter or Media Type Objects are used to show example values which SHOULD both match the schema and be formatted as they would appear as a serialized parameter or within a media type representation. The exact serialization and encoding is determined by various fields in the Parameter Object, or in the Media Type Object's Encoding Object. Because examples using these fields represent the final serialized form of the data, they SHALL override any example in the corresponding Schema Object.

The singular example field in the Parameter or Media Type object is concise and convenient for simple examples, but does not offer any other advantages over using Example Objects under examples.

Some examples cannot be represented directly in JSON or YAML. For all three ways of providing examples, these can be shown as string values with any escaping necessary to make the string valid in the JSON or YAML format of the OpenAPI Description document. With the Example Object, such values can alternatively be handled through the externalValue field.

Example Object Examples

In a request body:

requestBody:
  content:
    'application/json':
      schema:
        $ref: '#/components/schemas/Address'
      examples:
        foo:
          summary: A foo example
          value: {"foo": "bar"}
        bar:
          summary: A bar example
          value: {"bar": "baz"}
    application/xml:
      examples:
        xmlExample:
          summary: This is an example in XML
          externalValue: https://example.org/examples/address-example.xml
    text/plain:
      examples:
        textExample:
          summary: This is a text example
          externalValue: http://foo.bar/examples/address-example.txt

In a parameter:

parameters:
  - name: zipCode
    in: query
    schema:
      type: string
      format: zip-code
    examples:
      zip-example:
        $ref: '#/components/examples/zip-example'

In a response:

responses:
  '200':
    description: your car appointment has been booked
    content:
      application/json:
        schema:
          $ref: '#/components/schemas/SuccessResponse'
        examples:
          confirmation-success:
            $ref: '#/components/examples/confirmation-success'

Two different uses of JSON strings:

First, a request or response body that is just a JSON string (not an object containing a string):

"application/json": {
  "schema": {
    "type": "string"
  },
  "examples": {
    "jsonBody": {
      "description": "A body of just the JSON string \"json\"",
      "value": "json"
    }
  }
}
application/json:
  schema:
    type: string
  examples:
    jsonBody:
      description: 'A body of just the JSON string "json"'
      value: json

In the above example, we can just show the JSON string (or any JSON value) as-is, rather than stuffing a serialized JSON value into a JSON string, which would have looked like "\"json\"".

In contrast, a JSON string encoded inside of a URL-style form body:

"application/x-www-form-urlencoded": {
  "schema": {
    "type": "object",
    "properties": {
      "jsonValue": {
        "type": "string"
      }
    }
  },
  "encoding": {
    "jsonValue": {
      "contentType": "application/json"
    }
  },
  "examples": {
    "jsonFormValue": {
      "description": "The JSON string \"json\" as a form value",
      "value": "jsonValue=%22json%22"
    }
  }
}
application/x-www-form-urlencoded:
  schema:
    type: object
    properties:
      jsonValue:
        type: string
  encoding:
    jsonValue:
      contentType: application/json
  examples:
    jsonFormValue:
      description: 'The JSON string "json" as a form value'
      value: jsonValue=%22json%22

In this example, the JSON string had to be serialized before encoding it into the URL form value, so the example includes the quotation marks that are part of the JSON serialization, which are then URL percent-encoded.

Link Object

The Link object represents a possible design-time link for a response. The presence of a link does not guarantee the caller's ability to successfully invoke it, rather it provides a known relationship and traversal mechanism between responses and other operations.

Unlike dynamic links (i.e. links provided in the response payload), the OAS linking mechanism does not require link information in the runtime response.

For computing links, and providing instructions to execute them, a runtime expression is used for accessing values in an operation and using them as parameters while invoking the linked operation.

Fixed Fields
Field Name Type Description
operationRef string A relative or absolute URI reference to an OAS operation. This field is mutually exclusive of the operationId field, and MUST point to an Operation Object. Relative operationRef values MAY be used to locate an existing Operation Object in the OpenAPI definition.
operationId string The name of an existing, resolvable OAS operation, as defined with a unique operationId. This field is mutually exclusive of the operationRef field.
parameters Map[string, Any | {expression}] A map representing parameters to pass to an operation as specified with operationId or identified via operationRef. The key is the parameter name to be used (optionally qualified with the parameter location, e.g. path.id for an id parameter in the path), whereas the value can be a constant or an expression to be evaluated and passed to the linked operation.
requestBody Any | {expression} A literal value or {expression} to use as a request body when calling the target operation.
description string A description of the link. CommonMark syntax MAY be used for rich text representation.
server Server Object A server object to be used by the target operation.

This object MAY be extended with Specification Extensions.

A linked operation MUST be identified using either an operationRef or operationId. In the case of an operationId, it MUST be unique and resolved in the scope of the OAS document. Because of the potential for name clashes, the operationRef syntax is preferred for specifications with external references.

Note that it is not possible to provide a constant value to parameters that matches the syntax of a runtime expression. It is possible to have ambiguous parameter names, e.g. name: id, in: path and name: path.id, in: query; this is NOT RECOMMENDED and the behavior is implementation-defined, however implementations SHOULD prefer the qualified interpretation (path.id as a path parameter), as the names can always be qualified to disambiguate them (e.g. using query.path.id for the query paramter).

Examples

Computing a link from a request operation where the $request.path.id is used to pass a request parameter to the linked operation.

paths:
  /users/{id}:
    parameters:
    - name: id
      in: path
      required: true
      description: the user identifier, as userId
      schema:
        type: string
    get:
      responses:
        '200':
          description: the user being returned
          content:
            application/json:
              schema:
                type: object
                properties:
                  uuid: # the unique user id
                    type: string
                    format: uuid
          links:
            address:
              # the target link operationId
              operationId: getUserAddress
              parameters:
                # get the `id` field from the request path parameter named `id`
                userid: $request.path.id
  # the path item of the linked operation
  /users/{userid}/address:
    parameters:
    - name: userid
      in: path
      required: true
      description: the user identifier, as userId
      schema:
        type: string
    # linked operation
    get:
      operationId: getUserAddress
      responses:
        '200':
          description: the user's address

When a runtime expression fails to evaluate, no parameter value is passed to the target operation.

Values from the response body can be used to drive a linked operation.

links:
  address:
    operationId: getUserAddressByUUID
    parameters:
      # get the `uuid` field from the `uuid` field in the response body
      userUuid: $response.body#/uuid

Clients follow all links at their discretion. Neither permissions, nor the capability to make a successful call to that link, is guaranteed solely by the existence of a relationship.

OperationRef Examples

As references to operationId MAY NOT be possible (the operationId is an optional field in an Operation Object), references MAY also be made through a relative operationRef:

links:
  UserRepositories:
    # returns array of '#/components/schemas/repository'
    operationRef: '#/paths/~12.0~1repositories~1%7Busername%7D/get'
    parameters:
      username: $response.body#/username

or an absolute operationRef:

links:
  UserRepositories:
    # returns array of '#/components/schemas/repository'
    operationRef: https://na2.gigantic-server.com/#/paths/~12.0~1repositories~1%7Busername%7D/get
    parameters:
      username: $response.body#/username

Note that in the use of operationRef, the escaped forward-slash is necessary when using JSON Pointers, and it is necessary to URL-encode { and } as %7B and %7D, respectively when using JSON Pointers as URI fragments.

Runtime Expressions

Runtime expressions allow defining values based on information that will only be available within the HTTP message in an actual API call. This mechanism is used by Link Objects and Callback Objects.

The runtime expression is defined by the following ABNF syntax

    expression = ( "$url" / "$method" / "$statusCode" / "$request." source / "$response." source )
    source = ( header-reference / query-reference / path-reference / body-reference )
    header-reference = "header." token
    query-reference = "query." name  
    path-reference = "path." name
    body-reference = "body" ["#" json-pointer ]
    json-pointer    = *( "/" reference-token )
    reference-token = *( unescaped / escaped )
    unescaped       = %x00-2E / %x30-7D / %x7F-10FFFF
       ; %x2F ('/') and %x7E ('~') are excluded from 'unescaped'
    escaped         = "~" ( "0" / "1" )
      ; representing '~' and '/', respectively
    name = *( CHAR )
    token = 1*tchar
    tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
      "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

Here, json-pointer is taken from RFC 6901, char from RFC 7159 and token from RFC 7230.

The name identifier is case-sensitive, whereas token is not.

The table below provides examples of runtime expressions and examples of their use in a value:

Examples
Source Location example expression notes
HTTP Method $method The allowable values for the $method will be those for the HTTP operation.
Requested media type $request.header.accept
Request parameter $request.path.id Request parameters MUST be declared in the parameters section of the parent operation or they cannot be evaluated. This includes request headers.
Request body property $request.body#/user/uuid In operations which accept payloads, references may be made to portions of the requestBody or the entire body.
Request URL $url
Response value $response.body#/status In operations which return payloads, references may be made to portions of the response body or the entire body.
Response header $response.header.Server Single header values only are available

Runtime expressions preserve the type of the referenced value. Expressions can be embedded into string values by surrounding the expression with {} curly braces.

Header Object

Describes a single header for HTTP responses and for individual parts in multipart representations; see the relevant Response Object and Encoding Object documentation for restrictions on which headers can be described.

The Header Object follows the structure of the Parameter Object, including determining its serialization strategy based on whether schema or content is present, with the following changes:

  1. name MUST NOT be specified, it is given in the corresponding headers map.
  2. in MUST NOT be specified, it is implicitly in header.
  3. All traits that are affected by the location MUST be applicable to a location of header (for example, style). This means that allowEmptyValue and allowReserved MUST NOT be used, and style, if used, MUST be limited to simple.
Common Fixed Fields

These fields MAY be used with either content or schema.

Field Name Type Description
description string A brief description of the header. This could contain examples of use. CommonMark syntax MAY be used for rich text representation.
required boolean Determines whether this header is mandatory. The default value is false.
deprecated boolean Specifies that the header is deprecated and SHOULD be transitioned out of usage. Default value is false.
Fixed Fields for use with schema

For simpler scenarios, a schema and style can describe the structure and syntax of the header. When example or examples are provided in conjunction with the schema object, the example MUST follow the prescribed serialization strategy for the header.

Serializing with schema is NOT RECOMMENDED for headers with parameters (name=value pairs following a ;) in their values, or where values might have non-URL-safe characters; see Appendix D for details.

Field Name Type Description
style string Describes how the header value will be serialized. The default (and only legal value for headers) is simple.
explode boolean When this is true, header values of type array or object generate a single header whose value is a comma-separated list of the array items or key-value pairs of the map, see Style Examples. For other data types this property has no effect. The default value is false.
schema Schema Object | Reference Object The schema defining the type used for the header.
example Any Example of the header's potential value. The example SHOULD match the specified schema and encoding properties if present. The example field is mutually exclusive of the examples field. Furthermore, if referencing a schema that contains an example, the example value SHALL override the example provided by the schema. To represent examples of media types that cannot naturally be represented in JSON or YAML, a string value can contain the example with escaping where necessary.
examples Map[ string, Example Object | Reference Object] Examples of the header's potential value. Each example SHOULD contain a value in the correct format as specified in the header encoding. The examples field is mutually exclusive of the example field. Furthermore, if referencing a schema that contains an example, the examples value SHALL override the example provided by the schema.

See also Appendix C: Using RFC6570 Implementations for additional guidance.

Fixed Fields for use with content

For more complex scenarios, the content property can define the media type and schema of the header, as well as give examples of its use. Using content with a text/plain media type is RECOMMENDED for headers where the schema strategy is not appropriate.

Field Name Type Description
content Map[string, Media Type Object] A map containing the representations for the header. The key is the media type and the value describes it. The map MUST only contain one entry.
Header Object Example

A simple header of type integer:

"X-Rate-Limit-Limit": {
  "description": "The number of allowed requests in the current period",
  "schema": {
    "type": "integer"
  }
}
X-Rate-Limit-Limit:
  description: The number of allowed requests in the current period
  schema:
    type: integer

Requiring that a strong ETag header (with a value starting with " rather than W/) is present. Note the use of content, because using schema and style would require the " to be percent-encoded as %22:

"ETag": {
  "required": true,
  "content": {
    "text/plain": {
      "schema": {
        "type": "string",
        "pattern": "^\""
      }
    }
  }
}
ETag:
  required: true
  content:
    text/plain:
      schema:
        type: string
        pattern: ^"

Tag Object

Adds metadata to a single tag that is used by the Operation Object. It is not mandatory to have a Tag Object per tag defined in the Operation Object instances.

Fixed Fields
Field Name Type Description
name string REQUIRED. The name of the tag.
description string A short description for the tag. CommonMark syntax MAY be used for rich text representation.
externalDocs External Documentation Object Additional external documentation for this tag.

This object MAY be extended with Specification Extensions.

Tag Object Example
{
  "name": "pet",
  "description": "Pets operations"
}
name: pet
description: Pets operations

Reference Object

A simple object to allow referencing other components in the specification, internally and externally.

The Reference Object is defined by JSON Reference and follows the same structure, behavior and rules.

For this specification, reference resolution is accomplished as defined by the JSON Reference specification and not by the JSON Schema specification.

Fixed Fields
Field Name Type Description
$ref string REQUIRED. The reference string.

This object cannot be extended with additional properties and any properties added SHALL be ignored.

Reference Object Example
{
  "$ref": "#/components/schemas/Pet"
}
$ref: '#/components/schemas/Pet'
Relative Schema Document Example
{
  "$ref": "Pet.json"
}
$ref: Pet.yaml
Relative Documents With Embedded Schema Example
{
  "$ref": "definitions.json#/Pet"
}
$ref: definitions.yaml#/Pet

Schema Object

The Schema Object allows the definition of input and output data types. These types can be objects, but also primitives and arrays. This object is an extended subset of the JSON Schema Specification Wright Draft 00.

For more information about the properties, see JSON Schema Core and JSON Schema Validation. Unless stated otherwise, the property definitions follow the JSON Schema.

Properties

The following properties are taken directly from the JSON Schema definition and follow the same specifications:

  • title
  • multipleOf
  • maximum
  • exclusiveMaximum
  • minimum
  • exclusiveMinimum
  • maxLength
  • minLength
  • pattern (This string SHOULD be a valid regular expression, according to the Ecma-262 Edition 5.1 regular expression dialect)
  • maxItems
  • minItems
  • uniqueItems
  • maxProperties
  • minProperties
  • required
  • enum

The following properties are taken from the JSON Schema definition but their definitions were adjusted to the OpenAPI Specification.

  • type - Value MUST be a string. Multiple types via an array are not supported.
  • allOf - Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema.
  • oneOf - Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema.
  • anyOf - Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema.
  • not - Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema.
  • items - Value MUST be an object and not an array. Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema. items MUST be present if the type is array.
  • properties - Property definitions MUST be a Schema Object and not a standard JSON Schema (inline or referenced).
  • additionalProperties - Value can be boolean or object. Inline or referenced schema MUST be of a Schema Object and not a standard JSON Schema. Consistent with JSON Schema, additionalProperties defaults to true.
  • description - CommonMark syntax MAY be used for rich text representation.
  • format - See Data Type Formats for further details. While relying on JSON Schema's defined formats, the OAS offers a few additional predefined formats.
  • default - The default value represents what would be assumed by the consumer of the input as the value of the schema if one is not provided. Unlike JSON Schema, the value MUST conform to the defined type for the Schema Object defined at the same level. For example, if type is string, then default can be "foo" but cannot be 1.

Alternatively, any time a Schema Object can be used, a Reference Object can be used in its place. This allows referencing definitions instead of defining them inline.

Additional properties defined by the JSON Schema specification that are not mentioned here are strictly unsupported.

Other than the JSON Schema subset fields, the following fields MAY be used for further schema documentation:

Fixed Fields
Field Name Type Description
nullable boolean A true value adds "null" to the allowed type specified by the type keyword, only if type is explicitly defined within the same Schema Object. Other Schema Object constraints retain their defined behavior, and therefore may disallow the use of null as a value. A false value leaves the specified or default type unmodified. The default value is false.
discriminator Discriminator Object Adds support for polymorphism. The discriminator is an object name that is used to differentiate between other schemas which may satisfy the payload description. See Composition and Inheritance for more details.
readOnly boolean Relevant only for Schema "properties" definitions. Declares the property as "read only". This means that it MAY be sent as part of a response but SHOULD NOT be sent as part of the request. If the property is marked as readOnly being true and is in the required list, the required will take effect on the response only. A property MUST NOT be marked as both readOnly and writeOnly being true. Default value is false.
writeOnly boolean Relevant only for Schema "properties" definitions. Declares the property as "write only". Therefore, it MAY be sent as part of a request but SHOULD NOT be sent as part of the response. If the property is marked as writeOnly being true and is in the required list, the required will take effect on the request only. A property MUST NOT be marked as both readOnly and writeOnly being true. Default value is false.
xml XML Object This MAY be used only on properties schemas. It has no effect on root schemas. Adds additional metadata to describe the XML representation of this property.
externalDocs External Documentation Object Additional external documentation for this schema.
example Any A free-form property to include an example of an instance for this schema. To represent examples that cannot be naturally represented in JSON or YAML, a string value can be used to contain the example with escaping where necessary.
deprecated boolean Specifies that a schema is deprecated and SHOULD be transitioned out of usage. Default value is false.

This object MAY be extended with Specification Extensions.

Composition and Inheritance (Polymorphism)

The OpenAPI Specification allows combining and extending model definitions using the allOf property of JSON Schema, in effect offering model composition. allOf takes an array of object definitions that are validated independently but together compose a single object.

While composition offers model extensibility, it does not imply a hierarchy between the models. To support polymorphism, the OpenAPI Specification adds the discriminator field. When used, the discriminator will be the name of the property that decides which schema definition validates the structure of the model. As such, the discriminator field MUST be a required field. There are two ways to define the value of a discriminator for an inheriting instance.

  • Use the schema name.
  • Override the schema name by overriding the property with a new value. If a new value exists, this takes precedence over the schema name. As such, inline schema definitions, which do not have a given id, cannot be used in polymorphism.
XML Modeling

The xml property allows extra definitions when translating the JSON definition to XML. The XML Object contains additional information about the available options.

Schema Object Examples
Primitive Sample
{
  "type": "string",
  "format": "email"
}
type: string
format: email
Simple Model
{
  "type": "object",
  "required": [
    "name"
  ],
  "properties": {
    "name": {
      "type": "string"
    },
    "address": {
      "$ref": "#/components/schemas/Address"
    },
    "age": {
      "type": "integer",
      "format": "int32",
      "minimum": 0
    }
  }
}
type: object
required:
- name
properties:
  name:
    type: string
  address:
    $ref: '#/components/schemas/Address'
  age:
    type: integer
    format: int32
    minimum: 0
Model with Map/Dictionary Properties

For a simple string to string mapping:

{
  "type": "object",
  "additionalProperties": {
    "type": "string"
  }
}
type: object
additionalProperties:
  type: string

For a string to model mapping:

{
  "type": "object",
  "additionalProperties": {
    "$ref": "#/components/schemas/ComplexModel"
  }
}
type: object
additionalProperties:
  $ref: '#/components/schemas/ComplexModel'
Model with Example
{
  "type": "object",
  "properties": {
    "id": {
      "type": "integer",
      "format": "int64"
    },
    "name": {
      "type": "string"
    }
  },
  "required": [
    "name"
  ],
  "example": {
    "name": "Puma",
    "id": 1
  }
}
type: object
properties:
  id:
    type: integer
    format: int64
  name:
    type: string
required:
- name
example:
  name: Puma
  id: 1
Models with Composition
{
  "components": {
    "schemas": {
      "ErrorModel": {
        "type": "object",
        "required": [
          "message",
          "code"
        ],
        "properties": {
          "message": {
            "type": "string"
          },
          "code": {
            "type": "integer",
            "minimum": 100,
            "maximum": 600
          }
        }
      },
      "ExtendedErrorModel": {
        "allOf": [
          {
            "$ref": "#/components/schemas/ErrorModel"
          },
          {
            "type": "object",
            "required": [
              "rootCause"
            ],
            "properties": {
              "rootCause": {
                "type": "string"
              }
            }
          }
        ]
      }
    }
  }
}
components:
  schemas:
    ErrorModel:
      type: object
      required:
      - message
      - code
      properties:
        message:
          type: string
        code:
          type: integer
          minimum: 100
          maximum: 600
    ExtendedErrorModel:
      allOf:
      - $ref: '#/components/schemas/ErrorModel'
      - type: object
        required:
        - rootCause
        properties:
          rootCause:
            type: string
Models with Polymorphism Support
{
  "components": {
    "schemas": {
      "Pet": {
        "type": "object",
        "discriminator": {
          "propertyName": "petType"
        },
        "properties": {
          "name": {
            "type": "string"
          },
          "petType": {
            "type": "string"
          }
        },
        "required": [
          "name",
          "petType"
        ]
      },
      "Cat": {
        "description": "A representation of a cat. Note that `Cat` will be used as the discriminating value.",
        "allOf": [
          {
            "$ref": "#/components/schemas/Pet"
          },
          {
            "type": "object",
            "properties": {
              "huntingSkill": {
                "type": "string",
                "description": "The measured skill for hunting",
                "default": "lazy",
                "enum": [
                  "clueless",
                  "lazy",
                  "adventurous",
                  "aggressive"
                ]
              }
            },
            "required": [
              "huntingSkill"
            ]
          }
        ]
      },
      "Dog": {
        "description": "A representation of a dog. Note that `Dog` will be used as the discriminating value.",
        "allOf": [
          {
            "$ref": "#/components/schemas/Pet"
          },
          {
            "type": "object",
            "properties": {
              "packSize": {
                "type": "integer",
                "format": "int32",
                "description": "the size of the pack the dog is from",
                "default": 0,
                "minimum": 0
              }
            },
            "required": [
              "packSize"
            ]
          }
        ]
      }
    }
  }
}
components:
  schemas:
    Pet:
      type: object
      discriminator:
        propertyName: petType
      properties:
        name:
          type: string
        petType:
          type: string
      required:
      - name
      - petType
    Cat:  # "Cat" will be used as the discriminating value
      description: A representation of a cat
      allOf:
      - $ref: '#/components/schemas/Pet'
      - type: object
        properties:
          huntingSkill:
            type: string
            description: The measured skill for hunting
            enum:
            - clueless
            - lazy
            - adventurous
            - aggressive
        required:
        - huntingSkill
    Dog:  # "Dog" will be used as the discriminating value
      description: A representation of a dog
      allOf:
      - $ref: '#/components/schemas/Pet'
      - type: object
        properties:
          packSize:
            type: integer
            format: int32
            description: the size of the pack the dog is from
            default: 0
            minimum: 0
        required:
        - packSize

Discriminator Object

When request bodies or response payloads may be one of a number of different schemas, a Discriminator Object gives a hint about the expected schema of the document. This hint can be used to aid in serialization, deserialization, and validation. The Discriminator Object does this by implicitly or explicitly associating the possible values of a named property with alternative schemas.

Fixed Fields
Field Name Type Description
propertyName string REQUIRED. The name of the property in the payload that will hold the discriminating value. This property SHOULD be required in the payload schema, as the behavior when the property is absent is undefined.
mapping Map[string, string] An object to hold mappings between payload values and schema names or URI references.
Conditions for Using the Discriminator Object

The Discriminator Object is legal only when using one of the composite keywords oneOf, anyOf, allOf. In both the oneOf and anyOf use cases, where those keywords are adjacent to discriminator, all possible schemas MUST be listed explicitly. To avoid redundancy, the discriminator MAY be added to a parent schema definition, and all schemas building on the parent schema via an allOf construct may be used as an alternate schema. It is implementation-defined as to whether all named Schema Objects under the Components Object, or only those that are otherwise directly referenced are searched for allOf references to the parent schema. However, it is RECOMMENDED to search all named schemas in the Components Object because it is common with the allOf usage for other parts of the API to only directly reference the parent schema.

The behavior of any configuration of oneOf, anyOf, allOf and discriminator that is not described above is undefined.

Options for Mapping Values to Schemas

The value of the property named in propertyName is used as the name of the associated schema under the Components Object, unless a mapping is present for that value. The mapping entry maps a specific property value to either a different schema component name, or to a schema identified by a URI. When using implicit or explicit schema component names, inline oneOf or anyOf subschemas are not considered. The behavior of a mapping value that is both a valid schema name and a valid relative URI reference is implementation-defined, but it is RECOMMENDED that it be treated as a schema name. To ensure that an ambiguous value (e.g. "foo") is treated as a relative URI reference by all implementations, authors MUST prefix it with the "." path segment (e.g. "./foo").

Mapping keys MUST be string values, but tooling MAY convert response values to strings for comparison. However, the exact nature of such conversions are implementation-defined.

Examples

For these examples, assume all schemas are in the entry OpenAPI document; for handling of discriminator in referenced documents see Resolving Implicit Connections.

In OAS 3.0, a response payload MAY be described to be exactly one of any number of types:

MyResponseType:
  oneOf:
  - $ref: '#/components/schemas/Cat'
  - $ref: '#/components/schemas/Dog'
  - $ref: '#/components/schemas/Lizard'

which means the payload MUST, by validation, match exactly one of the schemas described by Cat, Dog, or Lizard. In this case, a discriminator MAY act as a "hint" to shortcut validation and selection of the matching schema which may be a costly operation, depending on the complexity of the schema. We can then describe exactly which field tells us which schema to use:

MyResponseType:
  oneOf:
  - $ref: '#/components/schemas/Cat'
  - $ref: '#/components/schemas/Dog'
  - $ref: '#/components/schemas/Lizard'
  discriminator:
    propertyName: petType

The expectation now is that a property with name petType MUST be present in the response payload, and the value will correspond to the name of a schema defined in the OAS document. Thus the response payload:

{
  "id": 12345,
  "petType": "Cat"
}

Will indicate that the Cat schema be used in conjunction with this payload.

In scenarios where the value of the discriminator field does not match the schema name or implicit mapping is not possible, an optional mapping definition MAY be used:

MyResponseType:
  oneOf:
  - $ref: '#/components/schemas/Cat'
  - $ref: '#/components/schemas/Dog'
  - $ref: '#/components/schemas/Lizard'
  - $ref: https://gigantic-server.com/schemas/Monster/schema.json
  discriminator:
    propertyName: petType
    mapping:
      dog: '#/components/schemas/Dog'
      monster: https://gigantic-server.com/schemas/Monster/schema.json

Here the discriminating value of dog will map to the schema #/components/schemas/Dog, rather than the default (implicit) value of #/components/schemas/dog. If the discriminating value does not match an implicit or explicit mapping, no schema can be determined and validation SHOULD fail.

When used in conjunction with the anyOf construct, the use of the discriminator can avoid ambiguity where multiple schemas may satisfy a single payload.

This example shows the allOf usage, which avoids needing to reference all child schemas in the parent:

components:
  schemas:
    Pet:
      type: object
      required:
      - petType
      properties:
        petType:
          type: string
      discriminator:
        propertyName: petType
        mapping:
          dog: Dog
    Cat:
      allOf:
      - $ref: '#/components/schemas/Pet'
      - type: object
        # all other properties specific to a `Cat`
        properties:
          name:
            type: string
    Dog:
      allOf:
      - $ref: '#/components/schemas/Pet'
      - type: object
        # all other properties specific to a `Dog`
        properties:
          bark:
            type: string
    Lizard:
      allOf:
      - $ref: '#/components/schemas/Pet'
      - type: object
        # all other properties specific to a `Lizard`
        properties:
          lovesRocks:
            type: boolean

a payload like this:

{
  "petType": "Cat",
  "name": "misty"
}

will indicate that the Cat schema be used. Likewise this schema:

{
  "petType": "dog",
  "bark": "soft"
}

will map to Dog because of the definition in the mappings element.

XML Object

A metadata object that allows for more fine-tuned XML model definitions.

When using arrays, XML element names are not inferred (for singular/plural forms) and the name property SHOULD be used to add that information. See examples for expected behavior.

Fixed Fields
Field Name Type Description
name string Replaces the name of the element/attribute used for the described schema property. When defined within items, it will affect the name of the individual XML elements within the list. When defined alongside type being array (outside the items), it will affect the wrapping element and only if wrapped is true. If wrapped is false, it will be ignored.
namespace string The URI of the namespace definition. Value MUST be in the form of an absolute URI.
prefix string The prefix to be used for the name.
attribute boolean Declares whether the property definition translates to an attribute instead of an element. Default value is false.
wrapped boolean MAY be used only for an array definition. Signifies whether the array is wrapped (for example, <books><book/><book/></books>) or unwrapped (<book/><book/>). Default value is false. The definition takes effect only when defined alongside type being array (outside the items).

This object MAY be extended with Specification Extensions.

XML Object Examples

The examples of the XML object definitions are included inside a property definition of a Schema Object with a sample of the XML representation of it.

No XML Element

Basic string property:

{
  "animals": {
    "type": "string"
  }
}
animals:
  type: string
<animals>...</animals>

Basic string array property (wrapped is false by default):

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string"
    }
  }
}
animals:
  type: array
  items:
    type: string
<animals>...</animals>
<animals>...</animals>
<animals>...</animals>
XML Name Replacement
{
  "animals": {
    "type": "string",
    "xml": {
      "name": "animal"
    }
  }
}
animals:
  type: string
  xml:
    name: animal
<animal>...</animal>
XML Attribute, Prefix and Namespace

In this example, a full model definition is shown.

{
  "Person": {
    "type": "object",
    "properties": {
      "id": {
        "type": "integer",
        "format": "int32",
        "xml": {
          "attribute": true
        }
      },
      "name": {
        "type": "string",
        "xml": {
          "namespace": "http://example.com/schema/sample",
          "prefix": "sample"
        }
      }
    }
  }
}
Person:
  type: object
  properties:
    id:
      type: integer
      format: int32
      xml:
        attribute: true
    name:
      type: string
      xml:
        namespace: http://example.com/schema/sample
        prefix: sample
<Person id="123">
    <sample:name xmlns:sample="http://example.com/schema/sample">example</sample:name>
</Person>
XML Arrays

Changing the element names:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string",
      "xml": {
        "name": "animal"
      }
    }
  }
}
animals:
  type: array
  items:
    type: string
    xml:
      name: animal
<animal>value</animal>
<animal>value</animal>

The external name property has no effect on the XML:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string",
      "xml": {
        "name": "animal"
      }
    },
    "xml": {
      "name": "aliens"
    }
  }
}
animals:
  type: array
  items:
    type: string
    xml:
      name: animal
  xml:
    name: aliens
<animal>value</animal>
<animal>value</animal>

Even when the array is wrapped, if a name is not explicitly defined, the same name will be used both internally and externally:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string"
    },
    "xml": {
      "wrapped": true
    }
  }
}
animals:
  type: array
  items:
    type: string
  xml:
    wrapped: true
<animals>
  <animals>value</animals>
  <animals>value</animals>
</animals>

To overcome the naming problem in the example above, the following definition can be used:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string",
      "xml": {
        "name": "animal"
      }
    },
    "xml": {
      "wrapped": true
    }
  }
}
animals:
  type: array
  items:
    type: string
    xml:
      name: animal
  xml:
    wrapped: true
<animals>
  <animal>value</animal>
  <animal>value</animal>
</animals>

Affecting both internal and external names:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string",
      "xml": {
        "name": "animal"
      }
    },
    "xml": {
      "name": "aliens",
      "wrapped": true
    }
  }
}
animals:
  type: array
  items:
    type: string
    xml:
      name: animal
  xml:
    name: aliens
    wrapped: true
<aliens>
  <animal>value</animal>
  <animal>value</animal>
</aliens>

If we change the external element but not the internal ones:

{
  "animals": {
    "type": "array",
    "items": {
      "type": "string"
    },
    "xml": {
      "name": "aliens",
      "wrapped": true
    }
  }
}
animals:
  type: array
  items:
    type: string
  xml:
    name: aliens
    wrapped: true
<aliens>
  <aliens>value</aliens>
  <aliens>value</aliens>
</aliens>

Security Scheme Object

Defines a security scheme that can be used by the operations. Supported schemes are HTTP authentication, an API key (either as a header, a cookie parameter or as a query parameter), OAuth2's common flows (implicit, password, client credentials and authorization code) as defined in RFC6749, and OpenID Connect Core.

Fixed Fields
Field Name Type Applies To Description
type string Any REQUIRED. The type of the security scheme. Valid values are "apiKey", "http", "oauth2", "openIdConnect".
description string Any A short description for security scheme. CommonMark syntax MAY be used for rich text representation.
name string apiKey REQUIRED. The name of the header, query or cookie parameter to be used.
in string apiKey REQUIRED. The location of the API key. Valid values are "query", "header" or "cookie".
scheme string http REQUIRED. The name of the HTTP Authentication scheme to be used in the Authorization header as defined in RFC7235. The values used SHOULD be registered in the IANA Authentication Scheme registry. The value is case-insensitive, as defined in RFC7235.
bearerFormat string http ("bearer") A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes.
flows OAuth Flows Object oauth2 REQUIRED. An object containing configuration information for the flow types supported.
openIdConnectUrl string openIdConnect REQUIRED. Well-known URL to discover the OpenID provider metadata.

This object MAY be extended with Specification Extensions.

Security Scheme Object Example
Basic Authentication Sample
{
  "type": "http",
  "scheme": "basic"
}
type: http
scheme: basic
API Key Sample
{
  "type": "apiKey",
  "name": "api_key",
  "in": "header"
}
type: apiKey
name: api_key
in: header
JWT Bearer Sample
{
  "type": "http",
  "scheme": "bearer",
  "bearerFormat": "JWT",
}
type: http
scheme: bearer
bearerFormat: JWT
Implicit OAuth2 Sample
{
  "type": "oauth2",
  "flows": {
    "implicit": {
      "authorizationUrl": "https://example.com/api/oauth/dialog",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      }
    }
  }
}
type: oauth2
flows:
  implicit:
    authorizationUrl: https://example.com/api/oauth/dialog
    scopes:
      write:pets: modify pets in your account
      read:pets: read your pets

OAuth Flows Object

Allows configuration of the supported OAuth Flows.

Fixed Fields
Field Name Type Description
implicit OAuth Flow Object Configuration for the OAuth Implicit flow
password OAuth Flow Object Configuration for the OAuth Resource Owner Password flow
clientCredentials OAuth Flow Object Configuration for the OAuth Client Credentials flow. Previously called application in OpenAPI 2.0.
authorizationCode OAuth Flow Object Configuration for the OAuth Authorization Code flow. Previously called accessCode in OpenAPI 2.0.

This object MAY be extended with Specification Extensions.

OAuth Flow Object

Configuration details for a supported OAuth Flow

Fixed Fields
Field Name Type Applies To Description
authorizationUrl string oauth2 ("implicit", "authorizationCode") REQUIRED. The authorization URL to be used for this flow. This MUST be in the form of a URL.
tokenUrl string oauth2 ("password", "clientCredentials", "authorizationCode") REQUIRED. The token URL to be used for this flow. This MUST be in the form of a URL.
refreshUrl string oauth2 The URL to be used for obtaining refresh tokens. This MUST be in the form of a URL.
scopes Map[string, string] oauth2 REQUIRED. The available scopes for the OAuth2 security scheme. A map between the scope name and a short description for it. The map MAY be empty.

This object MAY be extended with Specification Extensions.

OAuth Flow Object Examples
{
  "type": "oauth2",
  "flows": {
    "implicit": {
      "authorizationUrl": "https://example.com/api/oauth/dialog",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      }
    },
    "authorizationCode": {
      "authorizationUrl": "https://example.com/api/oauth/dialog",
      "tokenUrl": "https://example.com/api/oauth/token",
      "scopes": {
        "write:pets": "modify pets in your account",
        "read:pets": "read your pets"
      }
    }
  }
}
type: oauth2
flows:
  implicit:
    authorizationUrl: https://example.com/api/oauth/dialog
    scopes:
      write:pets: modify pets in your account
      read:pets: read your pets
  authorizationCode:
    authorizationUrl: https://example.com/api/oauth/dialog
    tokenUrl: https://example.com/api/oauth/token
    scopes:
      write:pets: modify pets in your account
      read:pets: read your pets

Security Requirement Object

Lists the required security schemes to execute this operation. The name used for each property MUST correspond to a security scheme declared in the Security Schemes under the Components Object.

Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized. This enables support for scenarios where multiple query parameters or HTTP headers are required to convey security information.

When a list of Security Requirement Objects is defined on the OpenAPI Object or Operation Object, only one of the Security Requirement Objects in the list needs to be satisfied to authorize the request.

Patterned Fields
Field Pattern Type Description
{name} [string] Each name MUST correspond to a security scheme which is declared in the Security Schemes under the Components Object. If the security scheme is of type "oauth2" or "openIdConnect", then the value is a list of scope names required for the execution, and the list MAY be empty if authorization does not require a specified scope. For other security scheme types, the array MUST be empty.
Security Requirement Object Examples
Non-OAuth2 Security Requirement
{
  "api_key": []
}
api_key: []
OAuth2 Security Requirement
{
  "petstore_auth": [
    "write:pets",
    "read:pets"
  ]
}
petstore_auth:
- write:pets
- read:pets
Optional OAuth2 Security

Optional OAuth2 security as would be defined in an OpenAPI Object or an Operation Object:

{
  "security": [
    {},
    {
      "petstore_auth": [
        "write:pets",
        "read:pets"
      ]
    }
  ]
}
security:
  - {}
  - petstore_auth:
    - write:pets
    - read:pets

Specification Extensions

While the OpenAPI Specification tries to accommodate most use cases, additional data can be added to extend the specification at certain points.

The extensions properties are implemented as patterned fields that are always prefixed by "x-".

Field Pattern Type Description
^x- Any Allows extensions to the OpenAPI Schema. The field name MUST begin with x-, for example, x-internal-id. The value can be null, a primitive, an array or an object. Can have any valid JSON format value.

The extensions may or may not be supported by the available tooling, but those may be extended as well to add requested support (if tools are internal or open-sourced).

Security Filtering

Some objects in the OpenAPI Specification MAY be declared and remain empty, or be completely removed, even though they are inherently the core of the API documentation.

The reasoning is to allow an additional layer of access control over the documentation. While not part of the specification itself, certain libraries MAY choose to allow access to parts of the documentation based on some form of authentication/authorization.

Two examples of this:

  1. The Paths Object MAY be empty. It may be counterintuitive, but this may tell the viewer that they got to the right place, but can't access any documentation. They'd still have access to the Info Object which may contain additional information regarding authentication.
  2. The Path Item Object MAY be empty. In this case, the viewer will be aware that the path exists, but will not be able to see any of its operations or parameters. This is different from hiding the path itself from the Paths Object, because the user will be aware of its existence. This allows the documentation provider to finely control what the viewer can see.

Appendix A: Revision History

Version Date Notes
3.0.4 TBD Patch release of the OpenAPI Specification 3.0.4
3.0.3 2020-02-20 Patch release of the OpenAPI Specification 3.0.3
3.0.2 2018-10-08 Patch release of the OpenAPI Specification 3.0.2
3.0.1 2017-12-06 Patch release of the OpenAPI Specification 3.0.1
3.0.0 2017-07-26 Release of the OpenAPI Specification 3.0.0
3.0.0-rc2 2017-06-16 rc2 of the 3.0 specification
3.0.0-rc1 2017-04-27 rc1 of the 3.0 specification
3.0.0-rc0 2017-02-28 Implementer's Draft of the 3.0 specification
2.0 2015-12-31 Donation of Swagger 2.0 to the OpenAPI Initiative
2.0 2014-09-08 Release of Swagger 2.0
1.2 2014-03-14 Initial release of the formal document.
1.1 2012-08-22 Release of Swagger 1.1
1.0 2011-08-10 First release of the Swagger Specification

Appendix B: Data Type Conversion

Serializing typed data to plain text, which can occur in text/plain message bodies or multipart parts, as well as in the application/x-www-form-urlencoded format in either URL query strings or message bodies, involves significant implementation- or application-defined behavior.

Schema Objects validate data based on the JSON Schema data model, which only recognizes four primitive data types: strings (which are only broadly interoperable as UTF-8), numbers, booleans, and null. Notably, integers are not a distinct type from other numbers, with type: integer being a convenience defined mathematically, rather than based on the presence or absence of a decimal point in any string representation.

The Parameter Object and Encoding Object offer features to control how to arrange values from array or object types. They can also be used to control how strings are further encoded to avoid reserved or illegal characters. However, there is no general-purpose specification for converting schema-validated non-UTF-8 primitive data types (or entire arrays or objects) to strings.

Two cases do offer standards-based guidance:

  • RFC3987 §3.1 provides guidance for converting non-Unicode strings to UTF-8, particularly in the context of URIs (and by extension, the form media types which use the same encoding rules)
  • RFC6570 §2.3 specifies which values, including but not limited to null, are considered undefined and therefore treated specially in the expansion process when serializing based on that specification

Implementations of RFC6570 often have their own conventions for converting non-string values, but these are implementation-specific and not defined by the RFC itself. This is one reason for the OpenAPI Specification to leave these conversions as implementation-defined: It allows using RFC6570 implementations regardless of how they choose to perform the conversions.

To control the serialization of numbers, booleans, and null (or other values RFC6570 deems to be undefined) more precisely, schemas can be defined as type: string and constrained using pattern, enum, format, and other keywords to communicate how applications must pre-convert their data prior to schema validation. The resulting strings would not require any further type conversion.

The format keyword can assist in serialization. Some formats (such as date-time or byte) are unambiguous, while others (such as decimal in the Format Registry) are less clear. However, care must be taken with format to ensure that the specific formats are supported by all relevant tools as unrecognized formats are ignored.

Requiring input as pre-formatted, schema-validated strings also improves round-trip interoperability as not all programming languages and environments support the same data types.

Appendix C: Using RFC6570 Implementations

Serialization is defined in terms of RFC6570 URI Templates in two scenarios:

Object Condition
Parameter Object When schema is present
Encoding Object When encoding for application/x-www-form-urlencoded and any of style, explode, or allowReserved are used

Implementations of this specification MAY use an implementation of RFC6570 to perform variable expansion, however, some caveats apply.

Note that when using style: form RFC6570 expansion to produce an application/x-www-form-urlencoded HTTP message body, it is necessary to remove the ? prefix that is produced to satisfy the URI query string syntax.

Note also that not all RFC6570 implementations support all four levels of operators, all of which are needed to fully support the OpenAPI Specification's usage. Using an implementation with a lower level of support will require additional manual construction of URI Templates to work around the limitations.

Equivalences Between Fields and RFC6570 Operators

Certain field values translate to RFC6570 operators (or lack thereof):

field value equivalent
style simple n/a
style matrix ; prefix operator
style label . prefix operator
style form ? prefix operator
allowReserved false n/a
allowReserved true + prefix operator
explode false n/a
explode true * modifier suffix

Multiple style: form parameters are equivalent to a single RFC6570 variable list using the ? prefix operator:

parameters:
- name: foo
  in: query
  schema:
    type: object
  explode: true
- name: bar
  in: query
  schema:
    type: string

This example is equivalent to RFC6570's {?foo*,bar}, and NOT {?foo*}{&bar}, which is problematic because if foo is not defined, the result will be an invalid URI. The & prefix operator has no equivalent in the Parameter Object.

Note that RFC6570 does not specify behavior for compound values beyond the single level addressed by explode. The results of using objects or arrays where no behavior is clearly specified for them is implementation-defined.

Non-RFC6570 Field Values and Combinations

Configurations with no direct RFC6570 equivalent SHOULD also be handled according to RFC6570. Implementations MAY create a properly delimited URI Template with variables for individual names and values using RFC6570 regular or reserved expansion (based on allowReserved).

This includes:

  • the styles pipeDelimited, spaceDelimited, and deepObject, which have no equivalents at all
  • the combination of the style form with allowReserved: true, which is not allowed because only one prefix operator can be used at a time
  • any parameter name that is not a legal RFC6570 variable name

The Parameter Object's name field has a much more permissive syntax than RFC6570 variable name syntax. A parameter name that includes characters outside of the allowed RFC6570 variable character set MUST be percent-encoded before it can be used in a URI Template.

Examples

Let's say we want to use the following data in a form query string, where formulas is exploded, and words is not:

formulas:
  a: x+y
  b: x/y
  c: x^y
words:
- math
- is
- fun

RFC6570-Equivalent Expansion

This array of parameter objects uses regular style: form expansion, fully supported by RFC6570:

parameters:
- name: formulas
  in: query
  schema:
    type: object
    additionalProperties:
      type: string
  explode: true
- name: words
  in: query
  schema:
    type: array
    items:
      type: string

This translates to the following URI Template:

{?formulas*,words}

when expanded with the data given earlier, we get:

?a=x%2By&b=x%2Fy&c=x%5Ey&words=math,is,fun

Expansion With Non-RFC6570-Supported Options

But now let's say that (for some reason), we really want that / in the b formula to show up as-is in the query string, and we want our words to be space-separated like in a written phrase. To do that, we'll add allowReserved: true to formulas, and change to style: spaceDelimited for words:

parameters:
- name: formulas
  in: query
  schema:
    type: object
    additionalProperties:
      type: string
  explode: true
  allowReserved: true
- name: words
  in: query
  style: spaceDelimited
  schema:
    type: array
    items:
      type: string

We can't combine the ? and + RFC6570 prefixes, and there's no way with RFC6570 to replace the , separator with a space character. So we need to restructure the data to fit a manually constructed URI Template that passes all of the pieces through the right sort of expansion.

Here is one such template, using a made-up convention of words.0 for the first entry in the words value, words.1 for the second.

?a={+a}&b={+b}&c={+c}&words={words.0} {words.1} {words.2}

RFC6570 mentions the use of . "to indicate name hierarchy in substructures," but does not define any specific naming convention or behavior for it. Since the . usage is not automatic, we'll need to construct an appropriate input structure for this new template.

We'll also need to pre-process the values for formulas because while / and most other reserved characters are allowed in the query string by RFC3986, [, ], and # are not, and &, =, and + all have special behavior in the application/x-www-form-urlencoded format, which is what we are using in the query string.

Setting allowReserved: true does not make reserved characters that are not allowed in URIs allowed, it just allows them to be passed through expansion unchanged. Therefore, any tooling still needs to percent-encode those characters because reserved expansion will not do it, but it will leave the percent-encoded triples unchanged. See also [Appendix E](#to indicate name hierarchy in substructures) for further guidance on percent-encoding and form media types, including guidance on handling the delimiter characters for spaceDelimited, pipeDelimited, and deepObject in parameter names and values.

So here is our data structure that arranges the names and values to suit the template above, where values for formulas have []#&=+ pre-percent encoded (although only + appears in this example):

a: x%2By
b: x/y
c: x^y
words.0: math
words.1: is
words.2: fun

Expanding our manually assembled template with our restructured data yields the following query string:

?a=x%2By&b=x/y&c=x%5Ey&words=math%20is%20fun

The / and the pre-percent-encoded %2B have been left alone, but the disallowed ^ character (inside a value) and space characters (in the template but outside of the expanded variables) were percent-encoded.

Undefined Values and Manual URI Template Construction

Care must be taken when manually constructing templates to handle the values that RFC6570 considers to be undefined correctly:

formulas: {}
words:
- hello
- world

Using this data with our original RFC6570-friendly URI Template, {?formulas*,words}, produces the following:

?words=hello,world

This means that the manually constructed URI Template and restructured data need to leave out the formulas object entirely so that the words parameter is the first and only parameter in the query string.

Restructured data:

words.0: hello
words.1: world

Manually constructed URI Template:

?words={words.0} {words.1}

Result:

?words=hello%20world

Illegal Variable Names as Parameter Names

In this example, the heart emoji is not legal in URI Template names (or URIs):

parameters:
- name: ❤️
  in: query
  schema:
    type: string

We can't just pass ❤️: love! to an RFC6570 implementation. Instead, we have to pre-percent-encode the name (which is a six-octet UTF-8 sequence) in both the data and the URI Template:

"%E2%9D%A4%EF%B8%8F": love!
{?%E2%9D%A4%EF%B8%8F}

This will expand to the result:

?%E2%9D%A4%EF%B8%8F=love%21

Appendix D: Serializing Headers and Cookies

Appendix E: Percent-Encoding and Form Media Types