Testing is how I know the API does what the contract says. Contract testing, integration testing, and validation against the definition keep implementation and documentation honest with each other. Testing against the contract is what lets me govern quality automatically instead of by hand.
Testing
Policies at this stop
Business Contract Validator
The APIs.json business contract must have a link to the validator for each, providing the ability to run linting rules for each type of contract and see the details of rules as they are applied.
API Mocking (CI/CD)
Require that every API can be mocked directly from its contract so consumers and downstream teams can build against it before the implementation is finished. I lean on mocking because it is what ma...
Contract Testing (CI/CD)
Require that every API is tested against its own contract in the CI/CD pipeline so the running service can never quietly drift from the OpenAPI it publishes. I insist on contract testing because a ...
Linting (CI/CD)
Require that every API contract is automatically linted against our design and governance rules on each commit, so standards are enforced by machines rather than by memory and goodwill. I love lint...
Schema Registry (CI/CD)
Require that the schemas an API relies on are published to a shared schema registry and validated against it in CI/CD, so the shapes of our data are versioned, discoverable, and compatible. I want ...
Validation (Design)
Require that every API defines and enforces validation rules in its contract, using schemas, constraints, required fields, and formats so that bad input is rejected with a clear, consistent error i...
Open Source Tooling Preferred
Require that an API operation prefers open source tooling and applies open licensing to its definitions, SDKs, and supporting tools wherever practical. Open source lets consumers understand, extend...
Input Validation (Security)
Require that every API validates all incoming data against its schema before acting on it. I want types, formats, lengths, ranges, and required fields checked at the edge and anything that does ...
Testing
Require that security testing has occurred and that the results are published for API security.
Technical Contract Validator
The OpenAPI technical contract must have a link to the validator for each, providing the ability to run linting rules for each type of contract and see the details of rules as they are applied.