
API audit checklist

A lifecycle-based checklist for verifying API readiness across design, delivery, publishing and compliance, using defined audit criteria and evidence.

  1. Use the API audit checklist to ensure that the API design meets functional and non-functional requirements, including security, performance and compliance.
  2. Run audits to assess lifecycle coverage and verify that the API meets business, design and operational standards.
  3. Ensure that documentation, security models, gateway configuration and legal requirements are clearly defined, validated and backed by evidence.

| Field | Value |
|---|---|
| Profile | read-only |
| Generated at | 2026-04-06T21:06:36.908Z |
| OpenAPI path | specs\openapi\api.yaml |
| Checklist path | specs\audit\api-audit-checklist.json |
| Checklist source | local-override |
| Spectral status | pass |
| Spectral errors | 0 |
| Spectral warnings | 0 |

| Status | Count |
|---|---|
| Pass | 14 |
| Partial | 7 |
| Gap | 12 |
| N/A | 4 |
| Total | 37 |

| Stage | Pass | Partial | Gap | N/A | Total |
|---|---|---|---|---|---|
| Strategy | 1 | 1 | 0 | 0 | 2 |
| Architecture | 0 | 2 | 1 | 0 | 3 |
| Design | 11 | 2 | 3 | 3 | 19 |
| Delivery | 2 | 1 | 4 | 1 | 8 |
| Publishing | 0 | 1 | 4 | 0 | 5 |
| Improving | 0 | 0 | 0 | 0 | 0 |

| Stage | Id | Label | Status | Kind | Guidelines | Stations | Criteria | Evidence tags | Expected evidence | Actual evidence | Reason |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Strategy | based-on-clear-business-needs | API is based on clear business needs | partial | manual | REST-DOMAIN-01 | api-product-strategy | business-goals-defined, market-research-done, stakeholder-approval, metrics-feedback-available | design-artifact, documentation, research | specs/canvases/api-product-strategy/apiValuePropositionCanvas.empty.json, specs/canvases/api-product-strategy/apiBusinessModelCanvas.empty.json | | |
| Strategy | concept-items-audited | All concept checklist items are audited | pass | aggregate | REST-AUDIT-02 | api-product-strategy, api-consumer-experience | business-goals-defined, market-research-done, stakeholder-approval, metrics-feedback-available, api-opportunity-documented, api-reusability, value-prop-validated, consumer-segments-identified | report | audit/concept-review-report.json | strategy | |
| Architecture | versioning-decided | Versioning strategy decided and supported by gateway | partial | manual | REST-VERSION-01 | api-platform-architecture, api-publishing | api-roadmap-defined, api-reusability, api-ready-for-publishing | spec, ci-cd, gateway-config | specs/openapi/api.yaml, docs/api/architecture/README.md, docs/api/publishing/README.md | specs/openapi/api.yaml | |
| Architecture | only-via-gateway | Only accessible via API gateway | gap | manual | REST-PUBLISH-02, REST-CAPACITY-02 | api-platform-architecture, api-publishing | api-reusability, api-ready-for-publishing, audit-passed | gateway-config, infra-config, security-config | docs/api/architecture/README.md, docs/api/publishing/README.md | | |
| Architecture | rate-limits-enforced | Rate limits are enforced | partial | manual | REST-CAPACITY-01, REST-OBS-01, REST-SEC-04 | api-platform-architecture | api-roadmap-defined, api-reusability | gateway-config, runtime, monitoring | specs/canvases/api-platform-architecture/capacityCanvas.empty.json, docs/api/architecture/README.md | | |
| Design | endpoint-descriptions-present | Endpoints have business value and feature descriptions | pass | openapi | REST-CX-01 | api-design, api-consumer-experience | design-reflects-business-value, value-prop-validated, api-opportunity-documented | spec, design-artifact | specs/openapi/api.yaml, specs/canvases/api-product-strategy/apiValuePropositionCanvas.empty.json | specs/openapi/api.yaml | |
| Design | hides-raw-backend-data | API hides raw backend data and is designed for shared use | partial | manual | REST-DOMAIN-01 | api-design | hide-backend-discrepancies, design-reflects-business-value | spec, design-artifact | specs/canvases/api-product-strategy/domainCanvas.empty.json, specs/canvases/api-design/interactionCanvas.empty.json, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | design-consistent | API design is consistent with other APIs | partial | manual | REST-DOMAIN-02, REST-CX-03 | api-design, api-platform-architecture | api-consistency, architecture-patterns-validated, api-reusability | documentation, design-artifact | specs/canvases/api-design/restCanvas.empty.json, docs/api/design/README.md | | |
| Design | descriptive-english-naming | Data and attribute naming uses descriptive English | pass | openapi | REST-NAMING-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | mandatory-fields-specified | Mandatory fields are specified | pass | openapi | REST-VALIDATION-01 | api-design | architecture-patterns-validated, api-consistency | spec, contract | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | dates-use-iso | Dates use ISO format with timezone | gap | openapi | REST-DATA-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | general-data-uses-standard-values | General data uses standard values | pass | openapi | REST-DATA-02 | api-design | api-consistency, design-reflects-business-value | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | field-names-avoid-acronyms | Field names avoid acronyms and use full words | pass | openapi | REST-NAMING-02 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | paths-max-two-resources | Endpoint paths contain max two resources or sub-resources | pass | openapi | REST-PATH-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | examples-present | Endpoints and attributes include examples | pass | openapi | REST-CX-02 | api-design, api-consumer-experience | design-reflects-business-value, value-prop-validated | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | get-no-request-body | GET has no request body and returns content | pass | openapi | REST-HTTP-GET-01, REST-RESP-200-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | get-empty-returns-204 | GET returns 204 if response body is empty | na | n/a | REST-RESP-204-02 | api-design, api-consumer-experience | api-consistency, value-prop-validated | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | The current contract returns content for all GET operations. |
| Design | 400-errors-specific | 400 errors provide specific error information | gap | openapi | REST-ERROR-400-01 | api-design, api-consumer-experience | design-reflects-business-value, api-consistency, value-prop-validated | spec | specs/openapi/api.yaml | GET /items/by-slug/{slug}, GET /categories/{categoryId}/items | |
| Design | 401-unauthorized | 401 Unauthorized for wrong credentials | na | n/a | REST-ERROR-401-01, REST-SEC-01, REST-SEC-03 | api-design, api-publishing | api-consistency, api-ready-for-publishing | spec, security-config, gateway-config | specs/openapi/api.yaml | specs/openapi/api.yaml | The current public storefront contract is intentionally unauthenticated. |
| Design | 403-forbidden | 403 Forbidden for unauthorized operations | na | n/a | REST-ERROR-403-01, REST-SEC-03 | api-design, api-publishing | api-consistency, api-ready-for-publishing | spec, security-config, gateway-config | specs/openapi/api.yaml | specs/openapi/api.yaml | The current profile is public read-only and exposes no unauthorized operations. |
| Design | spec-contains-schemas | Spec contains request and response schema | pass | openapi | REST-CONTRACT-01 | api-design | architecture-patterns-validated, api-consistency | spec, contract | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | pseudo-identifiers | UUIDs or pseudo-identifiers instead of DB IDs | gap | openapi | REST-SEC-07 | api-design | hide-backend-discrepancies, api-consistency | spec | specs/openapi/api.yaml | productId, variantId, categoryId | |
| Design | no-sensitive-data-in-urls | No sensitive data in URLs | pass | openapi | REST-SEC-06, REST-SEC-04 | api-design | hide-backend-discrepancies, api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | http-methods-match-resources | HTTP methods only for intended resources | pass | openapi | REST-HTTP-GET-01, REST-HTTP-POST-01, REST-HTTP-PUT-01, REST-HTTP-DELETE-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | design-items-audited | All prototype and design items are audited | pass | aggregate | REST-AUDIT-02 | api-design, api-delivery | architecture-patterns-validated, design-reflects-business-value, api-consistency | report | audit/production-readiness-review.json | design | |
| Delivery | spec-validated-on-change | Spec validated on every change | gap | openapi | REST-AUDIT-01 | api-delivery | architecture-patterns-validated, api-consistency | ci-cd, spec, test | .github/workflows/openapi-lint.yml, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | schema-and-examples-pass | Schema and examples pass validation | pass | openapi | REST-AUDIT-01, REST-CONTRACT-01 | api-delivery, api-design | api-consistency, architecture-patterns-validated, api-contract-tested | spec, test | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | uses-https | Uses HTTPS or encrypted protocols | gap | manual | REST-SEC-05 | api-delivery, api-publishing | architecture-patterns-validated, api-ready-for-publishing | security-config, gateway-config | docs/api/delivery/README.md, docs/api/publishing/README.md | | |
| Delivery | inputs-auto-validated | Inputs auto-validated by framework | partial | manual | REST-VALIDATION-01 | api-delivery | architecture-patterns-validated, api-consistency | code, test, spec | specs/openapi/api.yaml, docs/api/delivery/README.md | specs/openapi/api.yaml | |
| Delivery | outputs-auto-escaped | Outputs auto-escaped by framework | na | n/a | REST-SEC-04 | api-delivery | architecture-patterns-validated, api-consistency | code | docs/api/delivery/README.md | | JSON APIs do not typically require output escaping in the same way as HTML rendering. |
| Delivery | encryption-in-transit | Encryption for data in transit and storage | gap | manual | REST-SEC-05 | api-delivery, api-publishing | architecture-patterns-validated, api-ready-for-publishing, audit-passed | security-config, infra-config, documentation | docs/api/delivery/README.md, docs/api/publishing/README.md | | |
| Delivery | message-integrity | Message integrity implemented | gap | manual | REST-OBS-01, REST-SEC-04 | api-delivery | architecture-patterns-validated, api-consistency | security-config, monitoring, documentation | docs/api/delivery/README.md, docs/api/architecture/README.md | | |
| Publishing | published-via-api-management | Published via API management | gap | manual | REST-PUBLISH-01 | api-publishing | api-ready-for-publishing, audit-passed | gateway-config, ci-cd, documentation | .github/workflows/openapi-lint.yml, docs/api/publishing/README.md | | |
| Publishing | visible-in-dev-portal | Visible in developer portal | gap | manual | REST-PUBLISH-03 | api-publishing | api-documentation-ready, api-ready-for-publishing | documentation, runtime | docs/api/publishing/README.md | | |
| Publishing | docs-auto-generated | Docs auto-generated from spec and schema | partial | manual | REST-CONTRACT-02, REST-PUBLISH-03 | api-publishing, api-delivery | api-documentation-ready, api-ready-for-publishing, api-consistency | spec, documentation, ci-cd | specs/openapi/api.yaml, docs/api/publishing/README.md, docs/api/audit/design-audit.read-only.md | specs/openapi/api.yaml | |
| Publishing | spec-auto-updated | Spec auto-updated to gateway and dev portal | gap | manual | REST-CONTRACT-02 | api-publishing, api-delivery | api-ready-for-publishing, audit-passed, api-consistency | ci-cd, gateway-config, documentation | .github/workflows/openapi-lint.yml, docs/api/publishing/README.md, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Publishing | official-domain | Published under official organization domain | gap | manual | REST-PUBLISH-04 | api-publishing | api-ready-for-publishing, audit-passed | documentation, runtime | docs/api/publishing/README.md | | |