
Better understanding of API audit checklist principles

API Audit Checklist

A lifecycle-based checklist to verify API readiness across design, delivery, publishing, and compliance using defined audit criteria and evidence.

  1. Use the API Audit Checklist to ensure the API design meets functional and non-functional requirements, including security, performance, and compliance.
  2. Conduct audits to assess lifecycle coverage and verify that the API meets business, design, and operational standards.
  3. Ensure that documentation, security models, gateway configuration, and legal requirements are clearly defined, validated, and supported by evidence.
| Field | Value |
| --- | --- |
| Profile | read-only |
| Generated at | 2026-04-06T21:06:36.908Z |
| OpenAPI path | specs\openapi\api.yaml |
| Checklist path | specs\audit\api-audit-checklist.json |
| Checklist source | local-override |
| Spectral status | pass |
| Spectral errors | 0 |
| Spectral warnings | 0 |

| Status | Count |
| --- | --- |
| Pass | 14 |
| Partial | 7 |
| Gap | 12 |
| N/A | 4 |
| Total | 37 |

| Stage | Pass | Partial | Gap | N/A | Total |
| --- | --- | --- | --- | --- | --- |
| Strategy | 1 | 1 | 0 | 0 | 2 |
| Architecture | 0 | 2 | 1 | 0 | 3 |
| Design | 11 | 2 | 3 | 3 | 19 |
| Delivery | 2 | 1 | 4 | 1 | 8 |
| Publishing | 0 | 1 | 4 | 0 | 5 |
| Improving | 0 | 0 | 0 | 0 | 0 |
| Stage | Id | Label | Status | Kind | Guidelines | Stations | Criteria | Evidence tags | Expected evidence | Actual evidence | Reason |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Strategy | based-on-clear-business-needs | API is based on clear business needs | partial | manual | REST-DOMAIN-01 | api-product-strategy | business-goals-defined, market-research-done, stakeholder-approval, metrics-feedback-available | design-artifact, documentation, research | specs/canvases/api-product-strategy/apiValuePropositionCanvas.empty.json, specs/canvases/api-product-strategy/apiBusinessModelCanvas.empty.json | | |
| Strategy | concept-items-audited | All concept checklist items are audited | pass | aggregate | REST-AUDIT-02 | api-product-strategy, api-consumer-experience | business-goals-defined, market-research-done, stakeholder-approval, metrics-feedback-available, api-opportunity-documented, api-reusability, value-prop-validated, consumer-segments-identified | report | audit/concept-review-report.json | strategy | |
| Architecture | versioning-decided | Versioning strategy decided and supported by gateway | partial | manual | REST-VERSION-01 | api-platform-architecture, api-publishing | api-roadmap-defined, api-reusability, api-ready-for-publishing | spec, ci-cd, gateway-config | specs/openapi/api.yaml, docs/api/architecture/README.md, docs/api/publishing/README.md | specs/openapi/api.yaml | |
| Architecture | only-via-gateway | Only accessible via API gateway | gap | manual | REST-PUBLISH-02, REST-CAPACITY-02 | api-platform-architecture, api-publishing | api-reusability, api-ready-for-publishing, audit-passed | gateway-config, infra-config, security-config | docs/api/architecture/README.md, docs/api/publishing/README.md | | |
| Architecture | rate-limits-enforced | Rate limits are enforced | partial | manual | REST-CAPACITY-01, REST-OBS-01, REST-SEC-04 | api-platform-architecture | api-roadmap-defined, api-reusability | gateway-config, runtime, monitoring | specs/canvases/api-platform-architecture/capacityCanvas.empty.json, docs/api/architecture/README.md | | |
| Design | endpoint-descriptions-present | Endpoints have business value and feature descriptions | pass | openapi | REST-CX-01 | api-design, api-consumer-experience | design-reflects-business-value, value-prop-validated, api-opportunity-documented | spec, design-artifact | specs/openapi/api.yaml, specs/canvases/api-product-strategy/apiValuePropositionCanvas.empty.json | specs/openapi/api.yaml | |
| Design | hides-raw-backend-data | API hides raw backend data and is designed for shared use | partial | manual | REST-DOMAIN-01 | api-design | hide-backend-discrepancies, design-reflects-business-value | spec, design-artifact | specs/canvases/api-product-strategy/domainCanvas.empty.json, specs/canvases/api-design/interactionCanvas.empty.json, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | design-consistent | API design is consistent with other APIs | partial | manual | REST-DOMAIN-02, REST-CX-03 | api-design, api-platform-architecture | api-consistency, architecture-patterns-validated, api-reusability | documentation, design-artifact | specs/canvases/api-design/restCanvas.empty.json, docs/api/design/README.md | | |
| Design | descriptive-english-naming | Data and attribute naming uses descriptive English | pass | openapi | REST-NAMING-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | mandatory-fields-specified | Mandatory fields are specified | pass | openapi | REST-VALIDATION-01 | api-design | architecture-patterns-validated, api-consistency | spec, contract | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | dates-use-iso | Dates use ISO format with timezone | gap | openapi | REST-DATA-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | general-data-uses-standard-values | General data uses standard values | pass | openapi | REST-DATA-02 | api-design | api-consistency, design-reflects-business-value | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | field-names-avoid-acronyms | Field names avoid acronyms and use full words | pass | openapi | REST-NAMING-02 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | paths-max-two-resources | Endpoint paths contain max two resources or sub-resources | pass | openapi | REST-PATH-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | examples-present | Endpoints and attributes include examples | pass | openapi | REST-CX-02 | api-design, api-consumer-experience | design-reflects-business-value, value-prop-validated | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | get-no-request-body | GET has no request body and returns content | pass | openapi | REST-HTTP-GET-01, REST-RESP-200-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | get-empty-returns-204 | GET returns 204 if response body is empty | n/a | n/a | REST-RESP-204-02 | api-design, api-consumer-experience | api-consistency, value-prop-validated | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | The current contract returns content for all GET operations. |
| Design | 400-errors-specific | 400 errors provide specific error information | gap | openapi | REST-ERROR-400-01 | api-design, api-consumer-experience | design-reflects-business-value, api-consistency, value-prop-validated | spec | specs/openapi/api.yaml | GET /items/by-slug/{slug}, GET /categories/{categoryId}/items | |
| Design | 401-unauthorized | 401 Unauthorized for wrong credentials | n/a | n/a | REST-ERROR-401-01, REST-SEC-01, REST-SEC-03 | api-design, api-publishing | api-consistency, api-ready-for-publishing | spec, security-config, gateway-config | specs/openapi/api.yaml | specs/openapi/api.yaml | The current public storefront contract is intentionally unauthenticated. |
| Design | 403-forbidden | 403 Forbidden for unauthorized operations | n/a | n/a | REST-ERROR-403-01, REST-SEC-03 | api-design, api-publishing | api-consistency, api-ready-for-publishing | spec, security-config, gateway-config | specs/openapi/api.yaml | specs/openapi/api.yaml | The current profile is public read-only and exposes no unauthorized operations. |
| Design | spec-contains-schemas | Spec contains request and response schema | pass | openapi | REST-CONTRACT-01 | api-design | architecture-patterns-validated, api-consistency | spec, contract | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | pseudo-identifiers | UUIDs or pseudo-identifiers instead of DB IDs | gap | openapi | REST-SEC-07 | api-design | hide-backend-discrepancies, api-consistency | spec | specs/openapi/api.yaml | productId, variantId, categoryId | |
| Design | no-sensitive-data-in-urls | No sensitive data in URLs | pass | openapi | REST-SEC-06, REST-SEC-04 | api-design | hide-backend-discrepancies, api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Design | http-methods-match-resources | HTTP methods only for intended resources | pass | openapi | REST-HTTP-GET-01, REST-HTTP-POST-01, REST-HTTP-PUT-01, REST-HTTP-DELETE-01 | api-design | api-consistency | spec | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | design-items-audited | All prototype and design items are audited | pass | aggregate | REST-AUDIT-02 | api-design, api-delivery | architecture-patterns-validated, design-reflects-business-value, api-consistency | report | audit/production-readiness-review.json | design | |
| Delivery | spec-validated-on-change | Spec validated on every change | gap | openapi | REST-AUDIT-01 | api-delivery | architecture-patterns-validated, api-consistency | ci-cd, spec, test | .github/workflows/openapi-lint.yml, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | schema-and-examples-pass | Schema and examples pass validation | pass | openapi | REST-AUDIT-01, REST-CONTRACT-01 | api-delivery, api-design | api-consistency, architecture-patterns-validated, api-contract-tested | spec, test | specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Delivery | uses-https | Uses HTTPS or encrypted protocols | gap | manual | REST-SEC-05 | api-delivery, api-publishing | architecture-patterns-validated, api-ready-for-publishing | security-config, gateway-config | docs/api/delivery/README.md, docs/api/publishing/README.md | | |
| Delivery | inputs-auto-validated | Inputs auto-validated by framework | partial | manual | REST-VALIDATION-01 | api-delivery | architecture-patterns-validated, api-consistency | code, test, spec | specs/openapi/api.yaml, docs/api/delivery/README.md | specs/openapi/api.yaml | |
| Delivery | outputs-auto-escaped | Outputs auto-escaped by framework | n/a | n/a | REST-SEC-04 | api-delivery | architecture-patterns-validated, api-consistency | code | docs/api/delivery/README.md | | JSON APIs do not typically require output escaping in the same way as HTML rendering. |
| Delivery | encryption-in-transit | Encryption for data in transit and storage | gap | manual | REST-SEC-05 | api-delivery, api-publishing | architecture-patterns-validated, api-ready-for-publishing, audit-passed | security-config, infra-config, documentation | docs/api/delivery/README.md, docs/api/publishing/README.md | | |
| Delivery | message-integrity | Message integrity implemented | gap | manual | REST-OBS-01, REST-SEC-04 | api-delivery | architecture-patterns-validated, api-consistency | security-config, monitoring, documentation | docs/api/delivery/README.md, docs/api/architecture/README.md | | |
| Publishing | published-via-api-management | Published via API management | gap | manual | REST-PUBLISH-01 | api-publishing | api-ready-for-publishing, audit-passed | gateway-config, ci-cd, documentation | .github/workflows/openapi-lint.yml, docs/api/publishing/README.md | | |
| Publishing | visible-in-dev-portal | Visible in developer portal | gap | manual | REST-PUBLISH-03 | api-publishing | api-documentation-ready, api-ready-for-publishing | documentation, runtime | docs/api/publishing/README.md | | |
| Publishing | docs-auto-generated | Docs auto-generated from spec and schema | partial | manual | REST-CONTRACT-02, REST-PUBLISH-03 | api-publishing, api-delivery | api-documentation-ready, api-ready-for-publishing, api-consistency | spec, documentation, ci-cd | specs/openapi/api.yaml, docs/api/publishing/README.md, docs/api/audit/design-audit.read-only.md | specs/openapi/api.yaml | |
| Publishing | spec-auto-updated | Spec auto-updated to gateway and dev portal | gap | manual | REST-CONTRACT-02 | api-publishing, api-delivery | api-ready-for-publishing, audit-passed, api-consistency | ci-cd, gateway-config, documentation | .github/workflows/openapi-lint.yml, docs/api/publishing/README.md, specs/openapi/api.yaml | specs/openapi/api.yaml | |
| Publishing | official-domain | Published under official organization domain | gap | manual | REST-PUBLISH-04 | api-publishing | api-ready-for-publishing, audit-passed | documentation, runtime | docs/api/publishing/README.md | | |