Audit contracts
over HTTP.
Two endpoints, one deterministic ruleset and a clearly labeled heuristic score. Start free, then pay per request for complete findings and machine-applicable artifacts.
Overview
Send the complete OpenAPI document as a JSON string in the specification property. JSON and YAML contracts using OpenAPI 3.0 or 3.1 are accepted.
The web playground also imports direct public HTTPS specification URLs in the browser. GitHub file pages are converted to raw links automatically. URL fetching is not part of the HTTP API, and imported documents are still submitted as specification text.
$ref values are rejected. Bundle the contract into one document before submission. Raw submitted documents are not persisted; paid reports are cached for retry safety as described below.Free score
/v1/openapi/scoreFREEReturns the readiness score, six category metrics, contract summary, and five highest-priority findings.
curl -X POST https://your-domain.example/v1/openapi/score \
-H 'content-type: application/json' \
--data '{"specification":"openapi: 3.1.0\ninfo: ..."}'Rate limits are 10 requests per minute and 100 requests per day for each hashed client address.
Paid audit
/v1/openapi/audit$0.05 test USDC · x402Returns every finding, reviewed JSON Patch candidates, MCP bundles, exclusions, and deterministic SHA-256 hashes.
Without a payment signature the route responds with HTTP 402 and advertises an exact USDC payment on Base Sepolia. It also requires the x402 payment-identifier extension so a logical request can be retried safely.
# Use a separate Base Sepolia buyer wallet; never the seller key.
cp buyer.env.example .env.buyer.local
# Add EVM_PRIVATE_KEY to that ignored file, then run:
pnpm test:paidAudit options
includeJsonPatch— defaults to true.includeMcpTools— defaults to true.includeOperationIds— selects exact operation IDs and explicitly permits selected mutation operations.
Limits & privacy
- 4 MiB and 500-operation application limits, plus bounded nesting, nodes, strings, references, compositions, findings, patches, and MCP output.
- Browser URL imports require a direct public HTTPS file, omit credentials, time out after ten seconds, and depend on the source site's CORS policy.
- 50 YAML aliases and a 20-second processing deadline.
- Semantic external references must be bundled. External documentation, examples, and vendor-extension assets are skipped with a finding rather than rejecting the contract.
- The audit server performs no outbound contract dereferencing.
- No raw request bodies, contracts, or detected secret values in application logs.
- Paid audit reports and hashed idempotency keys expire after 24 hours. Reports can include schemas and other fragments derived from the submitted contract.
Errors
Every application error uses { error: { code, message, request_id, details? } }. Common statuses are 400, 402, 409, 413, 415, 422, 429, and 503.
Use the request ID when correlating a failure with operational telemetry. Error details contain locations and validation issues, never submitted secret values.