OpenAPI Schema Validation: Zero-Config API Security

OpenAPI schema validation is coming to G8KEPR in Q1 2025. Upload your OpenAPI 3.x specification and automatically generate security rules, request/response validation, and rate limits—without writing a single line of code.

The Problem with Manual API Security

Today, securing an API requires manually configuring each endpoint:

❌ Manual Configuration (Error-Prone)

• Write rate limit rules for each endpoint
• Define request validation for each parameter
• Specify response schemas manually
• Keep security config in sync with API changes
• Update docs separately from implementation
• Hope nothing falls through the cracks

Result: Security gaps, stale documentation, and wasted developer time.

✓ OpenAPI-Driven (Automatic)

✓ Upload OpenAPI spec → G8KEPR auto-generates all rules
✓ Request validation based on schema (types, required fields, formats)
✓ Response validation to catch backend bugs
✓ Auto-detect rate limit hints from spec
✓ Single source of truth for API contract
✓ Update spec → Security updates automatically

Result: Zero-config security that stays in sync with your API.

How It Works

1. Upload OpenAPI Spec:
   POST /admin/openapi/upload
   Content-Type: application/json
   { "spec_url": "https://api.yourcompany.com/openapi.json" }

2. G8KEPR Analyzes Spec:
   ✓ Parse paths and operations
   ✓ Extract request schemas
   ✓ Extract response schemas
   ✓ Detect authentication requirements
   ✓ Find rate limit hints (x-rate-limit)
   ✓ Generate validation rules

3. Auto-Generated Rules Applied:
   ✓ Path validation (404 for undefined routes)
   ✓ Method validation (405 for wrong HTTP verbs)
   ✓ Request body validation
   ✓ Query parameter validation
   ✓ Header validation
   ✓ Response validation

4. Requests Are Validated:
   Valid request → Forward to backend
   Invalid request → 400 Bad Request with details
   Invalid response → Log error, optional block

Example OpenAPI Spec

openapi: 3.0.0
info:
  title: User API
  version: 1.0.0

paths:
  /api/users:
    get:
      summary: List users
      x-rate-limit: 1000/hour  # G8KEPR reads this!
      parameters:
        - name: page
          in: query
          schema:
            type: integer
            minimum: 1
            default: 1
        - name: limit
          in: query
          schema:
            type: integer
            minimum: 1
            maximum: 100
            default: 20
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: object
                properties:
                  users:
                    type: array
                    items:
                      $ref: '#/components/schemas/User'

  /api/users/{id}:
    get:
      summary: Get user by ID
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
            format: uuid  # G8KEPR validates UUID format!
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'

    patch:
      summary: Update user
      x-rate-limit: 100/hour
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                name:
                  type: string
                  minLength: 1
                  maxLength: 100
                email:
                  type: string
                  format: email  # G8KEPR validates email format!
                age:
                  type: integer
                  minimum: 18
                  maximum: 120
      responses:
        '200':
          description: Updated

components:
  schemas:
    User:
      type: object
      required: [id, email, name]
      properties:
        id:
          type: string
          format: uuid
        email:
          type: string
          format: email
        name:
          type: string
        age:
          type: integer

  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

security:
  - bearerAuth: []

What Gets Validated

1. Path & Method Validation

Request	Validation	Error
GET /api/users	✓ Defined in spec	-
GET /api/products	✗ Not in spec	404 Not Found
POST /api/users	✗ Method not allowed	405 Method Not Allowed
GET /api/users/abc	✗ Invalid UUID format	400 Bad Request

2. Request Body Validation

Example: Updating a user with invalid data:

PATCH /api/users/123e4567-e89b-12d3-a456-426614174000
Content-Type: application/json
{
  "name": "",  // ✗ minLength: 1
  "email": "not-an-email",  // ✗ Invalid email format
  "age": 15  // ✗ minimum: 18
}

Response: 400 Bad Request
{
  "error": "Request validation failed",
  "details": [
    {
      "field": "name",
      "message": "String length must be >= 1",
      "value": ""
    },
    {
      "field": "email",
      "message": "Must be valid email format",
      "value": "not-an-email"
    },
    {
      "field": "age",
      "message": "Must be >= 18",
      "value": 15
    }
  ]
}

3. Query Parameter Validation

GET /api/users?page=0&limit=200

Response: 400 Bad Request
{
  "error": "Query validation failed",
  "details": [
    {
      "param": "page",
      "message": "Must be >= 1",
      "value": 0
    },
    {
      "param": "limit",
      "message": "Must be <= 100",
      "value": 200
    }
  ]
}

Auto-Generated Rate Limits

G8KEPR reads rate limit hints from your OpenAPI spec:

# In your OpenAPI spec:
paths:
  /api/auth/login:
    post:
      x-rate-limit: 5/minute  # Prevent brute force

  /api/search:
    get:
      x-rate-limit: 100/hour  # Expensive operation

  /api/users:
    get:
      x-rate-limit: 1000/hour  # Normal endpoint

# G8KEPR automatically applies these limits!
# No manual configuration needed.

Response Validation (Contract Testing)

Ensure your backend is returning data that matches the spec:

# Backend returns invalid response:
GET /api/users/123

Backend Response:
{
  "id": "123",  // ✗ Should be UUID format
  "email": "missing@example.com",
  "age": "thirty"  // ✗ Should be integer
}

# G8KEPR Options:
1. Log error + forward response (default)
2. Block response + return 500 (strict mode)
3. Auto-fix response (sanitize mode)

# Logged Error:
{
  "level": "error",
  "message": "Response validation failed",
  "endpoint": "GET /api/users/{id}",
  "errors": [
    {"field": "id", "expected": "uuid", "got": "123"},
    {"field": "age", "expected": "integer", "got": "string"}
  ]
}

Continuous Sync

Keep your security rules up to date automatically:

Host OpenAPI Spec at Public URL

https://api.yourcompany.com/openapi.json

G8KEPR Polls URL Every 5 Minutes

Checks for changes using ETag/Last-Modified headers

Auto-Update Rules on Change

Zero-downtime reload, no manual config updates needed

Migration Strategy

Don't have an OpenAPI spec yet? No problem:

Option 1: Generate from Code

# Many frameworks auto-generate OpenAPI:

# FastAPI (Python)
from fastapi import FastAPI
app = FastAPI()
# Access at: /openapi.json

# NestJS (Node.js)
import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
const config = new DocumentBuilder().build();
const document = SwaggerModule.createDocument(app, config);

# ASP.NET Core (C#)
builder.Services.AddSwaggerGen();
app.UseSwagger();

Option 2: Record Live Traffic

G8KEPR can learn your API by observing requests/responses:

# Enable learning mode:
openapi:
  learning_mode:
    enabled: true
    duration: 7 days

# G8KEPR will:
# 1. Record all request/response patterns
# 2. Infer schemas from actual data
# 3. Generate OpenAPI spec automatically
# 4. Prompt you to review and approve

# After 7 days:
GET /admin/openapi/generated
# Returns auto-generated OpenAPI spec

Coming Q1 2025

OpenAPI schema validation will be included in the Growth plan ($299/mo) and above. Join the beta to test it with your API specs.

Join Beta Waitlist →