Audit template
api
Audit your API against its published contract — and what the code actually does.
Maps to: RFC 9110 / RFC 9457 · OpenAPI
Twelve specialists, in parallel
Each finding is evidence-bound and survives ≥2-of-3 adversarial skeptics.
How this audit works
Twelve specialist agents review one API surface across resource modeling, HTTP semantics and status codes, the error envelope, auth and object-level authorization, versioning, pagination, idempotency, rate limits, schema rigor, docs, webhooks, and observability. Each finding cites a handler file:line, a schema path, or a request/response pair and names the rule it breaks — RFC 9110, RFC 9457 (Problem Details), OpenAPI 3.1, the GraphQL spec, or gRPC conventions. Every drift between the published contract and the implementation is logged as its own finding with both locations cited.
Use it when
Opening a private API to partners
An internal endpoint set is about to become a public contract. The audit maps every operation against its OpenAPI or SDL, flags verbs-in-paths and inconsistent collection patterns, and surfaces missing page-size limits and unauthenticated mutating endpoints before external developers depend on them.
After a payments endpoint double-charged
A retry created a second charge in production. The audit checks idempotency keys on money and side-effect POSTs, optimistic concurrency on read-modify-write paths, and webhook delivery semantics, then ships the Idempotency-Key handling and storage as a before/after fix.
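The kind of before/after Idempotency-Key fix this scenario refers to, as an added illustration and not the audit's own deliverable: `charge_before` charges on every call, so a client retry double-charges; `charge_after` scopes the key per caller, fingerprints the request body so a reused key with a different payload is rejected, reserves the key before the side effect so a concurrent retry sees "in progress", and replays the stored response afterwards. The `ChargeService`, its in-memory store and the error bodies (shaped as RFC 9457 Problem Details) are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


def problem(status: int, title: str, detail: str) -> dict:
    """RFC 9457 Problem Details envelope; "about:blank" is the spec's generic default type."""
    return {"type": "about:blank", "title": title, "status": status, "detail": detail}


def fingerprint(payload: dict) -> str:
    """Canonical hash of the request body, used to detect key reuse with a different body."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class Record:
    """One stored idempotency entry. status/body stay None while the first request is in flight."""
    request_hash: str
    status: Optional[int] = None
    body: Optional[dict] = None


@dataclass
class ChargeService:
    # Hypothetical store keyed by (caller, Idempotency-Key). In production this is a durable
    # table with a TTL and a unique constraint; a dict keeps the example self-contained.
    store: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)  # charges that actually executed (constructed)

    def _execute_charge(self, payload: dict) -> tuple[int, dict]:
        """The money-moving side effect itself."""
        charge_id = f"ch_{len(self.ledger) + 1}"
        self.ledger.append({"id": charge_id, **payload})
        return 201, {"id": charge_id, "amount": payload["amount"]}

    def charge_before(self, payload: dict) -> tuple[int, dict]:
        """'Before': no idempotency handling, every retry is a new charge."""
        return self._execute_charge(payload)

    def charge_after(self, caller: str, idem_key: Optional[str], payload: dict) -> tuple[int, dict]:
        """'After': Idempotency-Key required, caller-scoped, body-fingerprinted, reserved first."""
        if not idem_key:
            return 400, problem(400, "Missing Idempotency-Key",
                                "POST /charges requires an Idempotency-Key header.")
        key = (caller, idem_key)  # scoping per caller stops one tenant replaying another's key
        fp = fingerprint(payload)
        rec = self.store.get(key)
        if rec is not None:
            if rec.request_hash != fp:
                return 422, problem(422, "Idempotency-Key reused",
                                    "This key was already used with a different request body.")
            if rec.status is None:
                return 409, problem(409, "Request in progress",
                                    "A request with this Idempotency-Key is still being processed.")
            return rec.status, rec.body  # replay the stored response; no new side effect
        # Reserve the key *before* the side effect so a concurrent retry cannot slip through.
        rec = Record(request_hash=fp)
        self.store[key] = rec
        status, body = self._execute_charge(payload)
        rec.status, rec.body = status, body
        return status, body


def retry_scenario() -> dict:
    """Same request sent twice against both handlers; returns how many charges each executed."""
    payload = {"amount": 1000, "currency": "EUR"}  # constructed sample request
    before = ChargeService()
    before.charge_before(payload)
    before.charge_before(payload)
    after = ChargeService()
    after.charge_after("acct_a", "k1", payload)
    after.charge_after("acct_a", "k1", payload)
    return {"before": len(before.ledger), "after": len(after.ledger)}


if __name__ == "__main__":
    print(retry_scenario())  # {'before': 2, 'after': 1}
```

The replay must return the original status and body, including on error, so that a client which lost the first response learns the real outcome rather than triggering a second attempt; and the stored entry is written before the charge executes, because a store written only on success leaves the window in which the double charge happens.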
Reconciling spec drift before SDK generation
You generate client SDKs from an OpenAPI spec that no longer matches the handlers. The audit lints the spec and produces a contract-drift matrix per operation — removed fields, narrowed types, changed defaults, wrong status codes — so the generated clients stop breaking against real responses.
What you get
A scorecard graded per dimension plus a priority-sorted tracking issue and one German GitHub issue per finding, each with a management summary and a before/after fix.