Enhance Your API Standards Using Spectral and Postman

The ​​Postman Collection is a fantastic tool for collaborating with your team throughout the API design, development, testing, and documentation stages. But that’s not all—Postman’s API builder also lets you create and manage your APIs with ease.

In a previous post, we talked about measuring a collection’s quality with Spectral. In this post, we’ll show you how to do the same thing with an API, using the same governance rules that we use at Postman.

Postman’s API governance rules

When designing an API, it’s crucial to establish rules to ensure your API will be consistent with design guidelines and also easy for users to understand and use.

The APIs we design at Postman follow level 2 of the Richardson Maturity Model. This means we expose resources and use proper HTTP verbs to manage our APIs. We expanded on this maturity model with additional Spectral rules to improve consistency and quality in our APIs.

At Postman, the design process of REST APIs eventually creates an OpenAPI document. We check several governance rules to evaluate if the API meets our quality standards.

These are some of the governance rules we apply to our OpenAPI definitions during the API design process:

Most of these rules will result in an error response during the validation process. This error response prevents the API from being exposed with rule violations. Some rules are warnings that require human review. You can find the Spectral ruleset for this ruleset in our spectral-ruleset GitHub repository

We use additional custom internal governance rules that ensure our internal workflows in API exposure work properly. We also track previous versions of an OpenAPI spec and also validate the spec to check that:

• There are no breaking changes in the new version.
• The version number is higher than the currently exposed version number.
• We review manually the whole definition (or the changes from the previous version) to ensure consistency.
• API owner contact information must be included in the OpenAPI spec to facilitate contacting them for any questions.

We also use guidelines, recommendations, and reusable OpenAPI code for:

• Pagination (cursor and limit/offset pagination)
• Error responses
• Extended resources
• Polymorphism
• Documentation
• Rate-limiting headers
• Task resources (execute operations on a resource)

If you design your API definition following these recommendations, this can help ensure consistency and improved usability.

Programmatically check your API’s governance rules

If you have a Postman Enterprise plan, you can define your governance rules directly in Postman. These rules apply in the API builder and help indicate any possible problems with the API definition in real-time.

You can also create an automated process that checks the API, then integrate that process into your CI flow. In this case, leverage the Postman API to retrieve your API code and use Spectral to validate it.

Next, we’ll show you how to create an automation tool that reviews an API’s quality using the Postman API, Spectral CLI, and jq. You can find this code in Postman’s postman-api-spectral-linter GitHub repository.

How it works

When you run the tool’s shell script (Bash) command, it:

• Gets the API schema with the Postman API’s Get an API endpoint.
• Gets the API’s bundled OpenAPI definition with the Get a schema. Although Postman enables you to create maintainable multi-file OpenAPI definitions, in this case, we need the definition as a single, bundled file.
• Uses Spectral CLI to validate our ruleset against the API.
• Checks whether the Spectral results contain errors and returns them the script’s exit status. If any of the rules fail, then the command fails.
• Optionally, the script uses the Create an API comment endpoint to add a comment to the API. Postman sends anyone watching the API a notification containing the failing rules.

Here’s the script’s main code:

# Perform a curl request against the Postman API to retrieve the API schema. Save the request body in a file called _api.json
curl -s -H "Accept: application/vnd.api.v10+json" -H "x-api-key: $API_KEY" https://api.postman.com/apis/$API_UID?include=schemas,collections,versions,gitInfo | jq . > _api.json

# extract the schema ID from the first schemas list in the response with jq and save it in a variable
SCHEMA_ID=$(jq -r '.schemas[0].id' _api.json)

# get the bundled schema in a file
curl -s -H "Accept: application/vnd.api.v10+json" -H "x-api-key: $API_KEY" https://api.postman.com/apis/$API_UID/schemas/$SCHEMA_ID?bundled=true | jq . > _api.json

jq -r '.content' _api.json > _api.yaml

# Lint the API using spectral. Save the result in a JSON file
spectral lint _api.yaml --ruleset $RULES_PATH -f json --quiet > _result.json

# search for errors (severity=0) in the result file. If there are errors, exit with a non-zero status code
jq '.[] | select(.severity==0)' -e _result.json >/dev/null

if [ $? -eq 0 ]
  then
    # if COMMENT is true, call the Postman API to create a comment with the result
    if [ $COMMENT = true ]
      then
        COMMENT_BODY=$(jq -r 'map( .code + ": " + .message )' _result.json)
        echo $COMMENT_BODY > _errors.json
        # build a valid json file with {"body": "comment body"} with jq
        cat _errors.json | jq -Rs '{body: .}' > _comment.json
        curl -s -H "x-api-key: $API_KEY" -H "Content-Type: application/json" -X POST --data-binary "@./_comment.json" https://api.postman.com/apis/$API_UID/comments >/dev/null
        echo "Comment created on the API"
    fi
    exit 1
fi

About this code

• At line 2, we use the Postman API to get the API’s information, including its schemas.
• At line 5, we get the schema ID from the previous JSON response and save it as a variable.
• At line 8, we use the Postman API to get the API’s bundled contents.
• At line 10 we extract the content (the OpenAPI definition) and save it into a file.
• At line 13, we use Spectral CLI to check the rules against the ruleset file. Then we dump the results into a temporary _result.json file in JSON format.
• At line 16, we search for errors (severity 0) in the results with jq.
• At line 18, the tool checks if the previous command succeeded with an execution status of 0. In that case:
  • If the argument -c was passed, we use the Postman API’s Create an API comment endpoint to create a comment with the errors in the comment body.
  • We return an error execution status of 1. You can use this status code in scripts to evaluate if the collection contains any errors.

Use the tool

Once you clone the GitHub repository, run the shell script with the following command:

./linter.sh -a <api_uid> [-k <postman_api_key>] [-r path_to_ruleset_file] [-c]

For more details, see the repository’s README.md file.

In this command, the postman_api_key parameter defaults to a POSTMAN_API_KEY environment variable. The path_to_ruleset_file defaults parameter uses the spectral-ruleset/ruleset.yaml ruleset. You can find this ruleset in the postman-api-spectral-linter GitHub repository. You can also extend it by adding new rules or turning off any existing rules you don’t need.

Summary

• The Postman API offers full CRUD capabilities, making it easy to manage your APIs. With a valid API key, you can effortlessly retrieve an API’s OpenAPI definition using the Postman API.
• Define Spectral rules to ensure your API meets your quality standards.
• Automatically check your API governance rules with the Spectral CLI.
• Collaborate on API design using the Postman API Builder.
• Enhance collaboration by adding comments to your APIs with the Postman API.
• Integrate quality checks into your CI/CD workflows to boost overall API quality.

Next steps

• Define your own rules that meet the quality needs you want for your APIs. You can extend the example rules provided in this post.
• Use Postman’s postman-api-spectral-linter tool to automatically notify users when they don’t meet the quality standards and help your team maintain great APIs.

Do you have any use cases related to API quality? We would love to hear about it! Let us know in the comments below!