Static contract review
OpenAPI Contract Security Linter
Paste an OpenAPI or Swagger contract and review authentication coverage, sensitive response fields, OAuth flow risks, query-string secrets, insecure server URLs, and missing failure responses before an API is published.
Current score
--
Paste a contract to begin
Contract input
JSON or YAML, analyzed without live requests.
Ready
Security report
No report yet.
Critical0
High0
Medium0
Low0
Findings will appear here after analysis.
What this checks
- Missing global or operation-level security requirements
- Optional anonymous auth on admin, account, billing, token, or mutating routes
- API keys in query strings, HTTP Basic, OAuth implicit/password flows, and HTTP auth URLs
- Sensitive names in query parameters and success response schemas
- Localhost, private-network, metadata, or HTTP server URLs in public contracts
- Missing 401, 403, and 429 response documentation for secured or mutating operations