T Techclick OpenAPI security

Static contract review

OpenAPI Contract Security Linter

Paste an OpenAPI or Swagger contract and review authentication coverage, sensitive response fields, OAuth flow risks, query-string secrets, insecure server URLs, and missing failure responses before an API is published.

Current score -- Paste a contract to begin

Contract input

JSON or YAML, analyzed without live requests.

Ready

Security report

No report yet.

Critical0
High0
Medium0
Low0
Findings will appear here after analysis.

What this checks

  • Missing global or operation-level security requirements
  • Optional anonymous auth on admin, account, billing, token, or mutating routes
  • API keys in query strings, HTTP Basic, OAuth implicit/password flows, and HTTP auth URLs
  • Sensitive names in query parameters and success response schemas
  • Localhost, private-network, metadata, or HTTP server URLs in public contracts
  • Missing 401, 403, and 429 response documentation for secured or mutating operations

Evidence base