A lightweight OpenAPI validation proxy that validates HTTP responses against OpenAPI specifications in real-time.
- Real-time validation of HTTP responses against OpenAPI 3.x and Swagger 2.0 specifications
- Remote spec loading from HTTP/HTTPS URLs with safety warnings
- Multiple validation modes: strict, warn, report
- Colored logging with timestamps and structured output
- Lightweight: Only 3MB compressed binary
- Zero configuration - works out of the box
# Download the latest release
curl -L https://github.com/sorenjohanson/specgate/releases/latest/download/specgate -o specgate
chmod +x specgategit clone https://github.com/sorenjohanson/specgate.git
cd specgate
go build -ldflags="-s -w" -o specgate# Validate responses against a local OpenAPI spec
./specgate -spec openapi.yaml -upstream http://localhost:3000
# Use a remote OpenAPI spec
./specgate -spec https://api.example.com/openapi.json -upstream https://api.example.com
# Run in strict mode (returns 500 on validation errors)
./specgate -spec openapi.yaml -upstream http://localhost:3000 -mode strict| Flag | Default | Description |
|---|---|---|
-spec |
openapi.yaml |
Path or URL to OpenAPI specification |
-upstream |
http://localhost:3000 |
Upstream API URL to proxy to |
-port |
8080 |
Port for the validation proxy |
-mode |
warn |
Validation mode: strict, warn, or report |
warn(default): Log validation errors but pass through original responsesstrict: Return HTTP 500 with error details when validation failsreport: Log validation results for monitoring (soon!)
- Proxy Setup: SpecGate acts as a reverse proxy between clients and your API
- Request Forwarding: All requests are forwarded to your upstream API unchanged
- Response Validation: JSON responses are validated against your OpenAPI v2.0 or v3.0 spec (note: SpecGate uses kin-openapi behind the scenes, 3.1 support is tracked here)
- Logging: Validation results are logged with colored output for easy monitoring
- Error Handling: Based on the mode, invalid responses are either logged or replaced with errors
Client → SpecGate (validation) → Your API
← (logging) ←
# Start your API server
./your-api-server &
# Run SpecGate to validate responses during development
./specgate -spec api-spec.yaml -upstream http://localhost:3000 -mode strict
# Make requests through the proxy
curl http://localhost:8080/api/usersIt's possible to use SpecGate in production, but it requires re-routing existing requests through the proxy, like in development. Also, please do not use -mode strict in production. This will most likely break your API and increase support overhead!
Please share any issues you find if you do end up using SpecGate in production.
./specgate \
-spec https://api.example.com/openapi.json \
-upstream https://api.example.com \
-port 8080When using a remote spec that doesn't match your upstream URL, SpecGate will warn you:
./specgate -spec https://docs.example.com/spec.json -upstream https://api.other.com
# WARNING: spec URL (https://docs.example.com) does not match upstream URL (https://api.other.com)
# Do you want to continue? (y/N):SpecGate provides colored, structured logging:
- 🔴 ERROR: Validation failures, critical issues
- 🟡 WARN: Undocumented endpoints, non-critical issues
- 🟢 INFO: Startup information, general status
We welcome contributions! Please see CONTRIBUTING.md for detailed guidelines on:
- Setting up your development environment
- Installing Go and required tools
- Development workflow and coding standards
- Testing and building procedures
- Pull request process
This project is licensed under the GNU General Public License v3.0 - see LICENSE for info.
- Built with kin-openapi for OpenAPI validation
- Uses Go's standard library
log/slogfor structured logging