Generating OpenAPI Specifications with AI

Use AI to generate complete OpenAPI 3.x specifications from plain English requirements — endpoints, schemas, examples, and validation rules that serve as your API contract.

Premium Course Content

This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.

Access all premium courses
1000+ AI skill templates included
New content added weekly

← Back to course overview

🔄 Quick Recall: In the previous lesson, you built API design patterns — naming conventions, resource modeling, and response structure standards. Now you’ll turn those patterns into machine-readable OpenAPI specifications using AI as your spec writer.

OpenAPI (formerly Swagger) is the industry standard for describing REST APIs. A well-written OpenAPI spec is simultaneously documentation for humans, a contract for consumers, a source for code generation, and a basis for automated testing. The problem: writing OpenAPI YAML by hand is tedious enough that most teams skip it or let it go stale. AI makes spec generation fast enough that design-first becomes the practical default.

Generating Specs from Requirements

AI prompt for OpenAPI spec generation:

Generate a complete OpenAPI 3.1 specification for the following API. Domain: [DESCRIBE YOUR API — e.g., a task management system with users, projects, tasks, and comments]. Requirements: [LIST THE KEY OPERATIONS — CRUD for each resource, search/filter capabilities, relationships between resources]. Style: [YOUR CONVENTIONS — e.g., camelCase fields, cursor-based pagination, envelope response format, ISO 8601 dates]. Generate the full spec with: (1) info section with title, description, version, and contact, (2) paths for all endpoints with request/response schemas, (3) component schemas for all resources with field descriptions and validation rules, (4) example values for every request and response, (5) security scheme definitions, (6) error response schemas for 400, 401, 403, 404, and 500. Output as valid OpenAPI 3.1 YAML.

What to specify vs. what AI decides:

You Specify	AI Generates
Resources and their relationships	Complete CRUD endpoints for each
Required fields and business rules	Validation rules and constraints
Authentication method	Security scheme definitions
Response format preference	Consistent schemas across all endpoints
Pagination style	Pagination parameters and response metadata
Special operations (search, bulk, etc.)	Endpoint definitions with query parameters

AI prompt for spec review and refinement:

Review this OpenAPI specification for completeness and best practices. [PASTE SPEC OR DESCRIBE WHAT WAS GENERATED]. Check for: (1) Missing endpoints — are there CRUD operations that should exist but don’t? (2) Missing response codes — does each endpoint handle 400 (validation), 401 (auth), 403 (forbidden), 404 (not found), and 500 (server error)? (3) Missing query parameters — should list endpoints support filtering, sorting, or searching? (4) Schema completeness — does each resource have created_at, updated_at? Are relationships properly defined? (5) Example quality — are examples realistic and consistent across related endpoints? (6) Security — is authentication required on appropriate endpoints? List all findings with suggested fixes.

✅ Quick Check: AI generates a spec for your user endpoint. The GET /users/:id response includes the password hash field. Is this a problem? (Answer: Yes — this is a critical security issue. Password hashes should never be returned in API responses, even in specs. The schema should mark password-related fields as writeOnly: true so they only appear in request schemas, not responses. AI occasionally includes all database fields in responses unless you specify otherwise. Always review: “Which fields should a consumer NEVER see?”)

Schema Component Design

AI prompt for reusable schema components:

Design reusable schema components for my API. Domain: [YOUR DOMAIN]. Create: (1) Base schemas — a standard resource base with id, created_at, updated_at that other schemas extend, (2) Request vs. response schemas — separate CreateUserRequest (fields you send) from UserResponse (fields you get back, including read-only fields), (3) Pagination schema — a reusable PaginatedResponse component with cursor, has_more, and total fields, (4) Error schema — a standard error response component with code, message, details, and request_id, (5) Common types — Address, Money, DateRange, PhoneNumber, etc. that multiple resources share. Use OpenAPI’s $ref for all shared components to keep the spec DRY.

Common schema patterns:

Pattern	Use Case	AI Generates
Create vs. Response	Different fields for write vs. read	Separate request/response schemas
Partial update	PATCH requests with optional fields	Schema where all fields are optional
Nested vs. Reference	Related resources in responses	Configurable: embed object or return ID
Polymorphic	Different types (e.g., payment methods)	oneOf/anyOf with discriminator
Paginated collection	List endpoints	Reusable wrapper with items + pagination

Spec-to-Code Workflow

AI prompt for implementation scaffolding:

Given this OpenAPI specification [PASTE OR REFERENCE SPEC], generate implementation scaffolding in [LANGUAGE/FRAMEWORK — e.g., Express.js, FastAPI, Go/Gin]. Create: (1) route definitions matching every path in the spec, (2) request validation middleware using the spec’s schema constraints, (3) response type definitions matching the spec’s schemas, (4) stub handler functions with correct signatures (request params, body, response type), (5) error handling middleware that returns errors in the spec’s error format. The generated code should be a compilable starting point that returns mock data matching the spec’s examples, ready for business logic to be added.

Key Takeaways

AI generates complete OpenAPI 3.x specs from plain English descriptions in 15-20 minutes — eliminating the tedium that causes teams to skip the design phase and go straight to coding
Always review AI-generated specs for business logic decisions, not just syntax: which fields are required, what should be write-only (passwords), what should be read-only (timestamps), and which fields shouldn’t exist in the API at all
Response examples are one of the highest-value additions to any spec — they serve as documentation, contract test fixtures, and mock server data, and AI generates realistic examples automatically
Separate request and response schemas (CreateUserRequest vs. UserResponse) because what you send to create a resource is almost never identical to what you get back — AI handles this distinction cleanly with reusable components
The spec-to-code workflow (requirements → AI-generated spec → review → scaffolded code) is faster than code-first AND produces better results because design decisions happen before implementation commits you to them

Up Next

In the next lesson, you’ll build automated documentation systems — turning your OpenAPI specs into beautiful, interactive developer documentation that stays synchronized with your code.

Knowledge Check

1. Your product manager says: 'We need an API to manage blog posts — create, edit, delete, list with search and pagination, and support categories.' How long does it take to produce a complete OpenAPI spec?

A few hours to write the YAML from scratch 15-20 minutes with AI. Describe the requirements in plain English: 'Blog post management API with CRUD operations. Posts have title, content, author, status (draft/published), categories (many-to-many), created/updated timestamps. List endpoint supports search by title, filter by status and category, cursor-based pagination. Categories are a separate resource with name and slug.' AI generates the complete OpenAPI 3.x spec: paths, schemas, request/response examples, validation rules, and status codes. You review and refine — not write from scratch. The spec that took a day to hand-write now takes under an hour including review Skip the spec — just start coding and document later

2. AI generates an OpenAPI spec for your user endpoint. The 'create user' request schema includes: email (required), name (required), role (required, enum: admin/user/moderator), and password (required). What should you review before accepting?

Looks complete — accept it Review the design decisions AI made, not just the syntax: (1) Should role be settable at creation? Most systems default to 'user' and require admin action for role changes — making it required at creation is a security concern. (2) Should password be in the API request at all? If using OAuth/SSO, there's no password field. If using password auth, it should be write-only (never returned in responses). (3) Are there missing fields? What about a username, phone number, or profile image? (4) What validation rules apply? Email format, password minimum length, name max length? AI generates syntactically correct specs, but the design decisions — what fields exist, which are required, what values are valid — require human judgment about business rules Add more fields — the more data captured upfront, the better

3. Your spec defines a 'list orders' endpoint that returns an array of orders. A teammate suggests adding response examples to the spec. Is it worth the effort?

No — the schema definition is enough Yes — response examples are one of the highest-value additions to any API spec. They serve 3 purposes: (1) Documentation — developers see exactly what the response looks like without making a test call. A schema says 'status is a string enum'; an example shows { "status": "shipped" } in context. (2) Contract testing — examples become test fixtures. The example response is used to verify the actual API returns the expected structure. (3) Mock servers — tools like Prism or Stoplight generate mock APIs from examples, letting consumers build against the API before it's implemented. AI generates realistic examples for every endpoint automatically — names that look like real names, dates that make sense, IDs in the right format Only add examples for complex endpoints — simple ones are self-explanatory

Answer all questions to check

Complete the quiz above first