Compliance & Drift Analysis
The compliance service validates that your running API matches its OpenAPI specification. It catches drift — the gap between what you designed and what you deployed.
How It Works
The compliance service intercepts API requests and responses (via the gateway’s compliance stages) and validates them against the OAS:
- Request validation — Does the request match a documented operation? Are parameters, headers, and body correct?
- Response validation — Does the response schema match the OAS? Are status codes documented?
- Scoring — Each violation gets a severity (error, warning, info) and the API gets an overall compliance score.
What It Detects
| Violation | Severity | Example |
|---|---|---|
| Undocumented endpoint | Error | GET /users/search exists but isn’t in the OAS |
| Schema mismatch | Error | Response returns userName but OAS defines username |
| Missing security | Error | Operation declares a security requirement in the OAS but accepts unauthenticated requests |
| Wrong status code | Warning | Returns 200 for a creation that should return 201 |
| Missing headers | Warning | Response lacks Cache-Control or Content-Type |
| Type mismatch | Error | Field defined as integer, returned as string |
| Extra fields | Info | Response includes fields not in the OAS |
Compliance Score
Each API gets a compliance score based on the number and severity of violations:
- 90-100 — Clean. Minor informational findings.
- 70-89 — Needs attention. Some schema or documentation gaps.
- Below 70 — Significant drift. Design and implementation are misaligned.
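As an added illustration of the request and response validation, the violation table and the score bands above (example code, not Apiway’s own implementation, which this page does not show), the following script validates a few constructed traffic records against a constructed minimal OAS, emits violations with the severities from the table, and computes a score. The rule names, the severity weights (error 10, warning 3, info 1), the score formula, the sample users API and the captured records are assumptions made for the example; the undocumented query parameter rule and its warning severity are likewise an assumption, since the table does not list it.

```python
"""Toy OpenAPI drift checker: an added illustration, not Apiway's code.
Rule names follow the violation table on this page; the severity weights,
the score formula and the sample API are assumptions."""
import re
from collections import namedtuple

Violation = namedtuple("Violation", "rule severity detail")
SEVERITY_WEIGHT = {"error": 10, "warning": 3, "info": 1}   # assumed weights
JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}

def _match_operation(oas, method, path):
    """Return the operation for method+path; a {param} segment matches one path segment (templates assumed regex-free)."""
    for template, item in oas.get("paths", {}).items():
        pattern = "^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$"
        if re.match(pattern, path) and method.lower() in item:
            return item[method.lower()]
    return None

def _check_body(schema, body, label, out):
    """Compare a JSON object with an OAS object schema (top-level properties only)."""
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            out.append(Violation("schema_mismatch", "error", f"{label}: required field '{name}' missing"))
    for name, value in body.items():
        if name not in props:
            out.append(Violation("extra_field", "info", f"{label}: field '{name}' not in the OAS"))
            continue
        want, expected = props[name].get("type"), JSON_TYPES.get(props[name].get("type"))
        # bool is a subclass of int in Python, so keep integer and boolean distinct
        if expected and (not isinstance(value, expected) or (want == "integer" and isinstance(value, bool))):
            out.append(Violation("type_mismatch", "error",
                                 f"{label}: '{name}' should be {want}, got {type(value).__name__}"))

def validate(oas, rec):
    """Validate one captured request/response record; return the violations found."""
    out, label = [], f"{rec['method']} {rec['path']}"
    op = _match_operation(oas, rec["method"], rec["path"])
    if op is None:
        out.append(Violation("undocumented_endpoint", "error", f"{label} is not in the OAS"))
        return out
    documented = {p["name"] for p in op.get("parameters", []) if p.get("in") == "query"}
    for q in rec.get("query", {}):
        if q not in documented:
            out.append(Violation("undocumented_parameter", "warning", f"{label}: query parameter '{q}' not in the OAS"))
    req_hdrs = {k.lower() for k in rec.get("request_headers", {})}
    status = rec["status"]
    # The operation requires a security scheme, the request carried no credential, yet it succeeded.
    if op.get("security", oas.get("security")) and "authorization" not in req_hdrs and 200 <= status < 300:
        out.append(Violation("missing_security", "error", f"{label} returned {status} to an unauthenticated request"))
    responses = op.get("responses", {})
    if str(status) not in responses:
        out.append(Violation("wrong_status_code", "warning",
                             f"{label}: {status} not documented (expected {', '.join(responses)})"))
    resp_hdrs = {k.lower() for k in rec.get("response_headers", {})}
    for required in ("content-type", "cache-control"):
        if required not in resp_hdrs:
            out.append(Violation("missing_header", "warning", f"{label}: response lacks {required}"))
    schema = responses.get(str(status), {}).get("content", {}).get("application/json", {}).get("schema")
    if schema and isinstance(rec.get("body"), dict):
        _check_body(schema, rec["body"], label, out)
    return out

def score(violations):
    """Assumed formula: start at 100 and subtract each violation's weight, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[v.severity] for v in violations))

def band(s):
    """The page's bands: 90-100 clean, 70-89 needs attention, below 70 significant drift."""
    return "clean" if s >= 90 else "needs attention" if s >= 70 else "significant drift"

# Constructed minimal spec and traffic for a hypothetical users API (not from the page).
USER_SCHEMA = {"type": "object", "required": ["id", "username"],
               "properties": {"id": {"type": "integer"}, "username": {"type": "string"}}}
OAS = {
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {"get": {"parameters": [{"name": "id", "in": "path"}],
                                "responses": {"200": {"content": {"application/json": {"schema": USER_SCHEMA}}}}}},
        "/users": {"post": {"responses": {"201": {}}}},
    },
}
TRAFFIC = [
    # documented GET that drifted: extra query parameter, renamed field, id returned as a string
    {"method": "GET", "path": "/users/42", "query": {"expand": "roles"},
     "request_headers": {"Authorization": "Bearer x"}, "status": 200,
     "response_headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
     "body": {"id": "42", "userName": "alice"}},
    # documented POST served to an unauthenticated caller with 200 instead of 201 and no Cache-Control
    {"method": "POST", "path": "/users", "query": {}, "request_headers": {}, "status": 200,
     "response_headers": {"Content-Type": "application/json"}, "body": {}},
    # shadow endpoint that exists in code but not in the OAS
    {"method": "GET", "path": "/users/42/sessions", "query": {}, "status": 200,
     "request_headers": {"Authorization": "Bearer x"}, "response_headers": {}, "body": {}},
]

def report(oas=OAS, traffic=TRAFFIC):
    """Run every record through validate() and return (violations, score)."""
    violations = [v for rec in traffic for v in validate(oas, rec)]
    return violations, score(violations)
```

Calling report() on the built-in samples yields four errors, three warnings and one informational finding, for a score of 50, which falls in the significant-drift band. The renamed field shows up twice, as a missing required username (error) and an undocumented userName (info), which is what a reviewer would expect to see when a schema property is renamed in code only. The per-record validate() call is the shape of check a gateway stage would run on each intercepted exchange; the matcher deliberately lets a templated path such as /users/{id} absorb unknown single-segment paths, so a shadow endpoint that fits a template is not reported as undocumented, which is worth remembering when reading any traffic-based compliance report.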
The score is visible in the API catalogue, governance reviews, and the developer portal, so consumers can assess API quality before subscribing. Note that the score measures how closely the deployed API matches its OAS: a clean score means the implementation does what the spec says, not that the spec itself is secure.
Design-to-Code Drift
Drift happens when your API evolves in code without updating the spec. Common causes:
- A developer adds a query parameter but doesn’t update the OAS
- A schema field is renamed in code but the spec still has the old name
- An endpoint is removed but the OAS still documents it
Apiway catches this automatically. The compliance service runs continuously — not just at deploy time, but at runtime against real traffic. Because runtime validation works from observed requests, an operation is only checked once traffic reaches it; a removed endpoint that the OAS still documents surfaces when a client calls it and receives a status code the spec does not document.
Remediation
When drift is detected:
- Update the spec — Fix the OAS to match the actual implementation, then redeploy. Do this only when the implementation is the intended behaviour: documenting an undocumented endpoint or dropping a security requirement after the fact records the drift, it does not remove it
- Fix the code — Change the implementation to match the spec
- Governance review — Significant drift triggers a governance flow so reviewers are aware
Integration with Governance
Compliance scores feed into governance decisions:
- Reviewers see the compliance score when approving API changes
- Governance templates can require a minimum compliance score before approval
- Recurring compliance failures can trigger automated governance flows
Accessing Compliance Data
Reports are available per API, per operation, and per violation type. The compliance service stores results in MongoDB for historical trending — you can track whether your API quality is improving or degrading over time.