API readiness for the agent era

Your API works.
But can an AI agent use it?

VeriSpec scans your OpenAPI spec and docs for AI-agent readiness — MCP/tool-call usability, schema completeness, error recovery, auth clarity, and dangerous-action safety. Get a score, the exact gaps, and a fix plan your team can ship.

No API keys. We never call your endpoints. Private by default.

Built for API-first SaaS, DevRel, and platform teams.
View a sample report

Sample report: Acme Payments API (v2026-01-01)
Readiness grade: C
42 operations · 1 critical · 4 high
  • Spec validity 14/15
  • Schema quality 12/15
  • Endpoint intent 8/10
  • Examples & docs 9/15
  • Auth & permissions 11/15
Spec is ready for AI integration.
View the full sample report
The gap

AI agents are becoming API consumers. Most APIs are still documented only for patient humans.

Agents need more than endpoint names. They need complete schemas, safe action boundaries, typed errors, examples, auth scopes, rate limits, pagination rules, and clear instructions on when to use each endpoint.

POST /users/{id}/action
A human can guess what this does.
An agent should not have to.
What an agent needs
  • Complete request & response schemas
  • Typed errors with recovery guidance
  • Auth scopes & permission boundaries
  • Rate limits, pagination & idempotency
  • Safe-action boundaries for writes
  • When-to-use intent for every endpoint
What VeriSpec checks

Every dimension that matters for machine consumption

Deterministic checks across eight categories — graded, evidence-backed, and weighted into a single readiness score.

Schema & contract

  • OpenAPI completeness & validity
  • Request & response schemas
  • Enums, formats, required fields
  • Examples for every operation

Intent & docs

  • Operation IDs & predictable naming
  • Summaries & “when to use” guidance
  • Workflow / multi-step docs
  • Parameter & field descriptions

Auth & limits

  • Security schemes & scopes
  • Permission boundaries
  • Rate limits & retries
  • Credential handling clarity

Agent safety & MCP

  • Destructive-action labeling
  • Idempotency & dry-run support
  • Typed errors & recovery
  • MCP / tool-call readiness
How it runs

From spec to score in seconds.

Deterministic first, AI second. Every finding points to an exact location in your spec — no hand-waving, no invented issues.

  1. Parse & normalize
     Validate, dereference, and normalize your OpenAPI document.
  2. Run deterministic rules
     30+ checks across schema, intent, auth, errors, and safety.
  3. Score & classify
     Weighted category scores, a 0–100 grade, and risk classes.
  4. Summarize & fix
     An AI summary and a prioritized, ticket-ready fix pack.
verispec — scan
$ verispec scan ./openapi.yaml
running checks…
Evidence-backed findings

Get more than a score

Every report includes the affected endpoints, severity, impact, a recommended fix, and ticket-ready copy your team can act on.

Critical · Agent safety · DELETE /users/{id}

DELETE /users/{id} is destructive but has no safety guidance

This operation appears to delete a user, but the spec does not describe whether the action is reversible, requires confirmation, supports soft delete, or should be withheld from autonomous agents.

Impact

An AI agent could trigger an irreversible action without enough context or approval boundaries.

Recommendation

Document the side effect, required scope, confirmation requirement, audit behavior, and whether the delete is soft or hard.

evidence · /paths/~1users~1{id}/delete
fix · agent.dangerous_action_not_labeled
delete:
  operationId: delete_user
  summary: Permanently delete a user
  x-agent-safety:
    risk: irreversible
    requiresApproval: true
    reversible: false
  responses:
    "204": { description: User deleted }
High · Schema quality · POST /customers

Missing 2xx response schema for POST /customers

This operation returns a successful response without a defined schema. SDK generators and AI agents need a machine-readable output contract, not prose.

Impact

Agents may not know which fields are returned after creating a customer, making follow-up steps unreliable.

Recommendation

Add a 201 response that references the Customer schema and include at least one JSON example.

evidence · /paths/~1customers/post/responses/201
fix · oas.response_schema_missing
responses:
  "201":
    description: Customer created
    content:
      application/json:
        schema:
          $ref: "#/components/schemas/Customer"
        examples:
          created:
            value: { id: "cus_123", email: "jane@acme.com" }
High · Agent safety · POST /payments

POST /payments has no idempotency guidance

The payment creation endpoint does not document an idempotency key or duplicate-protection behavior.

Impact

Agents retry after timeouts. Without an idempotency key, a retry can double-charge a customer.

Recommendation

Accept an `Idempotency-Key` header and document how duplicates are handled server-side: the key's scope (per caller), how long it is retained, and that a replayed request returns the original response instead of creating a second payment.

evidence · /paths/~1payments/post
fix · idempotency.missing_for_mutation
parameters:
  - in: header
    name: Idempotency-Key
    required: true
    schema: { type: string, format: uuid }
    description: Safely retry without creating a duplicate payment.
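The "deterministic first" pipeline and the three findings above can be reproduced with a few rules that walk an OpenAPI document and attach an RFC 6901 JSON pointer to each hit. The following is an added example written for this page, not VeriSpec's own code: the rule IDs, severities and the `x-agent-safety` extension are taken from the sample findings shown above, the sample spec is constructed, and treating DELETE as destructive-by-default, PUT/DELETE as idempotent-by-definition, and 204/205/304 as body-less are assumptions stated in the code.

```python
"""Deterministic OpenAPI readiness rules with JSON-pointer evidence.
Added example, not VeriSpec's code: rule IDs, severities and the x-agent-safety
extension mirror the three sample findings on this page; the spec is constructed."""
import copy
from dataclasses import dataclass
from typing import Optional

HTTP_VERBS = {"get", "head", "options", "post", "put", "patch", "delete"}
DESTRUCTIVE_VERBS = {"delete"}             # assumption: DELETE is destructive unless labeled
RETRY_SENSITIVE_VERBS = {"post", "patch"}  # PUT and DELETE are idempotent by HTTP semantics
NO_BODY_CODES = {"204", "205", "304"}      # responses that carry no body, so no schema is due
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    evidence: str  # RFC 6901 JSON pointer into the spec
    message: str


def pointer(*tokens: str) -> str:
    """RFC 6901 pointer; '~' must be escaped before '/' so path templates round-trip."""
    return "/" + "/".join(t.replace("~", "~0").replace("/", "~1") for t in tokens)


def check_dangerous_action(path: str, method: str, op: dict) -> Optional[Finding]:
    """Destructive verbs need an explicit label with both a risk class and an approval flag."""
    safety = op.get("x-agent-safety") or {}
    if method in DESTRUCTIVE_VERBS and not {"risk", "requiresApproval"} <= set(safety):
        return Finding("agent.dangerous_action_not_labeled", "critical",
                       pointer("paths", path, method),
                       f"{method.upper()} {path} is destructive but has no safety guidance")
    return None


def check_success_schema(path: str, method: str, op: dict) -> Optional[Finding]:
    """Every 2xx response that carries a body must declare a schema, not only prose."""
    for code, resp in op.get("responses", {}).items():
        if not code.startswith("2") or code in NO_BODY_CODES:
            continue
        if not any("schema" in media for media in resp.get("content", {}).values()):
            return Finding("oas.response_schema_missing", "high",
                           pointer("paths", path, method, "responses", code),
                           f"Missing {code} response schema for {method.upper()} {path}")
    return None


def check_idempotency(path: str, method: str, op: dict) -> Optional[Finding]:
    """Non-idempotent mutations must expose a client-supplied idempotency key."""
    headers = {p.get("name", "").lower() for p in op.get("parameters", []) if p.get("in") == "header"}
    if method in RETRY_SENSITIVE_VERBS and "idempotency-key" not in headers:
        return Finding("idempotency.missing_for_mutation", "high",
                       pointer("paths", path, method),
                       f"{method.upper()} {path} has no idempotency guidance")
    return None


RULES = (check_dangerous_action, check_success_schema, check_idempotency)


def scan(spec: dict) -> list:
    """Run every rule over every operation; results are sorted critical-first, then by location."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_VERBS:  # skip path-level parameters, summary, etc.
                continue
            findings += [f for f in (rule(path, method, op) for rule in RULES) if f]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.evidence))


JSON = "application/json"
SAMPLE_SPEC = {  # constructed: the same three gaps as the sample findings above
    "openapi": "3.1.0",
    "paths": {
        "/invoices": {"get": {"operationId": "list_invoices", "responses": {
            "200": {"description": "OK", "content": {JSON: {"schema": {"type": "array"}}}}}}},
        "/users/{id}": {"delete": {"operationId": "delete_user", "responses": {
            "204": {"description": "User deleted"}}}},
        "/customers": {"post": {"operationId": "create_customer",
            "parameters": [{"in": "header", "name": "Idempotency-Key", "schema": {"type": "string"}}],
            "responses": {"201": {"description": "Customer created", "content": {JSON: {}}}}}},
        "/payments": {"post": {"operationId": "create_payment", "responses": {
            "201": {"description": "Payment created",
                    "content": {JSON: {"schema": {"$ref": "#/components/schemas/Payment"}}}}}}},
    },
}


def apply_page_fixes(spec: dict) -> dict:
    """Apply the three fixes shown above to a copy of the spec and return it."""
    fixed = copy.deepcopy(spec)
    fixed["paths"]["/users/{id}"]["delete"]["x-agent-safety"] = {
        "risk": "irreversible", "requiresApproval": True, "reversible": False}
    fixed["paths"]["/customers"]["post"]["responses"]["201"]["content"][JSON]["schema"] = {
        "$ref": "#/components/schemas/Customer"}
    fixed["paths"]["/payments"]["post"].setdefault("parameters", []).append({
        "in": "header", "name": "Idempotency-Key", "required": True,
        "schema": {"type": "string", "format": "uuid"}})
    return fixed


if __name__ == "__main__":
    for f in scan(SAMPLE_SPEC):
        print(f"{f.severity:<8} {f.rule:<38} {f.evidence}")
    print("after fixes:", scan(apply_page_fixes(SAMPLE_SPEC)))  # after fixes: []
```

Two details matter for a rule engine like this. The pointer escapes `~` before `/`, otherwise `/users/{id}` would come out as `~1users~1{id}` only by luck and a path containing `~` would be corrupted. And the 2xx schema rule must exempt body-less status codes, or the very `204` the DELETE fix above declares would be reported as a missing schema.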
MCP / tool-call readiness

See your API as agent tools — before you build them

VeriSpec grades whether each operation can become a clean, safe MCP tool: clear names, complete input schemas, predictable responses, and approval boundaries for dangerous actions.

Generated tool preview
create_customer.tool.ts
{
  name: "create_customer",
  description:
    "Create a new customer record. Requires customer.write scope. " +
    "Do not use for duplicate detection; call search_customers first.",
  inputSchema: {
    type: "object",
    required: ["email", "name"],
    properties: {
      email: { type: "string", format: "email",
        description: "Customer email. Must be unique." },
      name:  { type: "string", description: "Full customer name." }
    }
  },
  safety: { risk: "low_risk_write", requiresApproval: false,
    scopes: ["customer.write"] }
}
Tool candidates & risk
  • list_invoices · read-only · auto
  • search_customers · read-only · auto
  • create_customer · low-risk write · auto
  • refund_payment · irreversible · approval
  • delete_user · irreversible · approval

Destructive tools like refund_payment and delete_user are flagged to require human approval — so agents can plan safely.
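The tool preview and risk table above can be generated mechanically from the spec. The following is an added example for this page, not VeriSpec's or the MCP project's code. It maps each operation to the page's risk classes (read-only, low-risk write, irreversible), builds an MCP tool with `name`, `description` and `inputSchema`, and fills MCP's `annotations` field (`readOnlyHint`, `destructiveHint`, `idempotentHint`). The `safety` object in the preview above is VeriSpec's own presentation, not an MCP field, so the example keeps the approval decision outside the tool object: the MCP specification says clients must treat annotations as untrusted hints, so a host must enforce approval from its own policy rather than from whatever the server advertises. The operations, the tool-name pattern and the default of "irreversible always needs approval" are assumptions of the example.

```python
"""Turn OpenAPI operations into MCP tool definitions plus a host-side approval flag.
Added example, not VeriSpec's or MCP's code. Risk classes and x-agent-safety come from
this page; annotations use MCP's ToolAnnotations names. Operations are constructed."""
import re
from typing import Tuple

TOOL_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,64}$")  # assumption: conservative tool-name rule


def classify(method: str, op: dict) -> Tuple[str, bool]:
    """Return (risk_class, requires_approval). Irreversible actions always need approval."""
    safety = op.get("x-agent-safety") or {}
    if method in ("get", "head"):
        risk = "read_only"
    elif safety.get("risk") == "irreversible" or method == "delete":
        risk = "irreversible"
    else:
        risk = safety.get("risk", "low_risk_write")
    return risk, risk == "irreversible" or bool(safety.get("requiresApproval", False))


def scopes_of(op: dict) -> list:
    """Collect OAuth scopes from the operation's security requirements."""
    return sorted({s for req in op.get("security", []) for scopes in req.values() for s in scopes})


def input_schema(op: dict) -> dict:
    """Merge path/query parameters and the JSON request body into one JSON Schema object."""
    props, required = {}, []
    for p in op.get("parameters", []):
        if p.get("in") in ("path", "query"):
            props[p["name"]] = {**p.get("schema", {}), "description": p.get("description", "")}
            if p.get("required") or p.get("in") == "path":
                required.append(p["name"])
    body = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema", {})
    props.update(body.get("properties", {}))
    required.extend(body.get("required", []))
    return {"type": "object", "properties": props, "required": sorted(set(required))}


def to_mcp_tool(method: str, path: str, op: dict) -> dict:
    """Build the MCP tool object; the approval flag is returned beside it for the host's policy."""
    name = op.get("operationId") or re.sub(r"[^a-zA-Z0-9]+", "_", f"{method}{path}").strip("_")
    if not TOOL_NAME_RE.match(name):
        raise ValueError(f"unsafe tool name derived from {method.upper()} {path}: {name!r}")
    risk, approval = classify(method, op)
    description = op.get("summary", f"{method.upper()} {path}")
    scopes = scopes_of(op)
    if scopes:
        description += f" Requires {', '.join(scopes)} scope."
    has_idem_key = any(p.get("in") == "header" and p.get("name", "").lower() == "idempotency-key"
                       for p in op.get("parameters", []))
    tool = {
        "name": name,
        "description": description,
        "inputSchema": input_schema(op),
        "annotations": {  # MCP ToolAnnotations: hints for the client, never an authorization boundary
            "readOnlyHint": risk == "read_only",
            "destructiveHint": risk == "irreversible",
            "idempotentHint": method in ("get", "head", "put", "delete") or has_idem_key,
        },
    }
    return {"tool": tool, "risk": risk, "requires_approval": approval}


# Constructed operations matching four of the page's tool candidates.
OPERATIONS = {
    ("get", "/invoices"): {"operationId": "list_invoices", "summary": "List invoices.",
        "parameters": [{"in": "query", "name": "limit", "schema": {"type": "integer"}}]},
    ("post", "/customers"): {"operationId": "create_customer", "summary": "Create a new customer record.",
        "security": [{"oauth2": ["customer.write"]}],
        "requestBody": {"content": {"application/json": {"schema": {
            "type": "object", "required": ["email", "name"],
            "properties": {"email": {"type": "string", "format": "email"}, "name": {"type": "string"}}}}}}},
    ("delete", "/users/{id}"): {"operationId": "delete_user", "summary": "Permanently delete a user.",
        "parameters": [{"in": "path", "name": "id", "required": True, "schema": {"type": "string"}}],
        "x-agent-safety": {"risk": "irreversible", "requiresApproval": True, "reversible": False}},
    ("post", "/payments/{id}/refund"): {"operationId": "refund_payment", "summary": "Refund a payment.",
        "parameters": [{"in": "path", "name": "id", "required": True, "schema": {"type": "string"}}],
        "x-agent-safety": {"risk": "irreversible", "requiresApproval": True}},
}


def plan(operations: dict) -> list:
    """Rows of (tool name, risk class, 'approval' or 'auto'), like the candidate table above."""
    rows = []
    for (method, path), op in operations.items():
        t = to_mcp_tool(method, path, op)
        rows.append((t["tool"]["name"], t["risk"], "approval" if t["requires_approval"] else "auto"))
    return rows


if __name__ == "__main__":
    for row in plan(OPERATIONS):
        print(" · ".join(row))
```

Note the failure mode the name check guards against: an `operationId` is free text in OpenAPI, and a tool name that a model is asked to emit should stay within a strict character set rather than carrying whatever the spec author typed.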

Who it's for

Built for the teams shipping APIs into the agent era

Founders & CTOs

Know whether developers and AI agents can actually use your API before you launch it.

DevRel & DX leads

Find the docs and schema gaps blocking developer adoption — with shareable proof.

Platform engineering

Automate API quality checks before specs merge, and prevent breaking changes.

AI & automation teams

Test whether your API is safe and clear enough for autonomous agents and MCP tools.

Pricing

Start free. Upgrade when you ship.

Run a free scan to see your score. Upgrade for the full issue list, fix pack, PDF export, recurring scans, team access, and CI monitoring.

Free

One scan to see where you stand.

$0 forever
Run a free scan
  • 1 scan (upload or URL)
  • Overall + category scores
  • Top 5 findings
  • Shareable teaser report

Starter

For indie SaaS & API teams.

$99/month
  • 3 API projects
  • 20 scans / month
  • Full findings list
  • HTML / PDF export
  • Fix pack
  • Public readiness badge
Growth · Most popular

For active SaaS & API teams.

$199/month
  • 10 API projects
  • 100 scans / month
  • Scheduled scans + score history
  • Team members
  • Advanced MCP readiness
  • GitHub Action (when available)
  • Priority support

Team

For platform & API teams.

$399/month
  • 25 API projects
  • 500 scans / month
  • Team roles & permissions
  • Public / private reports
  • Custom rules
  • Slack alerts (when available)
  • Jira / Linear export (when available)
Done-for-you audit

We run the audit and hand you a roadmap: manual review by a founder, the full VeriSpec report, a Loom walkthrough, a prioritized API / docs fix roadmap, and a 30-day follow-up scan.

$999 one-time
Book an audit
FAQ

Answers for skeptical developers

Positioning

VeriSpec is an API readiness and design auditor. It flags agent-safety and permission-design gaps — it is not a penetration test, threat model, or runtime security tool.

What does VeriSpec actually check?

Deterministic checks across eight categories: spec validity, schema quality, endpoint intent & naming, examples & docs coverage, auth/permissions/rate limits, errors & recovery, agent safety & side effects, and MCP/tool-call readiness. Each finding points to an exact location in your spec.

Is this a security scanner or penetration test?

No. VeriSpec is an API readiness and design auditor. It can flag safety and permission-design gaps that matter for AI-agent usage, but it is not a replacement for penetration testing, threat modeling, or runtime API security tooling.

Do I need to provide API keys?

No. The scanner reads your OpenAPI spec and public docs. We never call your protected endpoints, and we don't require credentials for a scan.

What can I scan?

Upload an OpenAPI JSON or YAML file, upload a Postman collection JSON file, paste a URL to a spec, or paste a public docs/Postman Documenter URL. GitHub import and MCP manifests are on the roadmap.

What is MCP readiness?

Model Context Protocol turns API operations into agent tools. VeriSpec grades whether your operations can become clean, safe MCP tools — clear names, complete input schemas, typed responses, and approval boundaries for dangerous actions.

Are my reports private?

Yes. Reports are private by default. You explicitly opt in to generate a shareable public link or an embeddable readiness badge, and you can keep detailed findings hidden.

Audit your API before AI agents do.

Run a free readiness scan in minutes. Get a score, the exact gaps, and a fix plan your team can ship.