VeriSpec
Scan
Free API readiness checker

Check if your API is ready for AI agents

Paste an OpenAPI spec URL or upload a file. VeriSpec checks schema completeness, endpoint intent, auth and rate limits, typed errors, dangerous-action safety, and MCP/tool-call readiness — then scores it 0–100.

  • No API keys — we never call your endpoints
  • Evidence-backed findings with exact JSON pointers
  • A prioritized, ticket-ready fix plan

No API keys. We never call your endpoints. Private by default.

What VeriSpec checks

Every dimension that matters for machine consumption

Deterministic checks across eight categories — graded, evidence-backed, and weighted into a single readiness score.

Schema & contract

  • OpenAPI completeness & validity
  • Request & response schemas
  • Enums, formats, required fields
  • Examples for every operation

Intent & docs

  • Operation IDs & predictable naming
  • Summaries & “when to use” guidance
  • Workflow / multi-step docs
  • Parameter & field descriptions

Auth & limits

  • Security schemes & scopes
  • Permission boundaries
  • Rate limits & retries
  • Credential handling clarity

Agent safety & MCP

  • Destructive-action labeling
  • Idempotency & dry-run support
  • Typed errors & recovery
  • MCP / tool-call readiness
FAQ

Answers for skeptical developers

Positioning

VeriSpec is an API readiness and design auditor. It flags agent-safety and permission-design gaps — it is not a penetration test, threat model, or runtime security tool.

What does VeriSpec actually check?

Deterministic checks across eight categories: spec validity, schema quality, endpoint intent & naming, examples & docs coverage, auth/permissions/rate limits, errors & recovery, agent safety & side effects, and MCP/tool-call readiness. Each finding points to an exact location in your spec.

Is this a security scanner or penetration test?

No. VeriSpec is an API readiness and design auditor. It can flag safety and permission-design gaps that matter for AI-agent usage, but it is not a replacement for penetration testing, threat modeling, or runtime API security tooling.

Do I need to provide API keys?

No. The scanner reads your OpenAPI spec and public docs. We never call your protected endpoints, and we don't require credentials for a scan.

What can I scan?

Upload an OpenAPI JSON or YAML file, upload a Postman collection JSON file, paste a URL to a spec, or paste a public docs/Postman Documenter URL. GitHub import and MCP manifests are on the roadmap.

What is MCP readiness?

Model Context Protocol turns API operations into agent tools. VeriSpec grades whether your operations can become clean, safe MCP tools — clear names, complete input schemas, typed responses, and approval boundaries for dangerous actions.

Are my reports private?

Yes. Reports are private by default. You explicitly opt in to generate a shareable public link or an embeddable readiness badge, and you can keep detailed findings hidden.

Audit your API before AI agents do.

Run a free readiness scan in minutes. Get a score, the exact gaps, and a fix plan your team can ship.

Run a free scan View sample report