This is a sample report for a fictional API. Run a scan to generate your own.

0ReadinessC

VeriSpec report Jun 14, 2026

Acme Payments API

v2026-01-01

Acme Payments has a valid OpenAPI spec with strong coverage for read endpoints, but mutation endpoints are missing idempotency guidance, several error responses are undocumented, and destructive billing operations are not clearly labeled for agent safety.

Operations

Critical

High

Category breakdown

Where the points went

Spec validity14/15

Schema quality12/15

Endpoint intent8/10

Examples & docs9/15

Auth & permissions11/15

Errors & recovery5/10

Agent safety7/10

MCP readiness10/10

Fix pack

A prioritized plan, ready for tickets

Ordered by impact on agent and tool-call reliability, with a suggested owner and effort estimate.

01Add typed error responses across mutation endpointsAPIMedium

02Document idempotency keys for payment & refund operationsAPIMedium

03Label refund & cancellation endpoints as side-effectingDocsLow

04Add request/response examples for customer & invoice creationDocsLow

05Rename ambiguous operation IDs for MCP/tool generationPlatformMedium

Findings

7 findings with evidence & fixes

Each finding points to an exact JSON pointer in the spec, with impact, recommendation, and a copy-ready fix.

CriticalAgent safetyDELETE/users/{id}

DELETE /users/{id} is destructive but has no safety guidance

This operation appears to delete a user, but the spec does not describe whether the action is reversible, requires confirmation, supports soft delete, or should be withheld from autonomous agents.

Impact

An AI agent could trigger an irreversible action without enough context or approval boundaries.

Recommendation

Document the side effect, required scope, confirmation requirement, audit behavior, and whether the delete is soft or hard.

evidence/paths/~1users~1{id}/delete

fix · agent.dangerous_action_not_labeled

delete:
  operationId: delete_user
  summary: Permanently delete a user
  x-agent-safety:
    risk: irreversible
    requiresApproval: true
    reversible: false
  responses:
    "204": { description: User deleted }

HighSchema qualityPOST/customers

Missing 2xx response schema for POST /customers

This operation returns a successful response without a defined schema. SDK generators and AI agents need a machine-readable output contract, not prose.

Impact

Agents may not know which fields are returned after creating a customer, making follow-up steps unreliable.

Recommendation

Add a 201 response that references the Customer schema and include at least one JSON example.

evidence/paths/~1customers/post/responses/201

fix · oas.response_schema_missing

responses:
  "201":
    description: Customer created
    content:
      application/json:
        schema:
          $ref: "#/components/schemas/Customer"
        examples:
          created:
            value: { id: "cus_123", email: "jane@acme.com" }

HighAgent safetyPOST/payments

POST /payments has no idempotency guidance

The payment creation endpoint does not document an idempotency key or duplicate-protection behavior.

Impact

Agents retry after timeouts. Without an idempotency key, a retry can double-charge a customer.

Recommendation

Accept an `Idempotency-Key` header and document how duplicate requests are de-duplicated server-side.

evidence/paths/~1payments/post

fix · idempotency.missing_for_mutation

parameters:
  - in: header
    name: Idempotency-Key
    required: true
    schema: { type: string, format: uuid }
    description: Safely retry without creating a duplicate payment.

HighErrors & recoveryPOST/refunds

No documented error responses on POST /refunds

Only a 200 response is documented. There are no typed 4xx/5xx responses describing validation or failure modes.

Impact

Agents cannot recover from failure because they don't know what errors to expect.

Recommendation

Document 400/402/409 responses with a shared Error schema, a request id, and a machine-readable error code.

evidence/paths/~1refunds/post/responses

fix · oas.error_responses_missing

"402":
  description: Refund exceeds available balance
  content:
    application/json:
      schema: { $ref: "#/components/schemas/Error" }

MediumAgent safetyGET/invoices

GET /invoices does not document pagination

This list endpoint returns an array with no documented cursor, page parameter, or total-count behavior.

Impact

Agents cannot reliably traverse all results and may silently process only the first page.

Recommendation

Document cursor-based pagination with `limit` and `starting_after`, and return a `has_more` flag.

evidence/paths/~1invoices/get

fix · pagination.ambiguous

parameters:
  - { in: query, name: limit, schema: { type: integer, default: 20 } }
  - { in: query, name: starting_after, schema: { type: string } }

MediumMCP readinessPOST/billing/doAction

operationId "doAction" is not MCP-friendly

The operationId does not convey intent. Tool generators and agents rely on verb_noun names to choose the right tool.

Impact

An agent is more likely to select the wrong tool or misuse this endpoint.

Recommendation

Rename to an explicit `verb_resource` operationId such as `update_billing_settings`.

evidence/paths/~1billing~1doAction/post/operationId

fix · mcp.tool_name_unclear

post:
  operationId: update_billing_settings
  summary: Update an account's billing settings

MediumAuth & permissions

Rate limits are not documented

No global or per-endpoint rate limit information is present in the spec or docs.

Impact

Agents call APIs in tight loops and unintentionally exceed limits, causing failures.

Recommendation

Document the rate limit window, the `429` response, and the `Retry-After` header behavior.

fix · rate_limits.undocumented

"429":
  description: Too many requests
  headers:
    Retry-After: { schema: { type: integer } }

Run this on your API

MCP / tool-call readiness

See your API as agent tools — before you build them

VeriSpec grades whether each operation can become a clean, safe MCP tool: clear names, complete input schemas, predictable responses, and approval boundaries for dangerous actions.

Generated tool preview

create_customer.tool.ts

{
  name: "create_customer",
  description:
    "Create a new customer record. Requires customer.write scope. " +
    "Do not use for duplicate detection; call search_customers first.",
  inputSchema: {
    type: "object",
    required: ["email", "name"],
    properties: {
      email: { type: "string", format: "email",
        description: "Customer email. Must be unique." },
      name:  { type: "string", description: "Full customer name." }
    }
  },
  safety: { risk: "low_risk_write", requiresApproval: false,
    scopes: ["customer.write"] }
}

Tool candidates & risk

list_invoicesRead-only auto

search_customersRead-only auto

create_customerLow-risk write auto

refund_paymentIrreversible approval

delete_userIrreversible approval

Destructive tools like refund_payment and delete_user are flagged to require human approval — so agents can plan safely.

Audit your API before AI agents do.

Run a free readiness scan in minutes. Get a score, the exact gaps, and a fix plan your team can ship.

Run a free scan View sample report