RESTful APIs are central in developing interoperable, modular, and maintainable software systems in today's enterprises. Also, it is essential to support system evolution, service interoperability, and governance across organizational boundaries to ensure good quality and consistency of these APIs. However, evaluating API design quality, which is part of non-functional requirement tasks, remains a largely manual and ad hoc process, particularly during early development. Using a Design Science Research (DSR) methodology, we elicited user needs, identified 75 API design rules using a literature review, and implemented a configurable rule engine to detect structural violations in OpenAPI specifications. The proposed tool supports organizational adaptability by allowing rules to be customized, enabled, or disabled, enabling integration of domain-specific standards. The evaluation was conducted through structured experiments and thematic analysis involving industry experts. API quality validation contributes to aligning technical designs with requirements and enterprise architecture by strengthening interoperability and governance between enterprise systems. The results show that S.E.O.R.A facilitates early validation of non-functional API requirements, provides actionable and traceable feedback, and aligns well with requirements elicitation and quality assurance processes. It improves the API design process by automating checks that would otherwise require manual inspection, thus supporting consistent and reusable conformance practices. This work contributes to requirements engineering by operationalizing design principles as verifiable constraints and embedding them into a practical validation tool. Future directions include IDE integration, expanded rule coverage, and real-world deployment to support continuous compliance in agile API development lifecycles.
A
Modern internet infrastructure predominantly comprises web applications supporting enterprise
systems such as banking services and other systems, including social media platforms [
RESTful services are typically documented through human-readable texts or informal diagrams.
However, the OpenAPI Specification (OAS), formerly known as Swagger, has emerged as the de
facto industry standard for representing RESTful APIs in a machine-readable format [
As REST APIs grow in scale and complexity, their design quality becomes critical to maintainability
and adoption [
CEUR Workshop
ISSN1613-0073
degradation in API quality [
This paper identifies relevant API Design Rules and proposes a tool named S.E.O.R.A (Static Evaluator
of RESTful APIs) to validate RESTful APIs and address the challenges outlined in the previous paragraph.
S.E.O.R.A assesses RESTful APIs defined using the OpenAPI Specification against a collection of
formalized design rules. The design rules represent quality-related non-functional requirements,
which are derived from previous research on REST principles [
The definition of a “well-designed” REST API remains contested [
Representational State Transfer (REST), which is a conceptual API framework, defines API behavior [
The OpenAPI Specification (OAS) defines a RESTful API interface for exchanging information between
provider and consumer [
Modern systems, such as microservices, use independently upgradable services, requiring more
integration than monolithic architectures [16]. High inter-system dependency complicates API updates/
modifications [ 16], and this added dependency is essential to measure API quality/similarity [17]. Poor
API evolution can degrade quality if bad practices are repeated [
Previous research on REST API quality includes representing APIs as Java interfaces [
On the other hand, regarding the OAS application, prior work introduced EvoMaster, a tool that
generates test cases from an extended OpenAPI version [14]. Using a evolutionary search approach
it achieves high code coverage and detect faults [14]. Variants of EvoMaster also consider operation
dependencies over values and coverage [
REST API design consistency is supported by several rules based on common patterns in development
practices [
The research framework chosen for this paper was Design Science Research (DSR), which focuses on building artifacts to solve real-world practical problems [20]. Artifacts, such as systems, methodologies, and system architectures, developed with DSR allow for an iterative development process using diferent research strategies and methods for five activities [ 20]. The five activities in the framework are to explicate the problem, define requirements, design and develop, demonstrate, and evaluate artifacts [20].
A survey in the form of a document review was conducted, which enabled a broad data collection to
define the gap between the current and the desired state [ 20]. This activity aimed to identify important
API design rules from academic and gray literature, which was combined with previous research on
rule’s priority [
The performed document study selected seven diferent academic sources [
We then preliminary categorized the rules after the possibility of implementing detection for them,
as “Yes” – if they were deemed detectable and relevant, and “No” if not. Common reasons for deeming
rules not detectable include requiring run-time access for dynamic analysis capabilities. All rules were
then categorized according to their perceived importance as established by [
The second activity of the DSR framework was to define the functional and non-functional requirements of the artifact. Semi-structured interviews were conducted with six developers and infrastructure specialists who had professional experience in using and/or designing RESTful APIs, see Table 2. The respondents represented varying levels of seniority and worked at diferent companies. Respondent selection employed a purposive sampling based on respondents’ relevant expertise in the field.
The interviews were conducted via a digital meeting platform. They included a short introduction about the project, followed by questions on which features the respondents would find helpful when using an artifact such as this. The interviews were analyzed using an inductive thematic analysis approach [24]. The interviews were transcribed, coded, and then analyzed to identify themes. The analysis was done on a semantic level and, therefore, based on what was explicitly said by the respondents rather than the meaning [24].
The thematic analysis yielded 82 codes, which were subsequently organized into four main themes: “Functions”, “Tool adaptation”, “Feedback”, and “Communication of results”.
The theme “Functions” included features the respondents mentioned about the artifact’s ability to take the ongoing debate about API quality into consideration by being able to customize feature within the artifact. The ability to add, delete, and customize rules was brought up. In the theme “Tool adaptation” the respondents mentioned that certain industry-wide and company-wide standards exist. Therefore, having the ability to adjust to company- or industry-specific regulations would benefit the tool’s relevance. The respondents mentioned diferent types of feedback that could be useful when using the artifact; these were included in the theme “Feedback”. A priority list of warnings to know what is most critical and the ability to make sure that company-wide rules are followed by warning if a rule has been broken were a few of the types of feedback mentioned. The respondents mentioned diferent ways for the feedback to be visualized, such as CI/CD, command-line, or a dashboard, which were all mentioned under the theme “Communication of results.”.
The third activity of the DSR framework is designing and developing the artifact [20]. There is less of a need for an explicit research strategy for this activity [20]; hence, no explicit strategy is tied to this activity. The artifact was, however, designed and developed iteratively based on the results of the previous activities. The artifact was implemented using technologies previously known and used by us while considering their relevance to the scope of the study.
The developed application, S.E.O.R.A 2, allows users to upload an OpenAPI specification file in JSON /YAML format and receive a list of violations and their corresponding rules. A demonstration of the user interface of the application can be seen in Figure 1.
The application consists of a Python FastAPI backend with 23 rule files (covering 34 rules), along with an OpenAPI parser, which is exposed using a RESTful API. Furthermore, a benefit of using Python - i.e., an interpreted language is that more rules could easily be loaded at run-time in future iterations of the artifact. The front-end consists of a React web application styled with Tailwind.
The developed parser followed the OpenAPI version 3.1 specification format [ 25], which builds a tree-like structure of the OAS where each node represents a URI key.
For example, an OAS with the URIs: – instances/{instance_id}/rules – instances/{instance_id}/ignores would be represented as a tree depicted in Figure 2. Additionally, schema and component references are resolved wherever possible to enable more straightforward rule definitions. While resolving schema references substantially increase the parser’s output size; this trade-of was deemed acceptable given the simplified rule definitions it facilitated.
The fourth activity of demonstrating the artifact was conducted with user tests on three APIs over a digital meeting platform where the respondents controlled a virtual machine with the developed Define requirements ×
Evaluate artifact × × × × × × × × application. In total, eight (8) software developers/specialists partook in the user tests, see Table 2. The same sampling strategies were used as in subsection 3.2.
The respondents were given three OpenAPI specifications [ 26, 27, 28] representing varying quality levels, from poor to well-designed APIs per evaluations by the authors and S.E.O.R.A, and asked to input them into the tool and review the corresponding recommendations and warnings generated by the program. The APIs were selected as they provided the users with examples of potential issues in real-life APIs and a fictional case to demonstrate the solution’s ability to catch trivial issues.
Another suitable strategy for this phase would have been the use of a descriptive case study, which would have provided insight into its usefulness in a real-life environment [20]. However, the findings from this type of case study may be influenced by stakeholder perspectives, potentially resulting in biased outcomes [20].
The fith activity of the DSR framework was to evaluate the artifact. An ex ante evaluation was used to evaluate this artifact. The framework were evaluated with an inductive thematic analysis that was performed based on the evaluating test and the semi-structured interviews that the eight respondents completed when the artifact was demonstrated.
The thematic analysis resulted in 32 codes, which were then organized into three themes: “Improvement opportunities”, “Integration into workflow”, and “Appreciated features”.
During the evaluation test and interviews, the respondents raised some points of improvement under the theme “Improvement opportunities”. These were abilities such as being able to choose which parts of the API get evaluated and being able to disable violation detection for specific parts of the API. The ability of the artifact to be integrated into users’ workflow is important for its relevance; respondents mentioned positive remarks on the artifact’s ability to do so but also mentioned some potential improvements to make it even more adaptable. The ability to connect in as a plugin to an IDE or an an integration to the pipeline were a few ideas that were mentioned under the theme “Integration to workflow”. For the theme “Appreciated features,” the respondents mentioned some features that were greatly appreciated, such as the artifact being able to aid a company in checking that they stay consistent and the ability to both modify and add rules.
Table 3 presents the identified requirements from the second activity, “Define requirements”, along with details regarding their fulfillment obtained during the final activity, “Evaluate artifact’.
This paper developed a software solution that statically evaluates REST APIs using the OAS format. The aim of this artifact was to improve the evaluation process and, hence, the development process of RESTful APIs. The discussion is structured around the findings of this paper and focuses on the evaluation process and its impact on evolution. Integrating S.E.O.R.A into enterprise modeling environments strengthens requirements elicitation, supports design consistency, and promotes organizational interoperability.
The developed artifact performs static evaluation of APIs based on a set of REST design rules.
Consequently, it does not require access to a deployed API, as all evaluations are conducted statically on the
API specification itself. Therefore, this approach avoids issues related to security and communication
between intermediary components [
Nevertheless, the current evaluation solution may entail considerable manual efort to disable
irrelevant rules and incorporate organization-specific guidelines. Moreover, the rule checks are relatively
crude in their detection, which can lead to numerous false positives and interpreting these flagged
violations may also demand significant efort to derive actionable insights. Another limitation lies
in the user interface, which currently lacks functionality for systematically searching, filtering, or
selectively including specific parts of an API specification. Finally, certain design rules, such as the
“Hierarchy design” compliance level three, are not fully verified due to inherent limitations in the
OpenAPI Specification (OAS) format, which does not comprehensively capture relationships between
endpoints beyond their hierarchical structure [
Despite these drawbacks, respondents indicated that the solution could still be valuable if integrated into their routine development workflows. Another benefit of the artifact would be applying it’s modularity for policy-driven API design to ensure sustained quality [19].
The tool provides a method for statically evaluating APIs against a set of established design rules, thereby supporting the maintenance of high-quality API design. APIs assessed by the tool receive a warning for each rule they violate. Each warning includes a descriptive message explaining the violation, which can be interpreted to guide improvements and help prevent poor design quality.
In the context of increasingly modular and interdependent systems, applying an organizational rule
set can help ensure standardized and consistent API quality across services. A systematic approach,
such as the developed solution, can therefore complement manual reviews by automatically detecting
trivial design flaws early, thereby reducing the required efort. However, since the solution evaluates
only the API specification, an inherent limitation that remains is that the internal design of the system
may still sufer from poor quality even if all design rules applied to the exposed interface are satisfied
[
To address the threats to external validity, respondents for both data collection sessions were developers/ specialists in API development and usage. The respondents were from diferent sectors with varying seniority and could therefore provide diferent perspectives regarding experience and requirements. This variability might have resulted in greater organizational flexibility while potentially sacrificing specialized expertise within individual organizations. In addition, we continued to interview new respondents to collect data until we reached saturation, which occurred when we were unable to find any new information or requirements from subsequent interviews. At this point, we decided to stop, as suggested in [29]. Thus, we determined the number of participants based on the level of saturation. Additionally, although real APIs were used for testing, they were not tested in a real development setting, i.e., ex-post evaluation.
While we used ten sources to identify design rules, we argue this provides representative coverage
because: (1) we observed convergence in the rules across sources, suggesting theoretical saturation, and
(2) these sources (specifically [
Regarding internal validity, i.e., factors that might have afected the results, a controlled environment was used, giving each respondents the same conditions, making the results easily comparable. The controlled setting also ensures the focus of the respondents on study-relevant data while reducing the potential impact of external variables.
Another threat to the internal validity of the study is the process used to decide which rules should be implemented. This was mitigated by including multiple authors when deciding to reduce the risk of the process negatively impacting the results.
This study identified a list of API Design Rules from prior research on REST principles [
At the same time, limitations remain. The expressiveness of the OpenAPI Specification bounds the current approach: relationships between endpoints, behavioral contracts, or cross-service workflows are only partially captured, constraining the complete evaluation of higher-order design principles. Moreover, S.E.O.R.A concentrates on static structure; complementary dynamic analyses (e.g., run-time monitoring or mutation testing) are still necessary for comprehensive quality assurance.
Several opportunities exist for further development of the S.E.O.R.A tool and the API Design Rules. Real-world validation of both the tool and its underlying approach are also potential future directions. We suggest the following future directions: 1. Ex-post evaluation in real-world projects While this study used controlled experiments and ex-ante evaluation to assess S.E.O.R.A’s utility, future work should include ex-post evaluation in live software projects. Embedding the tool in actual API development workflows (e.g., during a sprint or release cycle) would ofer insights into long-term adoption, usability, rule efectiveness, and the impact on defect prevention. Observational studies and longitudinal assessments could measure real-world outcomes such as improved design consistency, reduced review time, or higher developer confidence. This could be conducted as an A/B test to compare speed and accuracy. 2. Integration and deployment with other tools S.E.O.R.A could be integrated into CI/CD pipelines using tools such as GitHub and GitLab for automated enforcement of design conformance. It is also possible to package S.E.O.R.A as an Integration Development Environment (IDE) plugin to provide inline feedback similar to Github co-pilot. S.E.O.R.A could also be implemented as a web service and provisioned as a Software-as-a-service ofering to support centralized API governance functions and distributed teams. This future implementation not only improves the accessibility of the tool but also enables organizational-level rule standardization and reuse. 3. Rule engine enhancement and coverage expansion The current rules focus primarily on structural and naming conventions. Future work could expand the rule base by including securityrelated rules, versioning policies, etc. Also, it is possible to introduce rule prioritization schemes based on stakeholder feedback or other relevant parameter. • Investigate interoperability rules across heterogeneous interfaces to support federated or event-driven systems. • Add support for GraphQL schemas, enabling multi-spec validation under a unified framework.
During the preparation of this work, the author(s) used ChatGPT, Claude and Grammarly in order to: Grammar and spelling check, Paraphrase and reword. After using these tool(s)/service(s), the author(s) reviewed and edited the content as needed and take(s) full responsibility for the publication’s content. [12] F. Palma, J. Gonzalez-Huerta, M. Founi, N. Moha, G. Tremblay, Y.-G. Guéhéneuc, Semantic analysis of restful apis for the detection of linguistic patterns and antipatterns, International Journal of Cooperative Information Systems 26 (2017) 1742001. doi:10.1142/S0218843017420011. [13] B. Varanasi, M. Bartkov, Versioning, Paging, and Sorting, Apress, Berkeley, CA, 2022, pp. 147–167.
URL: https://doi.org/10.1007/978-1-4842-7477-4_7. doi:10.1007/978- 1- 4842- 7477- 4_7. [14] A. Arcuri, Restful api automated test case generation with evomaster, ACM Trans. Softw. Eng.
Methodol. 28 (2019). URL: https://doi.org/10.1145/3293455. doi:10.1145/3293455. [15] OpenAPI.org, Best practices, n.d. URL: "https://learn.openapis.org/best-practices.html". [16] A. Lercher, Managing api evolution in microservice architecture, in: Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, ICSE-Companion ’24, Association for Computing Machinery, New York, NY, USA, 2024, p. 195–197.
URL: https://doi.org/10.1145/3639478.3639800. doi:10.1145/3639478.3639800. [17] S. Serbout, C. Pautasso, Apistic: A large collection of openapi metrics, in: Proceedings of the 21st International Conference on Mining Software Repositories, MSR ’24, Association for Computing Machinery, New York, NY, USA, 2024, p. 265–277. URL: https://doi.org/10.1145/3643991.3644932. doi:10.1145/3643991.3644932. [18] C. Rodríguez, M. Baez, F. Daniel, F. Casati, J. C. Trabucco, L. Canali, G. Percannella, Rest apis: A large-scale analysis of compliance with principles and best practices, in: A. Bozzon, P. CudreMaroux, C. Pautasso (Eds.), Web Engineering, Springer International Publishing, Cham, 2016, pp. 21–39. [19] S. Heshmatisafa, M. Seppänen, Exploring api-driven business models: Lessons learned from amadeus’s digital transformation, Digital Business 3 (2023) 100055. URL: https:// www.sciencedirect.com/science/article/pii/S2666954423000030. doi:https://doi.org/10.1016/ j.digbus.2023.100055. [20] P. Johannesson, E. Perjons, An introduction to Design Science, Springer, 2014. [21] T. Fredrich, Restful service best practices, 2013. [22] InfoQ.com, Rest anti-patterns, 2008. URL: https://www.infoq.com/articles/rest-anti-patterns/. [23] Tho, Stack Overflow, Json naming convention (snake_case, camelcase or pascalcase), https://stackoverflow.com/questions/5543490/json-naming-convention-snake-case-camelcase-or-pascalcase, 2022. [24] V. Braun, V. Clarke, Using thematic analysis in psychology, Qualitative Research in Psychology 3 (2006) 77–101. [25] D. Miller, J. Whitlock, M. Gardiner, M. Ralphson, R. Ratovsky, U. Sarid, OpenAPI Specification v3.1.0, https://spec.openapis.org/oas/v3.1.0.html, 2021. Published by the OpenAPI Initiative, part of the Linux Foundation. [26] M. Keikavousi, Fake store api, 2025. URL: https://fakestoreapi.com/docs. [27] T. SendGrid, Twilio sendgrid mail api openapi specification, 2025. URL: https://github.com/twilio/ sendgrid-oai/blob/main/spec/yaml/tsg_mail_v3.yaml. [28] Discord, Discord api openapi specification, 2025. URL: https://github.com/discord/discord-api-spec/ blob/main/specs/openapi.json. [29] G. Guest, A. Bunce, L. Johnson, How many interviews are enough? an experiment with data saturation and variability, Field Methods 18 (2006) 59–82. doi:10.1177/1525822X05279903.