The phrase "OpenAPI spec" is used to mean two different things, and the distinction matters enormously for how your team works. In the first interpretation, the spec is a description of an API that already exists — written after implementation, kept updated through manual effort, and used primarily for documentation. In the second interpretation, the spec is the source of truth — written before implementation, used to generate server stubs, client SDKs, validation middleware, and documentation, and treated with the same version control discipline as production code.
Most teams start with the first interpretation and want to get to the second. The gap between them is not primarily a tooling problem; it is a workflow problem. This post is about what spec-first development actually requires, where it breaks down in practice, and the specific techniques that make the approach durable rather than an aspirational process document that erodes under shipping pressure.
What "Spec as Source of Truth" Actually Requires
Making the spec authoritative means that the spec is the thing you change first when you want to change API behavior. Not the controller code. Not the database schema. The spec.
This sounds straightforward and immediately runs into friction: writing YAML is slower than writing code, and most developers' editors are better at TypeScript or Go than at OpenAPI. The workflow is therefore most effective when the spec-writing step has strong tooling support: a schema that validates as you type, a local preview of the documentation, and a feedback loop tight enough that you see the downstream effects of your spec changes (generated types, validation errors) before you push.
The organizational requirement is that spec changes are the API change. A PR that modifies implementation behavior without a corresponding spec change is a spec violation. This needs to be enforced mechanically — typically by running a diff between the spec on your main branch and the behavior of your implementation in CI, failing the build if they diverge. Tools like schemathesis can run property-based tests against a live server using the spec as the test definition. If GET /users/{id} returns a 500 for inputs the spec says are valid, CI fails.
Structuring a Spec for Long-Term Maintainability
A single openapi.yaml file works fine for a small API. For anything beyond about 20 operations, the $ref system in OpenAPI 3.1 is your primary tool for maintainability. Schemas, parameters, and response definitions can be defined once in components and referenced throughout the spec. A $ref to a shared error schema means updating error structure in one place:
components:
schemas:
ErrorResponse:
type: object
required: [code, message]
properties:
code:
type: string
description: Machine-readable error code
example: "RESOURCE_NOT_FOUND"
message:
type: string
description: Human-readable error description
details:
type: array
items:
$ref: "#/components/schemas/ErrorDetail"
ErrorDetail:
type: object
properties:
field:
type: string
reason:
type: stringFor complex polymorphic types — a response that can be one of several object shapes — OpenAPI 3.1's discriminator combined with oneOf is the correct tool. The discriminator tells SDK generators how to deserialize the response into the correct concrete type, which is critical for generating useful SDKs rather than generic map types:
WebhookEvent:
oneOf:
- $ref: "#/components/schemas/OrderCreatedEvent"
- $ref: "#/components/schemas/OrderUpdatedEvent"
- $ref: "#/components/schemas/OrderCancelledEvent"
discriminator:
propertyName: event_type
mapping:
order.created: "#/components/schemas/OrderCreatedEvent"
order.updated: "#/components/schemas/OrderUpdatedEvent"
order.cancelled: "#/components/schemas/OrderCancelledEvent"JSON Schema composition with allOf handles inheritance patterns. A base resource type (id, created_at, updated_at) referenced with allOf in every resource schema keeps boilerplate out of individual definitions and ensures consistent field naming without copy-pasting.
Spectral: Enforcing Your API Style Guide in CI
An OpenAPI spec that is technically valid but inconsistent across operations will produce an SDK and documentation experience that feels fragmented. Inconsistent naming conventions (snake_case in some schemas, camelCase in others), missing operation IDs, response codes that vary arbitrarily between endpoints, absent description fields on parameters — these are the kind of issues that a reviewer catches some of the time but that a Spectral ruleset catches every time.
Spectral is a JSON/YAML linter that ships with an OpenAPI ruleset and supports custom rules. A minimal starting ruleset for platform teams typically includes: all operations must have an operationId, all operationId values must be camelCase, all schema properties must have a description, all 4xx responses must reference the shared ErrorResponse schema, and deprecated operations must carry a x-sunset-date extension.
# .spectral.yaml
extends: ["spectral:oas"]
rules:
operation-operationId: error
operation-operationId-camel-case:
description: operationId must be camelCase
given: "$.paths[*][get,post,put,patch,delete].operationId"
severity: error
then:
function: pattern
functionOptions:
match: "^[a-z][a-zA-Z0-9]+$"
deprecated-must-have-sunset:
description: Deprecated operations must have x-sunset-date
given: "$.paths[*][*][?(@.deprecated==true)]"
severity: error
then:
field: x-sunset-date
function: definedRunning spectral lint openapi.yaml in CI makes the style guide self-enforcing. A spec that passes Spectral is a spec that will generate a consistent SDK and render well in a documentation portal. A spec that fails Spectral does not merge.
The Drift Problem: Keeping Spec and Implementation Aligned
The most common failure mode in spec-first teams is the spec becoming a lie about the implementation. It starts small: a quick fix to a response handler that adds an undocumented field, a parameter validation rule changed in the code but not updated in the spec. Over weeks this accumulates into a spec that is 85% accurate and 15% wrong in ways you cannot easily identify.
Two mitigations work well in combination. The first is contract testing: tools like schemathesis generate property-based test inputs from the spec and run them against the live server, catching implementation behavior that the spec does not describe. The second is server stub generation: generating the server interface directly from the spec means the implementation starts by satisfying the spec's type contract. In Go or TypeScript, a generated interface that your handler must implement makes it structurally difficult to return a response that the spec does not describe.
We are not saying manual spec maintenance is never workable — teams with small, stable APIs do it successfully. What we are saying is that once your API surface crosses about 30 operations, the probability of spec drift happening and not being caught by code review alone approaches certainty. The investment in automated alignment checking pays for itself in the first incident it prevents.
Downstream Amplification: One Spec, Many Outputs
The payoff for the discipline of spec-first development is that the spec becomes a hub for downstream automation. SDK generation, documentation, mock server generation, breaking-change detection, rate limit policy derivation, portal publishing — all of these can be triggered by a spec update in CI/CD. A platform team that has invested in this pipeline ships a spec change and gets updated SDKs in npm, PyPI, and the Go module proxy, updated documentation on the portal, and updated mock servers for consumer contract testing, all within a single pipeline run.
That level of downstream automation is only achievable if the spec is trusted. A spec that is manually maintained and occasionally wrong cannot drive SDK generation reliably — a single missing required field in the spec will generate an SDK that crashes at a common call site. The workflow discipline of spec-first development is what makes the tooling investment pay off. The two cannot be separated: the tooling is the incentive to keep the spec accurate, and the accurate spec is what makes the tooling valuable.
