A Model Context Protocol (MCP) server for analyzing large OpenAPI/Swagger documents (100K–1M+ lines) with AI agents — without overwhelming their context windows.
Large OpenAPI documents are impractical to feed directly to an LLM. This server keeps documents on disk and exposes targeted query tools — AI agents receive only structured results, never raw OpenAPI content.
Choose your path:
| Mode | Best for | Jump to |
|---|---|---|
| Quick Start | Try it now with GitHub Copilot, no linting setup needed | ↓ |
| With Linting | (optional) Execute spectral rulesets using a linting orchestrator | ↓ |
| With Changelog | (optional) Compare versions, generate changelogs, detect breaking changes | ↓ |
| Local Development | Clone, build, test, or contribute | ↓ |
get_upload_instructions— retrieve instructions for uploading and analyzing documentslist_documents— list documents with pagination and sorting (limit,offset,sortBy,sortOrder)search_datastore— search by name, tags, organization, version, orisLatestflag
get_document_info— retrieve document title, version, serverslist_operations— list all operations; filter by method, optionally exclude deprecatedsearch_operations— search by path, summary, description, operationId, or tagsextract_operations— paginated detailed extraction; filter by method, tag, deprecated (page_sizeup to 200)get_security_schemes— all authentication and authorization schemesget_schemas— all data models and schemasvalidate_structure— basic OpenAPI structure validationget_statistics— operation counts, method distribution
list_rulesets— list available rulesetslint_document— execute a lint job with the specified documents and rulesetget_lint_status— check a lint job statusget_lint_results— retrieve lint findings; filter by severityinvalidate_lint_cache— clear cached results of a lint job
Linting requires the
spectifydorchestrator daemon, not included withnpm install. Tools are always registered and return a 503 when the orchestrator is unavailable — all other tools are unaffected.See With Linting Integration for setup instructions.
compare_documents— generate a changelog between two API versionsdetect_breaking_changes— identify breaking changes between versions
oasdiffis an external Go binary, not included withnpm install. Tools are always registered and return install guidance when the binary is not found onPATH.See With Changelog / API Comparison for setup instructions.
Analyze OpenAPI documents using GitHub Copilot in minutes — no linting setup required.
# Clone the MCP repo
git clone https://github.com/cisco-open/openapi-mcp-analyzer.git
# Install and start MCP (document-store is pulled from npm)
cd openapi-mcp-analyzer
npm install
npm run build
npm startThe server starts two listeners:
- Upload API:
http://localhost:3002— accepts OpenAPI files via HTTP - MCP endpoint:
http://localhost:3001/mcp— serves AI agents
Add to your MCP settings (.vscode/mcp.json or VS Code user settings):
{
"mcpServers": {
"openapi-analysis": {
"url": "http://localhost:3001/mcp",
"transport": "streamable-http"
}
}
}# Using the helper script
./tests/upload.sh path/to/your-api.yaml
# Returns: { "documentId": "abc-123-..." }Or with curl and optional metadata:
curl -X POST http://localhost:3002/upload \
-H "Content-Type: application/x-yaml" \
-H "X-Filename: my-api.yaml" \
-H "X-API-Name: My REST API" \
-H "X-Tags: rest,v2,public" \
-H "X-Organization: Engineering" \
--data-binary @my-api.yamlYou: I uploaded an OpenAPI document with ID abc-123.
What operations does it expose?
Copilot: [calls list_operations]
The API exposes 18 operations across 5 resource types:
- GET /pets, POST /pets, DELETE /pets/{id} (Pets)
- GET /users, POST /users, GET /users/{id}, PUT /users/{id} (Users)
...
You: Are there any deprecated endpoints I should migrate away from?
Copilot: [calls list_operations with deprecated=true]
3 deprecated operations found:
- DELETE /legacy/pets — use DELETE /pets/{id} instead
- GET /v1/status — replaced by GET /health
...
You: Show me the authentication schemes in use.
Copilot: [calls get_security_schemes]
The API uses two auth schemes:
- OAuth 2.0 (Authorization Code flow) — required on all /users endpoints
- API Key (header: X-API-Key) — alternative for /pets endpoints
Add automated linting against configurable rulesets and breaking-change detection between API versions. Linting requires the spectifyd orchestrator daemon. The MCP server starts without it and auto-reconnects — analysis tools are always available.
Option A — automated:
Pre-requisite: you've cloned and built both openapi-mcp-analyzer & linting-orchestrator repos
npm run start+orchestratorOption B — manual (two terminals):
# Terminal 1: run the orchestrator daemon in companion mode and passthrough document-store
spectifyd
# Terminal 2: MCP server connects
npm startWhen connected:
✅ Spectify connection restored — linting features enabled
MCP Tools: 25 total (13 base + 5 linting + 5 batch + 2 oasdiff)
When the orchestrator is unavailable (graceful degradation):
⚠️ Spectify connection failed — linting features disabled
✅ MCP ready (upload, search, analysis work normally)
You: Lint document abc-123 against the 'Contract Completeness' ruleset.
Copilot: [calls lint_document]
Linting complete — 2 errors, 5 warnings.
ERRORS (blocking):
- POST /users: missing operation description (rule: operation-description-required)
- GET /orders/{id}: response 404 not documented (rule: response-codes-defined)
WARNINGS:
- 3 operations missing example values
- 2 schema properties lack descriptions
You: What rulesets are available?
Copilot: [calls list_rulesets]
Available rulesets:
- oas-recommended (default) — 42 rules
- contract-completeness — 18 rules
- custom-internal — 7 rules
You: I have a new version of the API. Are there any breaking changes from abc-123?
Copilot: [calls detect_breaking_changes with base=abc-123, revision=xyz-456]
3 breaking changes detected:
- DELETE /users/{id}: response body schema changed (removed field "legacyId")
- POST /orders: required field "currency" added to request body
- GET /products: path parameter renamed from "product_id" to "id"
For architecture details see ORCHESTRATOR_MCP_INTEGRATION_ARCHITECTURE.md and GRACEFUL_DEGRADATION.md.
Compare two uploaded API versions to generate a changelog or identify breaking changes. This uses oasdiff, an external Go binary that must be installed separately. The MCP server starts without it — comparison tools are always registered and return install guidance when the binary is not found on PATH.
brew install oasdiff # macOS
curl -fsSL https://raw.githubusercontent.com/oasdiff/oasdiff/main/install.sh | sh # Linux/macOS
go install github.com/oasdiff/oasdiff@latest # Go toolchainSee oasdiff.com for more options. No server restart is needed after installing — the MCP server detects the binary on the next tool call.
You: Upload the old version as abc-123 and the new version as xyz-456.
What changed between them?
Copilot: [calls compare_documents with base=abc-123, revision=xyz-456]
Changelog (12 changes):
- GET /pets: added optional query parameter "status"
- POST /orders: added required field "currency" to request body
- DELETE /legacy/pets: endpoint removed
...
You: Are any of those breaking changes?
Copilot: [calls detect_breaking_changes]
3 breaking changes detected:
- POST /orders: required field "currency" added (existing clients will break)
- DELETE /legacy/pets: endpoint removed
- GET /products: path parameter renamed from "product_id" to "id"
- Quick Start Guide
- Architecture
- Linting Integration Architecture
- Graceful Degradation
- Pagination Configuration
- MCP Compatibility Guide
- StreamableHTTP Best Practices
- Logging
- Changelog
- AGENTS.md — instructions for AI coding agents --
- Node.js ≥ 20.x
- The
@cisco_open/linting-document-storedependency is pulled from npm automatically vianpm install. - Optional: a local clone of
linting-orchestratorside-by-side, only if you want to run thespectifydlinting daemon from source:
parent-dir/
├── openapi-mcp-analyzer/ ← this repo
└── linting-orchestrator/ ← optional companion repo (linting daemon)
git clone https://github.com/cisco-open/openapi-mcp-analyzer.git
# Install and build MCP (document-store is pulled from npm)
cd openapi-mcp-analyzer
npm install
npm run buildDependency note:
@cisco_open/linting-document-storeis resolved from the npm registry (latest) inpackage.json. Runnpm installto pull the latest published version.
npm run dev # watch mode (tsc + node --watch)
npm start # production (pre-built)
npm run start+orchestrator # full stack with spectifyd
npm run build # compile TypeScript onlyThe test suite uses Bats (Bash Automated Testing System) — 50 independent test cases across three files.
Automated (starts and stops the server for you):
npm run test:integration # 28 tests — no orchestrator needed
npm run test:integration+orchestrator # 50 tests — full stackManual (server already running in another terminal):
npm run test:base # 14 base tool tests
npm run test:orchestrator # 22 linting tool tests
npm run test:oasdiff # 14 comparison tool tests
npm run test:all # all 50Test coverage:
| Test file | Tests | Tools covered |
|---|---|---|
test-tools.bats |
14 | get_document_info, list_operations, extract_operations, search_operations, get_schemas, get_security_schemes, get_statistics, validate_structure |
test-orchestrator-integration.bats |
22 | lint_document, get_lint_status, get_lint_results, list_rulesets, invalidate_lint_cache |
test-oasdiff-integration.bats |
14 | compare_documents, detect_breaking_changes |
| Total | 50 | All 25 MCP tools |
See tests/README.md for detailed test documentation.
--
| Method | Endpoint | Description |
|---|---|---|
POST |
/upload |
Upload an OpenAPI document |
GET |
/documents |
List all documents with metadata |
GET |
/documents/:id |
Get document metadata |
DELETE |
/documents/:id |
Delete a document |
POST |
/search |
Search documents by metadata |
GET |
/stats |
Cache and datastore statistics |
GET |
/health |
Health check |
Upload headers:
Content-Type:application/jsonorapplication/x-yaml(required)X-Filename: document filename (required)X-API-Name,X-Tags,X-Owner,X-Organization,X-Description: optional metadata
Priority order: CLI arguments > environment variables > config.yaml > defaults.
# config.yaml
logLevel: INFO # DEBUG | INFO | WARN | ERROR (default: DEBUG)
uploadPort: 3002 # HTTP upload server port
mcpPort: 3001 # MCP server port
datastoreDir: ./datastore
datastoreQuotaGB: 10
cacheMaxSize: 100 # max documents in memory cache
defaultPageSize: 50 # default pagination sizeEquivalent environment variables: LOG_LEVEL, UPLOAD_PORT, MCP_PORT, DATASTORE_DIR, DATASTORE_QUOTA_GB, CACHE_MAX_SIZE, DEFAULT_PAGE_SIZE.
See docs/PAGINATION_CONFIG.md and docs/maintainers/LOGGING.md for details.
MCP is designed for structured JSON messages, not multi-megabyte file transfers. A separate HTTP endpoint handles uploads via standard curl or multipart. MCP then exposes targeted query tools — LLMs receive only structured results, never raw OpenAPI content.
curl / upload.sh ──────▶ HTTP Upload API (port 3002)
Fastify + metadata headers
│
DocumentCoordinator
┌───────────────┴────────────────┐
DocumentCache DatastoreManager
(1h TTL, LRU) (./datastore/, no expiry)
└───────────────┬────────────────┘
│
Copilot / Claude ──────▶ MCP Server (port 3001)
StreamableHTTP, stateless
Analyzer + Extractor
- All documents persisted to
./datastore/— no automatic expiry, 10 GB default quota - In-memory cache (1h TTL, max 100 docs) — write-through on upload, cache-aside on miss
- Cache and datastore are architecturally separated (supports future migration to Redis/S3)
- MCP connects to the
spectifyddaemon over HTTP (port 3004 companion mode, 3003 standalone) - Graceful degradation: linting tools return 503 when the orchestrator is unavailable; all other tools unaffected
- Auto-reconnection every 30 seconds
To add a custom analysis tool:
- Add a method to
src/analyzer.ts - Register the tool in
src/mcp-streamable-server.ts - Rebuild:
npm run build
See docs/maintainers/ARCHITECTURE.md for the full system design.
See CONTRIBUTING.md.
See SECURITY.md for our security policy and how to report vulnerabilities.
See CODE_OF_CONDUCT.md.
This software is licensed under the Apache License 2.0. See LICENSE for details.