# API Schema Enforcement
{% hint style="success" %}
This feature is available exclusively with an open-appsec Premium subscription.
{% endhint %}
open-appsec's **Schema Validation** engine (Premium edition only) validates that API input conforms to the schema provided by the admin.
{% hint style="info" %}
When integrated with Kong Gateway, open-appsec's schema enforcement works independently of the Kong's own schema enforcement and is enforced first if activated.
{% endhint %}
The admin provides the schema (using the OpenAPI specification, or OAS in short) and enhances the ability of open-appsec to detect and prevent illegal requests that do not comply.
## What is OpenAPI Specifiction (OAS)
The [OpenAPI Specification (OAS)](https://spec.openapis.org/oas/latest.html) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic.
An OpenAPI definition can then be used by documentation generation tools to display the API, code generation tools to generate servers and clients in various programming languages, testing tools, and many other use cases.
## How to set up open-appsec Schema Validation
#### Step 1: Create an OpenAPI YAML file of your API
* Create one from your existing API.
* Make sure to have a process where updates in the API specification of the application also recreate the YAML file and upload it to open-appsec for each update.
#### Step 2: Browse to Assets and edit the asset
Once the asset edit window opens, select the **API Protection** tab and scroll to the **Schema Validation** sub-practice.
#### Step 3: Upload the schema file
Click on the **Upload** button the file selection window will appear:
* Click the "Add File" icon to add the OpenAPI YAML file that was created.
* Optionally - you can click the "Download" icon to verify an existing file's content.
* Select the file you wish to be used for schema validation.
* Click OK.
When making the first change to the default Web API Best Practice's configuration such as uploading your unique OpenAPI schema file for Schema Validation purposes, you will be prompted to change the name of the Practice to your own custom practice name.
#### Step 4: Make sure the Mode of the Schema Validation sub-practice is as desired
Setting the Mode to **As Top Level** means inheriting the primary mode of the practice.
Otherwise you can override it only for this specific sub-practice to **Detect**/**Prevent**/**Disable**.
{% hint style="info" %}
It is recommended to initially set the mode to "Detect" to verify the input schema file is correct by looking at the logs created by this capability.\
Afterwards, restore the mode to the desired state.
{% endhint %}
#### Step 5: Enforce Policy
Click **Enforce** above the top banner of the open-appsec portal.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.openappsec.io/additional-security-engines/api-schema-enforcement.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
