RFC 9727                  api-catalog: A Well-Known URI               June 2025
Smith                            Standards Track
This document defines the "api-catalog" well-known URI and link relation. It is intended to facilitate automated discovery and usage of published Application Programming Interfaces (APIs). A request to the api-catalog resource will return a document providing information about, and links to, the Publisher's APIs.

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9727.

Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
An application may publish APIs to encourage requests for interaction from external parties. Such APIs must be discovered before they may be used, i.e., the external party needs to know what APIs a given Publisher exposes, their purpose, any policies for usage, and the endpoint to interact with each API. To facilitate automated discovery of this information and automated usage of the APIs, this document proposes:

   *  a well-known URI [WELL-KNOWN], "api-catalog", that is encoded as a URI reference to an API catalog document describing a Publisher's API endpoints.

   *  a link relation [WEB-LINKING], "api-catalog", of which the target resource is the Publisher's API catalog document.

The primary goal of this document is to facilitate the automated discovery of a Publisher's public API endpoints, along with metadata that describes the purpose and usage of each API, by specifying a well-known URI that returns an API catalog document. The API catalog document is primarily machine-readable to enable automated discovery and usage of APIs, and it may also include links to human-readable documentation (see the example in Appendix A.1).

Non-goals: This document does not mandate paths for API endpoints, i.e., it does not mandate that my_example_api's endpoint should be https://www.example.com/.well-known/api-catalog/my_example_api, nor even that it be hosted at www.example.com (although it is not forbidden to do so).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.

The terms "content negotiation" and "status code" are from [HTTP]. The term "well-known URI" is from [WELL-KNOWN]. The term "link relation" is from [WEB-LINKING].

The term "Publisher" refers to an organisation, company, or individual that publishes one or more APIs for use by external third parties. A fictional Publisher named "example" is used throughout this document. The examples use the Fully Qualified Domain Names (FQDNs) "www.example.com", "developer.example.com", "apis.example.com", "apis.example.net", "gaming.example.com", and "iot.example.net", where the .com and .net Top-Level Domains (TLDs) and various subdomains are simply used to illustrate that the "example" Publisher may have their API portfolio distributed across various domains for which they are the authority. Scenarios where the Publisher "example" is not the authority for a given .example. domain are made explicit in the text.

In this document, "API" refers to the specification resources required for an external party (or in the case of "private" APIs, an internal party) to implement software that uses the Publisher's API.

The specification recommends the use of TLS. Hence, "HTTPS" and "https://" are used throughout.
The api-catalog well-known URI is intended for HTTPS servers that publish APIs.

The API catalog MUST be named "api-catalog" in a well-known location as described by [WELL-KNOWN].

The location of the API catalog document is decided by the Publisher. The /.well-known/api-catalog URI provides a convenient reference to that location.

A Publisher supporting this URI:
This document introduces a new link relation [WEB-LINKING], "api-catalog". This identifies a target resource that represents a list of APIs available from the Publisher of the link context. The target resource URI may be /.well-known/api-catalog or any other URI chosen by the Publisher. For example, the Publisher "example" could include the api-catalog link relation in the HTTP header and/or content payload when responding to a request to https://www.example.com:

   HTTP/1.1 200 OK
   Content-Type: text/html; charset=UTF-8
   Location: /index.html
   Link: </my_api_catalog.json>; rel=api-catalog
   Content-Length: 356

   <!DOCTYPE HTML>
   <html>
   <head>
   <title>Welcome to Example Publisher</title>
   </head>
   <body>
   <p>
   <a href="my_api_catalog.json" rel="api-catalog">
   Example Publisher's APIs
   </a>
   </p>
   <p>(remainder of content)</p>
   </body>
   </html>
When used in an API catalog document, the "item" [RFC6573] link relation identifies a target resource that represents an API that is a member of the API catalog.

Other link relations may be utilised in an API catalog to convey metadata descriptions for API links.
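As an added example (not code from RFC 9727), the following Python locates a Publisher's API catalog from a response such as the one above: it parses the Link header, honours a rel parameter that lists several relation types, resolves a relative target against the request URL, and falls back to the well-known URI when no api-catalog link is advertised. The parser is a simplified one that assumes well-formed RFC 8288 header syntax.

```python
"""Discover a Publisher's API catalog from an HTTP response, following
the api-catalog link relation (Section 3) and falling back to the
well-known URI (Section 2).

Added example; not code from RFC 9727. The Link-header parser is a
simplified one for well-formed RFC 8288 headers.
"""
from __future__ import annotations
import re
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/.well-known/api-catalog"
REL = "api-catalog"

# One link-value: <target> followed by zero or more ;name=value params.
# Values may be quoted (commas allowed inside quotes) or bare tokens.
_LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,=]+=(?:"[^"]*"|[^;,]*))*)')
_PARAM = re.compile(r';\s*([^;,=]+)=("[^"]*"|[^;,]*)')


def parse_link_header(header: str) -> list[tuple[str, dict[str, str]]]:
    """Return [(target, {param: value}), ...] for each link-value."""
    links = []
    for m in _LINK_VALUE.finditer(header):
        params = {}
        for pm in _PARAM.finditer(m.group(2)):
            name = pm.group(1).strip().lower()
            value = pm.group(2).strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            params[name] = value
        links.append((m.group(1).strip(), params))
    return links


def find_api_catalog(request_url: str, link_header: str | None) -> str:
    """Resolve the api-catalog target URI advertised in a Link header.

    The rel parameter may carry several space-separated relation types,
    so it is split before comparison (case-insensitively). Relative
    targets are resolved against the request URL. With no matching link,
    the well-known URI on the request's origin is the discovery fallback.
    """
    for target, params in parse_link_header(link_header or ""):
        rels = params.get("rel", "").lower().split()
        if REL in rels:
            return urljoin(request_url, target)
    parts = urlsplit(request_url)
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN_PATH}"
```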
The API catalog is a document listing a Publisher's APIs. The Publisher may host the API catalog document at any URI(s) they choose. For example, the API catalog document URI of https://www.example.com/my_api_catalog.json can be requested directly or via a request to https://www.example.com/.well-known/api-catalog, which the Publisher will resolve to https://www.example.com/my_api_catalog.

The API catalog MUST include hyperlinks to API endpoints. It is RECOMMENDED that the API catalog also includes useful metadata, such as usage policies, API version information, links to the OpenAPI Specification [OAS] definitions for each API, etc. If the Publisher does not include that metadata directly in the API catalog document, they SHOULD make that metadata available at the API endpoint URIs they have listed (see Appendix A.2 for an example).

The Publisher MUST publish the API catalog document in the Linkset format application/linkset+json (Section 4.2 of [RFC9264]). The Linkset SHOULD include a profile parameter (Section 5 of [RFC9264]) with a Profile URI [RFC7284] value of "https://www.rfc-editor.org/info/rfc9727" to indicate the Linkset is representing an API catalog document as defined above. Appendix A includes example API catalog documents based on the Linkset format.

The Publisher MAY make additional formats available via content negotiation (Section 12 of [HTTP]) to their /.well-known/api-catalog location. A non-exhaustive list of such formats that support the automated discovery and machine (and human) usage of a Publisher's APIs is listed at Appendix A.3. If a Publisher already lists their APIs in a format other than Linkset, but wishes to utilise the /.well-known/api-catalog URI, then:

   *  They MUST also implement a Linkset with, at minimum, hyperlinks to API endpoints; see Appendix A.2.

   *  They MAY support content negotiation at the /.well-known/api-catalog URI to allow for the return of their existing format.
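An added example, not from the RFC, of how a server can satisfy these requirements at /.well-known/api-catalog: the Linkset (with the profile parameter in Content-Type) is always available and is the default, while a constructed HTML alternate is returned only when the Accept header asks for it. The one-entry catalog, the HTML alternate and the choice to answer 406 when nothing offered is acceptable are assumptions for illustration.

```python
"""Content negotiation at /.well-known/api-catalog (Sections 4.2 and 7.2):
the Linkset is always served, with the RFC 9727 profile parameter in
Content-Type; other formats are returned only when Accept asks for them.
Added example, not code from RFC 9727; the HTML alternate, the one-entry
catalog and the 406 policy are constructed assumptions."""
from __future__ import annotations
import json

PROFILE = "https://www.rfc-editor.org/info/rfc9727"
LINKSET_TYPE = "application/linkset+json"

# Constructed catalog shaped like Appendix A.2.
CATALOG = {"linkset": [{
    "anchor": "https://www.example.com/.well-known/api-catalog",
    "item": [{"href": "https://developer.example.com/apis/foo_api"}]}]}

# Media type -> (Content-Type value, body); Linkset first so wildcards pick it.
REPRESENTATIONS = {
    LINKSET_TYPE: (f'{LINKSET_TYPE}; profile="{PROFILE}"',
                   json.dumps(CATALOG, indent=2)),
    "text/html": ("text/html; charset=utf-8",
                  "<html><body><h1>Example Publisher's APIs</h1></body></html>"),
}


def parse_accept(accept: str) -> list[tuple[str, float]]:
    """Return (media-range, q) pairs, highest q first (header order on ties)."""
    ranges = []
    for part in accept.split(","):
        pieces = [p.strip() for p in part.split(";")]
        if not pieces[0]:
            continue
        q = 1.0
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed q: treat the range as unacceptable
        ranges.append((pieces[0].lower(), q))
    return sorted(ranges, key=lambda r: r[1], reverse=True)


def _matches(media_range: str, media_type: str) -> bool:
    if media_range == "*/*":
        return True
    if media_range.endswith("/*"):
        return media_type.split("/")[0] == media_range[:-2]
    return media_range == media_type


def negotiate(accept: str | None) -> tuple[int, str, str]:
    """Return (status, Content-Type, body) for GET /.well-known/api-catalog.
    No Accept header means the mandatory Linkset. If nothing we offer is
    acceptable, 406 is one valid choice (a server MAY instead ignore Accept).
    """
    if not accept:
        return (200, *REPRESENTATIONS[LINKSET_TYPE])
    for media_range, q in parse_accept(accept):
        if q <= 0:
            continue
        for media_type in REPRESENTATIONS:  # dict order: Linkset first
            if _matches(media_range, media_type):
                return (200, *REPRESENTATIONS[media_type])
    return 406, "text/plain; charset=utf-8", "no acceptable representation"
```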
An API catalog may itself contain links to other API catalogs by using the "api-catalog" relation type for each link. An example of this is given in Appendix A.4.

A Publisher ("example") may have their APIs hosted across multiple domains that they manage, e.g., at www.example.com, developer.example.com, apis.example.com, apis.example.net, etc. They may also use a third-party API hosting provider that hosts APIs on a distinct domain.

To account for this scenario, it is RECOMMENDED that:

   *  The Publisher also publish the api-catalog well-known URI at each of their API domains, e.g., https://apis.example.com/.well-known/api-catalog, https://developer.example.net/.well-known/api-catalog, etc.

   *  An HTTPS GET request to any of these URIs returns the same result, namely, the API catalog document.

   *  The Publisher choose one of their instances of /.well-known/api-catalog as a canonical reference to the location of the latest API catalog since the physical location of the API catalog document is decided by the Publisher and may change. The Publisher's other instances of /.well-known/api-catalog should redirect to this canonical instance of /.well-known/api-catalog to ensure the latest API catalog is returned.

For example, if the Publisher's primary API portal is https://apis.example.com, then https://apis.example.com/.well-known/api-catalog should resolve to the location of the Publisher's latest API catalog document. If the Publisher is also the domain authority for www.example.net, which also hosts a selection of their APIs, then a request to https://www.example.net/.well-known/api-catalog should redirect to https://apis.example.com/.well-known/api-catalog.

If the Publisher is not the domain authority for www.example.net, then the Publisher's API Catalog MAY include a link to the API catalog of the third-party that is the domain authority for www.example.net. For example, the API catalog available at https://apis.example.com/.well-known/api-catalog may list APIs hosted at apis.example.com and also link to the API catalog hosted at https://www.example.net/.well-known/api-catalog using the "api-catalog" link relation:

   {
     "linkset": [
       {
         "anchor": "https://www.example.com/.well-known/api-catalog",
         "item": [
           { "href": "https://developer.example.com/apis/foo_api" },
           { "href": "https://developer.example.com/apis/bar_api" },
           { "href": "https://developer.example.com/apis/cantona_api" }
         ],
         "api-catalog": "https://www.example.net/.well-known/api-catalog"
       }
     ]
   }

A Publisher may wish to use the api-catalog well-known URI on their internal network to signpost authorised users (e.g., company employees) towards internal/private APIs not intended for third-party use. This scenario may incur additional security considerations as noted in Section 8.
In cases where a Publisher has a large number of APIs potentially deployed across multiple domains, two challenges may arise:

   *  Maintaining the catalog entries to ensure they are up to date and correcting any errors.

   *  Restricting the catalog size to help reduce network and client-processing overheads.

In both cases, a Publisher may benefit from grouping their APIs, providing an API catalog document for each group and using the main API catalog hosted at /.well-known/api-catalog to provide links to these. For example, a Publisher may decide to group their APIs according to a business category (e.g., "gaming APIs", "anti-fraud APIs", etc.), a technology category (e.g., "IOT", "networks", "AI", etc.), or any other criterion. This grouping may be implicit where the Publisher has already published their APIs across multiple domains, e.g., at gaming.example.com, iot.example.net, etc.

Section 4.3 shows how the API catalog at /.well-known/api-catalog can use the api-catalog link relation to point to other API catalogs.

The Publisher SHOULD consider caching and compression techniques to reduce the network overhead of large API catalogs.
Publishers are RECOMMENDED to follow operational best practice when hosting API catalog(s), including, but not limited to:

   *  Availability. The Publisher should monitor availability of the API catalog and consider alternate means to resolve requests to /.well-known/api-catalog during planned downtime of hosts.

   *  Performance. Although the performance of APIs listed in an API catalog can demand high transactions per second and low-latency response, the retrieval of the API catalog itself to discover those APIs is less likely to incur strict performance demands. That said, the Publisher should monitor the response time to fulfil a request for the API catalog and determine any necessary improvements (as with any other Web resource the Publisher serves). For large API catalogs, the Publisher should consider the techniques described in Section 5.3.

   *  Usage. Since the goal of the api-catalog well-known URI is to facilitate discovery of APIs, the Publisher may wish to correlate requests to the /.well-known/api-catalog URI with subsequent requests to the API URIs listed in the catalog.

   *  Current data. The Publisher should include the removal of stale API entries from the API catalog as part of their API release lifecycle. The Publisher MAY decide to include metadata regarding legacy API versions or deprecated APIs to help users of those APIs discover up-to-date alternatives.

   *  Correct metadata. The Publisher should include human and/or automated checks for syntax errors in the API catalog. Automated checks include format validation (e.g., to ensure valid JSON syntax) and linting to enforce business rules, such as removing duplicate entries and ensuring descriptions are correctly named with valid values. A proofread of the API catalog as part of the API release lifecycle is RECOMMENDED to detect any errors in business grammar (for example, an API entry that is described with valid syntax, but has been allocated an incorrect or outdated description).
A Publisher may already utilise an API management framework to produce their API portfolio. These frameworks typically include the publication of API endpoint URIs, deprecation and redirection of legacy API versions, API usage policies and documentation, etc. The api-catalog well-known URI and API catalog document are intended to complement API management frameworks by facilitating the discovery of the framework's outputs -- API endpoints, usage policies, and documentation -- and are not intended to replace any existing API discovery mechanisms the framework has implemented.

Providers of such frameworks may include the production of an API catalog and the publication of the /.well-known/api-catalog URI as a final pre-release (or post-release) step in the release management workflow. The following steps are recommended.

If the /.well-known/api-catalog URI has not been published previously, the framework provider should:

   *  Collate and check the metadata for each API that will be included in the API catalog. This metadata is likely to already exist in the framework.

   *  Determine which metadata to include in the API catalog following the requirements set out in Section 4.1 and the considerations set out in Section 5.

   *  Map the chosen metadata to the format(s) described in Section 4.2. The structure suggested in Appendix A.2 may be followed where only the hyperlinks to APIs are to be included in the API catalog. Where possible, the API catalog should include further metadata per the guidance in Section 4.1; in which case, the structure suggested in Appendix A can be utilised and adapted (ensuring compliance to [RFC9264]) to reflect the nature of the chosen metadata.

   *  Publish the /.well-known/api-catalog URI following the guidance set out in Section 2.

If the /.well-known/api-catalog URI has previously been published, the framework provider should:

   *  Include a step in the release management lifecycle to refresh the API catalog following any changes in API hyperlinks or published metadata. This could include placing triggers on certain metadata fields, so that as they are updated in pre-production on the API framework, the updates are pushed to a pre-production copy of the API catalog to be pushed live when the release is published by the framework.
The requirements in Section 3 of [WELL-KNOWN] for defining Well-Known URIs are met as described in the following subsections.

The api-catalog URI SHALL be appended to the /.well-known/ path-prefix for "well-known locations".

A /.well-known/api-catalog location MUST support the Linkset [RFC9264] format of application/linkset+json and MAY also support the other formats via content negotiation.

This specification registers the "api-catalog" well-known URI in the "Well-Known URIs" registry as defined by [WELL-KNOWN].

This specification registers the "api-catalog" link relation in the "Link Relation Types" registry by following the procedures per Section 2.1.1.1 of [WEB-LINKING].

This specification registers "https://www.rfc-editor.org/info/rfc9727" in the "Profile URIs" registry according to [RFC7284].
For all scenarios:

   *  TLS SHOULD be used, i.e., make /.well-known/api-catalog available exclusively over HTTPS, to ensure no tampering of the API catalog.

   *  The Publisher SHOULD take into account the security considerations from Section 4 of [WELL-KNOWN].

   *  The Publisher SHOULD perform a security and privacy review of the API catalog prior to deployment to ensure it does not leak personal, business, or other sensitive metadata, nor expose any vulnerability related to the APIs listed.

   *  The Publisher SHOULD enforce read-only privileges for external requests to .well-known/api-catalog and for internal systems and roles that monitor the .well-known/api-catalog URI. Write privileges SHOULD only be granted to roles that perform updates to the API catalog and/or the forwarding rewrite rules for the .well-known/api-catalog URI.

   *  As with any Web offering, it is RECOMMENDED to apply rate-limiting measures to help mitigate abuse and prevent denial-of-service attacks on the API catalog endpoint.

For the public-facing APIs scenario, security teams SHOULD additionally audit the API catalog to ensure no APIs intended solely for internal use have been mistakenly included. For example, a catalog hosted on https://developer.example.com should not expose unnecessary metadata about any internal domains (e.g., https://internal.example.com).

For the internal/private APIs scenario, the Publisher SHOULD take steps to ensure that appropriate controls, such as Cross-Origin Resource Sharing (CORS) policies and access control lists, are in place to ensure only authorised roles and systems may access an internal api-catalog well-known URI.

A comprehensive API catalog that is regularly audited may assist the Publisher in decommissioning "zombie" APIs, i.e., legacy/obsolete APIs that should no longer be available. Such APIs represent a security vulnerability as they are unlikely to be supported, monitored, patched, or updated.

Note the registration of domain names and associated policies is out of scope of this document.
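The following added Python (not part of RFC 9727) turns the checks from Section 5.4 (valid JSON, no duplicate entries) and from this section (HTTPS only, no internal-only APIs in a public catalog) into a pre-publication linter for an API catalog Linkset; the internal-domain list and the sample catalog it lints are constructed for illustration.

```python
"""Lint an API catalog Linkset before publication. Combines the checks of
Section 5.4 (valid JSON, no duplicate entries) with those of Section 8
(HTTPS only; no internal-only APIs leaked into a public catalog).
Added example, not code from RFC 9727; INTERNAL_DOMAINS and SAMPLE are
constructed for illustration."""
from __future__ import annotations
import json
from urllib.parse import urlsplit

LINK_RELS = ("item", "api-catalog")           # relations that carry API links
INTERNAL_DOMAINS = ("internal.example.com",)  # constructed denylist


def _targets(context: dict, rel: str) -> list:
    """Target objects for a relation; a bare string (as in one example of
    the RFC) is tolerated here and reported separately by lint_catalog."""
    value = context.get(rel, [])
    if isinstance(value, str):
        return [{"href": value}]
    return value if isinstance(value, list) else []


def lint_catalog(raw: str, public: bool = True) -> list[str]:
    """Return findings; an empty list means the catalog passed."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    contexts = doc.get("linkset") if isinstance(doc, dict) else None
    if not isinstance(contexts, list):
        return ['top-level "linkset" array is missing (RFC 9264)']
    findings: list[str] = []
    seen: set[str] = set()
    for i, ctx in enumerate(contexts):
        if not isinstance(ctx, dict) or "anchor" not in ctx:
            findings.append(f"context {i}: missing anchor")
            continue
        for rel in LINK_RELS:
            if isinstance(ctx.get(rel), str):
                findings.append(f'context {i}: "{rel}" should be an array '
                                "of target objects (RFC 9264)")
            for target in _targets(ctx, rel):
                href = target.get("href") if isinstance(target, dict) else None
                if not href:
                    findings.append(f'context {i}: "{rel}" target without href')
                    continue
                parts = urlsplit(href)
                if parts.scheme != "https":          # Section 8: TLS only
                    findings.append(f"{href}: not served over HTTPS")
                if href in seen:                     # Section 5.4: duplicates
                    findings.append(f"{href}: duplicate entry")
                seen.add(href)
                if public and parts.hostname in INTERNAL_DOMAINS:
                    findings.append(f"{href}: internal domain in public catalog")
    return findings


# Constructed sample: one valid entry, one duplicate, one internal leak.
SAMPLE = json.dumps({"linkset": [{
    "anchor": "https://www.example.com/.well-known/api-catalog",
    "item": [
        {"href": "https://developer.example.com/apis/foo_api"},
        {"href": "https://developer.example.com/apis/foo_api"},
        {"href": "http://internal.example.com/apis/hr_api"},
    ]}]})
```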
This section is informative and provides an example of an API catalog document using the Linkset format.

This example uses the Linkset format [RFC9264] and the following link relations defined in [RFC8631]:

Client request:

   GET /.well-known/api-catalog HTTP/1.1
   Host: example.com
   Accept: application/linkset+json

Server response:

   HTTP/1.1 200 OK
   Date: Mon, 01 Jun 2023 00:00:01 GMT
   Server: Apache-Coyote/1.1
   Content-Type: application/linkset+json; profile="https://www.rfc-editor.org/info/rfc9727"

   {
     "linkset": [
       {
         "anchor": "https://developer.example.com/apis/foo_api",
         "service-desc": [
           {
             "href": "https://developer.example.com/apis/foo_api/spec",
             "type": "application/yaml"
           }
         ],
         "status": [
           {
             "href": "https://developer.example.com/apis/foo_api/status",
             "type": "application/json"
           }
         ],
         "service-doc": [
           {
             "href": "https://developer.example.com/apis/foo_api/doc",
             "type": "text/html"
           }
         ],
         "service-meta": [
           {
             "href": "https://developer.example.com/apis/foo_api/policies",
             "type": "text/xml"
           }
         ]
       },
       {
         "anchor": "https://developer.example.com/apis/bar_api",
         "service-desc": [
           {
             "href": "https://developer.example.com/apis/bar_api/spec",
             "type": "application/yaml"
           }
         ],
         "status": [
           {
             "href": "https://developer.example.com/apis/bar_api/status",
             "type": "application/json"
           }
         ],
         "service-doc": [
           {
             "href": "https://developer.example.com/apis/bar_api/doc",
             "type": "text/plain"
           }
         ]
       },
       {
         "anchor": "https://apis.example.net/apis/cantona_api",
         "service-desc": [
           {
             "href": "https://apis.example.net/apis/cantona_api/spec",
             "type": "text/n3"
           }
         ],
         "service-doc": [
           {
             "href": "https://apis.example.net/apis/cantona_api/doc",
             "type": "text/html"
           }
         ]
       }
     ]
   }

This example also uses the Linkset format [RFC9264] and lists the API endpoints in an array of bookmarks. Each link shares the same context anchor (the well-known URI of the API catalog) and "item" [RFC9264] link relation (to indicate they are an item in the catalog). The intent is that by following a bookmark link, a machine client can discover the purpose and usage policy for each API; hence, the document targeted by the bookmark link should support this.
Client request:

   GET /.well-known/api-catalog HTTP/1.1
   Host: example.com
   Accept: application/linkset+json

Server response:

   HTTP/1.1 200 OK
   Date: Mon, 01 Jun 2023 00:00:01 GMT
   Server: Apache-Coyote/1.1
   Content-Type: application/linkset+json; profile="https://www.rfc-editor.org/info/rfc9727"

   {
     "linkset": [
       {
         "anchor": "https://www.example.com/.well-known/api-catalog",
         "item": [
           {"href": "https://developer.example.com/apis/foo_api"},
           {"href": "https://developer.example.com/apis/bar_api"},
           {"href": "https://developer.example.com/apis/cantona_api"}
         ]
       }
     ]
   }

A non-exhaustive list of other API catalog document formats includes:
In this example, a request to the /.well-known/api-catalog URI returns an array of links of relation type "api-catalog". This can be useful to Publishers with a large number of APIs who wish to group them in smaller catalogs (as described in Section 5.3).

Client request:

   GET /.well-known/api-catalog HTTP/1.1
   Host: example.com
   Accept: application/linkset+json

Server response:

   HTTP/1.1 200 OK
   Date: Mon, 01 Jun 2023 00:00:01 GMT
   Server: Apache-Coyote/1.1
   Content-Type: application/linkset+json; profile="https://www.rfc-editor.org/info/rfc9727"

   {
     "linkset": [
       {
         "anchor": "https://www.example.com/.well-known/api-catalog",
         "api-catalog": [
           { "href": "https://apis.example.com/iot/api-catalog" },
           { "href": "https://ecommerce.example.com/api-catalog" },
           { "href": "https://developer.example.com/gaming/api-catalog" }
         ]
       }
     ]
   }

Thanks to Jan Algermissen, Phil Archer, Tim Bray, Ben Bucksch, Sanjay Dalal, David Dong, Erik Kline, Mallory Knodel, Murray Kucherawy, Max Maton, Darrel Miller, Mark Nottingham, Roberto Polli, Joey Salazar, Rich Salz, Herbert Van De Sompel, Orie Steele, Tina Tsou, Gunter Van de Velde, Éric Vyncke, and Erik Wilde for their reviews, suggestions, and support.