Skip to main content

🚀 Beta: All Pro and Team features are free. Install on GitHub →

OpenAPI 2.0 · 3.0 · 3.1

OpenAPI Diff Tool — Detect Every Change, Automatically

Compare any two OpenAPI specifications and get a complete, categorized report of every breaking change, deprecation, and schema modification — in seconds.

What the Diff Engine Detects

CodeRifts goes far beyond a simple text diff. It understands the semantics of your OpenAPI specification and categorizes every change by type and severity.

10 Breaking Change Types

  • Endpoint removed
  • Required request field added
  • Response field removed
  • Response type changed
  • Enum value removed
  • Authentication scheme changed
  • Request body format changed
  • Path parameter renamed
  • Required header added
  • Default value changed

Non-Breaking Changes

  • New endpoint added
  • Optional request field added
  • New response field added
  • Description updated
  • Enum value added
  • New optional header

CodeRifts also detects deprecations, security changes, and documentation drift — giving you a complete picture of what changed and why it matters.

Security changes the semver will not tell you about

Removing an OAuth scope is a breaking change for every consumer that relied on it - their calls start returning 403 while the version number stays green. CodeRifts detects scope removals, security-scheme downgrades (OAuth2 replaced by an API key), and deleted security scheme definitions, and folds them into the risk verdict.

Why Automated OpenAPI Diffing Matters

Manually comparing two versions of an OpenAPI specification is not only tedious but also highly error-prone. As APIs evolve, their specifications can grow to thousands of lines, with complex interdependencies managed through $ref components. A simple text-based diff, like the one you might see in a Git commit, is insufficient because it fails to understand the semantic meaning of the OpenAPI structure.

Automated tooling is essential for managing this complexity. A purpose-built OpenAPI diff tool doesn't just compare text; it parses the specification, resolves all references, and understands the hierarchical structure of the API contract. For example, changing a property from optional to required within a referenced schema is a significant breaking change, but it might appear as a minor, one-word alteration in a text file.Without an automated, semantically-aware diff, teams risk shipping breaking changes unknowingly.

How CodeRifts Performs the Diff

CodeRifts provides a sophisticated diff engine that goes beyond simple comparison to deliver a comprehensive and actionable report. At its core, the process involves parsing both the old and new OpenAPI specifications, whether they are in version 2.0 (Swagger), 3.0, or 3.1. The engine fully resolves all internal and external $ref pointers, creating a complete, canonical representation of each API version.

Once the specs are fully resolved, CodeRifts performs a semantic comparison of the two structures. It categorizes every detected change—from a removed endpoint to a modified response schema—according to its severity: breaking, non-breaking, or deprecation. Each change is then assigned a risk score based on factors like the type of change and its potential impact on consumers. The final output is a rich, interactive report that helps teams make informed decisions.

Use Cases

CI/CD Pipelines

By incorporating CodeRifts into your Continuous Integration and Continuous Deployment (CI/CD) pipeline, you can automatically fail builds that introduce high-risk or unauthorized breaking changes. You can use our CLI or REST API to add a diff check as a required step in your deployment workflow.

Pre-Merge Checks

With the CodeRifts GitHub App, every pull request that modifies an OpenAPI file gets an automatic check. A detailed comment is posted directly on the PR, showing a summary of the changes and a link to the full diff report. This enables developers and reviewers to understand the impact of their changes before they are merged.

API Versioning Strategy

Automated diffing is fundamental to a sound API versioning strategy. By understanding the nature of every change, you can make deliberate decisions about when to release a new minor version (for non-breaking, backward-compatible changes) versus a new major version (for breaking changes).

Migration from Swagger to OpenAPI 3.x

Upgrading a legacy Swagger 2.0 specification to OpenAPI 3.0 or 3.1 can be a complex process with many potential pitfalls. Using the CodeRifts diff tool, you can compare your old Swagger file with the newly converted OpenAPI 3.x file to verify that the API's contract has not been unintentionally altered during the migration.

Three Ways to Diff

🌐

In-Browser

Upload two specs to app.coderifts.com/try and get a full report instantly. No signup required.

🔧

On Every PR

Install the GitHub App and CodeRifts automatically diffs your OpenAPI specs on every pull request. Zero config.

Via API or CLI

Use the REST API or CLI to integrate diff into any CI/CD pipeline, pre-commit hook, or custom workflow.

Diff OpenAPI Specs from Code or an AI Agent

Beyond the browser, the PR, and CI: you can run a full diff verdict programmatically with no API key. This is also how an AI agent checks an API change before it acts on it.

Send two specs to the zero-auth endpoint and get a single structured verdict back — no signup, no key:

curl -s -X POST https://app.coderifts.com/api/v1/demo \
  -H "Content-Type: application/json" \
  -d '{"old_spec": "<your previous OpenAPI>", "new_spec": "<your current OpenAPI>"}'

The response includes decision (ALLOW / WARN / BLOCK), risk_score, safe_for_agent, the detected breaking-change patterns, and the reflex triggers that escalated the decision. One call, one machine-readable answer.

To turn that verdict into a one-line guardrail inside an agent, use the zero-config decorator. It has no dependencies beyond the Python standard library, it is framework-agnostic (LangGraph, AutoGen, or a plain function), and it caches the verdict per spec pair:

from coderifts_guard import coderifts_guard, CodeRiftsBlocked

@coderifts_guard(old_spec=previous_openapi, new_spec=current_openapi)
def run_agent_step(payload):
    # Runs only if CodeRifts does not return BLOCK.
    # On BLOCK it raises CodeRiftsBlocked before any side effect.
    return call_downstream_api(payload)

If the change would break a downstream contract, the decorator raises CodeRiftsBlocked and the agent halts before the unsafe call runs. The full runnable reference implementation — decorator plus an explicit LangGraph guard node — is public at github.com/coderifts/example-langgraph-guard.

Diff OpenAPI Specs from Claude, Cursor, or Any MCP Agent

CodeRifts runs as a hosted Model Context Protocol (MCP) server, so any MCP-compatible agent — Claude Desktop, Cursor, LangGraph, AutoGen, or a custom client — can diff two OpenAPI specs and get a governance verdict before it merges a change or calls a tool. No integration code: connect the server and the agent gets the diff tools natively.

Point any MCP client at the hosted endpoint and authenticate with a Bearer API key:

{
  "mcpServers": {
    "coderifts": {
      "url": "https://app.coderifts.com/mcp",
      "headers": { "Authorization": "Bearer <YOUR_CODERIFTS_API_KEY>" }
    }
  }
}

The agent gets governance tools natively, including preflight_check (full diff plus risk score, blast radius, incident cost, and an ALLOW / WARN / REQUIRE_APPROVAL / BLOCK decision), mcp_diff (compare two MCP manifests for breaking changes), and agent_tool_check (detect whether an API change breaks agent tool calling). Every tool returns the same Decision Spec v1.0 envelope (decision, risk_score, safe_for_agent, breaking_changes, patterns), so the agent can branch on a stable contract.

The endpoint is Streamable HTTP (protocol 2025-06-18) and is listed on the Official MCP Registry as io.github.coderifts/api-governance. For a one-click connect, the full tool list, and a copy-paste config, see the machine-readable page at coderifts.com/for-agents, or the MCP manifest.

More Than a Diff — A Full Governance Report

Every diff includes risk scoring, policy enforcement, security analysis, and an auto-generated changelog. It's not just what changed — it's whether you should ship it.

📊

Risk Score

Every change gets a 0–100 risk score based on severity, blast radius, and affected consumers.

🛡️

Policy Engine

Enforce naming conventions, deprecation timelines, and versioning rules automatically.

🔒

Security Analysis

Detect authentication downgrades, exposed sensitive fields, and OWASP API risks.

📝

Auto-Changelog

Get a human-readable changelog generated from the diff — ready for release notes.

Raw Diff Tools vs CodeRifts

Raw diff tools like oasdiff and the openapi-diff CLI give you the delta. CodeRifts adds a governance layer that decides whether the change is safe to ship.

Tool Approach Setup Governance
Raw diff CLIs (oasdiff, openapi-diff) Raw structural diff plus a breaking or non-breaking classification Assemble your own CI pipeline None - the delta only
CodeRifts Diff plus a decision on whether the change is safe to ship Zero-config GitHub App PR comment 0-100 risk score, policy enforcement, OWASP-aligned security analysis, auto-generated changelog

Frequently Asked Questions

What is an OpenAPI diff?

An OpenAPI diff (or differential) is the result of comparing two versions of an OpenAPI specification to identify all the changes between them. Unlike a simple text diff, a proper OpenAPI diff tool understands the structure and semantics of the specification. It can pinpoint specific changes like a removed endpoint, a modified data type, or a new required parameter, and classify them as breaking or non-breaking.

How do I compare two OpenAPI specs?

You can compare two OpenAPI specs using a specialized tool like CodeRifts. You can use our free in-browser tool by simply uploading your two specification files. For a more automated workflow, you can integrate our GitHub App to get a comparison on every pull request, or use our CLI or REST API to run a comparison in your own scripts or CI/CD pipelines.

What counts as a breaking change?

A breaking change is any modification to an API contract that can cause existing client applications to fail. Common examples include removing an endpoint, adding a new required request parameter, removing a field from a response, or changing the data type of a field. CodeRifts maintains a comprehensive list of over 10 common breaking change types that it detects automatically.

Does CodeRifts support OpenAPI 3.1?

Yes, CodeRifts has full support for OpenAPI 3.1, as well as OpenAPI 3.0 and OpenAPI 2.0 (formerly known as Swagger). Our diff engine is designed to handle the nuances and features of each version, including the latest additions in 3.1 like webhooks and improved JSON Schema compatibility.

Can I use this in CI/CD?

Absolutely. Integrating API diffing into your CI/CD pipeline is a best practice for preventing breaking changes from reaching production. CodeRifts provides both a CLI tool and a REST API that you can easily incorporate into your existing workflows, whether you use Jenkins, GitLab CI, CircleCI, or any other automation server. You can configure your pipeline to fail a build if a high-risk breaking change is detected.

Can I diff OpenAPI specs without an API key?

Yes. The in-browser tool at app.coderifts.com/try requires no signup, and the zero-auth endpoint POST /api/v1/demo returns a full diff verdict with no API key — useful for quick checks and for AI agents. For higher-volume or authenticated use, the REST API uses a free API key (1,000 requests/month free).

How is CodeRifts different from oasdiff or the openapi-diff CLI?

oasdiff (a Go CLI by Tufin) and the openapi-diff npm and Java tools produce a raw structural diff and a breaking or non-breaking classification, which is excellent for CI pipelines you assemble yourself. CodeRifts adds a governance layer on top of the diff: a 0–100 risk score, policy enforcement, OWASP-aligned security analysis, an auto-generated changelog, and zero-config delivery as a GitHub App PR comment. Use a raw diff tool if you only need the delta; use CodeRifts if you need a decision about whether the change is safe to ship.

Can an AI agent diff OpenAPI specs before acting on them?

Yes. CodeRifts serves a full diff verdict over a zero-auth endpoint (POST /api/v1/demo), and a zero-dependency @coderifts_guard decorator turns that verdict into a one-line guardrail for LangGraph, AutoGen, or any Python agent. If a change would break a downstream contract, the agent halts before the unsafe call runs. Reference implementation: github.com/coderifts/example-langgraph-guard.

Can I connect CodeRifts to Claude or Cursor via MCP?

Yes. CodeRifts runs as a hosted MCP server at https://app.coderifts.com/mcp (Streamable HTTP). Add it to Claude Desktop, Cursor, or any MCP client and the agent can diff OpenAPI specs, score breaking-change risk, and get an ALLOW / WARN / REQUIRE_APPROVAL / BLOCK decision before merging or before a tool call. The one-click connect page and full tool list are at coderifts.com/for-agents.

What MCP tools does CodeRifts provide?

CodeRifts exposes eight governance tools over MCP, including preflight_check (diff an API spec change and return risk, blast radius, incident cost, and a merge decision), mcp_diff (compare two MCP manifests for breaking changes), and agent_tool_check (detect whether an API change breaks AI agent tool calling). Each returns the same Decision Spec v1.0 envelope. Full list and connect config: coderifts.com/for-agents.

Try the diff engine now — free.

Upload two OpenAPI specs and see the full report in seconds. No signup, no credit card.

See all 61+ features or compare pricing plans.