Conformance Explained
Conformance in APIContext measures whether your live API traffic matches a declared contract — typically an OpenAPI Specification (OAS) or a security profile standard like FAPI or UK Open Banking.
Two types of conformance
Schema conformance
APIContext compares each monitor's response against your imported OpenAPI Specification. It checks:
- Response status codes — is the returned status code documented in the spec?
- Response body structure — do field names, types, and required fields match the schema?
- Headers — are required response headers present?
When a live response diverges from the spec, APIContext logs a conformance issue and the deviation contributes to the monitor's CASC Quality Score.
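As an added illustration of those three checks (example code written for this page, not APIContext's own engine), the Python below compares a captured response against a small OpenAPI fragment and reports each deviation. The spec, the `/accounts/{id}` endpoint, and the two sample responses are constructed for the example; the issue strings are this example's wording, not the product's log format.

```python
"""Illustrative OpenAPI response-conformance check (example code, not APIContext's engine)."""

# JSON Schema types mapped to Python types. bool is handled separately because in
# Python bool is a subclass of int and would otherwise pass as integer/number.
_TYPE_MAP = {
    "string": (str,), "integer": (int,), "number": (int, float),
    "boolean": (bool,), "array": (list,), "object": (dict,),
}

def _type_ok(value, expected):
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _TYPE_MAP.get(expected, (object,)))

def _check_schema(schema, value, where, issues):
    """Recursively compare a JSON value to its schema; append deviations to issues."""
    expected = schema.get("type")
    if expected and not _type_ok(value, expected):
        issues.append(f"{where}: expected {expected}, got {type(value).__name__}")
        return
    if expected == "object":
        for req in schema.get("required", []):
            if req not in value:
                issues.append(f"{where}: required field '{req}' missing")
        props = schema.get("properties", {})
        for name, sub in props.items():
            if name in value:
                _check_schema(sub, value[name], f"{where}.{name}", issues)
        if schema.get("additionalProperties") is False:  # OpenAPI default allows extras
            for name in value:
                if name not in props:
                    issues.append(f"{where}: undocumented field '{name}'")
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            _check_schema(schema["items"], item, f"{where}[{i}]", issues)

def check_response(spec, path, method, status, headers, body):
    """Return a list of conformance issues; an empty list means the response conforms."""
    op = spec["paths"].get(path, {}).get(method.lower())
    if op is None:
        return [f"{method.upper()} {path}: operation not documented in spec"]
    # Status codes are string keys in OpenAPI; 'default' is the documented catch-all.
    resp = op["responses"].get(str(status)) or op["responses"].get("default")
    if resp is None:
        return [f"{method.upper()} {path}: status {status} not documented in spec"]
    issues = []
    present = {k.lower() for k in headers}  # header names are case-insensitive
    for name, hdr in resp.get("headers", {}).items():
        if hdr.get("required") and name.lower() not in present:
            issues.append(f"header '{name}' is required but absent")
    schema = resp.get("content", {}).get("application/json", {}).get("schema")
    if schema is not None:
        _check_schema(schema, body, "body", issues)
    return issues

# Constructed OpenAPI fragment for a fictional accounts endpoint.
SPEC = {"paths": {"/accounts/{id}": {"get": {"responses": {
    "200": {
        "headers": {"X-Request-Id": {"required": True, "schema": {"type": "string"}}},
        "content": {"application/json": {"schema": {
            "type": "object",
            "required": ["id", "currency", "balance"],
            "properties": {
                "id": {"type": "string"},
                "currency": {"type": "string"},
                "balance": {"type": "number"},
                "owners": {"type": "array", "items": {
                    "type": "object", "required": ["name"],
                    "properties": {"name": {"type": "string"}}}},
            }}}}},
    "404": {"description": "not found"},
}}}}}

# Constructed sample responses: (status, headers, parsed JSON body).
CONFORMING = (200, {"Content-Type": "application/json", "X-Request-Id": "req-1"},
              {"id": "acc-1", "currency": "GBP", "balance": 12.5, "owners": [{"name": "Ada"}]})
DRIFTED = (200, {"Content-Type": "application/json"},
           {"id": 42, "currency": "GBP", "owners": [{"fullName": "Ada"}]})

if __name__ == "__main__":
    for label, (status, hdrs, body) in (("conforming", CONFORMING), ("drifted", DRIFTED)):
        print(label, check_response(SPEC, "/accounts/{id}", "GET", status, hdrs, body))
    print("undocumented", check_response(SPEC, "/accounts/{id}", "GET", 500, {}, {}))
```

The drifted response is the shape-change case the page describes: the endpoint is up and fast, yet it fails on a missing required header, a field whose type changed, a required field that disappeared, and a renamed nested field. Each of those is a separate issue, which is what makes the deviation actionable rather than a single "schema mismatch" flag.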
Security profile conformance
APIContext also tests against named security profiles — formal standards that define required behaviour for financial and regulated APIs:
- FAPI 2.0 — Financial-grade API profile
- FAPI RW ID2 — Read/Write profile (legacy)
- FDX API 5.3 — Financial Data Exchange
- OAuth 2 Security Conformance — baseline OAuth token behaviour
- Basic Security Profile — general HTTPS, TLS, and header hygiene
Each profile defines a set of assertions. A monitor either passes or fails each assertion, and the aggregate result appears in your project's conformance dashboard.
Conformance vs. monitoring
Regular monitoring answers "is my API up and fast?" Conformance monitoring answers "is my API behaving correctly according to its contract?"
The two complement each other: a monitor can pass its latency and availability checks while still failing conformance if the API's response body changes shape.
How conformance affects the CASC score
Conformance failures contribute a penalty to the CASC Quality Score. The penalty scales with severity:
- Schema mismatches on high-traffic endpoints have a larger impact
- Security profile failures always carry significant weight because they represent compliance risk
Setting up conformance monitoring
See Conformance guides for step-by-step instructions on importing a spec, running conformance checks, and interpreting results.
See also
- CASC Score — how conformance penalties flow into the score
- Security profiles reference — list of supported profiles with assertion details
- Exclude conformance monitoring — mark endpoints as out of scope