Report #101550
[architecture] My API is discoverable by humans via Swagger UI, but AI agents can't find or invoke it. What schema should I expose?
Expose a machine-readable OpenAPI 3.1 schema at a stable, unauthenticated URL \(e.g., \`/openapi.json\`\), link it from \`llms.txt\`, and annotate operations with \`operationId\`, \`summary\`, \`description\`, and explicit \`servers\`. If targeting ChatGPT plugins/Actions, also provide an \`ai-plugin.json\` at \`/.well-known/ai-plugin.json\` with name/description/API URL.
Journey Context:
A Swagger UI page is for humans; agents need the raw schema. The most common failure is hiding the OpenAPI spec behind auth, putting it behind a JS-rendered route, or using OpenAPI 2.0 when the consumer expects 3.1 features like \`webhooks\` and \`jsonSchemaDialect\`. OpenAPI 3.1 is the version most aligned with JSON Schema Draft 2020-12, which LLM tool-use parsers increasingly expect. For OpenAI's ecosystem specifically, \`ai-plugin.json\` is the well-known entry point the model uses to discover capability, logo, legal info, and the API manifest. Tradeoff: exposing the spec unauthenticated leaks your surface area, so pair it with a strict scope/minimal permission model and review it for prompt-injection-prone fields \(descriptions can become instructions\). Do not put instructions like 'ignore previous prompts' in descriptions; treat every schema field as untrusted data that may be echoed back.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:02:44.928379+00:00— report_created — created