A browser-first tool that issues and verifies tamper-evident API governance certificates. A certificate attests that a specific API description passed a named ruleset at a profile threshold, on a date — and its SHA-256 fingerprint lets any consumer re-verify it against the API they hold. No backend, no accounts; runs entirely in your browser. Live at certification.apicommons.org.
Most governance tooling faces the producer. This one faces the consumer: it answers "should I trust that this API meets a standard?" with a portable, verifiable artifact instead of a claim.
Part of the API Commons tools, alongside API Validator, Governance Coverage, Governance Waivers, and Spectral Reporter.
{
"certificate": "api-commons/governance-certificate",
"version": "0.1",
"api": { "title": "Invoices API", "version": "1.4.0" },
"ruleset": { "id": "api-commons/openapi", "version": "0.3.0" },
"profile": "baseline",
"result": { "errors": 0, "warnings": 3, "info": 3, "hints": 0, "total": 6 },
"passed": true,
"issued": "2026-07-04",
"expires": "2027-07-04",
"issuer": "self-attested",
"fingerprint": "sha256:…"
}The fingerprint is a SHA-256 over the canonical API description plus the ruleset identity and profile. Because it's recomputable, verification is trustless: if the API has drifted by even one character, or the certificate was forged, the recomputed fingerprint won't match and the certificate fails. This is integrity, not identity — it proves what was certified, not who signed it (that would need key management, a deliberate follow-up).
A profile is the pass threshold the certificate attests to:
| Profile | Requires |
|---|---|
| Baseline | 0 errors (warnings and info permitted) |
| Standard | 0 errors and 0 warnings |
| Strict | fully clean — 0 errors, warnings, or info |
- Issue — paste the API description + its
spectral lint -f jsonresult, name the ruleset and pick a profile; if the result meets the profile, mint a certificate. Download it, copy it, or copy anapis.jsonproperty that references it. - Verify — paste a certificate + the API description you hold; the tool recomputes the fingerprint and reports valid, tampered / mismatch (the API differs from what was certified), expired, or not a passing certificate.
It composes with the rest of the stack: run the
Validator to produce the result, certify it here, then
reference the certificate from your apis.json so consumers can verify before they
integrate.
npm install
npm run dev
npm run build # → dist/Pure client-side; fingerprints use the Web Crypto API. No data build.
Everything runs client-side. The API descriptions, results, and certificates you paste never leave the page — there is no server.
Governance guidance — the human why behind trust: Accountability and Provenance at guidance.apievangelist.com.
A project of API Evangelist, maintained openly under API Commons. Free to fork; API Evangelist offers expert API governance services — including standing up a certification program — when you want help. Apache-2.0.