Auto OpenAPI Generation — The Network Doesn’t Lie!

June 13, 2024

Auto OpenAPI Generation - The Network Doesn't Lie

Harish Nataraj

June 14, 2022 · 4 min read


API Visibility Is Key

Visibility of APIs is a fundamental necessity for governance, security, and productivity. Yet most organizations are unable to answer the following critical questions:

1. What APIs do I have?

2. Are OpenAPI schemas for the APIs documented and maintained?

3. Which APIs process sensitive data?

4. Which users access which APIs, under what roles (or scopes)?

5. Which APIs are external vs. internal?

Annotation Based OpenAPI Generation Is Not Scalable

Disparate Set of Open Source Tools

There are a plethora of (language/framework specific) open source tools that generate OpenAPI specifications at build time, by scanning source code.

They use code level annotations added by developers, to language/framework specific resources, methods, and controllers, to generate schema for APIs.

Java Annotations for Swagger-Core

Examples include Swagger-Core, SpringFox, NSwag / Swashbuckle, Swagger-express / HAPI-Swagger, Django-REST-Swagger / Flask-RESTplus, etc.

These Tools Don’t Scale Well

Polyglot Microservices

Modern development environments are polyglot in nature, where you find several small teams, using a variety of technology stacks, and disparate programming languages.

These tools don’t scale well in these environments due to the following reasons:

Consistency is key!

Achieving Consistency Across Teams is Challenging

1. It is hard to achieve consistency (of API documentation) across so many small teams, disparate programming languages, and variety of language frameworks.

2. Developers need to correctly annotate the code in appropriate places, lest the documentation will be incomplete and inaccurate.

3. Developers need to maintain the annotations as they continuously refactor code, lest the documentation will be incomplete and inaccurate.

4. Annotations are static in nature. When APIs return dynamic objects, the auto documented specification will be incorrect, or incomplete.

5. There is no guarantee that what is auto documented, is the actual wire behavior exhibited by the API.

The Network Doesn’t Lie

APIs transact by exchanging JSON data over the network. This makes the network, the ultimate source of truth for API behavior, and schema.

Harnessing the network to auto discover & auto document APIs, in a consistent and scalable manner, has been challenging until recently.

eBPF Based Automatic OpenAPI Generation

Achieve Consistency & Scale, while Preserving Privacy

eBPF is a revolutionary technology, that enables auto-documentation of APIs in a consistent, scalable, and language/framework agnostic manner.

Frictionless & Privacy-Preserving API observability

Levo provides a free service that automatically generates OpenAPI documentation for all your APIs, by passively observing your runtime API traffic via eBPF.

The installation involves a single Helm Chart for Kubernetes, or a single Docker command for other environments. The installation does not require code changes, configuration changes, or SDK additions to your applications.

Ensuring the privacy of your customer data is paramount. You can read more about privacy-preserving features here.

Auto Generate OpenAPI with Sensitive Data Annotations

All APIs active in the runtime environments are auto discovered, and OpenAPI specifications are auto generated for them.

Auto Discovered API Catalog

OpenAPI specifications are annotated with sensitive data types (PII, PSI, PHI, etc).

Auto Generated OpenAPI Specifications

The API documentation is always fresh, and is based on the single source of truth , which is the actual API behavior observed on the network.

Continuously Validate Existing OpenAPI Documentation

Teams building API documentation with an API-First approach, can also benefit.

Cross validate existing OpenAPI documentation with auto generated documentation for accuracy and completeness.

Interested in trying Auto OpenAPI Generation?

Levo is a purpose-built, developer-first API security solution that fully automates API Observability, API Documentation & API Testing in CI/CD pipelines.

Signup for a forever free account, and start auto documenting all your APIs within minutes.

Have questions? Contact us at



elliptical light
  • Runtime Agnostic
  • Cloud Agnostic
  • Programming Language Agnostic

Subscribe for experts insights on application security.

Oops! Something went wrong while submitting the form.