RFC 9727 api-catalog Explained

RFC 9727 introduces a standardized way for organizations to share API information through a well-known URI, /.well-known/api-catalog. Released in June 2025, this standard simplifies API discovery, governance, and lifecycle management by requiring a machine-readable catalog in the Linkset format (application/linkset+json). The catalog includes API endpoints, version details, policies, and links to OpenAPI specifications, ensuring consistent and secure API documentation.

Key Highlights:#

• Location: API catalogs are hosted at /.well-known/api-catalog, accessible via HTTPS.
• Format: Uses the Linkset format with a profile parameter (https://www.rfc-editor.org/info/rfc9727) to ensure compliance.
• Purpose: Improves API discoverability, reduces outdated APIs, and strengthens governance.
• Security: Requires HTTPS, TLS encryption, and read-only access for external users.

RFC 9727 addresses challenges like API sprawl and poor documentation, making it easier for developers to locate, understand, and use APIs while helping organizations maintain consistency and security in their API portfolios.

RFC 9727 Technical Requirements and Structure#

Well-Known URI and Linkset Format Requirements#

RFC 9727 lays out the technical groundwork for implementing API catalogs. Specifically, it mandates that HTTPS HEAD requests to /.well-known/api-catalog must return a Link header containing the RFC-defined relations. This ensures compatibility with various discovery tools and methods. To protect the integrity of API discovery, the catalog must be accessible exclusively over HTTPS, utilizing TLS for secure communication.

The API catalog itself must be published in the Linkset format, using the application/linkset+json content type. Additionally, it must include a profile parameter with the URI https://www.rfc-editor.org/info/rfc9727 to clearly denote compliance with RFC 9727.

Kevin Smith of Vodafone finalized RFC 9727 in June 2025 after 13 revisions spanning two years. He described its purpose succinctly:

A request to the api-catalog resource will return a document detailing the Publisher's APIs.

These technical requirements are designed to enhance API discoverability and ensure consistent catalog management.

API Catalog Content and Metadata#

Beyond the technical setup, the catalog's content is key to improving API discoverability. An RFC 9727-compliant API catalog must provide hyperlinks to API endpoints, allowing automated tools to reliably locate and interact with the APIs. To elevate the catalog from a simple endpoint list to a developer-friendly resource, it should include detailed metadata. This can cover usage policies, API version details, and links to OpenAPI Specification (OAS) definitions.

If embedding this metadata directly in the catalog isn’t feasible, it should instead be accessible at the corresponding API endpoint URIs. This approach gives publishers the flexibility to either centralize the information in the catalog or distribute it across individual endpoints.

The catalog can also use the "item" link relation to identify resources that represent individual APIs. Additionally, RFC 9727 supports catalog federation via the "api-catalog" relation type. This feature enables linking to other API catalogs, paving the way for distributed networks of catalogs while maintaining discoverability.

api-catalog Examples#

Here are some examples, pulled straight from the RFC

Using Linkset with Link Relations#

This example uses the Linkset format (RFC9264) and the following link relations defined in (RFC8631):

• service-desc: Used to link to a description of the API that is primarily intended for machine consumption (for example, the OpenAPI specification, YAML, or JSON file)
• service-doc: Used to link to API documentation that is primarily intended for human consumption.
• service-meta: Used to link to additional metadata about the API and is primarily intended for machine consumption.
• status: Used to link to the API status (e.g., API "health" indication) for machine and/or human consumption.

Client request:

GET .well-known/api-catalog HTTP/1.1 Host: example.com Accept:
application/linkset+json

Server response:

HTTP/1.1 200 OK Date: Mon, 01 Jun 2023 00:00:01 GMT Server: Apache-Coyote/1.1
Content-Type: application/linkset+json;
profile="https://www.rfc-editor.org/info/rfc9727"

{
  "linkset": [
    {
      "anchor": "https://developer.example.com/apis/foo_api",
      "service-desc": [
        {
          "href": "https://developer.example.com/apis/foo_api/spec",
          "type": "application/yaml"
        }
      ],
      "status": [
        {
          "href": "https://developer.example.com/apis/foo_api/status",
          "type": "application/json"
        }
      ],
      "service-doc": [
        {
          "href": "https://developer.example.com/apis/foo_api/doc",
          "type": "text/html"
        }
      ],
      "service-meta": [
        {
          "href": "https://developer.example.com/apis/foo_api/policies",
          "type": "text/xml"
        }
      ]
    },
    {
      "anchor": "https://apis.example.net/apis/cantona_api",
      "service-desc": [
        {
          "href": "https://apis.example.net/apis/cantona_api/spec",
          "type": "text/n3"
        }
      ],
      "service-doc": [
        {
          "href": "https://apis.example.net/apis/cantona_api/doc",
          "type": "text/html"
        }
      ]
    }
  ]
}

Using Linkset with Bookmarks#

You could also just embed a URL within the item property instead:

{
  "linkset": [
    {
      "anchor": "https://www.example.com/.well-known/api-catalog",
      "item": [
        { "href": "https://developer.example.com/apis/foo_api" },
        { "href": "https://developer.example.com/apis/bar_api" },
        { "href": "https://developer.example.com/apis/cantona_api" }
      ]
    }
  ]
}

Nesting API Catalog links#

If your catalog is large, and cleanly segmented, you can consider having a primary catalog which branches out into sub-catalogs (ex. different products).

{
  "linkset": [
    {
      "anchor": "https://www.example.com/.well-known/api-catalog",
      "api-catalog": [
        {
          "href": "https://apis.example.com/iot/api-catalog"
        },
        {
          "href": "https://ecommerce.example.com/api-catalog"
        },
        {
          "href": "https://developer.example.com/gaming/api-catalog"
        }
      ]
    }
  ]
}

Security Requirements and Best Practices#

With the catalog’s structure and content defined, ensuring secure and reliable access becomes a top priority. RFC 9727 emphasizes operational responsibility and data protection as critical components of API catalog management. Publishers are encouraged to adhere to best practices, such as monitoring the catalog’s availability, performance, and metadata accuracy.

To maintain quality, both manual reviews and automated checks should be conducted regularly. These efforts help identify and fix syntax errors, preventing disruptions in automated discovery processes.

Lifecycle management is also a central focus. Removing outdated or deprecated API entries as part of the release cycle reduces risks tied to insecure or obsolete API versions. By prioritizing these security measures, publishers can ensure their API catalogs remain reliable and effective for discovery.

How RFC 9727 Changes API Catalog Management#

RFC 9727 introduces a transformative approach to managing API catalogs. It modernizes API discovery while integrating governance and lifecycle management into a unified framework. By providing standardized discovery tools and governance structures, this specification turns API catalogs from static, hard-to-navigate repositories into dynamic, machine-readable resources that actively support API operations.

Improved API Discovery#

RFC 9727 makes API discovery faster and more reliable. By standardizing the Linkset format, it ensures that discovery tools can interpret catalog information consistently, no matter who publishes it. This eliminates the previous chaos where organizations used different formats and scattered their catalogs across various locations. For developers, this means easier access to API details without the need for extra manual work.

Publishers also gain new flexibility. They can announce APIs through multiple channels, making APIs more visible at key points in a developer's workflow - whether browsing documentation or sending programmatic requests.

The inclusion of metadata is another game-changer. Catalogs can now provide critical details like version histories, usage policies, and links to OpenAPI specifications. This gives developers immediate access to the information they need to evaluate and integrate APIs effectively.

All of this creates a seamless discovery process, laying the groundwork for improved governance and lifecycle management.

Better API Governance#

Beyond discovery, RFC 9727 strengthens API governance. The requirement for a well-known URI ensures that every API domain publishes its catalog in a consistent, predictable location. This fixed setup, combined with enforced metadata standards, allows governance teams to monitor API usage more effectively and ensure compliance.

This centralized system also minimizes risks, such as developers accidentally violating usage policies or working with outdated API versions. By clearly communicating policies and guidelines, organizations reduce confusion and errors.

RFC 9727 also encourages best practices, like regularly monitoring catalog availability and conducting security reviews before deployment. These steps help maintain high-quality catalogs that accurately reflect an organization’s API offerings.

To safeguard catalog integrity, publishers are advised to enforce read-only access for external requests to the well-known URI. This ensures that while APIs remain discoverable, their catalogs are protected from unauthorized modifications.

API Lifecycle Management Benefits#

RFC 9727 simplifies API lifecycle management by embedding catalog updates into release workflows. It suggests that API management tools include catalog maintenance as a standard part of their processes, ensuring catalogs always align with the latest API deployments.

The specification also aids in handling legacy APIs and deprecated endpoints. By allowing publishers to include metadata about older versions, it provides developers with clear migration paths to newer services. Catalogs can communicate deprecation timelines, redirect users to updated versions, and outline usage policies to guide transitions. This transparency reduces the usual headaches associated with API version changes.

Additionally, RFC 9727 tackles the issue of "zombie APIs" - outdated APIs that linger and pose security risks. By requiring publishers to remove obsolete entries during the release cycle, the specification helps maintain clean and secure API inventories. Routine catalog audits become an essential part of this process.

Framework providers can take this a step further by automating lifecycle management. For example, any changes to API links or metadata can trigger automatic catalog updates, keeping discovery information accurate in real time. By aligning catalog updates with API release schedules, organizations can maintain a precise and up-to-date inventory, reflecting the dynamic nature of modern API ecosystems.

Implementing RFC 9727 with Zuplo#

Zuplo’s built-in OpenAPI integration ensures your API catalog stays in line with RFC 9727 without extra effort. This real-time synchronization prevents the common issue of outdated API catalogs when changes occur, as the developer portal automatically reflects updates.

Setting Up RFC 9727 Compliance in Zuplo#

With Zuplo’s programmable features, you can create an RFC 9727-compliant API catalog at /.well-known/api-catalog in Linkset format. Start by developing a custom handler that pulls information from your OpenAPI specifications and formats it to meet RFC 9727 requirements, including details like API versions, usage policies, and links to documentation.

To make your APIs more accessible, configure your developer portal to expose the api-catalog endpoint. This ensures discoverability for both developers and automated tools. Zuplo’s flexibility allows you to fully customize the catalog generation process to align with your specific RFC 9727 needs.

Zuplo Features for RFC 9727 Support#

Zuplo comes packed with features that assist in meeting RFC 9727 requirements. GitOps integration ensures your API catalog stays consistent and up-to-date. Any changes made to API specifications through Git workflows automatically sync with the catalog.

Zuplo’s API governance tools - like API linting, pull requests, and CI workflows - help maintain catalog quality. These tools align with RFC 9727’s recommendation for both human and automated syntax validations. Together, these features simplify compliance and make ongoing catalog management easier.

Maintaining Accurate and Secure Catalogs#

Zuplo’s automation and GitOps workflows ensure your catalog remains accurate and secure throughout its lifecycle. For example, when APIs are deprecated or removed during your release process, the catalog can be updated automatically, addressing RFC 9727’s requirement to remove outdated entries.

Syntax validation is another key area. By integrating automated checks into your CI/CD pipeline, you can catch errors in OpenAPI specifications before they impact production. Since Zuplo natively supports OpenAPI, syntax issues are flagged during the build process, ensuring your catalog remains valid.

Over 10,000 developers trust Zuplo to secure, document, and monetize their APIs

Learn More

Tools and Strategies for RFC 9727 Implementation#

To successfully implement an RFC 9727-compliant API catalog, you’ll need a combination of effective tools and thoughtful strategies. This standard emphasizes both technical precision and operational reliability, so it’s crucial to establish processes that ensure compliance from the outset.

Tools for RFC 9727 Implementation#

JSON schema validators play a key role in ensuring your API catalog meets the required structure and format. These tools, like AJV, catch syntax errors early, preventing issues that could disrupt API discovery. By integrating JSON schema validation into your build process, you can verify catalog compliance before deployment.

Linkset format checkers are specifically designed to validate the application/linkset+json format. They ensure that the catalog correctly implements linkset structures, including relation types, target URIs, and metadata. The Internet Engineering Task Force (IETF) provides reference implementations that can serve as benchmarks.

OpenAPI linting tools help maintain consistency between API specifications and their catalog entries. Tools such as RateMyOpenAPI allow you to enforce custom rules, ensuring every API in the catalog is properly documented and versioned.

CI/CD integration plugins streamline compliance checks throughout your development workflow. Plugins for platforms like GitHub Actions, GitLab CI, and Jenkins can automate validation tests, generate reports, and even block deployments if compliance issues are detected.

Once these tools are in place, the next step is to develop strategies to maintain and monitor your API catalog over time.

API Catalog Maintenance Strategies#

Automated catalog generation simplifies updates by linking catalog creation directly to your OpenAPI specifications. This ensures that your catalog stays current as your APIs evolve. Pair this with version control integration to treat your catalog like code - track changes, review updates, and roll back problematic modifications through Git workflows.

Release lifecycle integration keeps your catalog accurate by embedding updates into your API deployment process. For example, removing outdated API entries during the release lifecycle helps maintain a clean and reliable catalog.

Security maintenance is another critical aspect. Regularly update access controls, review authentication policies, and monitor for unauthorized access attempts. RFC 9727 requires enforcing read-only privileges for external requests and internal monitoring systems, while limiting write access to designated roles. Conducting regular security audits ensures these controls remain effective.

By combining these strategies with ongoing monitoring, you can ensure your catalog remains compliant and efficient.

Tracking API Catalog Usage and Performance#

Tracking usage and performance metrics is essential for understanding how developers interact with your catalog. Analyze requests to the /.well-known/api-catalog URI and correlate them with subsequent API requests to measure engagement. This data can reveal how effectively your catalog supports API discovery.

Performance monitoring is vital for maintaining a responsive and reliable catalog. Key metrics to track include response times, error rates, and overall availability. These factors directly affect the experience of developers and automated tools.

Analytics integration with platforms like Zuplo provides deeper insights into usage patterns. You can identify which APIs are most accessed, when peak discovery times occur, and how different developer groups interact with your catalog. These insights can guide API improvements and better catalog organization.

Rate limiting analysis helps balance accessibility with system protection. RFC 9727 recommends implementing rate-limiting measures to prevent abuse and mitigate denial-of-service attacks. Regular analysis ensures these limits are effective without hindering legitimate users.

Compliance monitoring involves scanning for issues such as missing metadata, broken links, or formatting errors. Keeping an eye on these details ensures your catalog maintains high quality as your API offerings grow.

RFC 9727 also emphasizes the importance of monitoring availability, performance, usage, and metadata accuracy to maintain operational excellence.

Conclusion and Key Takeaways#

RFC 9727 marks an important step in API standardization, offering a framework for API discovery through a well-known URI approach.

By introducing a structured method for API catalogs, RFC 9727 makes programmatic discovery possible - a critical feature for businesses that rely heavily on APIs. This capability helps organizations address the ongoing challenge of "zombie" APIs - outdated or neglected endpoints that can create significant security vulnerabilities.

The standard fosters better collaboration, consistent API management, and scalable governance while reducing risks associated with obsolete endpoints. It also supports the growth of API portfolios by providing a systematic approach to their management, ensuring consistency and improving security through integrated lifecycle governance.

To make adopting RFC 9727 easier, Zuplo streamlines implementation with features like native OpenAPI integration. This ensures that gateway configurations and specifications remain synchronized, removing the manual effort of maintaining accurate API catalogs. As Tom Carden from Rewiring America shared:

"Zuplo is the ultimate one-stop shop for all your API needs. With rate limiting, API key management, and documentation hosting, it saved us weeks of engineering time and let us focus on solving problems unique to our mission."

Zuplo equips organizations with tools to customize compliance, enhance security, and simplify operations with features like OpenAPI synchronization, advanced authentication options, and detailed analytics. These capabilities address the complexities that often hinder successful adoption of standards like RFC 9727.

As API ecosystems grow, RFC 9727 lays the groundwork for effective API management practices. Companies that implement this standard now can benefit from stronger governance, a better developer experience, and more streamlined API lifecycle management. Combining this standard with platforms like Zuplo positions organizations to handle the expanding demands of modern API ecosystems with confidence and security.

FAQs#

How does RFC 9727 make APIs easier to discover and manage?#

RFC 9727 introduces a standardized 'api-catalog' well-known URI and a specific link relation to improve how APIs are discovered and managed. These features allow for automated API discovery on a larger scale, simplifying the process for developers and teams to find, utilize, and oversee APIs.

By organizing and making API information more accessible, RFC 9727 contributes to smoother API lifecycle management, stronger governance, and easier integration with API platforms. This standard marks an important advancement in creating a more streamlined and uniform method for handling API catalogs.

What security measures does RFC 9727 recommend to protect the integrity and reliability of API catalogs?#

RFC 9727 highlights crucial security practices for protecting API catalogs. It advises employing cryptographic techniques like digital signatures or checksums to guarantee data integrity and authenticity. For safeguarding data during transmission, the use of secure transport protocols such as Transport Layer Security (TLS) is strongly recommended.

The document also stresses the importance of access controls and authentication mechanisms to block unauthorized access or tampering. These steps are essential for ensuring the security, reliability, and trust in your organization's API catalogs.

What’s the best way for organizations to create and manage an RFC 9727-compliant API catalog with Zuplo?#

Organizations can rely on Zuplo's programmable API gateway to simplify the process of building and managing an API catalog that adheres to RFC 9727 standards. By automating API discovery, organizing APIs into clear categories, and enabling the creation of remote Model Context Protocol (MCP) servers, Zuplo helps ensure your catalog meets these compliance requirements.

Using Zuplo, you can boost API discoverability, strengthen governance, and streamline lifecycle management. This not only ensures compliance with RFC 9727 but also delivers a well-structured, user-friendly API catalog tailored to your organization's unique needs.