Thymian
Try it now
One command. No config required.
```
$ npx thymian lint --spec openapi:openapi.yaml
```

Thymian Across the API Lifecycle
From specification to production — see where Thymian lints, tests, and analyzes your APIs.
API Design / Spec
Development
CI
Dev / Staging
QA
Production
Built for Developer & AI Workflows
Thymian fits naturally into the development loop — whether you're coding by hand or an AI agent is driving. Generate, validate, fix, repeat.
Generate
Developer or AI Agent: Write or generate an OpenAPI spec or API implementation based on requirements.
Validate
Thymian CLI: Lint specs, test live endpoints, or analyze traffic — same rules, every context.
Fix
Developer or AI Agent: Rich error context with rule IDs, RFC references, and exact locations enables targeted fixes.
```
$ npx thymian lint --spec openapi:openapi.yaml
GET /api/v1/users/{id} → 404 NOT FOUND - application/json
✕ error: Origin servers with a clock MUST generate Date header in 2xx, 3xx, and 4xx responses.
rfc9110/origin-server-with-clock-must-generate-date-for-2xx-3xx-4xx
GET /api/v1/users/{id} → 401 UNAUTHORIZED - application/json
✕ error: Server MUST send WWW-Authenticate header for 401 response.
rfc9110/server-must-send-www-authenticate-header-for-401-response
GET /api/v1/users → 200 OK - application/json
⚠ warn: Origin servers SHOULD send ETag for selected representation.
rfc9110/origin-server-should-send-etag
⚠ warn: Origin servers SHOULD send Last-Modified for selected representation.
rfc9110/origin-server-should-send-last-modified
Found 2 errors, 2 warnings and 0 hints.
```

Why It Works
Designed from the ground up for both human developers and AI agents.
Security Conformance
Catch missing authentication headers, incorrect CORS configurations, and non-standard error disclosure before they reach production.
Performance Validation
Enforce Cache-Control policies, validate content encoding headers, and verify response payload conformance against your specifications.
Reliability Guarantees
Ensure consistent error formats (RFC 9457), proper status codes, and specification compliance across all environments — from staging to production.
Rich Error Context
Violations include rule names, RFC references, severity levels, and exact locations — giving any AI agent or developer all the context needed to fix issues.
Deterministic Feedback Loops
Non-interactive mode with explicit flags ensures reproducible results — perfect for agentic retry-and-fix workflows.
Zero Ambiguity
Exit codes, structured results, and typed schemas mean agents never have to parse prose or guess what went wrong.
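The checks behind the RFC 9110 findings in the sample lint output above, written as a stand-alone function over constructed response objects. This is an added example, not Thymian's code or API: `checkResponse`, `summarize` and the response object shape are assumptions, and only the rule IDs come from the output shown on this page.

```javascript
// Added illustration, not Thymian's implementation or API. Rule IDs are copied
// from the sample lint output; function names and object shapes are assumed.
// HTTP field names are case-insensitive, so normalise them before lookup.
function headerMap(headers) {
  const map = new Map();
  for (const [name, value] of Object.entries(headers || {})) {
    map.set(name.toLowerCase(), String(value).trim());
  }
  return map;
}

// A header counts as present only if it carries a non-empty value.
const has = (h, name) => (h.get(name) || '') !== '';
// Simplification: only a 200 reply to GET is treated as a selected representation.
const isRepresentation = (res) => res.method === 'GET' && res.status === 200;

const RULES = [
  { id: 'rfc9110/origin-server-with-clock-must-generate-date-for-2xx-3xx-4xx',
    severity: 'error', applies: (res) => res.status >= 200 && res.status <= 499,
    passes: (h) => has(h, 'date') },
  { id: 'rfc9110/server-must-send-www-authenticate-header-for-401-response',
    severity: 'error', applies: (res) => res.status === 401,
    passes: (h) => has(h, 'www-authenticate') },
  { id: 'rfc9110/origin-server-should-send-etag',
    severity: 'warn', applies: isRepresentation, passes: (h) => has(h, 'etag') },
  { id: 'rfc9110/origin-server-should-send-last-modified',
    severity: 'warn', applies: isRepresentation, passes: (h) => has(h, 'last-modified') },
];

function checkResponse(res) {
  const h = headerMap(res.headers);
  return RULES.filter((r) => r.applies(res) && !r.passes(h)).map((r) => ({
    rule: r.id, severity: r.severity, at: `${res.method} ${res.path} -> ${res.status}`,
  }));
}

// Constructed transactions mirroring the three shown in the sample output.
const DATE = 'Tue, 15 Nov 1994 08:12:31 GMT';
const SAMPLES = [
  { method: 'GET', path: '/api/v1/users/{id}', status: 404, headers: { 'Content-Type': 'application/json' } },
  { method: 'GET', path: '/api/v1/users/{id}', status: 401, headers: { Date: DATE } },
  { method: 'GET', path: '/api/v1/users', status: 200, headers: { date: DATE } },
];

function summarize(samples) {
  const findings = samples.flatMap(checkResponse);
  const errors = findings.filter((f) => f.severity === 'error').length;
  return { findings, errors, warnings: findings.length - errors };
}
```

`summarize(SAMPLES)` reports 2 errors and 2 warnings, the same totals as the sample run.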
One Rule. Every Stage. Zero Drift.
Write validation logic once — Thymian applies it across your entire API lifecycle, catching inconsistencies before they reach users.
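```
// Flag any 4xx/5xx response whose media type is not application/problem+json.
// The rule is registered for static linting, live tests, and traffic analytics.
export default httpRule('consistent-error-responses')
  .severity('error')
  .type('static', 'test', 'analytics')
  .description('Error responses must use problem+json')
  .rule(ctx =>
    ctx.validateCommonHttpTransactions(
      statusCodeRange(400, 599),
      not(responseMediaType('application/problem+json'))
    )
  )
  .done();
```

API Design & CI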
Validates API specifications before any code is written.
Dev & Staging
Actively tests running endpoints against the same rule.
QA & Production
Analyzes real traffic to verify compliance passively.
Sharable Rule Sets
Package rules as npm modules and share them across teams and projects.
Use built-in sets like @thymian/rules-rfc-9110 or create your own organizational standards.
@thymian/rules-rfc-9110
@thymian/rules-api-description-validation
@your-org/api-standards

Built to Be Extended
Virtually everything in Thymian is a plugin. A reactive event bus connects them all — swap, extend, or build your own without touching a single line of framework code or even JavaScript!
Everything Is a Plugin
Core features, integrations, and extensions are all plugins — the framework imposes no hard-coded behavior.
Event-Driven Architecture
Plugins communicate through a reactive event bus with typed events, actions, and error flows.
Loose Coupling
Plugins interact through well-defined APIs and events. Add, remove, or swap plugins without touching others.
Remote Plugins via WebSocket
Connect plugins running in any language or process over WebSockets — perfect for polyglot environments.
Shareable as npm Packages
Publish plugins and rule sets as npm modules. Share validation logic across teams and projects.
Schema-Validated Config
Plugin options are validated at startup via JSON Schema — catch misconfigurations before they cause failures.
```
import type { ThymianPlugin } from '@thymian/core';

export const myPlugin: ThymianPlugin = {
  name: 'my-custom-plugin',
  version: '*',
  async plugin(bus, logger, options) {
    bus.onAction('core.ready', async (payload, ctx) => {
      logger.info('Plugin is ready!');
      ctx.reply();
    });
    bus.onAction('core.lint', async (payload, ctx) => {
      // Your custom validation logic here
      ctx.reply({ results: [] });
    });
  }
};
```
Official Plugin Ecosystem
Ready-to-use plugins covering every stage of the API lifecycle — or build your own with the same powerful APIs.
Static analysis of OpenAPI specs and HTTP definitions.
Live endpoint testing against your rule definitions.
Passive analysis of recorded HTTP traffic for compliance.
Load, parse, and validate OpenAPI specifications.
Collect and format validation results into reports.
File-based HTTP request sampling for reproducible tests.
Connect remote plugins over WebSocket for distributed setups.
Dispatch HTTP requests to live endpoints for testing.
Build Your Own in Minutes
Implement the ThymianPlugin interface, hook into lifecycle events, and publish as an npm package. Local plugins, remote WebSocket plugins, and shared rule sets all use the same unified API.
How Thymian Is Different
Other tools handle one piece of the puzzle. Thymian unifies spec linting, endpoint testing, and traffic analysis under a single rule engine.
| Capability | Spectral + Prism | Schemathesis | Bruno | REDbot | Thymian |
|---|---|---|---|---|---|
| Static Spec Linting | |||||
| Live Endpoint Testing | |||||
| Traffic Analysis | |||||
| Proxy Mode | |||||
| HTTP Conformance | |||||
| Interactive API Client | |||||
| Mock Server Generation | |||||
| Write Rules Once | |||||
| Extensible Plugin System | |||||
| AI-Optimized Output | |||||
| Sharable Rule Packages |