Score
Designing stateless web APIs and services using HTTP verbs and resource-oriented URIs with standard status codes, caching semantics, content negotiation (JSON), and API specifications (OpenAPI), while addressing idempotency, authentication, and hypermedia where needed.
This work addresses the inefficiency, error-proneness, and technology-stack dependency developers face when authoring and maintaining OpenAPI specifications (OAS). To overcome these challenges, we propose OOPS—the first language- and framework-agnostic, LLM-driven static analysis approach. OOPS constructs an API dependency graph to link cross-file code artifacts and employs a two-stage pipeline—endpoint extraction followed by OAS generation—augmented with a self-refinement mechanism to mitigate LLM context limitations and reduce hallucinations. Evaluated on 12 real-world REST APIs spanning five programming languages and eight frameworks, OOPS achieves F1 scores of 98%, 97%, and 92% in endpoint identification, request/response structure inference, and parameter constraint derivation, respectively, with average input and output token counts below 5.6K and 0.9K, substantially decreasing reliance on manual intervention and handcrafted rules.
This paper addresses the low efficiency in specification authoring, code generation, and iterative debugging during API-first development of RESTful microservices. We propose a multi-agent collaborative framework powered by large language models (LLMs), which decouples OpenAPI specification generation, server-side code synthesis, and feedback-driven refinement—guided by execution logs and error messages—into specialized, interoperable agents. This architecture establishes a closed-loop iterative optimization process, substantially enhancing LLMs’ capability to detect and rectify semantic inconsistencies and runtime defects. Evaluated on the PRAB benchmark, our approach generates functionally complete, business-logic-consistent service code in a single pass for small-to-medium-complexity APIs, reducing average iteration count by 62%. Results demonstrate significant improvements in development efficiency, functional correctness, and system robustness.
Online API documentation is predominantly published in unstructured HTML, necessitating substantial manual effort to convert it into structured specifications (e.g., OpenAPI) for AI agents and automated systems. Method: We propose a collaborative conversion framework integrating domain knowledge, large language models (LLMs), and web-structure-aware rules—enabling the first end-to-end, high-accuracy OpenAPI generation from lengthy, heterogeneous API documentation. Our approach employs multi-stage prompt engineering, structure-guided rule constraints, and rigorous format validation to significantly improve LLM output accuracy and consistency. Contribution/Results: Evaluated on hundreds of real-world API documentation pages, our method achieves full semantic coverage of original specifications. Deployed enterprise-wide, it has saved over thousands of person-hours of manual effort. The generated OpenAPI specifications robustly support LLM-driven service integration and tool-mediated API invocation.
REST API documentation frequently suffers from incompleteness, obsolescence, or inaccessibility, hindering both automated testing efficiency and human comprehension. This paper introduces the first LLM-driven, end-to-end framework for OpenAPI specification inference and black-box API testing—requiring only an API name and an LLM API key. It automatically generates and mutates HTTP requests, then infers specifications and detects defects via response analysis. A novel context-aware prompt masking strategy enables zero-shot discovery of undocumented routes and parameters without model fine-tuning. Evaluated on a standardized benchmark, the framework achieves 85.05% average recall for GET routes and 81.05% for query parameters, successfully uncovering hidden endpoints and diverse server-side errors (e.g., 5xx, logic flaws). The inferred OpenAPI specifications are directly compatible with mainstream API testing tools, enabling seamless integration into existing CI/CD and security validation pipelines.
This work addresses the poor robustness of AI agents in complex web tasks caused by overreliance on browser-based interaction. To this end, we propose a novel API-first interaction paradigm. Methodologically, we design a task-agnostic API-first hybrid agent that integrates LLM-driven API discovery and planning, dynamic schema parsing, and unified modeling of multi-source action spaces; we further construct a systematic evaluation framework using WebArena. Our contributions are threefold: (1) the first systematic empirical validation that APIs can serve as viable mainstream alternatives to browser-based web interaction; (2) the first general-purpose, task-agnostic hybrid agent supporting both API and browser modalities without task-specific fine-tuning; and (3) achieving a 35.8% task success rate on WebArena—surpassing pure browser-based agents by over 20.0 percentage points and establishing a new state-of-the-art for task-agnostic web agents.
This work addresses the challenge that large language models often generate erroneous Web API invocation code due to the complexity and dynamic evolution of API specifications. To mitigate this, the authors propose a novel approach combining retrieval-augmented generation (RAG) with constrained decoding (CD), wherein OpenAPI specifications are automatically compiled into regular expression constraints to guide code generation—a first in the field—and a compact, endpoint-focused retrieval mechanism tailored for OpenAPI is introduced. Experimental results demonstrate that constrained decoding substantially improves generation correctness by effectively preventing invalid URLs, HTTP methods, and parameters. While RAG reduces hallucination in full-call generation, it may introduce redundancy when the target endpoint is already known. This study establishes a new paradigm for specification-driven API code generation.
This study addresses the challenge of effectively detecting anomalies and malicious activities in HTTP REST APIs when comprehensive documentation is unavailable. To this end, the authors propose HRAL, a novel method that, for the first time, automatically learns API structure and normal behavioral patterns directly from network traffic in a fully unsupervised manner—without relying on predefined rules or API specifications. HRAL integrates unsupervised anomaly detection, traffic analysis, and API behavior modeling, and can be synergistically combined with the OWASP ModSecurity Core Rule Set (CRS) engine to achieve comprehensive coverage. Experimental results demonstrate that HRAL achieves an average recall of 82.07% and an F1-score of 87.24%; its performance in documentation-scarce scenarios closely matches that of methods leveraging complete API definitions, and when fused with rule-based detection, it attains a 100% attack detection rate.
This work addresses the challenges of manual Web API integration testing, which is time-consuming, error-prone, and often misaligned with business requirements. The authors propose a novel approach that synergistically combines large language models (LLMs), retrieval-augmented generation (RAG), and prompt engineering to jointly parse natural language business requirements and OpenAPI specifications, thereby automatically generating executable test scripts that are both semantically meaningful and syntactically correct. Evaluated on ten real-world APIs, the method successfully produced valid tests for 89% of the business requirements within three attempts, uncovered multiple previously unknown integration defects, and substantially reduced the manual effort required for test development.
Existing tool interfaces based on static endpoints struggle to express long-running workflows involving complex control flows such as loops, conditional branches, and retries. This work proposes replacing static endpoints with executable tool programs, enabling explicit effect typing and sophisticated workflow control through constraint-guided program construction, effect-aware exactly-once replay mechanisms, and configuration-driven execution policies. Implemented atop MCP-style services and a WebAssembly sandbox, the system demonstrates significant performance improvements in real-world scenarios, reducing end-to-end latency by up to 53.4% and client-side traffic by as much as 96.1%, with particularly pronounced gains under high network latency or increased workflow complexity.
Existing autonomous agents rely on browser automation for web interaction, suffering from inefficiency, poor robustness, and redundant operations. This work proposes Unbrowse, a system that systematically leverages internal website APIs—termed Shadow APIs—as a replacement for conventional browser automation, constructing a shared routing graph to enable efficient and collaborative agent interactions. Key innovations include passively learning routes from real user traffic, a three-tier execution pipeline (local cache, shared graph, browser fallback), a shared discovery mechanism, and a three-layer micropayment model based on the x402 protocol to support voluntary participation and a self-correcting architecture. Experiments across 94 websites demonstrate that, with sufficient caching, Unbrowse achieves a mean response time of 950 ms—3.6× faster than Playwright on average (5.4× at the median)—with some requests completing in under 100 ms.