# Enforce API Standards with Custom Linting in Kong Insomnia 13
Juhi Singh
Tech PMM, Kong
As APIs grow across teams, keeping them consistent becomes difficult. Some APIs follow naming conventions and include clear descriptions, while others don’t. Over time, these differences make APIs harder to understand, review, and maintain.
That is where API linting helps. [_Kong Insomnia_](https://insomnia.rest/features/api-design)_Kong Insomnia_ has already supported API linting workflows through the Inso CLI and local project files. That made it possible to apply custom Spectral rules as part of local development, Git workflows, or CI checks.
With [_Insomnia 13_](https://konghq.com/blog/product-releases/insomnia-13)_Insomnia 13_, that workflow becomes easier and more accessible. Teams can now upload and manage custom Spectral rulesets directly from the Insomnia UI. This means custom linting is no longer limited to local or Git-based workflows. You can apply custom API standards to any Insomnia project type, including cloud projects, without leaving the app.
Developers can validate OpenAPI specs against both baseline OpenAPI rules and team-specific API standards while they are designing APIs in Insomnia. Platform teams can define standards once, and API teams can apply those rules consistently across design, review, local development, and CI.
In this blog, I’ll start with an OpenAPI spec that has a few default linting issues, clean it up using Insomnia’s default OAS linting, then upload a custom ruleset from the UI to enforce additional API style rules.
*Note: In Insomnia 13, custom linting supports Spectral rulesets using the top-level rules and extends properties. Custom JavaScript functions are not permitted, but Spectral built-in core functions are supported.*
## Create or open an API design document
First, open Insomnia and create a new project, or open an existing project that contains an OpenAPI document.
For this walkthrough, I'll use a small KongAir OpenAPI specification. You can download it from the GitHub Gist below and import the kongair-openapi.yaml file into your project.
This spec is intentionally incomplete. It is still useful for the demo because it lets us show two layers of validation: Default OAS linting catches general OpenAPI quality issues. Custom linting catches organization-specific API style rules.
Before uploading any custom rules, look at the linting status in Insomnia. You should see warnings from the Default OAS Ruleset. These may include issues such as: missing `info.contact`, missing operation IDs, missing operation descriptions, and so on.
At this stage, these warnings are not coming from a custom ruleset. They are from Insomnia’s default OpenAPI linting. This is a good first step because it helps ensure the spec is structurally healthy before adding team-specific rules. Now update the spec so it passes the default OAS linting checks.
After updating the spec, the default OAS linting status should be clean or close to clean. At this point, the OpenAPI document is valid and follows the baseline expectations.
## Create a custom Spectral ruleset
Next, we'll create a custom ruleset file named: `kongair-rules.yaml`
This custom Spectral ruleset extends the default OpenAPI ruleset by adding four team-specific standards. It enforces HTTPS server URLs, removes trailing slashes from API paths, encourages resource-based path names instead of verbs, and ensures summaries follow a consistent formatting style.
## Upload the custom ruleset in Insomnia
Now upload the ruleset into Insomnia.
In Insomnia:
- Open the KongAir API 1.0.0 design document.
- Confirm the spec is clean with the Default OAS Ruleset.
- Click the upload icon next to Default OAS Ruleset at the bottom of the editor.
- Select kongair-custom-rules.yaml.
- Insomnia applies the custom ruleset to the OpenAPI document.
- After uploading, Insomnia stores the custom ruleset in the project and renames it as: .spectral.yaml
You can view the uploaded ruleset by selecting Custom Ruleset in Insomnia.
*Note: If you have already uploaded a custom ruleset in this project while testing, remove or reset it before recording the demo. Otherwise, your custom rules may already be active before you reach this step.*
## Review the custom linting issues
After uploading the custom ruleset, the same OpenAPI spec should now show new issues. These issues are not baseline OpenAPI problems. They are team-specific style and governance rules.
- You should see a few validation issues. For example, the `server-url-https` rule flags the server URL because it uses `http://` instead of `https://`.
- The `no-verbs-in-paths` rule reports the `/get-flights` path because API paths should use resource names instead of verbs such as `get`, `create`, `update`, `delete`, or `fetch`.
- You may also see the `summary-no-trailing-period` rule, which flags operation summaries that end with a period. For example, `summary: Get KongAir planned flights`.
## Fix the custom linting issues
Now update the spec to satisfy the custom rules.
The custom validation issues have now been resolved. The server URL has been updated to use `https://`, the `/get-flights` endpoint has been renamed to the resource-based `/flights`, and periods have been removed from the operation summaries. With these changes, the API specification now passes both the default OpenAPI validation rules and the custom team-specific Spectral rules.
## Conclusion
Custom linting in Insomnia 13 brings API governance directly into the API design workflow. Teams can fix default OpenAPI linting issues and apply custom Spectral rulesets to validate APIs against both OpenAPI best practices and their own standards.
This helps catch issues early, keeps APIs consistent across teams, and lets the same rules be reused in local development and CI/CD pipelines, all from within Insomnia.
To get started, open an API design document in Insomnia 13, fix the default OAS linting issues, upload your custom Spectral ruleset, and validate your API against your team's standards.
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# Migrating Your Collections and Requests from Postman to Insomnia
Local-first: your data stays with you: Insomnia stores everything on your machine by default. No forced cloud sync, no account needed just to send a request. This is helpful if privacy or working in a regulated environment is a priority for you Fre
Juhi Singh
# Why Your API Gateway Should Be Your Testing Environment
You invested in Kong Konnect. You centralized your API governance, locked down your routing, enforced your security policies, and gave your organization a single source of truth for every API in your estate. That work is done, and it is working. So
If you've been online at all this week, chances are that you've heard about the Log4Shell zero-day ( CVE-2021-44228 ) in Log4J, a popular Java logging library. The vulnerability enables Remote Code Execution (RCE), which allows attackers to run arbi
API Fortress is a continuous testing platform for APIs. We've been a friend to Kong since the beginning. In this guest blog post, we explain how our company uses Kong to facilitate the process of virtualizing APIs. Why Mock APIs? As more companies
Patrick Poulin
# Moving from Probabilistic Reasoning to Deterministic Execution
Building Reliable GenAI Architectures
This is the second post in a series. For the first part, see Why We Need to Stop Prompt Hacking . Generative AI systems do not fail because models are weak. They fail because architectures are incomplete. On
The Mirage of the Perfect Prompt
The realization that prompt hacking is a dead end often arrives after significant resources have been spent. I realized this while speaking with an international system integrator in India whose team was exploring
Hugo Guerrero
# How to Test Gateway APIs Directly from Kong Konnect with Insomnia
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# Migrating Your Collections and Requests from Postman to Insomnia
Local-first: your data stays with you: Insomnia stores everything on your machine by default. No forced cloud sync, no account needed just to send a request. This is helpful if privacy or working in a regulated environment is a priority for you Fre
Juhi Singh
# Why Your API Gateway Should Be Your Testing Environment
You invested in Kong Konnect. You centralized your API governance, locked down your routing, enforced your security policies, and gave your organization a single source of truth for every API in your estate. That work is done, and it is working. So
If you've been online at all this week, chances are that you've heard about the Log4Shell zero-day ( CVE-2021-44228 ) in Log4J, a popular Java logging library. The vulnerability enables Remote Code Execution (RCE), which allows attackers to run arbi
API Fortress is a continuous testing platform for APIs. We've been a friend to Kong since the beginning. In this guest blog post, we explain how our company uses Kong to facilitate the process of virtualizing APIs. Why Mock APIs? As more companies
Patrick Poulin
# Moving from Probabilistic Reasoning to Deterministic Execution
Building Reliable GenAI Architectures
This is the second post in a series. For the first part, see Why We Need to Stop Prompt Hacking . Generative AI systems do not fail because models are weak. They fail because architectures are incomplete. On
The Mirage of the Perfect Prompt
The realization that prompt hacking is a dead end often arrives after significant resources have been spent. I realized this while speaking with an international system integrator in India whose team was exploring
Hugo Guerrero
# How to Test Gateway APIs Directly from Kong Konnect with Insomnia
What You'll Build
To explore the new integration, I'll build a realistic API platform workflow using Konnect, Kong Gateway, and Insomnia.
By the end of this tutorial, I'll have:
A Konnect Control Plane (KongAir Dev)
A local Kong Gateway Data Pl
Juhi Singh
# Migrating Your Collections and Requests from Postman to Insomnia
Local-first: your data stays with you: Insomnia stores everything on your machine by default. No forced cloud sync, no account needed just to send a request. This is helpful if privacy or working in a regulated environment is a priority for you Fre
Juhi Singh
# Why Your API Gateway Should Be Your Testing Environment
You invested in Kong Konnect. You centralized your API governance, locked down your routing, enforced your security policies, and gave your organization a single source of truth for every API in your estate. That work is done, and it is working. So
If you've been online at all this week, chances are that you've heard about the Log4Shell zero-day ( CVE-2021-44228 ) in Log4J, a popular Java logging library. The vulnerability enables Remote Code Execution (RCE), which allows attackers to run arbi
API Fortress is a continuous testing platform for APIs. We've been a friend to Kong since the beginning. In this guest blog post, we explain how our company uses Kong to facilitate the process of virtualizing APIs. Why Mock APIs? As more companies
Patrick Poulin
# Moving from Probabilistic Reasoning to Deterministic Execution
Building Reliable GenAI Architectures
This is the second post in a series. For the first part, see Why We Need to Stop Prompt Hacking . Generative AI systems do not fail because models are weak. They fail because architectures are incomplete. On
The Mirage of the Perfect Prompt
The realization that prompt hacking is a dead end often arrives after significant resources have been spent. I realized this while speaking with an international system integrator in India whose team was exploring
Hugo Guerrero
## Ready to see Kong in action?
Get a personalized walkthrough of Kong's platform tailored to your architecture, use cases, and scale requirements.