SpecDoc

Developer Portals

Every API project in SpecDoc gets a hosted developer portal, a public-facing documentation site your customers can browse and try live requests from.

What's in a portal

Interactive API explorer

Customers can make real API calls directly from the portal using their own credentials or an API key you provide.

Versioned docs

Every spec version published to the Registry is available in the portal. Users can switch between versions.

OpenAPI export

Download the raw OpenAPI file in JSON format directly from the portal.

Code samples

Auto-generated code snippets in cURL, JavaScript, Python, and Go for every operation.

Search

Full-text search across all endpoints, parameters, and descriptions.

Default portal URL

When you publish your first spec, SpecDoc automatically creates a portal at:

https://app.speclayer.net/portal/{projectSlug}

This URL is live immediately and updates within seconds of every successful pipeline run. The portal_url is also printed in your pipeline output after each publish.

Access control

Portals default to private when published via the CLI without a --visibility flag. Set visibility explicitly to control who can view your portal:

private

Only you and your workspace members can view the portal. Viewers must be signed in to SpecLayer. (Default)

protected

Any signed-in SpecLayer user can view the portal. Useful for internal APIs shared across teams.

public

Anyone with the URL can view the portal. No login required. Use for public-facing APIs.

Set visibility when publishing

npx @speclayer/cli publish \
  --spec openapi/api.yaml \
  --project payments-api \
  --visibility public

Enabling the API explorer (CORS)

The interactive API explorer sends requests directly from your customer's browser to your API server. Browsers enforce a security policy called CORS (Cross-Origin Resource Sharing) that blocks these requests unless your API explicitly permits them.

To allow the explorer to reach your API, add the following response header to your server:

Required response header

Access-Control-Allow-Origin: https://app.speclayer.net

How to add it in common frameworks:

Express / Node.js

app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Origin', 'https://app.speclayer.net');
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  if (req.method === 'OPTIONS') return res.sendStatus(204);
  next();
});

NestJS

app.enableCors({
  origin: 'https://app.speclayer.net',
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
});

FastAPI (Python)

from fastapi.middleware.cors import CORSMiddleware

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.speclayer.net"],
    allow_methods=["*"],
    allow_headers=["*"],
)

Django (django-cors-headers)

# settings.py
INSTALLED_APPS += ["corsheaders"]
MIDDLEWARE.insert(0, "corsheaders.middleware.CorsMiddleware")

CORS_ALLOWED_ORIGINS = ["https://app.speclayer.net"]

Nginx

location / {
    add_header Access-Control-Allow-Origin "https://app.speclayer.net";
    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Content-Type, Authorization";

    if ($request_method = OPTIONS) {
        return 204;
    }
}

If CORS is not configured, your customers will see a "Blocked by CORS" error in the explorer. The Code tab (cURL, JavaScript, Python snippets) is always available as an alternative — those snippets run from a terminal or server where CORS does not apply.

The interactive API explorer always runs requests from your customer's browser directly to your API server. SpecLayer never proxies or logs your API traffic.