Terms Of Service
Breaking the terms of service up into machine-readable, schema-defined properties allows the legal side of an API to be understood programmatically. Providing a breakdown of the legal constraints involved in putting an API to use helps consumers decide whether it is a fit for their business needs.
Also known as: ToS, Terms of Use, ToU, Acceptable Use Policy, Service Agreement, EULA
Example
Standards
- OpenAPI Initiative — OpenAPI Specification, info.termsOfService
- schema.org — termsOfService property
- IANA — Link Relation terms-of-service
- Common Paper — Cloud Service Agreement Standard
- Community — Terms of Service; Didn't Read (ToS;DR)
- Creative Commons — Creative Commons Licenses
- Linux Foundation — SPDX License List
HTTP Headers
| Header | Direction | Spec | Description |
|---|---|---|---|
| Link | response | RFC 8288 | May advertise rel="terms-of-service" pointing at the human-readable policy. |
Status Codes
- 451 Unavailable For Legal Reasons — RFC 7725 — Resource withheld due to legal demand; often references terms or jurisdiction.
OpenAPI Expression
- info.termsOfService (OpenAPI 3.x §4.8.2 Info Object) — URL to the Terms of Service for the API.
- info.license (OpenAPI 3.x §4.8.2 / License Object) — License governing use of the API description (and often referenced from the ToS).
- info.contact (OpenAPI 3.x §4.8.2 / Contact Object) — Legal/contractual contact for ToS questions.
Link Relations
- terms-of-service — IANA Link Relations registry — Used in Link headers, Atom, HAL, JSON:API, and HTML.
- license — RFC 4946 / IANA — Often paired with the ToS to describe IP terms.
Governance Rules
- info-contact (Spectral built-in) — Info object should include contact details; applies to the ToS as well.
- info-license (Spectral built-in) — Info object should reference a license; complements the ToS.
- info-license-url (Spectral built-in) — License must include a URL.
Risk & Compliance
Compliance:
- GDPR Art. 13/14 — information to be provided to data subjects (often linked from ToS)
- CCPA/CPRA §1798.130 — notice at collection
- EU DSA — clear terms for online intermediary services
- FTC Act §5 — prohibition on unfair or deceptive terms (US)
- Consumer Rights Act 2015 — unfair terms (UK/EU equivalents)
Security: A clear, versioned ToS is itself a security control. It sets acceptable-use boundaries (scraping, automation, abuse), defines incident-response and notification obligations, allocates liability, and authorizes the provider to suspend abusive consumers. Track the effective_date and prior versions so consumers can detect breaking legal changes the same way they track API versions.
Tools
- Common Paper — Standardized contract templates
- ToS;DR — Crowd-sourced ToS rating
- Docusign CLM — Contract lifecycle management
- Ironclad — Contract lifecycle management
- PolicyGenius / Termly — Policy generator
- Diff-checker for ToS versions — Change tracking
Suggested Metrics
- tos_version_count — Number of distinct ToS versions published; growth signals legal cadence.
- days_since_last_tos_update — Time since the most recent material change.
- tos_acceptance_rate — Share of new signups that explicitly accept the current ToS.
- machine_readable_tos_coverage — Whether info.termsOfService is set across the provider's OpenAPI documents.
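The governance rules and the machine_readable_tos_coverage metric above can be computed together from a set of OpenAPI documents. The following is an added example, not code from this page or from Spectral; the sample documents are constructed, the rule ids follow the names used in the Governance Rules section, and the ToS check named info-tos-url is a hypothetical rule added here because the built-in rules do not cover termsOfService.

```python
"""Lint the Info object of OpenAPI documents for ToS-related fields and
compute machine_readable_tos_coverage across them (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample documents, stored as JSON strings as a catalog might hold them.
SAMPLE_DOCS = {
    "billing": json.dumps({"openapi": "3.1.0", "info": {
        "title": "Billing", "version": "2",
        "termsOfService": "https://example.com/legal/api-terms",
        "license": {"name": "Apache-2.0", "url": "https://www.apache.org/licenses/LICENSE-2.0"},
        "contact": {"name": "Legal", "email": "legal@example.com"}}, "paths": {}}),
    "search": json.dumps({"openapi": "3.0.3", "info": {
        "title": "Search", "version": "1", "termsOfService": "/terms",
        "license": {"name": "Proprietary"}}, "paths": {}}),
    "legacy": json.dumps({"openapi": "3.0.0", "info": {
        "title": "Legacy", "version": "0.9"}, "paths": {}}),
}

def is_absolute_http_url(value):
    """OpenAPI 3.x expects termsOfService and license.url to be URLs; a relative
    path cannot be resolved by a consumer reading the document, so only absolute
    http(s) URLs count as machine-readable here."""
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def lint_info(doc):
    """Return the ids of rules that fail for one parsed OpenAPI document.
    info-tos-url is hypothetical; the other ids follow the Spectral names above."""
    info = doc.get("info", {})
    failures = []
    if not is_absolute_http_url(info.get("termsOfService")):
        failures.append("info-tos-url")
    if "contact" not in info:
        failures.append("info-contact")
    license_ = info.get("license")
    if not license_:
        failures.append("info-license")
    elif not is_absolute_http_url(license_.get("url")):
        failures.append("info-license-url")
    return failures

def tos_coverage(docs):
    """Compute machine_readable_tos_coverage over a dict of name -> OpenAPI JSON."""
    report = {name: lint_info(json.loads(raw)) for name, raw in docs.items()}
    covered = sum(1 for f in report.values() if "info-tos-url" not in f)
    return {"coverage": covered / len(report) if report else 0.0, "findings": report}

if __name__ == "__main__":
    print(json.dumps(tos_coverage(SAMPLE_DOCS), indent=2))
```

A relative termsOfService such as "/terms" is reported as a failure rather than counted as coverage, since the metric is only useful when the link actually resolves for a consumer holding nothing but the document.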
Example Implementations
- Stripe — Versioned Services Agreement plus per-product terms.
- GitHub — Customer Agreement, API Terms, Acceptable Use Policies on docs.github.com.
- Google — Google APIs Terms of Service plus per-service supplementary terms.
- Twilio — Master Services Agreement, Acceptable Use Policy.
Related Properties
Tags
- Legal
- TOS
- Terms of Service
- Terms of Use