What’s in a schema
A schema for a Shopify store might include:
Each endpoint carries its parameters, required headers (like
Content-Type: application/json), and enough metadata for an agent to construct a valid HTTP request.
Schema format
Schemas are JSON documents. Here’s a minimal example:Required fields
Optional fields
Capability badges
The registry surfaces capability signals as badges so agents know what a request requires:
These badges appear on the public schema card so agents can decide whether they can handle the site before downloading the full schema.
Contributing a schema
Anyone with an API key can push a schema. There are three paths:Option 1: Discover with the CLI toolkit
Option 2: Let your agent do it
hermai-contribute skill and can run the discovery + push workflow autonomously. See hermai-ai/hermai-skills.
Option 3: Write and push manually
If you already know the site’s API (from DevTools, documentation, or testing), you can write the schema JSON yourself and push it via the API:Validation rules
Every push runs through validation. If any check fails, the push is rejected with a specific error code. Structure checks:
Content governance:
Forbidden fields
These JSON keys are rejected if found anywhere in the schema, at any depth:Capability signals are allowed. The distinction is between metadata that helps agents understand what a site requires (like
requires_stealth: true) and operational secrets that describe how to bypass a defense (like proxy_credentials: "user:pass@host"). The former belongs in schemas; the latter belongs in the CLI runtime.Content addressing
Each schema is hashed (SHA-256 of canonical JSON with sorted keys). The hash becomes the version ID. Pushing the same content twice for the same site is a no-op because the registry recognizes it as a duplicate.Verified badge
Schemas are community-contributed and unverified by default. The Hermai team reviews schemas and awards a verified badge to those that meet quality standards. Agents can filter to verified schemas only:Schema versioning
Each push creates a new version. The registry tracks which version is “latest” for each site. When you query the catalog, you get the latest version by default. Version history is available:Public card vs full package
The registry exposes two views of every schema: Public card (no API key needed): metadata about what the schema does:- Site, category, name, description
- Endpoint names, methods, descriptions
- Variable names and sources (path/query/body)
- Query parameter keys and whether they’re required
- Response field names and types (top level only)
- Capability badges (requires browser, requires session, has auth)
- URL templates with actual URLs
- Header values
- Body templates
- Session configuration
- Variable patterns and defaults