The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in RFC 2119 [RFC2119].¶
This specification uses the term "container instance" to refer to both array and
object instances. It uses the term "children instances" to refer to array elements
or object member values.¶
Elements in an array value are said to be unique if no two elements of this array
are equal [json-schema].¶
JSON Schema validation asserts constraints on the structure of instance data.
An instance location that satisfies all asserted constraints is then
annotated with any keywords that contain non-assertion information,
such as descriptive metadata and usage hints. If all locations within
the instance satisfy all asserted constraints, then the instance is
said to be valid against the schema.¶
Each schema object is independently evaluated against each instance location
to which it applies. This greatly simplifies the implementation requirements
for validators by ensuring that they do not need to maintain state across
the document-wide validation process.¶
This specification defines a set of assertion keywords, as well as a small vocabulary
of metadata keywords that can be used to annotate the JSON instance with
useful information. The Section 7 keyword is intended primarily
as an annotation, but can optionally be used as an assertion. The
Section 8 keywords are annotations for working with documents
embedded as JSON strings.¶
Validation keywords in a schema impose requirements for successful validation of an
instance. These keywords are all assertions without any annotation behavior.¶
Meta-schemas that do not use "$vocabulary" SHOULD be considered to
require this vocabulary as if its URI were present with a value of true.¶
The current URI for this vocabulary, known as the Validation vocabulary, is:
<https://json-schema.org/draft/2020-12/vocab/validation>.¶
The current URI for the corresponding meta-schema is:
https://json-schema.org/draft/2020-12/meta/validation.¶
The value of this keyword MUST be either a string or an array. If it is
an array, elements of the array MUST be strings and MUST be unique.¶
String values MUST be one of the six primitive types
("null", "boolean", "object", "array", "number", or "string"),
or "integer" which matches any number with a zero fractional part.¶
If the value of "type" is a string, then an instance validates successfully if
its type matches the type represented by the value of the string.
If the value of "type" is an array, then an instance validates successfully if
its type matches any of the types indicated by the strings in the array.¶
The value of this keyword MUST be an array. This array SHOULD have at
least one element. Elements in the array SHOULD be unique.¶
An instance validates successfully against this keyword if its value is
equal to one of the elements in this keyword's array value.¶
Elements in the array might be of any type, including null.¶
The value of this keyword MAY be of any type, including null.¶
Use of this keyword is functionally equivalent to an
"enum" (Section 6.1.2) with a single value.¶
An instance validates successfully against this keyword if its value is
equal to the value of the keyword.¶
The value of "multipleOf" MUST be a number, strictly greater than 0.¶
A numeric instance is valid only if division by this keyword's value results in
an integer.¶
To ensure consistent validation:
- Use scaled integers (e.g., represent $4.02 as 402 with 'multipleOf: 1')
- If floating-point values are necessary, use binary-friendly numbers (e.g., 0.5, 0.25, 0.125)
¶
The value of "maximum" MUST be a number, representing an inclusive upper limit
for a numeric instance.¶
If the instance is a number, then this keyword validates only if the instance is
less than or exactly equal to "maximum".¶
The value of "exclusiveMaximum" MUST be a number, representing an exclusive upper
limit for a numeric instance.¶
If the instance is a number, then the instance is valid only if it has a value
strictly less than (not equal to) "exclusiveMaximum".¶
The value of "minimum" MUST be a number, representing an inclusive lower limit
for a numeric instance.¶
If the instance is a number, then this keyword validates only if the instance is
greater than or exactly equal to "minimum".¶
The value of "exclusiveMinimum" MUST be a number, representing an exclusive lower
limit for a numeric instance.¶
If the instance is a number, then the instance is valid only if it has a value
strictly greater than (not equal to) "exclusiveMinimum".¶
The value of this keyword MUST be a non-negative integer.¶
A string instance is valid against this keyword if its
length is less than, or equal to, the value of this keyword.¶
The length of a string instance is defined as the number of its
characters as defined by RFC 8259 [RFC8259].¶
The value of this keyword MUST be a non-negative integer.¶
A string instance is valid against this keyword if its
length is greater than, or equal to, the value of this keyword.¶
The length of a string instance is defined as the number of its
characters as defined by RFC 8259 [RFC8259].¶
Omitting this keyword has the same behavior as a value of 0.¶
The value of this keyword MUST be a string. This string SHOULD be a
valid regular expression, according to the ECMA-262 regular expression
dialect.¶
A string instance is considered valid if the regular
expression matches the instance successfully. Recall: regular
expressions are not implicitly anchored.¶
The value of this keyword MUST be a non-negative integer.¶
An array instance is valid against "maxItems" if its size is
less than, or equal to, the value of this keyword.¶
The value of this keyword MUST be a non-negative integer.¶
An array instance is valid against "minItems" if its size is
greater than, or equal to, the value of this keyword.¶
Omitting this keyword has the same behavior as a value of 0.¶
The value of this keyword MUST be a boolean.¶
If this keyword has boolean value false, the instance validates
successfully. If it has boolean value true, the instance validates
successfully if all of its elements are unique.¶
Omitting this keyword has the same behavior as a value of false.¶
The value of this keyword MUST be a non-negative integer.¶
If "contains" is not present within the same schema object,
then this keyword has no effect.¶
An instance array is valid against "maxContains" in two ways, depending on
the form of the annotation result of an adjacent
"contains" [json-schema] keyword. The first way is if
the annotation result is an array and the length of that array is less than
or equal to the "maxContains" value. The second way is if the annotation
result is a boolean "true" and the instance array length is less than or
equal to the "maxContains" value.¶
The value of this keyword MUST be a non-negative integer.¶
If "contains" is not present within the same schema object,
then this keyword has no effect.¶
An instance array is valid against "minContains" in two ways, depending on
the form of the annotation result of an adjacent
"contains" [json-schema] keyword. The first way is if
the annotation result is an array and the length of that array is greater
than or equal to the "minContains" value. The second way is if the
annotation result is a boolean "true" and the instance array length is
greater than or equal to the "minContains" value.¶
A value of 0 is allowed, but is only useful for setting a range
of occurrences from 0 to the value of "maxContains". A value of
0 causes "minContains" and "contains" to always pass validation
(but validation can still fail against a "maxContains" keyword).¶
Omitting this keyword has the same behavior as a value of 1.¶
The value of this keyword MUST be a non-negative integer.¶
An object instance is valid against "maxProperties" if its
number of properties is less than, or equal to, the value of this
keyword.¶
The value of this keyword MUST be a non-negative integer.¶
An object instance is valid against "minProperties" if its
number of properties is greater than, or equal to, the value of this
keyword.¶
Omitting this keyword has the same behavior as a value of 0.¶
The value of this keyword MUST be an array.
Elements of this array, if any, MUST be strings, and MUST be unique.¶
An object instance is valid against this keyword if every item in the array is
the name of a property in the instance.¶
Omitting this keyword has the same behavior as an empty array.¶
The value of this keyword MUST be an object. Properties in
this object, if any, MUST be arrays. Elements in each array,
if any, MUST be strings, and MUST be unique.¶
This keyword specifies properties that are required if a specific
other property is present. Their requirement is dependent on the
presence of the other property.¶
Validation succeeds if, for each name that appears in both
the instance and as a name within this keyword's value, every
item in the corresponding array is also the name of a property
in the instance.¶
Omitting this keyword has the same behavior as an empty object.¶
These general-purpose annotation keywords provide commonly used information
for documentation and user interface display purposes. They are not intended
to form a comprehensive set of features. Rather, additional vocabularies
can be defined for more complex annotation-based applications.¶
Meta-schemas that do not use "$vocabulary" SHOULD be considered to
require this vocabulary as if its URI were present with a value of true.¶
The current URI for this vocabulary, known as the Meta-Data vocabulary, is:
<https://json-schema.org/draft/2020-12/vocab/meta-data>.¶
The current URI for the corresponding meta-schema is:
https://json-schema.org/draft/2020-12/meta/meta-data.¶
The value of both of these keywords MUST be a string.¶
Both of these keywords can be used to decorate a user interface with
information about the data produced by this user interface. A title will
preferably be short, whereas a description will provide explanation about
the purpose of the instance described by this schema.¶
There are no restrictions placed on the value of this keyword. When
multiple occurrences of this keyword are applicable to a single
sub-instance, implementations SHOULD remove duplicates.¶
This keyword can be used to supply a default JSON value associated with a
particular schema. It is RECOMMENDED that a default value be valid against
the associated schema.¶
The value of this keyword MUST be a boolean. When multiple occurrences
of this keyword are applicable to a single sub-instance, applications
SHOULD consider the instance location to be deprecated if any occurrence
specifies a true value.¶
If "deprecated" has a value of boolean true, it indicates that applications
SHOULD refrain from usage of the declared property. It MAY mean the property
is going to be removed in the future.¶
A root schema containing "deprecated" with a value of true indicates that
the entire resource being described MAY be removed in the future.¶
The "deprecated" keyword applies to each instance location to which the
schema object containing the keyword successfully applies. This can
result in scenarios where every array item or object property
is deprecated even though the containing array or object is not.¶
Omitting this keyword has the same behavior as a value of false.¶
The value of these keywords MUST be a boolean. When multiple occurrences
of these keywords are applicable to a single sub-instance, the resulting
behavior SHOULD be as for a true value if any occurrence specifies a true value,
and SHOULD be as for a false value otherwise.¶
If "readOnly" has a value of boolean true, it indicates that the value
of the instance is managed exclusively by the owning authority, and
attempts by an application to modify the value of this property are
expected to be ignored or rejected by that owning authority.¶
An instance document that is marked as "readOnly" for the entire document
MAY be ignored if sent to the owning authority, or MAY result in an
error, at the authority's discretion.¶
If "writeOnly" has a value of boolean true, it indicates that the value
is never present when the instance is retrieved from the owning authority.
It can be present when sent to the owning authority to update or create
the document (or the resource it represents), but it will not be included
in any updated or newly created version of the instance.¶
An instance document that is marked as "writeOnly" for the entire document
MAY be returned as a blank document of some sort, or MAY produce an error
upon retrieval, or have the retrieval request ignored, at the authority's
discretion.¶
For example, "readOnly" would be used to mark a database-generated serial
number as read-only, while "writeOnly" would be used to mark a password
input field.¶
These keywords can be used to assist in user interface instance generation.
In particular, an application MAY choose to use a widget that hides
input values as they are typed for write-only fields.¶
Omitting these keywords has the same behavior as values of false.¶
The value of this keyword MUST be an array.
There are no restrictions placed on the values within the array.
When multiple occurrences of this keyword are applicable to a single
sub-instance, implementations MUST provide a flat array of all
values rather than an array of arrays.¶
This keyword can be used to provide sample JSON values associated with a
particular schema, for the purpose of illustrating usage. It is
RECOMMENDED that these values be valid against the associated schema.¶
Implementations MAY use the value(s) of "default", if present, as
an additional example. If "examples" is absent, "default"
MAY still be used in this manner.¶
JSON Schema validation defines a vocabulary for JSON Schema core and concerns all
the security considerations listed there.¶
JSON Schema validation allows the use of Regular Expressions, which have numerous
different (often incompatible) implementations.
Some implementations allow the embedding of arbitrary code, which is outside the
scope of JSON Schema and MUST NOT be permitted.
Regular expressions can often also be crafted to be extremely expensive to compute
(with so-called "catastrophic backtracking"), resulting in a denial-of-service
attack.¶
Implementations that support validating or otherwise evaluating instance
string data based on "contentEncoding" and/or "contentMediaType" are at
risk of evaluating data in an unsafe way based on misleading information.
Applications can mitigate this risk by only performing such processing
when a relationship between the schema and instance is established
(e.g., they share the same authority).¶
Processing a media type or encoding is subject to the security considerations
of that media type or encoding. For example, the security considerations
of RFC 4329 Scripting Media Types [RFC4329] apply when
processing JavaScript or ECMAScript encoded within a JSON string.¶
Thanks to
Gary Court,
Francis Galiegue,
Kris Zyp,
and Geraint Luff
for their work on the initial drafts of JSON Schema.¶
Thanks to
Jason Desrosiers,
Daniel Perrett,
Erik Wilde,
Evgeny Poberezkin,
Brad Bowman,
Gowry Sankar,
Donald Pipowitch,
Dave Finlay,
Denis Laxalde,
Phil Sturgeon,
Shawn Silverman,
and Karen Etheridge
for their submissions and patches to the document.¶