| name | api-design |
| version | 1.0.0 |
| description | REST and HTTP API design with OpenAPI 3.1, resource modeling, versioning, pagination, idempotency, errors, validation, auth boundaries, and production compatibility. |
| author | skillregistry |
| license | MIT |
| agents | ["cursor","codex"] |
| categories | ["backend","architecture"] |
| tags | ["backend","rest","openapi"] |
API Design
Design APIs that are boring to consume and hard to misuse. Prefer explicit resources, stable contracts, precise validation, idempotent mutations, and machine-readable errors.
Workflow
- Model the resource and lifecycle before choosing endpoints.
- Define request/response schemas with OpenAPI 3.1 and JSON Schema semantics.
- Specify auth, authorization, rate limits, pagination, idempotency, and error behavior.
- Implement validation at the HTTP boundary.
- Add contract tests for representative success and failure cases.
- Document migration/deprecation behavior before changing existing APIs.
Patterns
Use nouns for resources and HTTP methods for actions:
GET /api/sessions
POST /api/sessions
GET /api/sessions/{sessionId}
PATCH /api/sessions/{sessionId}
DELETE /api/sessions/{sessionId}
POST /api/sessions/{sessionId}:compact # command-style only when not CRUD
Use Problem Details for errors:
{
"type": "https://agent.local/problems/validation-error",
"title": "Validation failed",
"status": 400,
"detail": "message is required",
"instance": "/api/chat",
"errors": [{ "path": "message", "code": "too_small" }]
}
OpenAPI 3.1 skeleton:
openapi: 3.1.0
info:
title: Agent Gateway API
version: 1.0.0
paths:
/api/chat:
post:
operationId: createChatTurn
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/ChatRequest"
responses:
"200":
description: Chat response
components:
schemas:
ChatRequest:
type: object
required: [sessionId, message]
properties:
sessionId: { type: string, minLength: 1 }
message: { type: string, minLength: 1, maxLength: 100000 }
Rules
- Use cursor pagination for changing datasets; include
nextCursor.
- Require
Idempotency-Key for retryable create/payment/tool-triggering mutations.
- Keep server-generated IDs opaque.
- Use
PATCH for partial updates and define merge semantics.
- Return
401 for missing/invalid authentication and 403 for authenticated but denied.
- Do not expose internal stack traces, provider raw errors, or secrets.
- Version breaking changes through URL or media type; do not silently alter schemas.
Verification
pnpm exec openapi lint openapi.yaml
pnpm test
curl -i http://localhost:3000/health
Resources
Principles
- Contracts outlive implementations.
- Errors are part of the API.
- Idempotency makes retries safe.
- Backward compatibility is a feature.
- Validate at the boundary.