| name | backend-endpoint |
| description | Create REST/GraphQL API endpoint with validation, error handling, and tests. Auto-invoke when user says "add endpoint", "create API", "new route", or "add route". |
| allowed-tools | Read, Write, Edit, Grep, Glob, Bash |
| version | 2.0.0 |
Backend API Endpoint Generator
Generate production-ready REST or GraphQL endpoints with request validation, error handling, and comprehensive tests.
When to Invoke
Auto-invoke when user mentions:
- "Add endpoint"
- "Create API"
- "New route"
- "Add route"
- "Create API endpoint for [resource]"
What This Does
- Generates route handler with proper HTTP methods
- Adds request validation (body, params, query)
- Implements error handling
- Creates test file with request/response tests
- Follows REST/GraphQL conventions
- Includes authentication middleware (if needed)
Execution Steps
Step 0: Check Existing Patterns (Phase 0)
Before gathering requirements, query the knowledge graph for what we already know about API/endpoint work in this project. Mirrors navigator-research's Phase 0.
PLUGIN_DIR="${CLAUDE_PLUGIN_DIR:-$HOME/.claude/plugins/cache/navigator-marketplace/navigator}"
[ -d "$PLUGIN_DIR" ] || PLUGIN_DIR="$HOME/.claude/plugins/marketplaces/navigator-marketplace"
python3 "$PLUGIN_DIR/skills/nav-graph/functions/graph_manager.py" \
--action query --concept api \
--graph-path .agent/knowledge/graph.json 2>/dev/null | head -40
Also check authentication, validation, and security if the endpoint touches those areas.
If memories surface (PATTERN, PITFALL, DECISION entries), read the full memory files for relevant ones:
ls .agent/knowledge/memories/{patterns,pitfalls,decisions}/ 2>/dev/null
What to do with what you find:
- Patterns: apply them (e.g. "we use Zod for validation, not Joi")
- Pitfalls: avoid them (record in
pitfalls_avoided in Step 8)
- Decisions: respect them (e.g. "we return 404 over 422 for missing resources")
If the graph returns nothing useful, proceed without it. Skip this step only if the knowledge graph is disabled in .agent/.nav-config.json.
Step 1: Gather Endpoint Requirements
Ask user for endpoint details:
Endpoint path: [e.g., /api/users/:id]
HTTP method: [GET, POST, PUT, PATCH, DELETE]
Resource name: [e.g., User, Post, Product]
Framework:
- express (default)
- fastify
- nestjs
- nextjs (App Router Route Handler — app/api/<resource>/route.ts)
- graphql
Authentication required: [yes/no]
Request validation needed: [yes/no]
Validate endpoint path:
- Use predefined function:
functions/route_validator.py
- Ensure RESTful conventions
- Check path parameters syntax
- No trailing slashes
Step 1.5: Verify Understanding (ToM Checkpoint) [EXECUTE]
IMPORTANT: This step MUST be executed for high-stakes operations.
Before generating code, confirm interpretation with user.
Display verification:
I understood you want:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Endpoint: {METHOD} {PATH}
Resource: {RESOURCE_NAME}
Framework: {FRAMEWORK} (detected from package.json / specified)
Auth required: {yes/no}
Validation needed: {yes/no}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Assumptions I'm making:
- Using {VALIDATION_LIBRARY} for validation (detected from existing validators)
- Error handling follows existing pattern in {ERROR_HANDLER_PATH}
- Route will be registered at {ROUTE_PREFIX} prefix
Proceed with generation? [Y/n]
Skip verification if (HIGH-STAKES ONLY mode):
- Simple CRUD operation (single resource, single path parameter)
- User explicitly said "quick", "just do it", or "skip confirmation"
- No custom authentication logic specified
- Standard GET/POST/PUT/DELETE without complex business logic
Always verify if:
- Multiple path parameters (e.g.,
/users/:userId/posts/:postId)
- Custom authorization logic specified
- Non-standard HTTP methods or patterns
- GraphQL mutations with side effects
- Endpoints involving financial or sensitive data
Step 1.8: Declare Belief State (Optional - ToM Anchor)
Before generating code, optionally declare explicit assumptions (enabled by tom_features.belief_anchors in config).
Display belief state anchor:
📌 BELIEF STATE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
What I know (from context):
✅ Framework: {FRAMEWORK} (from package.json)
✅ TypeScript: {strict/normal} mode (from tsconfig.json)
✅ Validation: {LIBRARY} (from existing validators/)
What I'm assuming (inference):
🔸 Error handler follows pattern in {PATH}
🔸 Routes registered at {PREFIX} prefix
🔸 Using {CONVENTION} commit messages
What I don't know (using defaults):
❓ Request logging preference (will include)
❓ Rate limiting requirements (will skip)
❓ Response envelope format (will use standard)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Adjustments needed before I proceed?
Skip belief anchor if:
tom_features.belief_anchors is false in config- User said "skip", "just do it", "quick"
- Simple endpoint with no custom logic
Show belief anchor if:
- Complex endpoint with multiple integrations
- User profile indicates preference for detailed explanations
- First endpoint in a new project (establishing patterns)
Step 2: Generate Route Handler
Based on HTTP method and framework:
Use predefined function: functions/endpoint_generator.py
python3 functions/endpoint_generator.py \
--path "/api/users/:id" \
--method "GET" \
--resource "User" \
--framework "express" \
--auth true \
--validation true \
--template "templates/express-route-template.ts" \
--output "src/routes/users.ts"
Template includes:
- Route definition
- Request validation middleware
- Controller/handler function
- Error handling
- Response formatting
- TypeScript types
Step 3: Generate Validation Schema
Use predefined function: functions/validation_generator.py
python3 functions/validation_generator.py \
--resource "User" \
--method "POST" \
--fields "name:string:required,email:email:required,age:number:optional" \
--library "zod" \
--output "src/validators/user.validator.ts"
Supported validation libraries:
- Zod (default, TypeScript-first)
- Joi (JavaScript schema)
- Yup (object schema)
- Express-validator (middleware-based)
Output example (Zod):
import { z } from 'zod';
export const createUserSchema = z.object({
name: z.string().min(1),
email: z.string().email(),
age: z.number().optional(),
});
export type CreateUserInput = z.infer<typeof createUserSchema>;
Step 4: Generate Error Handling Middleware
Write the error handler inline (no generator script ships for this — author it directly to match the project's existing error-handling pattern).
Write to src/middleware/errorHandler.ts an error handler that includes:
- HTTP status code mapping
- Error response formatting
- Logging integration
- Development vs production modes
- Validation error handling
Follow the framework's idiom (Express error middleware (err, req, res, next); Next.js route-level try/catch returning NextResponse.json).
Step 5: Generate Test File
Write the test inline, using templates/endpoint-test-template.spec.ts as the reference shape (it ships as a reference template; no generator script drives it). Output to tests/routes/users.test.ts.
The test should cover:
- Success case (200/201)
- Validation errors (400)
- Not found (404)
- Unauthorized (401)
- Server errors (500)
- Edge cases
Example test:
describe('GET /api/users/:id', () => {
it('returns user when found', async () => {
const response = await request(app)
.get('/api/users/123')
.expect(200);
expect(response.body).toMatchObject({
id: '123',
name: expect.any(String),
});
});
it('returns 404 when user not found', async () => {
await request(app)
.get('/api/users/999')
.expect(404);
});
});
Step 6: Generate API Documentation Comment
JSDoc or OpenAPI annotation:
Step 7: Show Endpoint Summary
Display generated files and usage:
✅ Endpoint Created: GET /api/users/:id
Structure:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📁 src/
├── routes/users.ts (Route handler)
├── validators/user.validator.ts (Request validation)
└── middleware/errorHandler.ts (Error handling)
📁 tests/
└── routes/users.test.ts (Integration tests)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Route Registration:
import { userRoutes } from './routes/users';
app.use('/api', userRoutes);
Test:
curl http://localhost:3000/api/users/123
# or
npm test -- users.test.ts
Next Steps:
1. Implement business logic in controller
2. Connect to database/service layer
3. Run tests: npm test
4. Test with Postman/Thunder Client
Step 8: Emit Execution Summary (Graph Ingestion)
After Step 7, emit an execution_summary JSON block. This is the parity equivalent of the research_findings block emitted by navigator-research, ingested into the knowledge graph so future endpoint work can surface what we learned.
Output the block verbatim (replace placeholders with actual values):
{
"execution_summary": {
"skill": "backend-endpoint",
"task": "{METHOD} {PATH}",
"files_created": ["{route, validator, test paths}"],
"files_modified": ["{router registration paths}"],
"tests_added": ["{test file path}"],
"stack_detected": "{e.g. express+typescript+zod}",
"patterns_followed": [
{"summary": "{convention applied — e.g. Zod schema for request validation}", "concepts": ["api"], "confidence": 0.8}
],
"decisions_made": [
{"summary": "{non-obvious choice — e.g. 404 over 422 because resource itself missing}", "concepts": ["api"], "confidence": 0.75, "evidence": "{path:line}"}
],
"pitfalls_avoided": [
{"summary": "{gotcha that future agents should know — e.g. middleware order matters: auth before validator}", "concepts": ["api"], "confidence": 0.85}
],
"assumptions_made": ["{e.g. project uses Express middleware pattern (detected via package.json)}"]
}
}
Ingestion (run from project root):
PLUGIN_DIR="${CLAUDE_PLUGIN_DIR:-$HOME/.claude/plugins/cache/navigator-marketplace/navigator}"
[ -d "$PLUGIN_DIR" ] || PLUGIN_DIR="$HOME/.claude/plugins/marketplaces/navigator-marketplace"
echo '<execution_summary JSON>' | python3 "$PLUGIN_DIR/skills/nav-graph/functions/execution_to_graph.py" -
Rules:
- Only include non-obvious entries — empty/trivial blocks pollute the graph.
- Skip the entire block if there's nothing notable to record.
- Confidence ≥ 0.7 for first-hand execution; 0.75 is a reasonable default.
Predefined Functions
1. route_validator.py
Validates route path follows REST conventions.
Usage:
python3 functions/route_validator.py --path "/api/users/:id" --method "GET"
Checks:
- RESTful naming (plural resources)
- Path parameter syntax (
:id or {id})
- No trailing slashes
- HTTP method matches intent
Returns: Valid path or error message
2. endpoint_generator.py
Generates endpoint handler from template.
Usage:
python3 functions/endpoint_generator.py \
--path "/api/users/:id" \
--method "GET" \
--resource "User" \
--framework "express" \
--auth true \
--validation true \
--template "templates/express-route-template.ts"
Parameters:
--path: API endpoint path--method: HTTP method--resource: Resource name (singular, PascalCase)--framework: Backend framework--auth: Include auth middleware--validation: Include validation middleware--template: Template file path
Returns: Generated endpoint code
3. validation_generator.py
Generates request validation schema.
Usage:
python3 functions/validation_generator.py \
--resource "User" \
--method "POST" \
--fields "name:string:required,email:email:required" \
--library "zod"
Supported field types:
string, number, booleanemail, url, uuidarray, objectdate, datetime
Returns: Validation schema code
Error handling and tests are written inline (Steps 4–5) — no
error_handler_generator.py / test_generator.py ship with this skill.
Templates
express-route-template.ts
Express.js route handler template.
Placeholders (exactly those present in templates/express-route-template.ts):
${ROUTE_PATH} - API endpoint path${HTTP_METHOD} - HTTP method (uppercase)${HTTP_METHOD_LOWER} - HTTP method (lowercase, for the router call)${RESOURCE_NAME} - Resource name (PascalCase)${RESOURCE_NAME_LOWER} - Resource name (lowercase)${MIDDLEWARE_BLOCK} - Auth + validation middleware chain (built by endpoint_generator.py from the --auth/--validation flags)
nextjs-route-template.ts (collection)
Next.js App Router Route Handler for a collection endpoint — no dynamic segment.
When to use: package.json has "next" in deps and the path has no [id]. Output path: app/api/<resource>/route.ts. Exports GET (list) + POST (create).
nextjs-route-dynamic-template.ts (single resource)
Next.js App Router Route Handler for a single resource endpoint with a dynamic segment.
When to use: path includes [id] (or similar). Output path: app/api/<resource>/[id]/route.ts. Exports GET (read), PATCH (update), DELETE.
Picking between them:
POST /api/favourites → collection templateGET /api/favourites/[id] → dynamic template- If unsure, ask the user whether the endpoint operates on a list or a single resource
Both templates encode Next.js 15+/16 conventions:
- Named async exports per HTTP method
params is a Promise<…> — await it (Next.js 15+ change), only on dynamic- Non-dynamic routes do not declare a context parameter (TypeScript infers
Promise<{}> from the file path)
- Returns
NextResponse.json(...) with explicit status codes
- Zod schema for body validation
- See
.agent/philosophy/NEXTJS-PATTERNS.md §E, §H
Prefer Server Actions over Route Handlers for mutations from your own UI (forms, buttons). Use Route Handlers for webhooks, third-party callers, and public REST endpoints. See NEXTJS-PATTERNS.md §F.
Fastify, GraphQL, and Zod-schema generation are produced inline by the
model / validation_generator.py (Zod is built via its ZOD_TYPE_MAP, no
template file). Only the Express + Next.js route templates and the test
template below ship on disk.
endpoint-test-template.spec.ts
Integration test template with supertest (reference shape — written inline in Step 5).
Placeholders:
${ENDPOINT_PATH} - Endpoint to test${HTTP_METHOD} - HTTP method${TEST_CASES} - Generated test cases
Examples
See examples/ directory for reference implementations:
- users-get.ts - GET endpoint with auth
- users-post.ts - POST endpoint with validation
Each example includes:
- Route/resolver implementation
- Validation schema
- Error handling
- Test file
- Usage documentation
Best Practices
REST API Design
- Use plural nouns for resources (
/users, not /user)
- Use HTTP methods correctly (GET=read, POST=create, PUT/PATCH=update, DELETE=remove)
- Nest resources properly (
/users/:userId/posts/:postId)
- Return proper status codes (200, 201, 400, 401, 404, 500)
Request Validation
- Validate all inputs (body, params, query)
- Fail fast (validate before business logic)
- Clear error messages (tell user what's wrong)
- Sanitize inputs (prevent injection attacks)
Error Handling
- Centralized error handler (DRY principle)
- Consistent error format (always same structure)
- Don't expose internals (sanitize stack traces in production)
- Log errors (for debugging)
Security
- Authentication (verify identity)
- Authorization (check permissions)
- Rate limiting (prevent abuse)
- Input sanitization (prevent XSS, SQL injection)
Testing
- Test happy path (success cases)
- Test error cases (validation, auth, not found)
- Test edge cases (empty data, large data)
- Mock external dependencies (database, APIs)
Troubleshooting
Route Not Found (404)
Problem: Endpoint returns 404 even though route is defined
Solutions:
- Check route registration order (specific before generic)
- Verify path matches exactly (case-sensitive)
- Check middleware isn't blocking request
- Validate HTTP method matches
Validation Always Fails
Problem: Valid requests fail validation
Solutions:
- Check field names match exactly
- Verify data types are correct
- Check required vs optional fields
- Inspect validation error message
Tests Failing
Problem: Integration tests don't pass
Solutions:
- Ensure test database is seeded
- Check test fixtures are correct
- Verify mocks are set up properly
- Run tests with
--verbose flag
Success Criteria
This skill succeeds when:
Auto-invoke this skill when creating API endpoints to ensure consistency and security 🔒
