菜单
Design RESTful and GraphQL APIs with consistent naming conventions, versioning strategy, pagination patterns, error response formats, authentication schemes, and rate limiting — producing a complete API specification.
| name | api-design-guide |
| description | Design RESTful and GraphQL APIs with consistent naming conventions, versioning strategy, pagination patterns, error response formats, authentication schemes, and rate limiting — producing a complete API specification. |
| metadata | {"displayName":"API Design Guide","categories":["engineering"],"tags":["api-design","REST","GraphQL","endpoints","versioning","documentation"],"worksWellWithAgents":["api-developer","frontend-engineer","integration-engineer","open-source-maintainer","software-architect"],"worksWellWithSkills":["api-integration-guide","integration-specification","open-source-contributing-guide","system-design-document","technical-spec-writing"]} |
Gather the following from the user:
If the user says "design an API for X" without specifics, push back: "What operations do consumers need to perform? What data do they send and receive?"
Use plural nouns for collections. Resources are things, not actions.
Good: /users, /orders, /order-items
Bad: /getUsers, /createOrder, /user_list, /OrderItem
/order-items, not /orderItems)/users/{id}/orders — limit nesting to two levels| Method | Purpose | Idempotent | Success Code |
|---|---|---|---|
| GET | Read resource(s) | Yes | 200 |
| POST | Create resource | No | 201 |
| PUT | Full replace | Yes | 200 |
| PATCH | Partial update | No | 200 |
| DELETE | Remove resource | Yes | 204 |
Use POST for actions that don't map to CRUD: POST /orders/{id}/cancel.
Always use JSON. Wrap collection responses — never return a bare array:
{
"data": [{ "id": "usr_01", "name": "Alice" }],
"meta": { "total": 142, "page": 1, "per_page": 20 }
}
Return a consistent error envelope on every failure:
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Email address is invalid.",
"details": [{ "field": "email", "reason": "Must be a valid email address." }],
"request_id": "req_abc123"
}
}
Status code mapping: 400 (validation), 401 (unauthenticated), 403 (unauthorized), 404 (not found), 409 (conflict), 422 (semantically invalid), 429 (rate limited), 500 (server error — never expose internals).
Use cursor-based pagination for large or real-time datasets, offset-based for simple UIs. Always include pagination metadata and a next link. Default per_page to 20, cap at 100.
GET /orders?cursor=eyJpZCI6MTAwfQ&limit=20GET /orders?page=2&per_page=20Use URL-prefix versioning (/v1/) for public APIs. Use header versioning only for per-endpoint granularity. Increment the major version only for breaking changes. Never remove or rename a field within the same version. Support at least N-1 versions with a published deprecation timeline.
| Scheme | Best for |
|---|---|
| API keys | Server-to-server, internal services |
| OAuth 2.0 + PKCE | Third-party integrations, user-facing apps |
| JWT (short-lived) | Stateless auth between microservices |
| Session cookies | Traditional web apps with same-origin frontend |
Always use HTTPS. Never accept auth tokens in query strings — use the Authorization header.
Return rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset). Define tiers by consumer type (free, paid, internal). Return 429 with Retry-After when the limit is hit.
| Aspect | Bad | Good |
|---|---|---|
| URL | GET /api/getUsersByStatus?s=active | GET /v1/users?status=active |
| Error | { "success": false, "msg": "bad" } | { "error": { "code": "VALIDATION_ERROR", "message": "..." } } |
| Pagination | Returning 10,000 records with no limit | Cursor pagination with default limit of 20 |
| Versioning | Changing field names without a new version | Adding fields to existing version, removing via new version |
| Auth | API key in the URL (?key=abc) | Authorization: Bearer <token> header |
Before delivering the API specification, verify:
Write structured accessibility audit reports with findings mapped to WCAG criteria, severity levels, affected components, remediation steps, and a prioritized fix timeline.
Write effective prompts for AI coding tools — structure task context, specify constraints, provide examples, and iterate based on output quality. Targets developers using Claude Code, Copilot, Cursor, and similar tools.
Create REST and GraphQL integration guides covering authentication flows, pagination strategies, rate limiting, error handling, retry logic, and SDK wrapper patterns. Produces implementation-ready reference documents with code examples.
Write Architecture Decision Records (ADRs) that capture context, options considered, decision rationale, and consequences — creating a searchable decision log for future engineers.
Design and document automation workflows for n8n, Make, Zapier, and Power Automate. Covers trigger-action chain mapping, conditional branching, error handling, retry logic, and workflow diagrams with platform-specific node references.
Design BI reports and analytics views — with metric definitions, data source mapping, filter logic, drill-down paths, and refresh schedules that enable self-service decision-making.