AgentSkillsCN

api-patterns

API 模式方面的专家工具集

SKILL.md
--- frontmatter
name: api-patterns
description: Expert toolkit for api-patterns

API Patterns

API design principles and decision-making for 2025. Learn to THINK, not copy fixed patterns.

🎯 Selective Reading Rule

Read ONLY files relevant to the request! Check the content map, find what you need.


📑 Content Map

FileDescriptionWhen to Read
api-style.mdREST vs GraphQL vs tRPC decision treeChoosing API type
rest.mdResource naming, HTTP methods, status codesDesigning REST API
response.mdEnvelope pattern, error format, paginationResponse structure
graphql.mdSchema design, when to use, securityConsidering GraphQL
trpc.mdTypeScript monorepo, type safetyTS fullstack projects
versioning.mdURI/Header/Query versioningAPI evolution planning
auth.mdJWT, OAuth, Passkey, API KeysAuth pattern selection
rate-limiting.mdToken bucket, sliding windowAPI protection
documentation.mdOpenAPI/Swagger best practicesDocumentation
security-testing.mdOWASP API Top 10, auth/authz testingSecurity audits

🔗 Related Skills

NeedSkill
API implementation@[skills/backend-development]
Data structure@[skills/database-design]
Security details@[skills/security-hardening]

✅ Decision Checklist

Before designing an API:

  • Asked user about API consumers?
  • Chosen API style for THIS context? (REST/GraphQL/tRPC)
  • Defined consistent response format?
  • Planned versioning strategy?
  • Considered authentication needs?
  • Planned rate limiting?
  • Documentation approach defined?

❌ Anti-Patterns

DON'T:

  • Default to REST for everything
  • Use verbs in REST endpoints (/getUsers)
  • Return inconsistent response formats
  • Expose internal errors to clients
  • Skip rate limiting

DO:

  • Choose API style based on context
  • Ask about client requirements
  • Document thoroughly
  • Use appropriate status codes

Script

ScriptPurposeCommand
scripts/api_validator.pyAPI endpoint validationpython scripts/api_validator.py <project_path>

API Style Selection (2025)

REST vs GraphQL vs tRPC - Hangi durumda hangisi?

Decision Tree

code
Who are the API consumers?
│
├── Public API / Multiple platforms
│   └── REST + OpenAPI (widest compatibility)
│
├── Complex data needs / Multiple frontends
│   └── GraphQL (flexible queries)
│
├── TypeScript frontend + backend (monorepo)
│   └── tRPC (end-to-end type safety)
│
├── Real-time / Event-driven
│   └── WebSocket + AsyncAPI
│
└── Internal microservices
    └── gRPC (performance) or REST (simplicity)

Comparison

FactorRESTGraphQLtRPC
Best forPublic APIsComplex appsTS monorepos
Learning curveLowMediumLow (if TS)
Over/under fetchingCommonSolvedSolved
Type safetyManual (OpenAPI)Schema-basedAutomatic
CachingHTTP nativeComplexClient-based

Selection Questions

  1. Who are the API consumers?
  2. Is the frontend TypeScript?
  3. How complex are the data relationships?
  4. Is caching critical?
  5. Public or internal API?

Authentication Patterns

Choose auth pattern based on use case.

Selection Guide

PatternBest For
JWTStateless, microservices
SessionTraditional web, simple
OAuth 2.0Third-party integration
API KeysServer-to-server, public APIs
PasskeyModern passwordless (2025+)

JWT Principles

code
Important:
├── Always verify signature
├── Check expiration
├── Include minimal claims
├── Use short expiry + refresh tokens
└── Never store sensitive data in JWT

API Documentation Principles

Good docs = happy developers = API adoption.

OpenAPI/Swagger Essentials

code
Include:
├── All endpoints with examples
├── Request/response schemas
├── Authentication requirements
├── Error response formats
└── Rate limiting info

Good Documentation Has

code
Essentials:
├── Quick start / Getting started
├── Authentication guide
├── Complete API reference
├── Error handling guide
├── Code examples (multiple languages)
└── Changelog

GraphQL Principles

Flexible queries for complex, interconnected data.

When to Use

code
✅ Good fit:
├── Complex, interconnected data
├── Multiple frontend platforms
├── Clients need flexible queries
├── Evolving data requirements
└── Reducing over-fetching matters

❌ Poor fit:
├── Simple CRUD operations
├── File upload heavy
├── HTTP caching important
└── Team unfamiliar with GraphQL

Schema Design Principles

code
Principles:
├── Think in graphs, not endpoints
├── Design for evolvability (no versions)
├── Use connections for pagination
├── Be specific with types (not generic "data")
└── Handle nullability thoughtfully

Security Considerations

code
Protect against:
├── Query depth attacks → Set max depth
├── Query complexity → Calculate cost
├── Batching abuse → Limit batch size
├── Introspection → Disable in production

Rate Limiting Principles

Protect your API from abuse and overload.

Why Rate Limit

code
Protect against:
├── Brute force attacks
├── Resource exhaustion
├── Cost overruns (if pay-per-use)
└── Unfair usage

Strategy Selection

TypeHowWhen
Token bucketBurst allowed, refills over timeMost APIs
Sliding windowSmooth distributionStrict limits
Fixed windowSimple counters per windowBasic needs

Response Headers

code
Include in headers:
├── X-RateLimit-Limit (max requests)
├── X-RateLimit-Remaining (requests left)
├── X-RateLimit-Reset (when limit resets)
└── Return 429 when exceeded

Response Format Principles

Consistency is key - choose a format and stick to it.

Common Patterns

code
Choose one:
├── Envelope pattern ({ success, data, error })
├── Direct data (just return the resource)
└── HAL/JSON:API (hypermedia)

Error Response

code
Include:
├── Error code (for programmatic handling)
├── User message (for display)
├── Details (for debugging, field-level errors)
├── Request ID (for support)
└── NOT internal details (security!)

Pagination Types

TypeBest ForTrade-offs
OffsetSimple, jumpablePerformance on large datasets
CursorLarge datasetsCan't jump to page
KeysetPerformance criticalRequires sortable key

Selection Questions

  1. How large is the dataset?
  2. Do users need to jump to specific pages?
  3. Is data frequently changing?

REST Principles

Resource-based API design - nouns not verbs.

Resource Naming Rules

code
Principles:
├── Use NOUNS, not verbs (resources, not actions)
├── Use PLURAL forms (/users not /user)
├── Use lowercase with hyphens (/user-profiles)
├── Nest for relationships (/users/123/posts)
└── Keep shallow (max 3 levels deep)

HTTP Method Selection

MethodPurposeIdempotent?Body?
GETRead resource(s)YesNo
POSTCreate new resourceNoYes
PUTReplace entire resourceYesYes
PATCHPartial updateNoYes
DELETERemove resourceYesNo

Status Code Selection

SituationCodeWhy
Success (read)200Standard success
Created201New resource created
No content204Success, nothing to return
Bad request400Malformed request
Unauthorized401Missing/invalid auth
Forbidden403Valid auth, no permission
Not found404Resource doesn't exist
Conflict409State conflict (duplicate)
Validation error422Valid syntax, invalid data
Rate limited429Too many requests
Server error500Our fault

API Security Testing

Principles for testing API security. OWASP API Top 10, authentication, authorization testing.


OWASP API Security Top 10

VulnerabilityTest Focus
API1: BOLAAccess other users' resources
API2: Broken AuthJWT, session, credentials
API3: Property AuthMass assignment, data exposure
API4: Resource ConsumptionRate limiting, DoS
API5: Function AuthAdmin endpoints, role bypass
API6: Business FlowLogic abuse, automation
API7: SSRFInternal network access
API8: MisconfigurationDebug endpoints, CORS
API9: InventoryShadow APIs, old versions
API10: Unsafe ConsumptionThird-party API trust

Authentication Testing

JWT Testing

CheckWhat to Test
AlgorithmNone, algorithm confusion
SecretWeak secrets, brute force
ClaimsExpiration, issuer, audience
SignatureManipulation, key injection

Session Testing

CheckWhat to Test
GenerationPredictability
StorageClient-side security
ExpirationTimeout enforcement
InvalidationLogout effectiveness

Authorization Testing

Test TypeApproach
HorizontalAccess peer users' data
VerticalAccess higher privilege functions
ContextAccess outside allowed scope

BOLA/IDOR Testing

  1. Identify resource IDs in requests
  2. Capture request with user A's session
  3. Replay with user B's session
  4. Check for unauthorized access

Input Validation Testing

Injection TypeTest Focus
SQLQuery manipulation
NoSQLDocument queries
CommandSystem commands
LDAPDirectory queries

Approach: Test all parameters, try type coercion, test boundaries, check error messages.


Rate Limiting Testing

AspectCheck
ExistenceIs there any limit?
BypassHeaders, IP rotation
ScopePer-user, per-IP, global

Bypass techniques: X-Forwarded-For, different HTTP methods, case variations, API versioning.


GraphQL Security

TestFocus
IntrospectionSchema disclosure
BatchingQuery DoS
NestingDepth-based DoS
AuthorizationField-level access

Security Testing Checklist

Authentication:

  • Test for bypass
  • Check credential strength
  • Verify token security

Authorization:

  • Test BOLA/IDOR
  • Check privilege escalation
  • Verify function access

Input:

  • Test all parameters
  • Check for injection

Config:

  • Check CORS
  • Verify headers
  • Test error handling

Remember: APIs are the backbone of modern apps. Test them like attackers will.


tRPC Principles

End-to-end type safety for TypeScript monorepos.

When to Use

code
✅ Perfect fit:
├── TypeScript on both ends
├── Monorepo structure
├── Internal tools
├── Rapid development
└── Type safety critical

❌ Poor fit:
├── Non-TypeScript clients
├── Public API
├── Need REST conventions
└── Multiple language backends

Key Benefits

code
Why tRPC:
├── Zero schema maintenance
├── End-to-end type inference
├── IDE autocomplete across stack
├── Instant API changes reflected
└── No code generation step

Integration Patterns

code
Common setups:
├── Next.js + tRPC (most common)
├── Monorepo with shared types
├── Remix + tRPC
└── Any TS frontend + backend

Versioning Strategies

Plan for API evolution from day one.

Decision Factors

StrategyImplementationTrade-offs
URI/v1/usersClear, easy caching
HeaderAccept-Version: 1Cleaner URLs, harder discovery
Query?version=1Easy to add, messy
NoneEvolve carefullyBest for internal, risky for public

Versioning Philosophy

code
Consider:
├── Public API? → Version in URI
├── Internal only? → May not need versioning
├── GraphQL? → Typically no versions (evolve schema)
├── tRPC? → Types enforce compatibility

Built with ❤️ from Antigravity Kit & UXUI ProMax MIT © Vudovn