AgentSkillsCN

api-design

设计健壮的 REST API,确保版本控制、分页、错误处理、速率限制与文档编写到位。在创建新的 API 端点、设计资源命名规范、实现分页或筛选功能、添加速率限制,或使用 OpenAPI/Swagger 编写 API 文档时,可使用此技能。

SKILL.md
--- frontmatter
name: "api-design"
description: 'Design robust REST APIs with proper versioning, pagination, error handling, rate limiting, and documentation. Use when creating new API endpoints, designing resource naming conventions, implementing pagination or filtering, adding rate limiting, or documenting APIs with OpenAPI/Swagger.'
metadata:
  author: "AgentX"
  version: "1.0.0"
  created: "2025-01-15"
  updated: "2025-01-15"

API Design

Purpose: Design robust, maintainable, and user-friendly REST APIs.
Focus: Resource naming, HTTP methods, status codes, versioning, documentation.
Note: Language-agnostic patterns applicable to any tech stack.


When to Use This Skill

  • Designing new REST API endpoints
  • Implementing pagination, filtering, or sorting
  • Adding rate limiting or CORS configuration
  • Documenting APIs with OpenAPI/Swagger
  • Designing webhook notification systems

Prerequisites

  • HTTP protocol fundamentals
  • JSON data format understanding

Decision Tree

code
Designing an API endpoint?
├─ What operation?
│   ├─ Read data → GET (idempotent, cacheable)
│   ├─ Create resource → POST (returns 201 + Location header)
│   ├─ Full update → PUT (idempotent, replaces entire resource)
│   ├─ Partial update → PATCH (only changed fields)
│   └─ Remove → DELETE (idempotent, returns 204)
├─ Returns collection?
│   └─ Add pagination (cursor or offset) + filtering + sorting
├─ Versioning needed?
│   ├─ URL path versioning → /api/v1/resources (recommended)
│   └─ Header versioning → Accept: application/vnd.api.v1+json
├─ Error handling?
│   └─ RFC 7807 Problem Details with proper HTTP status codes
└─ Security?
    ├─ Public? → Rate limiting + API key
    └─ Private? → OAuth2/JWT + scopes

RESTful Conventions

Resource Naming

code
✅ Good:
GET    /api/v1/users              # List users
POST   /api/v1/users              # Create user
GET    /api/v1/users/{id}         # Get specific user
PUT    /api/v1/users/{id}         # Update user (full)
PATCH  /api/v1/users/{id}         # Update user (partial)
DELETE /api/v1/users/{id}         # Delete user

GET    /api/v1/users/{id}/orders  # Get user's orders (nested)
POST   /api/v1/users/{id}/orders  # Create order for user

❌ Bad:
GET    /api/v1/get_users
POST   /api/v1/create_user
GET    /api/v1/user_detail?id=123
POST   /api/v1/users/delete/{id}  # Use DELETE method instead

Resource Naming Rules

  • Use nouns, not verbs (users, not getUsers)
  • Use plural form (users, not user)
  • Use kebab-case for multi-word resources (order-items)
  • Keep URLs lowercase
  • Use nesting for relationships (users/{id}/orders)
  • Limit nesting to 2 levels maximum

HTTP Methods

Standard Methods

MethodPurposeIdempotentSafe
GETRetrieve resource(s)YesYes
POSTCreate new resourceNoNo
PUTReplace entire resourceYesNo
PATCHPartial updateNoNo
DELETERemove resourceYesNo
HEADGet metadata onlyYesYes
OPTIONSGet allowed methodsYesYes

Idempotent: Multiple identical requests have same effect as single request
Safe: Read-only, doesn't modify server state

Method Usage Examples

code
# GET - Retrieve
GET /api/v1/users/123
Response: 200 OK
{
  "id": 123,
  "email": "user@example.com",
  "name": "John Doe"
}

# POST - Create
POST /api/v1/users
Body: {"email": "new@example.com", "name": "New User"}
Response: 201 Created
Location: /api/v1/users/124

# PUT - Full replacement
PUT /api/v1/users/123
Body: {"email": "updated@example.com", "name": "Updated Name"}
Response: 200 OK

# PATCH - Partial update
PATCH /api/v1/users/123
Body: {"name": "New Name"}  # Only updates name
Response: 200 OK

# DELETE - Remove
DELETE /api/v1/users/123
Response: 204 No Content

HTTP Status Codes

Success Codes (2xx)

code
200 OK                  # Successful GET, PUT, PATCH
201 Created             # Successful POST (resource created)
202 Accepted            # Request accepted, processing async
204 No Content          # Successful DELETE (no response body)

Client Error Codes (4xx)

code
400 Bad Request         # Invalid request syntax, validation error
401 Unauthorized        # Authentication required or failed
403 Forbidden           # Authenticated but insufficient permissions
404 Not Found           # Resource doesn't exist
405 Method Not Allowed  # HTTP method not supported
409 Conflict            # Resource conflict (e.g., duplicate email)
422 Unprocessable       # Validation error (semantic issue)
429 Too Many Requests   # Rate limit exceeded

Server Error Codes (5xx)

code
500 Internal Server Error  # Unhandled server error
502 Bad Gateway           # Invalid response from upstream server
503 Service Unavailable   # Server temporarily unavailable
504 Gateway Timeout       # Upstream server timeout

API Best Practices

Security

  • ✅ Use HTTPS everywhere
  • ✅ Implement authentication
  • ✅ Validate all inputs
  • ✅ Rate limit requests
  • ✅ Use API keys for server-to-server
  • ✅ Implement CORS properly
  • ✅ Log security events

Performance

  • ✅ Implement caching (ETags, Cache-Control)
  • ✅ Use compression (gzip, brotli)
  • ✅ Paginate large collections
  • ✅ Support field filtering
  • ✅ Use CDN for static content
  • ✅ Monitor API performance

Developer Experience

  • ✅ Provide clear error messages
  • ✅ Use consistent naming
  • ✅ Version your API
  • ✅ Maintain comprehensive docs
  • ✅ Provide SDK/client libraries
  • ✅ Include examples
  • ✅ Offer sandbox environment

Common API Pitfalls

PitfallProblemSolution
OverfetchingReturning too much dataSupport field selection
UnderfetchingRequiring multiple requestsSupport eager loading
No versioningBreaking changes affect clientsVersion from day one
Inconsistent namingHard to useFollow naming conventions
No paginationPerformance issuesAlways paginate collections
Poor error messagesHard to debugReturn detailed errors
No rate limitingAPI abuseImplement rate limits

Resources

API Standards:

Tools:

  • Documentation: Swagger/OpenAPI, Postman, Insomnia
  • Testing: Postman, REST Client, curl
  • Mocking: Prism, MockServer, WireMock

See Also: Skills.mdAGENTS.md

Last Updated: January 27, 2026

Scripts

ScriptPurposeUsage
scaffold-openapi.pyGenerate OpenAPI 3.1 spec from endpoint definitionspython scripts/scaffold-openapi.py --name "My API" --endpoints "GET /users, POST /users"

Troubleshooting

IssueSolution
CORS errors in browserConfigure Access-Control-Allow-Origin header with specific origins, not wildcards
Pagination inconsistencyUse cursor-based pagination for mutable datasets, offset for static
Rate limit bypass attemptsImplement per-user rate limiting with token bucket algorithm

References