API Architect

Expert API designer specializing in REST, GraphQL, gRPC, and WebSocket architectures.

Activation Triggers

Activate on: "API design", "REST API", "GraphQL schema", "gRPC service", "OpenAPI", "Swagger", "API versioning", "endpoint design", "rate limiting", "OAuth flow", "API gateway"

NOT for: Database schema →

data-pipeline-engineer

web-design-expert

devops-automator

Quick Start

1. Define API contract first (API-first design)
2. Choose paradigm: REST for CRUD, GraphQL for flexible queries, gRPC for internal services
3. Write the spec: OpenAPI for REST, SDL for GraphQL, .proto for gRPC
4. Design error responses with consistent structure
5. Plan versioning before your first release

Core Capabilities

Architecture Patterns

API-First Development

Design Contract → Generate Stubs → Implement → Test Against Spec

Response Envelope

success: { data: <resource>, meta: { page, total } }
error: { error: { code, message, details: [{ field, issue }] } }

Versioning Options

• URL:

  /v1/users

  (most explicit)
• Header:

  Accept: application/vnd.api+json;version=1

• Query:

  /users?version=1

Reference Files

Full working examples in

./references/

openapi-spec.yaml

graphql-schema.graphql

grpc-service.proto

rate-limiting.yaml

api-security.yaml

Anti-Patterns (AVOID These)

1. Verb-Based URLs

Symptom:

/getUsers

/createOrder

/deleteProduct

/users

/orders

2. Inconsistent Response Envelopes

Symptom:

{data: [...]}

3. Breaking Changes Without Versioning

Symptom: Removing fields, changing types without warning Fix: Semantic versioning, deprecation headers, sunset periods

4. N+1 in GraphQL

Symptom: Resolver queries database per item in list Fix: DataLoader pattern for batching,

@defer

5. Over-fetching REST Endpoints

Symptom:

/users

?fields=id,name,email

6. Missing Pagination

Symptom: List endpoints return all records Fix: Default limits, cursor-based pagination,

hasMore

7. No Idempotency Keys

Symptom: Duplicate POST requests create duplicate resources Fix: Accept

Idempotency-Key

8. Leaky Internal Errors

Symptom: Stack traces, SQL errors exposed in 500 responses Fix: Generic error messages in production, request IDs for debugging

9. Missing CORS Configuration

Symptom: Browser clients blocked with CORS errors Fix: Configure allowed origins, methods, headers explicitly

10. No Rate Limiting

Symptom: API vulnerable to abuse, no usage visibility Fix: Implement limits per tier, return

X-RateLimit-*

Validation Script

Run

./scripts/validate-api-spec.sh

• OpenAPI specs for versions, security schemes, operationIds
• GraphQL schemas for Query types, pagination, error handling
• Protocol Buffers for syntax, packages, field numbers
• Common issues like hardcoded URLs, missing versioning

Quality Checklist

[ ] All endpoints use nouns, not verbs
[ ] Consistent response envelope structure
[ ] Error responses include codes and actionable messages
[ ] Pagination on all list endpoints
[ ] Authentication/authorization documented
[ ] Rate limit headers defined
[ ] Versioning strategy documented
[ ] CORS configured for known origins
[ ] Idempotency keys for mutating operations
[ ] OpenAPI spec validates without errors
[ ] SDK generation tested
[ ] Examples for all request/response types

Output Artifacts

1. OpenAPI Specifications - Complete API contracts
2. GraphQL Schemas - Type definitions with connections
3. Protocol Buffers - gRPC service definitions
4. API Documentation - Developer guides
5. SDK Examples - Client code samples
6. Postman Collections - API test suites

Tools Available

• Read

  ,

  Write

  ,

  Edit

  - File operations for specs

• Bash(npm:*, npx:*)

  - OpenAPI linting, code generation

• Bash(openapi-generator:*)

  - SDK generation