install
source · Clone the upstream repo
git clone https://github.com/MacPhobos/research-mind
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/MacPhobos/research-mind "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.claude/skills/universal-web-api-design-patterns" ~/.claude/skills/macphobos-research-mind-universal-web-api-design-patterns && rm -rf "$T"
manifest:
.claude/skills/universal-web-api-design-patterns/skill.mdsource content
API Design Patterns
Design robust, scalable APIs using proven patterns for REST, GraphQL, and gRPC with proper versioning, authentication, and error handling.
Quick Reference
API Style Selection:
- REST: Resource-based CRUD, simple clients, HTTP-native caching
- GraphQL: Client-driven queries, complex data graphs, real-time subscriptions
- gRPC: High-performance RPC, microservices, strong typing, streaming
Critical Patterns:
- Versioning: URI (
), header (/v1/users
), content negotiationAccept: application/vnd.api+json;version=1 - Pagination: Offset (simple), cursor (stable), keyset (performant)
- Auth: OAuth2 (delegated), JWT (stateless), API keys (service-to-service)
- Rate limiting: Token bucket, fixed window, sliding window
- Idempotency: Idempotency keys, conditional requests, safe retry
See references/ for deep dives:
rest-patterns.mdgraphql-patterns.mdgrpc-patterns.mdversioning-strategies.mdauthentication.mdCore Principles
Universal API Design Standards
Apply these principles across all API styles:
1. Consistency Over Cleverness
- Follow established conventions for your API style
- Use predictable naming patterns (snake_case or camelCase, pick one)
- Maintain consistent error response formats
- Version breaking changes, never surprise clients
2. Design for Evolution
- Plan for versioning from day one
- Use optional fields with sensible defaults
- Deprecate gracefully with sunset dates
- Document breaking vs non-breaking changes
3. Security by Default
- Require authentication unless explicitly public
- Use HTTPS/TLS for all production endpoints
- Implement rate limiting and throttling
- Validate and sanitize all inputs
- Return minimal error details to clients
4. Developer Experience First
- Provide comprehensive documentation (OpenAPI, GraphQL schema)
- Return meaningful error messages with actionable guidance
- Use standard HTTP status codes correctly
- Include request IDs for debugging
- Offer SDKs and code generators
API Style Decision Tree
When to Choose REST
✅ Use REST when:
- Building CRUD-focused resource APIs
- Clients need HTTP caching (ETags, Cache-Control)
- Wide platform compatibility required (browsers, mobile, IoT)
- Simple, stateless client-server model fits
- Team familiar with HTTP/REST conventions
❌ Avoid REST when:
- Complex data fetching with nested relationships (N+1 queries)
- Real-time updates are primary use case
- Need strong typing and code generation
- High-performance RPC between microservices
Example Use Cases: Public APIs, mobile backends, traditional web services
When to Choose GraphQL
✅ Use GraphQL when:
- Clients need flexible, client-driven queries
- Complex data graphs with nested relationships
- Multiple client types with different data needs
- Real-time subscriptions required
- Strong typing and schema validation needed
❌ Avoid GraphQL when:
- Simple CRUD operations dominate
- HTTP caching is critical (GraphQL uses POST)
- File uploads are primary feature (requires extensions)
- Team lacks GraphQL expertise
- Performance optimization is complex (N+1 problem)
Example Use Cases: Client-facing APIs, dashboards, mobile apps with varied UIs
When to Choose gRPC
✅ Use gRPC when:
- Microservice-to-microservice communication
- High performance and low latency critical
- Bidirectional streaming needed
- Strong typing with Protocol Buffers
- Polyglot environments (language interop)
❌ Avoid gRPC when:
- Browser clients (limited support, needs grpc-web)
- HTTP/JSON required for compatibility
- Human-readable payloads preferred
- Simple request/response patterns
Example Use Cases: Internal microservices, streaming data, service mesh
REST API Patterns
Resource Naming
✅ Good: Plural nouns, hierarchical
GET /users # List users GET /users/123 # Get user POST /users # Create user PUT /users/123 # Update user (full) PATCH /users/123 # Update user (partial) DELETE /users/123 # Delete user GET /users/123/orders # User's orders (sub-resource)
❌ Bad: Verbs, mixed conventions
GET /getUsers # Don't use verbs POST /user/create # Don't use verbs GET /Users/123 # Don't capitalize GET /user/123 # Don't mix singular/plural
HTTP Status Codes
Success Codes:
: Successful GET, PUT, PATCH, DELETE with body200 OK
: Successful POST, return Location header201 Created
: Async operation started202 Accepted
: Successful DELETE, no body204 No Content
Client Error Codes:
: Invalid input, validation error400 Bad Request
: Missing or invalid authentication401 Unauthorized
: Authenticated but insufficient permissions403 Forbidden
: Resource doesn't exist404 Not Found
: State conflict (duplicate, version mismatch)409 Conflict
: Semantic validation error422 Unprocessable Entity
: Rate limit exceeded429 Too Many Requests
Server Error Codes:
: Unexpected error500 Internal Server Error
: Upstream service error502 Bad Gateway
: Temporary outage503 Service Unavailable
: Upstream timeout504 Gateway Timeout
Error Response Format
✅ Consistent error structure
{ "error": { "code": "VALIDATION_ERROR", "message": "Invalid request parameters", "details": [ { "field": "email", "message": "Invalid email format", "code": "INVALID_FORMAT" } ], "request_id": "req_abc123", "documentation_url": "https://api.example.com/docs/errors/validation" } }
Pagination Patterns
Offset Pagination (simple, familiar):
GET /users?limit=20&offset=40
✅ Use for: Small datasets, admin interfaces ❌ Avoid for: Large datasets (skips become expensive), real-time data
Cursor Pagination (stable, efficient):
GET /users?limit=20&cursor=eyJpZCI6MTIzfQ Response: { "data": [...], "next_cursor": "eyJpZCI6MTQzfQ" }
✅ Use for: Infinite scroll, real-time feeds, large datasets ❌ Avoid for: Random access, page numbers
Keyset Pagination (performant):
GET /users?limit=20&after_id=123
✅ Use for: Ordered data, database index friendly ❌ Avoid for: Complex sorting, multiple sort keys
See
references/rest-patterns.mdGraphQL Patterns
Schema Design
✅ Good: Clear types, nullable by default
type User { id: ID! # Non-null ID email: String! # Required field name: String # Optional (nullable by default) createdAt: DateTime! orders: [Order!]! # Non-null array of non-null orders } type Query { user(id: ID!): User users(first: Int, after: String): UserConnection! } type Mutation { createUser(input: CreateUserInput!): CreateUserPayload! } input CreateUserInput { email: String! name: String } type CreateUserPayload { user: User userEdge: UserEdge errors: [UserError!] }
Resolver Patterns
Avoid N+1 Queries with DataLoader:
import DataLoader from 'dataloader'; const userLoader = new DataLoader(async (userIds: string[]) => { const users = await db.users.findMany({ where: { id: { in: userIds } } }); return userIds.map(id => users.find(u => u.id === id)); }); // Resolver batches queries automatically const resolvers = { Order: { user: (order) => userLoader.load(order.userId) } };
Query Complexity Analysis
Prevent expensive queries:
import { createComplexityLimitRule } from 'graphql-validation-complexity'; const server = new ApolloServer({ schema, validationRules: [ createComplexityLimitRule(1000, { onCost: (cost) => console.log('Query cost:', cost), }), ], });
See
references/graphql-patterns.mdgRPC Patterns
Service Definition
syntax = "proto3"; package users.v1; service UserService { rpc GetUser (GetUserRequest) returns (User) {} rpc ListUsers (ListUsersRequest) returns (ListUsersResponse) {} rpc CreateUser (CreateUserRequest) returns (User) {} rpc StreamUsers (StreamUsersRequest) returns (stream User) {} rpc BidiChat (stream ChatMessage) returns (stream ChatMessage) {} } message User { string id = 1; string email = 2; string name = 3; google.protobuf.Timestamp created_at = 4; } message GetUserRequest { string id = 1; } message ListUsersRequest { int32 page_size = 1; string page_token = 2; } message ListUsersResponse { repeated User users = 1; string next_page_token = 2; }
Error Handling
import ( "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) func (s *server) GetUser(ctx context.Context, req *pb.GetUserRequest) (*pb.User, error) { if req.Id == "" { return nil, status.Error(codes.InvalidArgument, "user ID is required") } user, err := s.db.GetUser(ctx, req.Id) if err != nil { if errors.Is(err, sql.ErrNoRows) { return nil, status.Error(codes.NotFound, "user not found") } return nil, status.Error(codes.Internal, "database error") } return user, nil }
See
references/grpc-patterns.mdVersioning Strategies
URI Versioning (Simple, Explicit)
✅ Most common, easy to understand
GET /v1/users/123 GET /v2/users/123
Pros: Clear, easy to route, browser-friendly Cons: Couples version to URL, duplicates routes
Header Versioning (Clean URLs)
GET /users/123 Accept: application/vnd.myapi.v2+json
Pros: Clean URLs, version separate from resource Cons: Less visible, harder to test manually
Content Negotiation (Granular)
GET /users/123 Accept: application/vnd.myapi.user.v2+json
Pros: Resource-level versioning, backward compatible Cons: Complex, harder to implement
Version Deprecation Process
{ "version": "1.0", "deprecated": true, "sunset_date": "2025-12-31", "migration_guide": "https://docs.api.com/v1-to-v2", "replacement_version": "2.0" }
Include deprecation warnings:
HTTP/1.1 200 OK Deprecation: true Sunset: Sat, 31 Dec 2025 23:59:59 GMT Link: <https://docs.api.com/v1-to-v2>; rel="deprecation"
See
references/versioning-strategies.mdAuthentication & Authorization
OAuth 2.0 (Delegated Access)
Use for: Third-party access, user consent, token refresh
Authorization Code Flow (most secure for web/mobile):
1. Client redirects to /authorize 2. User authenticates, grants permissions 3. Auth server redirects to callback with code 4. Client exchanges code for access token 5. Client uses access token for API requests
# Request token POST /oauth/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=AUTH_CODE &redirect_uri=https://client.com/callback &client_id=CLIENT_ID &client_secret=CLIENT_SECRET # Response { "access_token": "eyJhbGc...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "scope": "read write" } # Use token GET /v1/users/me Authorization: Bearer eyJhbGc...
JWT (Stateless Auth)
Use for: Microservices, stateless API auth, short-lived tokens
✅ Good: Minimal claims, short expiry
{ "sub": "user_123", "iat": 1516239022, "exp": 1516242622, "scope": "read:users write:orders" }
Validation:
import jwt from 'jsonwebtoken'; const token = req.headers.authorization?.split(' ')[1]; const payload = jwt.verify(token, process.env.JWT_SECRET); req.userId = payload.sub;
API Keys (Service-to-Service)
Use for: Server-to-server, CLI tools, webhooks
GET /v1/users X-API-Key: sk_live_abc123... # Or query parameter (less secure) GET /v1/users?api_key=sk_live_abc123
Key Practices:
- Prefix keys with environment (
,sk_live_
)sk_test_ - Hash keys before storage (bcrypt, scrypt)
- Allow key rotation without downtime
- Support multiple keys per user
- Rate limit per key
See
references/authentication.mdRate Limiting
Token Bucket (Burst-Friendly)
Bucket: 100 tokens, refill 10/second Request costs 1 token Allows bursts up to bucket size
Headers:
HTTP/1.1 200 OK X-RateLimit-Limit: 100 X-RateLimit-Remaining: 73 X-RateLimit-Reset: 1640995200
429 Response:
HTTP/1.1 429 Too Many Requests Retry-After: 60 X-RateLimit-Limit: 100 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 1640995200 { "error": { "code": "RATE_LIMIT_EXCEEDED", "message": "Rate limit exceeded. Try again in 60 seconds.", "limit": 100, "reset_at": "2025-01-01T00:00:00Z" } }
Sliding Window (Fair Distribution)
Counts requests in rolling time window. More accurate than fixed window.
Per-User vs Per-IP
- Per-User: Authenticated requests, fair quotas
- Per-IP: Unauthenticated requests, prevent abuse
- Combined: Both limits, take stricter
Idempotency
Idempotent Methods (HTTP Spec)
Naturally Idempotent: GET, PUT, DELETE, HEAD, OPTIONS Not Idempotent: POST, PATCH
Idempotency Keys
Make POST requests idempotent:
POST /v1/payments Idempotency-Key: uuid-or-client-generated-key Content-Type: application/json { "amount": 1000, "currency": "USD", "customer": "cust_123" }
Server behavior:
- First request: Process and store result with key
- Duplicate request (same key): Return stored result (200 or 201)
- Different request (same key): Return 409 Conflict
Implementation:
const idempotencyKey = req.headers['idempotency-key']; if (idempotencyKey) { const cached = await redis.get(`idempotency:${idempotencyKey}`); if (cached) { return res.status(cached.status).json(cached.body); } } const result = await processPayment(req.body); await redis.setex(`idempotency:${idempotencyKey}`, 86400, { status: 201, body: result });
Conditional Requests
Use ETags for safe updates:
# Get resource with ETag GET /v1/users/123 Response: ETag: "abc123" # Update only if unchanged PUT /v1/users/123 If-Match: "abc123" # 412 Precondition Failed if ETag changed
Caching Strategies
HTTP Caching Headers
# Public, cacheable for 1 hour Cache-Control: public, max-age=3600 # Private (user-specific), revalidate Cache-Control: private, must-revalidate, max-age=0 # No caching Cache-Control: no-store, no-cache, must-revalidate
ETag Validation
# Server returns ETag GET /v1/users/123 Response: ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4" Cache-Control: max-age=3600 # Client conditional request GET /v1/users/123 If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4" # 304 Not Modified if unchanged (saves bandwidth) HTTP/1.1 304 Not Modified
Last-Modified
GET /v1/users/123 Response: Last-Modified: Wed, 21 Oct 2025 07:28:00 GMT # Conditional request GET /v1/users/123 If-Modified-Since: Wed, 21 Oct 2025 07:28:00 GMT # 304 Not Modified if not modified
Webhooks
Event Delivery
POST https://client.com/webhooks/payments Content-Type: application/json X-Webhook-Signature: sha256=abc123... X-Webhook-Id: evt_abc123 X-Webhook-Timestamp: 1640995200 { "id": "evt_abc123", "type": "payment.succeeded", "created": 1640995200, "data": { "object": { "id": "pay_123", "amount": 1000, "status": "succeeded" } } }
Signature Verification
import crypto from 'crypto'; function verifyWebhookSignature( payload: string, signature: string, secret: string ): boolean { const expectedSignature = crypto .createHmac('sha256', secret) .update(payload) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(`sha256=${expectedSignature}`) ); }
Retry Strategy
- Exponential backoff: 1s, 2s, 4s, 8s, 16s, 32s, 64s
- Timeout: 5-30 seconds per attempt
- Max attempts: 3-7 attempts
- Dead letter queue: Store failed events
- Manual retry: UI for re-sending failed events
API Documentation
OpenAPI/Swagger (REST)
openapi: 3.0.0 info: title: User API version: 1.0.0 paths: /users/{id}: get: summary: Get user by ID parameters: - name: id in: path required: true schema: type: string responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/User' '404': description: User not found components: schemas: User: type: object required: [id, email] properties: id: type: string email: type: string format: email name: type: string
GraphQL Schema (Self-Documenting)
GraphQL introspection provides automatic documentation. Use descriptions:
""" Represents a user account in the system. Created via the createUser mutation. """ type User { """Unique identifier for the user""" id: ID! """Email address, must be unique""" email: String! """Optional display name""" name: String }
API Documentation Best Practices
- Interactive examples: Provide working code samples
- Authentication guide: Step-by-step auth setup
- Error catalog: Document all error codes with examples
- Rate limits: Clearly state limits and headers
- Changelog: Track breaking and non-breaking changes
- Migration guides: Version upgrade instructions
- SDKs: Provide client libraries for popular languages
Anti-Patterns
❌ Over-fetching (REST): Returning entire objects when fields are unused ✅ Solution: Support field selection (
?fields=id,name,email❌ Under-fetching (REST): Requiring multiple requests for related data ✅ Solution: Support expansion (
?expand=orders,profile❌ Chatty APIs: Too many round-trips for common operations ✅ Solution: Batch endpoints, compound documents, or GraphQL
❌ Ignoring HTTP semantics: Using GET for mutations, wrong status codes ✅ Solution: Follow HTTP spec, use correct methods and status codes
❌ Exposing internal structure: URLs/schemas mirror database ✅ Solution: Design resource-oriented APIs independent of storage
❌ Missing versioning: Breaking changes without version increments ✅ Solution: Version from day one, never break existing versions
❌ Poor error messages: Generic "An error occurred" ✅ Solution: Specific, actionable error messages with codes
❌ No rate limiting: APIs vulnerable to abuse ✅ Solution: Implement rate limiting from the start
Testing Strategies
Contract Testing
// Pact contract test import { PactV3 } from '@pact-foundation/pact'; const provider = new PactV3({ consumer: 'FrontendApp', provider: 'UserAPI' }); it('gets a user by ID', () => { provider .given('user 123 exists') .uponReceiving('a request for user 123') .withRequest({ method: 'GET', path: '/users/123' }) .willRespondWith({ status: 200, body: { id: '123', email: 'user@example.com' } }); });
Load Testing
// k6 load test import http from 'k6/http'; import { check } from 'k6'; export const options = { stages: [ { duration: '30s', target: 20 }, { duration: '1m', target: 20 }, { duration: '10s', target: 0 } ], thresholds: { http_req_duration: ['p(95)<500'], // 95% under 500ms http_req_failed: ['rate<0.01'] // <1% errors } }; export default function () { const res = http.get('https://api.example.com/users'); check(res, { 'status is 200': (r) => r.status === 200, 'response time < 500ms': (r) => r.timings.duration < 500 }); }
Related Skills
- graphql: Deep GraphQL schema design, resolvers, Apollo Server
- typescript: Type-safe API clients and servers
- nodejs-backend: Express/Fastify REST API implementation
- django: Django REST Framework patterns
- fastapi: FastAPI Python REST/GraphQL APIs
- flask: Flask-RESTful patterns
References
- rest-patterns.md: Deep REST coverage (HATEOAS, filtering, field selection)
- graphql-patterns.md: GraphQL subscriptions, relay cursor connections, federation
- grpc-patterns.md: Streaming patterns, interceptors, service mesh integration
- versioning-strategies.md: Detailed versioning approaches and migration patterns
- authentication.md: OAuth flows, JWT best practices, API key rotation, RBAC
Additional Resources
- REST API Design Rulebook - O'Reilly REST guide
- GraphQL Best Practices - Official GraphQL guide
- gRPC Best Practices - Official gRPC guide
- RFC 7807: Problem Details for HTTP APIs - Standard error format
- OpenAPI Specification - REST documentation standard