zhongwei/gh-hermeticormus-hermetic-line-plugins-backend-development
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
faf9b31fb0ec058e90fdd4f9277b8a4e61fdc1c3
gh-hermeticormus-hermetic-l…/skills/api-design-principles/assets/api-design-checklist.md
Zhongwei Li faf9b31fb0 Initial commit
2025-11-29 18:43:11 +08:00

3.8 KiB
Raw Blame History

API Design Checklist

Pre-Implementation Review

Resource Design

  • Resources are nouns, not verbs
  • Plural names for collections
  • Consistent naming across all endpoints
  • Clear resource hierarchy (avoid deep nesting >2 levels)
  • All CRUD operations properly mapped to HTTP methods

HTTP Methods

  • GET for retrieval (safe, idempotent)
  • POST for creation
  • PUT for full replacement (idempotent)
  • PATCH for partial updates
  • DELETE for removal (idempotent)

Status Codes

  • 200 OK for successful GET/PATCH/PUT
  • 201 Created for POST
  • 204 No Content for DELETE
  • 400 Bad Request for malformed requests
  • 401 Unauthorized for missing auth
  • 403 Forbidden for insufficient permissions
  • 404 Not Found for missing resources
  • 422 Unprocessable Entity for validation errors
  • 429 Too Many Requests for rate limiting
  • 500 Internal Server Error for server issues

Pagination

  • All collection endpoints paginated
  • Default page size defined (e.g., 20)
  • Maximum page size enforced (e.g., 100)
  • Pagination metadata included (total, pages, etc.)
  • Cursor-based or offset-based pattern chosen

Filtering & Sorting

  • Query parameters for filtering
  • Sort parameter supported
  • Search parameter for full-text search
  • Field selection supported (sparse fieldsets)

Versioning

  • Versioning strategy defined (URL/header/query)
  • Version included in all endpoints
  • Deprecation policy documented

Error Handling

  • Consistent error response format
  • Detailed error messages
  • Field-level validation errors
  • Error codes for client handling
  • Timestamps in error responses

Authentication & Authorization

  • Authentication method defined (Bearer token, API key)
  • Authorization checks on all endpoints
  • 401 vs 403 used correctly
  • Token expiration handled

Rate Limiting

  • Rate limits defined per endpoint/user
  • Rate limit headers included
  • 429 status code for exceeded limits
  • Retry-After header provided

Documentation

  • OpenAPI/Swagger spec generated
  • All endpoints documented
  • Request/response examples provided
  • Error responses documented
  • Authentication flow documented

Testing

  • Unit tests for business logic
  • Integration tests for endpoints
  • Error scenarios tested
  • Edge cases covered
  • Performance tests for heavy endpoints

Security

  • Input validation on all fields
  • SQL injection prevention
  • XSS prevention
  • CORS configured correctly
  • HTTPS enforced
  • Sensitive data not in URLs
  • No secrets in responses

Performance

  • Database queries optimized
  • N+1 queries prevented
  • Caching strategy defined
  • Cache headers set appropriately
  • Large responses paginated

Monitoring

  • Logging implemented
  • Error tracking configured
  • Performance metrics collected
  • Health check endpoint available
  • Alerts configured for errors

GraphQL-Specific Checks

Schema Design

  • Schema-first approach used
  • Types properly defined
  • Non-null vs nullable decided
  • Interfaces/unions used appropriately
  • Custom scalars defined

Queries

  • Query depth limiting
  • Query complexity analysis
  • DataLoaders prevent N+1
  • Pagination pattern chosen (Relay/offset)

Mutations

  • Input types defined
  • Payload types with errors
  • Optimistic response support
  • Idempotency considered

Performance

  • DataLoader for all relationships
  • Query batching enabled
  • Persisted queries considered
  • Response caching implemented

Documentation

  • All fields documented
  • Deprecations marked
  • Examples provided
  • Schema introspection enabled
Reference in New Issue View Git Blame Copy Permalink