Review API design for REST best practices and OpenAPI compliance
Analyzes API design for REST best practices and OpenAPI compliance.
/plugin marketplace add cameronsjo/claude-marketplace/plugin install api@cameronsjofile or endpointComprehensive API design review covering REST best practices, naming conventions, resource modeling, and OpenAPI/Swagger specification compliance.
Review OpenAPI/Swagger spec:
/api-review openapi.yaml
Review specific endpoint implementation:
/api-review src/api/users.ts
Review all API files in directory:
/api-review src/api/
This command uses the api-design skill to conduct thorough API design reviews.
Invoke the skill for comprehensive API review capabilities:
Use the api-design skill to help review this API.
Determine what to review:
If file path provided:
.yaml, .yml, .json)If no path provided:
openapi.yaml, swagger.json, src/api/, api/For OpenAPI/Swagger specs:
For implementation files:
For directories:
**/*api*.{ts,js,py}, **/routes/**, **/controllers/**)Review against API design standards:
JSON Fields (snake_case):
email_address, first_name, user_idemailAddress, firstName, userIdURI Paths (kebab-case):
/v1/identity/validate-otp/v1/identity/validateOtp, /v1/identity/validate_otpField Naming Rules:
password not password_hashauthor not written_bycollected_items not items_collectedcollected_items not collect_itemsdisabled not is_disableduri: redirect_uri not redirect_url_count: node_count not num_nodescreate_time not created_timeURI Structure:
/{version}/{namespace}/{collection}/{id}/{sub-collection}/{sub-id}
Examples:
/v1/users/123/orders/456/v1/getUserOrders?userId=123&orderId=456HTTP Methods:
Collection vs Singular:
/users, /orders (plural)/users/123, /profile (singular)Verify proper HTTP status code usage:
2xx Success:
4xx Client Errors:
5xx Server Errors:
Validate error responses follow standard structure:
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Request validation failed",
"details": [
{
"field": "email_address",
"message": "Invalid email format"
}
]
}
}
Check versioning strategy:
/v1/users, /v2/usersFor collection endpoints:
{
"data": [...],
"pagination": {
"page": 1,
"page_size": 20,
"total_count": 150,
"total_pages": 8
}
}
Query parameters:
page (1-indexed)page_size or limitoffset (alternative to page)Query parameters:
?status=active&role=admin?sort=create_time or ?sort=-create_time (desc)?fields=id,name,email_addressCheck security headers:
Authorization: Bearer {token} for JWTX-API-Key: {key} for API keysValidate CORS configuration:
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
If OpenAPI spec provided:
operationId uniqueness$ref referencesCreate structured report with:
Executive Summary:
Critical Issues (Must Fix):
Warnings (Should Fix):
Recommendations:
Compliant Patterns (Good Examples):
For each issue, provide:
Example Fix:
❌ Before:
GET /api/getUserById?userId=123
Response: { userId: 123, firstName: "John" }
✅ After:
GET /api/v1/users/123
Response: {
user_id: 123,
first_name: "John"
}
Changes:
/users/123)/v1)user_id, first_name)If reviewing implementation code without OpenAPI spec:
Run through these checks:
Naming:
{verb}_time formatREST:
Responses:
Security:
OpenAPI:
❌ { userId: 1, email: "..." }
✅ { user_id: 1, email_address: "..." }
❌ POST /api/createUser
✅ POST /api/v1/users
❌ 200 for resource not found
✅ 404 for resource not found
❌ { error: "Bad request" }
✅ {
error: {
code: "VALIDATION_ERROR",
message: "Invalid request",
details: [{ field: "email_address", message: "Required" }]
}
}
Console output:
Optional report file:
api-review-report.mdLast Updated: 2025-11-13 Based on: REST Best Practices