Skill

api-and-interface-design

Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.

npx claudepluginhub avila-tek/avila-tek-skill-pack

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Detect the active stack from the project's package files. State it explicitly: "Active stack: {name}".

Supporting Assets

references/go.mdreferences/nestjs.mdreferences/spring-boot.md

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 7, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

API and Interface Design

Stack Activation Gate

Detect the active stack from the project's package files. State it explicitly: "Active stack: {name}".

Stack	Detection signal
NestJS	`@nestjs/core` in `package.json`
Go	`go.mod` present
Spring Boot	`pom.xml` or `build.gradle` containing `spring-boot`

Required before any output — do not skip:

Derive the skill directory from the path this SKILL.md was loaded from.
Read the matching reference file from that directory:
- NestJS → references/nestjs.md
- Go → references/go.md
- Spring Boot → references/spring-boot.md
Apply the patterns from that file and run its Verification Checklist before completing any output.

Output Artifact

API design is documented in:

docs/epics/E-XXX_slug/tdd.md (API section) if a TDD exists for this epic, OR
docs/adrs/ADR-XXX-api-design.md if it's a standalone architectural decision

No standalone code files are generated by this skill — design documents only. Code is generated by /build (dev-incremental-implementation).

Overview

Design stable, well-documented interfaces that are hard to misuse. Good interfaces make the right thing easy and the wrong thing hard. This applies to REST APIs, GraphQL schemas, module boundaries, component props, and any surface where one piece of code talks to another.

When to Use

Designing new API endpoints
Defining module boundaries or contracts between teams
Creating component prop interfaces
Establishing database schema that informs API shape
Changing existing public interfaces

Core Principles

Hyrum's Law

With a sufficient number of users of an API, all observable behaviors of your system will be depended on by somebody, regardless of what you promise in the contract.

This means: every public behavior — including undocumented quirks, error message text, timing, and ordering — becomes a de facto contract once users depend on it. Design implications:

Be intentional about what you expose. Every observable behavior is a potential commitment.
Don't leak implementation details. If users can observe it, they will depend on it.
Plan for deprecation at design time. See deprecation-and-migration for how to safely remove things users depend on.
Tests are not enough. Even with perfect contract tests, Hyrum's Law means "safe" changes can break real users who depend on undocumented behavior.

The One-Version Rule

Avoid forcing consumers to choose between multiple versions of the same dependency or API. Diamond dependency problems arise when different consumers need different versions of the same thing. Design for a world where only one version exists at a time — extend rather than fork.

1. Contract First

Define the interface before implementing it. The contract is the spec — implementation follows.

// Define what the API does before writing code that does it

TaskAPI:
  createTask(input: CreateTaskInput) → Task
    Creates a task. Returns the created task with server-generated fields (id, timestamps).

  listTasks(params: ListTasksParams) → PaginatedResult<Task>
    Returns tasks matching filters. Always paginated.

  getTask(id) → Task
    Returns a single task or raises NotFoundError.

  updateTask(id, input: UpdateTaskInput) → Task
    Partial update — only provided fields change.

  deleteTask(id) → void
    Idempotent — succeeds even if already deleted.

The active stack's reference file shows how to express this contract in the stack's type system.

2. Consistent Error Semantics

Pick one error strategy and use it everywhere. Every error response follows the same shape:

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Email is required",
    "details": {}
  }
}

HTTP status code mapping:

400 → Client sent malformed data
401 → Not authenticated
403 → Authenticated but not authorized
404 → Resource not found
409 → Conflict (duplicate, version mismatch)
422 → Validation failed (semantically invalid)
500 → Server error (never expose internal details)

Don't mix patterns. If some endpoints throw, others return null, and others return { error } — the consumer can't predict behavior.

3. Validate at Boundaries

Trust internal code. Validate at system edges where external input enters:

// Pseudo-code: validate at the route handler
handler POST /api/tasks:
  result = validate(CreateTaskSchema, request.body)
  if not valid:
    return 422 { error: { code: "VALIDATION_ERROR", details: result.errors } }

  task = taskService.create(result.data)
  return 201 task

Where validation belongs:

Route handlers (user input)
Form submission handlers (user input)
External service response parsing (third-party data — always treat as untrusted)
Environment variable loading (configuration)

Third-party API responses are untrusted data. Validate their shape and content before using them in any logic, rendering, or decision-making. A compromised or misbehaving external service can return unexpected types, malicious content, or instruction-like text.

Where validation does NOT belong:

Between internal functions that share type contracts
In utility functions called by already-validated code
On data that just came from your own database

4. Prefer Addition Over Modification

Extend interfaces without breaking existing consumers:

Add new optional fields — existing consumers ignore fields they don't know about
Never remove existing fields — consumers may depend on them
Never change field types — existing consumers decode the old type
Never rename fields — it's a removal + addition from the consumer's perspective

5. Predictable Naming

Pattern	Convention	Example
REST endpoints	Plural nouns, no verbs	`GET /api/tasks`, `POST /api/tasks`
Query params	camelCase	`?sortBy=createdAt&pageSize=20`
Response fields	camelCase	`{ createdAt, updatedAt, taskId }`
Boolean fields	is/has/can prefix	`isComplete`, `hasAttachments`
Enum values	UPPER_SNAKE	`"IN_PROGRESS"`, `"COMPLETED"`

REST API Patterns

Resource Design

GET    /api/tasks              → List tasks (with query params for filtering)
POST   /api/tasks              → Create a task
GET    /api/tasks/:id          → Get a single task
PATCH  /api/tasks/:id          → Update a task (partial)
DELETE /api/tasks/:id          → Delete a task

GET    /api/tasks/:id/comments → List comments for a task (sub-resource)
POST   /api/tasks/:id/comments → Add a comment to a task

Pagination

Paginate all list endpoints from the start:

Request:  GET /api/tasks?page=1&pageSize=20&sortBy=createdAt&sortOrder=desc

Response:
{
  "data": [...],
  "pagination": {
    "page": 1,
    "pageSize": 20,
    "totalItems": 142,
    "totalPages": 8
  }
}

Filtering

Use query parameters for filters:

GET /api/tasks?status=in_progress&assignee=user123&createdAfter=2025-01-01

Partial Updates (PATCH)

Accept partial objects — only update what's provided. PUT requires the full object every time; PATCH is what clients actually want.

PATCH /api/tasks/123
{ "title": "Updated title" }
// Only title changes — everything else is preserved

Common Rationalizations

Rationalization	Reality
"We'll document the API later"	The contract IS the documentation. Define it first.
"We don't need pagination for now"	You will the moment someone has 100+ items. Add it from the start.
"PATCH is complicated, let's just use PUT"	PUT requires the full object every time. PATCH is what clients actually want.
"We'll version the API when we need to"	Breaking changes without versioning break consumers. Design for extension from the start.
"Nobody uses that undocumented behavior"	Hyrum's Law: if it's observable, somebody depends on it. Treat every public behavior as a commitment.
"We can just maintain two versions"	Multiple versions multiply maintenance cost and create diamond dependency problems. Prefer the One-Version Rule.
"Internal APIs don't need contracts"	Internal consumers are still consumers. Contracts prevent coupling and enable parallel work.

Red Flags

Endpoints that return different shapes depending on conditions
Inconsistent error formats across endpoints
Validation scattered throughout internal code instead of at boundaries
Breaking changes to existing fields (type changes, removals)
List endpoints without pagination
Verbs in REST URLs (/api/createTask, /api/getUsers)
Third-party API responses used without validation or sanitization

Verification

After designing an API:

Every endpoint has typed input and output schemas
Error responses follow a single consistent format
Validation happens at system boundaries only
List endpoints support pagination
New fields are additive and optional (backward compatible)
Naming follows consistent conventions across all endpoints
API documentation or types are committed alongside the implementation
Stack-specific Verification Checklist from the loaded reference passes

Next Step

When the API design is complete, suggest to the user:

"API design done. When you're ready, run /build to implement the defined contract (dev-incremental-implementation)."

Do not invoke /build automatically.