From app-dev
This skill should be used when the user asks to "design a REST API", "structure API endpoints", "choose HTTP status codes", "set up API versioning", "implement API pagination", or mentions "REST API", "API design", "endpoint design", "OpenAPI", "Swagger", "API versioning", "HTTP status codes", "API authentication", "rate limiting", "pagination", "HATEOAS". Provides REST API design patterns, OpenAPI specification guidance, authentication strategies, and API versioning.
npx claudepluginhub iwritec0de/claude-plugin-marketplace --plugin app-dev

This skill uses the workspace's default tool permissions.
```
GET /api/v1/resources — List (with pagination)
GET /api/v1/resources/:id — Get single
POST /api/v1/resources — Create
PUT /api/v1/resources/:id — Full update
PATCH /api/v1/resources/:id — Partial update
DELETE /api/v1/resources/:id — Delete
# Nested resources
GET /api/v1/users/:id/posts — User's posts
POST /api/v1/users/:id/posts — Create post for user
# Actions (non-CRUD)
POST /api/v1/orders/:id/cancel — Action on resource
POST /api/v1/auth/login — Authentication
POST /api/v1/auth/refresh — Token refresh
```

- `/users`, not `/user`
- `/user-profiles`, not `/userProfiles`
- `/users`, not `/getUsers`

| Code | When to Use |
|---|---|
| 200 | Successful GET, PUT, PATCH, or DELETE |
| 201 | Successful POST (resource created). Include Location header. |
| 204 | Successful DELETE with no response body |
| 400 | Invalid request (validation error, malformed JSON) |
| 401 | Not authenticated (missing or invalid credentials) |
| 403 | Authenticated but not authorized |
| 404 | Resource not found |
| 409 | Conflict (duplicate resource, version mismatch) |
| 422 | Semantically invalid (valid JSON, but business logic rejects it) |
| 429 | Rate limit exceeded. Include Retry-After header. |
| 500 | Server error (never expose internals) |

```
{
  "id": "uuid",
  "name": "Example",
  "createdAt": "2025-01-01T00:00:00Z"
}
```

```
{
  "data": { ... },
  "meta": {
    "page": 1,
    "perPage": 20,
    "total": 150
  }
}
```

```
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request body",
    "details": [
      {
        "field": "email",
        "message": "Must be a valid email address"
      }
    ]
  }
}
```

```
GET /api/users?cursor=abc123&limit=20

Response:
{
  "data": [...],
  "pagination": {
    "nextCursor": "def456",
    "hasMore": true
  }
}
```

```
GET /api/users?page=2&perPage=20

Response:
{
  "data": [...],
  "pagination": {
    "page": 2,
    "perPage": 20,
    "total": 150,
    "totalPages": 8
  }
}
```

```
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

Access token: short-lived (15-60 min)
Refresh token: long-lived (7-30 days), stored securely
```

```
X-API-Key: sk_live_abc123...

Use for: server-to-server, public data APIs
Never for: user-facing authentication
```

Include headers in responses:

```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1672531200
Retry-After: 60
```

Common limits:

```
/api/v1/users
/api/v2/users
```

```
Accept: application/vnd.myapi.v2+json
```

```
/api/users?version=2
```

```
# Immutable resources
Cache-Control: public, max-age=31536000, immutable

# Dynamic but cacheable
Cache-Control: public, max-age=60, stale-while-revalidate=30

# Never cache
Cache-Control: no-store

# ETag for conditional requests
ETag: "abc123"
If-None-Match: "abc123" → 304 Not Modified
```

```
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
```
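
The rate-limit headers and the 429 row of the status table, tied together in a small fixed-window limiter. This is an added example, not part of the original skill; the class name, the `check` method and the `RATE_LIMITED` error code are assumptions, and the response body follows the error format shown earlier.

```python
import math
import time
from dataclasses import dataclass, field


@dataclass
class FixedWindowLimiter:
    """Per-client fixed-window counter (hypothetical helper, in-memory only)."""
    limit: int = 100   # requests allowed per window
    window: int = 60   # window length in seconds
    _hits: dict = field(default_factory=dict)  # client_id -> (window_start, count)

    def check(self, client_id, now=None):
        """Return (status, headers, body) for one request from client_id."""
        now = time.time() if now is None else now
        start = int(now // self.window) * self.window
        prev_start, count = self._hits.get(client_id, (start, 0))
        if prev_start != start:      # a new window began: reset the counter
            count = 0
        reset = start + self.window  # epoch second at which the window ends
        allowed = count < self.limit
        if allowed:
            count += 1
        self._hits[client_id] = (start, count)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - count),
            "X-RateLimit-Reset": str(reset),
        }
        if allowed:
            return 200, headers, None
        # Rejected requests do not consume quota; tell the client when to retry.
        headers["Retry-After"] = str(max(1, math.ceil(reset - now)))
        body = {"error": {"code": "RATE_LIMITED",  # assumed code name
                          "message": "Rate limit exceeded"}}
        return 429, headers, body
```

Key `client_id` on the authenticated principal (API key or user ID) rather than on a value the client supplies, and use a shared store instead of the in-memory dict when more than one server instance handles requests.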