From playbooks-virtuoso
Designs and reviews REST/GraphQL APIs using principles for resource modeling, endpoint naming, versioning, errors, pagination, auth, and standards.
npx claudepluginhub krzysztofsurdy/code-virtuoso --plugin playbooks-virtuosoThis skill is limited to using the following tools:
Principles and patterns for designing APIs that are consistent, predictable, and easy to evolve. Applies to any language or framework — the focus is on protocol-level design decisions, not implementation details.
Provides REST and GraphQL API design principles including resource hierarchies, HTTP semantics, schema design, versioning, pagination, and filtering patterns for new APIs or reviews.
Designs REST and GraphQL APIs with resource-oriented principles, HTTP methods, status codes, pagination, filtering, sorting, and schema design. Use when designing new APIs or improving existing ones.
Guides REST and GraphQL API design principles including resource-oriented architecture, HTTP methods, schema-first development, versioning strategies, pagination, and filtering patterns. Use for new API design, spec reviews, refactoring, and team standards.
Share bugs, ideas, or general feedback.
Principles and patterns for designing APIs that are consistent, predictable, and easy to evolve. Applies to any language or framework — the focus is on protocol-level design decisions, not implementation details.
A well-designed API treats its surface as a product: consumers should be able to predict behavior, recover from errors, and integrate without reading source code.
| Aspect | REST | GraphQL |
|---|---|---|
| Best for | CRUD-heavy, resource-oriented domains | Complex, interconnected data with varied client needs |
| Data fetching | Fixed response shapes per endpoint | Client specifies exact fields needed |
| Over-fetching | Common — endpoints return full resources | Eliminated — clients request only what they need |
| Under-fetching | Common — requires multiple round trips | Eliminated — single query can span relations |
| Caching | Built-in HTTP caching (ETags, Cache-Control) | Requires custom caching (normalized stores, persisted queries) |
| File uploads | Native multipart support | Requires workarounds (multipart spec or separate endpoint) |
| Real-time | Webhooks, SSE, or polling | Subscriptions built into the spec |
| Tooling maturity | Mature — OpenAPI, Postman, HTTP clients | Growing — Apollo, Relay, GraphiQL |
| Learning curve | Lower — leverages existing HTTP knowledge | Higher — schema language, resolvers, query optimization |
| Error handling | HTTP status codes + response body | Always 200 — errors in response errors array |
| Versioning | URL path, headers, or query params | Schema evolution via deprecation + additive changes |
Choose REST when: your domain maps naturally to resources and CRUD operations, you need HTTP caching, or your clients are simple (mobile apps, third-party integrations).
Choose GraphQL when: clients have highly varied data needs, you are aggregating multiple backend services, or you want a strongly typed contract between frontend and backend.
Both are valid. Many systems use REST for external/public APIs and GraphQL for internal frontend-backend communication.
REST APIs model the domain as resources and use HTTP semantics to operate on them.
Core rules:
/orders, not /getOrders/users, /users/{id}/users/{id}/orders is fine; /users/{id}/orders/{id}/items/{id}/variants is notAccept and Content-Type headersHATEOAS (Hypermedia as the Engine of Application State) adds discoverability by including links in responses. Useful for public APIs but often overkill for internal services:
{
"id": 42,
"status": "shipped",
"_links": {
"self": { "href": "/orders/42" },
"cancel": { "href": "/orders/42/cancel", "method": "POST" },
"customer": { "href": "/customers/7" }
}
}
See REST Patterns Reference for detailed conventions.
GraphQL APIs expose a strongly typed schema that clients query declaratively.
Core rules:
Schema-first example:
type User {
id: ID!
name: String!
email: String!
orders(first: Int, after: String): OrderConnection!
}
type Order {
id: ID!
total: Float!
status: OrderStatus!
createdAt: DateTime!
}
enum OrderStatus {
PENDING
CONFIRMED
SHIPPED
DELIVERED
CANCELLED
}
See GraphQL Patterns Reference for detailed conventions.
A consistent error format is one of the most impactful API design decisions. Consumers should be able to parse errors programmatically without inspecting message strings.
RFC 7807 Problem Details format (recommended for REST):
{
"type": "https://api.example.com/errors/insufficient-funds",
"title": "Insufficient Funds",
"status": 422,
"detail": "Account balance is $10.00 but the transfer requires $50.00.",
"instance": "/transfers/abc-123",
"errors": [
{
"field": "amount",
"code": "insufficient_funds",
"message": "Transfer amount exceeds available balance"
}
]
}
Key principles:
type or code — clients should branch on codes, not messagesdetail for debuggingGraphQL error conventions:
{
"data": { "createOrder": null },
"errors": [
{
"message": "Insufficient funds",
"extensions": {
"code": "INSUFFICIENT_FUNDS",
"field": "amount"
}
}
]
}
APIs evolve. Versioning strategies determine how you ship changes without breaking existing consumers.
| Strategy | Mechanism | Pros | Cons |
|---|---|---|---|
| URL path | /v1/users | Explicit, easy to route | URL pollution, hard to deprecate |
| Accept header | Accept: application/vnd.api+json;version=2 | Clean URLs, HTTP-correct | Less visible, harder to test casually |
| Query param | /users?version=2 | Simple to implement | Easy to forget, caching complications |
Practical guidance:
See API Evolution Reference for detailed strategies.
Every list endpoint needs pagination. The choice between cursor and offset affects performance, consistency, and client complexity.
| Approach | How it works | Pros | Cons |
|---|---|---|---|
| Offset | ?offset=20&limit=10 | Simple, supports "jump to page N" | Inconsistent with real-time inserts/deletes, slow on large tables |
| Cursor | ?after=abc123&limit=10 | Stable with real-time data, performant at scale | Cannot jump to arbitrary pages |
Best practices:
hasNextPage, hasPreviousPage, totalCount (if cheap to compute)totalCount is expensive, make it optional or return an estimateCursor pagination response example:
{
"data": [ ... ],
"pagination": {
"hasNextPage": true,
"hasPreviousPage": false,
"startCursor": "eyJpZCI6MX0=",
"endCursor": "eyJpZCI6MTB9"
}
}
Authentication verifies identity (who are you?). Authorization verifies permissions (what can you do?).
| Mechanism | Use case | Notes |
|---|---|---|
| API keys | Server-to-server, simple integrations | Easy to implement; rotate regularly; never expose in client code |
| OAuth 2.0 | Third-party access, delegated permissions | Industry standard; use Authorization Code + PKCE for SPAs/mobile |
| JWT (Bearer tokens) | Stateless auth for microservices | Include only essential claims; set short expiry; validate signature and claims |
| Session cookies | Browser-based web apps | Pair with CSRF protection; use Secure, HttpOnly, SameSite flags |
Best practices:
Authorization: Bearer <token> header, not in query strings401 Unauthorized for missing/invalid credentials, 403 Forbidden for insufficient permissions| Antipattern | Problem | Fix |
|---|---|---|
| Chatty API | Clients need 10+ requests to render a page | Aggregate related data; consider GraphQL or composite endpoints |
| God endpoint | Single endpoint accepts wildly different payloads via flags | Split into focused endpoints with clear semantics |
| Inconsistent naming | Mix of snake_case, camelCase, plural/singular | Pick one convention and enforce it project-wide |
| Missing pagination | List endpoints return unbounded results | Always paginate collections; set max page size |
| Breaking changes without versioning | Renaming or removing fields breaks clients silently | Use versioning or additive-only evolution |
| Leaking internals | Database column names, auto-increment IDs in URLs | Map to stable external identifiers (UUIDs, slugs) |
| Ignoring idempotency | Retrying a POST creates duplicate resources | Support idempotency keys for non-idempotent operations |
| 200 for everything | Errors return HTTP 200 with an error body | Use appropriate HTTP status codes |
| Timestamps without timezone | 2024-01-15 14:30:00 is ambiguous | Always use ISO 8601 with timezone: 2024-01-15T14:30:00Z |
Before shipping or reviewing an API, verify: