Provides state-of-the-art API design and audit guidance covering REST/HTTP, GraphQL, gRPC, WebSockets/SSE/realtime, webhooks, versioning, and API security. Use when designing new APIs or auditing existing ones for correctness, evolvability, and operational robustness.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sota-skills:sota-api-designThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Expert-level rules for building and auditing API surfaces: HTTP/REST semantics,
Expert-level rules for building and auditing API surfaces: HTTP/REST semantics, GraphQL, gRPC/protobuf, realtime (WebSocket/SSE/WebTransport), webhooks, contract evolution, and the security/operational envelope around all of them. Rules are imperative with rationale and good/bad examples; every rules file ends with an audit checklist. Use the index table below to load only the files relevant to the task — do not read all files for a narrow question.
When designing or implementing an API:
rules/04 §1 first if the choice
(REST vs GraphQL vs gRPC vs realtime transport) is open. Default: gRPC
service-to-service, REST at the edge, GraphQL only for multi-client shape
diversity, SSE for server-push, WS only for true bidirectional.rules/01, rules/02).rules/02).rules/01 §6, rules/07).rules/05);
signing, retries, SSRF egress controls (rules/06) before writing code.rules/07).When reviewing an existing API:
200 {"error":…}, missing deadlines, unbounded WS
send buffers, unsigned webhooks, SSRF in webhook egress, origin-reflection
CORS, tenant ID taken from the request body.operationIds,
missing preflight cache, suboptimal cache headers, missing pagination link
hints.[SEVERITY] <one-line title>
Where: <file:line | endpoint | schema element>
Rule: <rules-file §section>
Issue: <what is wrong, with the observed evidence (code/HTTP exchange)>
Impact: <concrete consequence — who breaks, what leaks, what corrupts>
Fix: <specific change; example snippet/header/schema where load-bearing>
Order findings by severity; one finding per root cause; no speculative findings without evidence in code or spec.
| File | Read this when... |
|---|---|
rules/01-rest-http-design.md | Designing/auditing REST endpoints: resource modeling, methods/status codes, cursor pagination, filtering, partial responses, idempotency keys, ETags/conditional requests, HATEOAS pragmatism, RFC 9457 errors, OpenAPI-first, contract testing. |
rules/02-versioning-evolution.md | Changing an existing API, adding/removing fields, choosing URL vs header versioning, planning deprecation (Sunset/Deprecation headers), enum/schema evolution, tolerant readers, CI breaking-change gates. |
rules/03-graphql.md | Any GraphQL work: schema/nullability/connections design, N+1 and dataloaders, depth/cost/alias limits, persisted-query allowlists, error channels (userErrors vs errors), resolver authz, when GraphQL is the wrong choice. |
rules/04-grpc-protocols.md | gRPC/protobuf work or protocol selection: field-number/reserved evolution rules, deadlines and cancellation propagation, streaming patterns, rich error details, gRPC-Web/Connect, L7 load balancing, REST vs GraphQL vs gRPC decision table. |
rules/05-realtime-websockets-sse.md | WebSocket/SSE/realtime features: transport choice (WS vs SSE vs WebTransport), upgrade auth & CSWSH, heartbeats, reconnect backoff + resume tokens, ordering/delivery guarantees, backpressure, close codes, SSE replay, pub/sub fanout scaling, presence; WebRTC server hardening (TURN relay abuse, DTLS-SRTP, signaling) when self-hosted. |
rules/06-webhooks.md | Sending or receiving webhooks: HMAC signing + timestamp + rotation, replay protection, retry/backoff design, ordering caveats, idempotent consumers, outbox dispatch, reconciliation APIs, SSRF defenses for user-supplied URLs. |
rules/07-security-operations.md | Cross-cutting security/ops on any API: authn scheme selection (keys/OAuth2/mTLS), rate limiting + 429/Retry-After, quotas, request size limits, timeout budgets, CORS, audit logging, multi-tenant isolation, cross-tenant testing. |
200 {"error":…} — correct status codes, single RFC 9457
problem+json error shape API-wide, machine-readable codes, trace ID, no
internals leaked. (rules/01 §3, §9)npx claudepluginhub martinholovsky/sota-skills --plugin sota-skillsPrevents silent decimal mismatch bugs across EVM chains with runtime lookup, chain-aware caching, and safe normalization for bots, dashboards, and DeFi tools.