Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

hoangnguyen0403/common-api-design

Name: common-api-design
Author: hoangnguyen0403

skills/common/common-api-design/SKILL.md

npx skillsauth add hoangnguyen0403/agent-skills-standard common-api-design

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Common API Design Standards

Priority: P1 (OPERATIONAL)

🔧 HTTP Verb Semantics

GET read-only, idempotent — never mutates state.
POST create or trigger; PUT full replace; PATCH partial update; DELETE remove.
Non-CRUD actions as sub-resources: POST /orders/:id/cancel.

📡 Status Code Correctness

200 success; 201 created (add Location header); 204 no body.
400 validation (with details[]); 401 unauthenticated; 403 unauthorized; 404 not found.
409 conflict; 422 business rule violation; 429 rate limit (add Retry-After); 500 unhandled.

📦 URL Design Rules

Lowercase, kebab-case: /user-profiles, not /UserProfiles or /user_profiles.
Plural nouns: /orders, /products. Not /order, /getProducts.
No verbs in paths (except action sub-resources): /orders/:id/cancel ✅, /cancelOrder ❌.
Hierarchy: Use nesting only up to 2 levels: /users/:id/orders ✅, /users/:id/orders/:orderId/items/:itemId ❌.

🔢 API Versioning

Strategy: URL path versioning default: /v1/users, /v2/users.
Header versioning (Api-Version: 2) acceptable for internal APIs.
Never mix versions in same controller — each version gets its own route module.
Support prev major ≥ 6 months after new release.
Deprecation: Deprecation: true + Sunset: <date> headers when version will be retired.

📄 Pagination

Prefer cursor-based (cursor + limit) for large/live datasets; offset only for small static ones.
Default limit: 20, max 100. Reject requests exceeding max.
Response envelope: { data: [], pagination: { nextCursor, hasNextPage } }.

📝 OpenAPI Contract

Generate from code annotations — not hand-written YAML.
Every API needs OpenAPI 3.1 spec.
Include: request/response schemas, error shapes, auth requirements, examples.
Review spec in PR — breaking changes need version bump.

🔒 API Security Baseline

Require auth on all routes by default; use @Public() or equivalent opt-out.
Validate and sanitize all query params, path params, and request bodies.
Set Content-Type: application/json explicitly. Reject unexpected content types.
Include X-Content-Type-Options: nosniff and X-Frame-Options: DENY headers.

Anti-Patterns

No GET mutations: Search engines and CDNs cache GET — mutating state catastrophic.
No 200 for errors: { "success": false, "data": null } with HTTP 200 breaks monitoring.
No deeply nested URLs: Hard to document, version, and cache.
No breaking changes without versioning: Removing/renaming fields in-place breaks consumers silently.

References

URL Examples, Status Codes & Pagination Envelope

hoangnguyen0403/common-api-design

skills/common/common-api-design/SKILL.md

Apply REST API conventions — HTTP semantics, status codes, versioning, pagination, and OpenAPI standards for any framework. Use when designing endpoints, choosing HTTP methods, implementing pagination, or writing OpenAPI specs.

487 stars

development

Updated May 10, 2026

$ install --global

skillsauth

npx skillsauth add hoangnguyen0403/agent-skills-standard common-api-design

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 10, 2026, 2:35 AM139.6s3 files scanned

SKILL.md

name:: common-api-design
description:: Apply REST API conventions — HTTP semantics, status codes, versioning, pagination, and OpenAPI standards for any framework. Use when designing endpoints, choosing HTTP methods, implementing pagination, or writing OpenAPI specs.

Common API Design Standards

Priority: P1 (OPERATIONAL)

🔧 HTTP Verb Semantics

GET read-only, idempotent — never mutates state.
POST create or trigger; PUT full replace; PATCH partial update; DELETE remove.
Non-CRUD actions as sub-resources: POST /orders/:id/cancel.

📡 Status Code Correctness

200 success; 201 created (add Location header); 204 no body.
400 validation (with details[]); 401 unauthenticated; 403 unauthorized; 404 not found.
409 conflict; 422 business rule violation; 429 rate limit (add Retry-After); 500 unhandled.

📦 URL Design Rules

Lowercase, kebab-case: /user-profiles, not /UserProfiles or /user_profiles.
Plural nouns: /orders, /products. Not /order, /getProducts.
No verbs in paths (except action sub-resources): /orders/:id/cancel ✅, /cancelOrder ❌.
Hierarchy: Use nesting only up to 2 levels: /users/:id/orders ✅, /users/:id/orders/:orderId/items/:itemId ❌.

🔢 API Versioning

Strategy: URL path versioning default: /v1/users, /v2/users.
Header versioning (Api-Version: 2) acceptable for internal APIs.
Never mix versions in same controller — each version gets its own route module.
Support prev major ≥ 6 months after new release.
Deprecation: Deprecation: true + Sunset: <date> headers when version will be retired.

📄 Pagination

Prefer cursor-based (cursor + limit) for large/live datasets; offset only for small static ones.
Default limit: 20, max 100. Reject requests exceeding max.
Response envelope: { data: [], pagination: { nextCursor, hasNextPage } }.

📝 OpenAPI Contract

Generate from code annotations — not hand-written YAML.
Every API needs OpenAPI 3.1 spec.
Include: request/response schemas, error shapes, auth requirements, examples.
Review spec in PR — breaking changes need version bump.

🔒 API Security Baseline

Require auth on all routes by default; use @Public() or equivalent opt-out.
Validate and sanitize all query params, path params, and request bodies.
Set Content-Type: application/json explicitly. Reject unexpected content types.
Include X-Content-Type-Options: nosniff and X-Frame-Options: DENY headers.

Anti-Patterns

No GET mutations: Search engines and CDNs cache GET — mutating state catastrophic.
No 200 for errors: { "success": false, "data": null } with HTTP 200 breaks monitoring.
No deeply nested URLs: Hard to document, version, and cache.
No breaking changes without versioning: Removing/renaming fields in-place breaks consumers silently.

References

URL Examples, Status Codes & Pagination Envelope

Related Skills

hoangnguyen0403/common-software-requirements

development

VerifiedTrustedCommunity

Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.

503SKILL.mdUpdated May 23, 2026

hoangnguyen0403/common-software-requirements

hoangnguyen0403/common-business-requirements

development

VerifiedTrustedCommunity

Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.

503SKILL.mdUpdated May 23, 2026

hoangnguyen0403/common-business-requirements

hoangnguyen0403/common-tdd

development

VerifiedTrustedCommunity

Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.

503SKILL.mdUpdated May 10, 2026

hoangnguyen0403/common-tdd

hoangnguyen0403/common-product-requirements

testing

VerifiedTrustedCommunity

Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.

503SKILL.mdUpdated May 10, 2026

hoangnguyen0403/common-product-requirements

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/hoangnguyen0403/agent-skills-standard.git

# Copy into Claude Code skills folder (global)
cp -r agent-skills-standard/skills/common/common-api-design ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

hoangnguyen0403/agent-skills-standard

487 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT