jon23d/rest-api-design
frontier/skills/rest-api-design/SKILL.md
Use when designing, reviewing, or documenting HTTP REST API endpoints, resources, contracts, or schemas.
$ install --global
skillsauthnpx skillsauth add jon23d/skillz rest-api-designInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 10:36 AM4.2s1 file scanned
SKILL.md
- name:
- rest-api-design
- description:
- Use when designing, reviewing, or documenting HTTP REST API endpoints, resources, contracts, or schemas.
REST API Design
Core Principles
1. Resource Orientation
- Nouns, not Verbs:
/users,/orders. Never/createUseror/getOrders. - Plural Roots: Always use plural nouns for collections:
/users, not/user. - Kebab-case URLs:
/pending-orders, not/pendingOrdersor/PendingOrders.
2. HTTP Verbs & Semantics
| Method | Use Case | Idempotent? | Safe? |
|--------|----------|-------------|-------|
| GET | Read resources | Yes | Yes |
| POST | Create new resource | No | No |
| PUT | Replace complete resource | Yes | No |
| PATCH | Partial update | No | No |
| DELETE | Remove resource | Yes | No |
3. Nesting & Relationships
- Creation: Use nesting for ownership.
POST /projects/{id}/tasks - Retrieval: Prefer flat resources for speed if ID is unique.
GET /tasks/{taskId} - Limit Depth: Max 2 levels deep.
/orgs/{id}/repos/{id}/issuesis the limit.
4. Actions & Non-CRUD
For operations that don't fit CRUD (e.g., "publish", "ban", "archive"):
- Field Update (Preferred):
PATCH /articles/{id}with{ "status": "published" } - Sub-resource Creation:
PUT /articles/{id}/publication - Controller Resource:
POST /articles/{id}/actions/publish(last resort)
Naming Conventions
URL Structure
- Lower-case kebab-case:
GET /user-profiles - Resources are nouns:
POST /projects(notPOST /createProject) - Plural for collections:
GET /users(except singletons like/me)
Query Parameters (camelCase)
q: Search query stringlimit: Max results per pageoffset: Starting index (0-based)page: Page number (1-based)fields: Comma-separated list of fields to includeembed: Comma-separated list of related resources to includesortBy: Sort field name
Request & Response JSON (camelCase)
createdAt,userId(default for JS/TS clients)- Exception: follow existing project convention if different (e.g.,
snake_casein Python/Ruby/Go). Check existing API responses first.
Versioning
- URL Versioning (Preferred):
GET /v1/users - Header Versioning:
Accept: application/vnd.myapi.v1+json - Do not mix strategies.
Standard Formats & Envelopes
Pagination
{
"data": [ ...items... ],
"meta": {
"pagination": {
"total": 100,
"count": 20,
"perPage": 20,
"currentPage": 2,
"totalPages": 5,
"links": {
"next": "https://api.example.com/v1/users?page=3",
"prev": "https://api.example.com/v1/users?page=1"
}
}
}
}
Envelope Pattern
Always wrap collections in a data key. Never return naked arrays.
Dates and Times
ISO 8601 UTC: "createdAt": "2023-10-27T14:30:00.000Z". Always UTC (Z suffix). Never epoch seconds.
Resource Identifiers
String-based IDs (UUIDs or prefixed IDs like usr_123abc) to prevent enumeration. Avoid sequential integers for public interfaces.
Error Responses (RFC 7807)
{
"type": "about:blank",
"title": "Invalid Request",
"status": 400,
"detail": "Email is required.",
"instance": "/v1/users",
"errors": [
{ "field": "email", "message": "Must be a valid email address" }
]
}
Standard Status Codes
Success (2xx): 200 OK, 201 Created (with Location header), 202 Accepted (async), 204 No Content (deletion/update with no body).
Client Error (4xx): 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 405 Method Not Allowed, 409 Conflict, 422 Unprocessable Entity, 429 Too Many Requests.
Server Error (5xx): 500 Internal Server Error, 503 Service Unavailable.
Common Mistakes
- Returning
200 OKfor errors → use 4xx/5xx - Using
POSTfor updates → usePATCH/PUT - Trailing slashes → remove them
- Versioning in headers only → put version in URL
Related Skills
jon23d/zod-env
development
VerifiedTrustedCommunity
Use when adding or modifying environment variable handling in TypeScript projects or monorepos — especially when using process.env directly, missing startup validation, sharing env schemas across packages, or encountering "undefined is not a string" errors at runtime from missing env vars.
2SKILL.mdUpdated Apr 16, 2026
jon23d/writing-skills
testing
VerifiedTrustedCommunity
Use when creating a new skill, editing an existing skill, writing a SKILL.md, or verifying a skill works before deployment.
2SKILL.mdUpdated Apr 16, 2026
jon23d/ui-design
development
VerifiedTrustedCommunity
React UI design principles and conventions. Load when building or modifying any user interface or React components. Covers application type detection, visual standards, component design and structure, Mantine (business apps) and Tailwind (consumer apps), accessibility, responsiveness, state management, data fetching, testing, and in-app help patterns.
2SKILL.mdUpdated Apr 16, 2026
jon23d/ts-linting
development
VerifiedTrustedCommunity
Use when setting up ESLint and/or Prettier in a TypeScript project, adding linting to an existing TypeScript codebase, or configuring typescript-eslint, eslint-config-prettier, or related packages.
2SKILL.mdUpdated Apr 16, 2026