klod68/api-design-standards
.claude/skills/api-design-standards/SKILL.md
Use when designing or reviewing RESTful HTTP APIs, endpoint routing, status codes, pagination, error responses, or OpenAPI specs in .NET projects.
$ install --global
skillsauthnpx skillsauth add klod68/littlerae api-design-standardsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 2:09 AM401.3s1 file scanned
SKILL.md
name: api-design-standards description: "Use when designing or reviewing RESTful HTTP APIs, endpoint routing, status codes, pagination, error responses, or OpenAPI specs in .NET projects."
Skill: RESTful API Design Standards
Identity
| Field | Value |
|---|---|
| Name | RESTful API Design Standards |
| Domain | Web API, HTTP, REST |
| Level | Feature |
| Tags | api, rest, http, endpoints, pagination, openapi |
When to Apply
Activate this skill when the task involves:
- Designing or reviewing HTTP API endpoints
- Resource naming, URI structure, or route patterns
- HTTP method semantics and status code selection
- Pagination, filtering, or sorting strategies
- API error response formatting
- OpenAPI / Swagger specification
Rules
These rules layer on top of base architectural standards. On conflict, these win.
<!-- SHARED:rules/api-design.md -->API Design — RESTful Conventions
Apply these rules in addition to _base.md for projects exposing HTTP APIs (Minimal API or MVC controllers).
Resource Naming
- URIs identify resources (nouns), never actions (verbs):
/orders,/users/{id}/addresses— never/getOrdersor/createUser. - Use plural nouns for collection endpoints:
/products,/categories. - Use kebab-case for multi-word segments:
/order-items,/shipping-addresses— never camelCase or snake_case in URIs. - Nest resources only one level deep:
/users/{id}/orders— never/users/{id}/orders/{orderId}/items/{itemId}. Accessitemsdirectly:/order-items/{itemId}. - API version prefix:
/api/v1/orders— version in the path, not headers, unless the project has an explicit versioning strategy that overrides this default.
HTTP Method Semantics
| Method | Semantics | Idempotent | Safe | Typical Status |
|--------|-----------|------------|------|----------------|
| GET | Read resource(s) | Yes | Yes | 200 OK |
| POST | Create resource | No | No | 201 Created + Location header |
| PUT | Full replace of resource | Yes | No | 204 No Content |
| PATCH | Partial update | No | No | 204 No Content |
| DELETE | Remove resource | Yes | No | 204 No Content or 404 Not Found |
- Never use
GETfor operations with side effects. POSTis the only method for non-idempotent operations — never overloadGETwith query parameters that trigger actions.PUTreplaces the entire resource — if only updating partial fields, usePATCH.
Pagination
- Collection endpoints must support pagination — never return unbounded result sets.
- Use query parameters:
?page=1&pageSize=20(offset-based) or?cursor=abc&limit=20(cursor-based). - Response includes pagination metadata in the body — never in custom headers.
{
"items": [...],
"page": 1,
"pageSize": 20,
"totalCount": 142,
"totalPages": 8
}
- Default page size is a policy value (settings class) — never hardcoded. Cap at a maximum (e.g., 100).
- Cursor-based pagination is preferred for large datasets — offset pagination degrades with deep pages.
Filtering, Sorting, Searching
- Filtering uses query parameters matching property names:
?status=active&category=electronics. - Sorting uses a
sortparameter with+/-prefix:?sort=-createdAt,+name(descending by date, ascending by name). - Full-text search uses a
qparameter:?q=wireless+headphones. - Never expose raw SQL or OData syntax in query parameters — define an explicit filter vocabulary.
Error Responses
- All errors use RFC 7807
ProblemDetailsformat — never plain strings or custom error shapes. - Validation errors return
400 Bad Requestwith aValidationProblemDetailsbody including field-level errors. - Business rule violations return
422 Unprocessable Entitywith a descriptiveProblemDetails. - Always include
type,title,status, anddetail—instanceis optional. - Never expose stack traces, internal paths, or connection strings in error responses.
{
"type": "https://api.example.com/errors/insufficient-stock",
"title": "Insufficient Stock",
"status": 422,
"detail": "Product SKU-123 has only 3 units available; 10 were requested.",
"instance": "/api/v1/orders"
}
Request & Response Conventions
- Every endpoint has dedicated request and response DTOs — never reuse domain entities.
- Response DTOs are flat — avoid deep nesting. Use links or IDs for related resources instead of embedding.
nullfields are omitted from JSON output (JsonIgnoreCondition.WhenWritingNull) — never send explicitnullfor absent optional fields.- Date/time values are ISO 8601 in UTC:
"2024-12-15T14:30:00Z"— never local time or Unix timestamps. - Monetary values include amount and currency:
{ "amount": 49.99, "currency": "USD" }— never bare numbers.
HATEOAS (When Applicable)
- Include
_linksfor discoverable related actions only when the project adopts HATEOAS — not mandatory for internal APIs. - Minimum links:
self, collection-levelnext/prevfor paginated resources. - Link relations follow IANA registered types where applicable.
Idempotency
PUTandDELETEare naturally idempotent — no extra work needed.- For
POSToperations that must be idempotent (payment, order creation), accept anIdempotency-Keyheader. - Store the key and response for a configurable window — return the cached response on duplicate requests.
Rate Limiting
- Public endpoints must declare rate limits — use .NET 7+
RateLimitermiddleware. - Return
429 Too Many Requestswith aRetry-Afterheader. - Rate limit policies are per-endpoint or per-group — never a single global limit for all endpoints.
- Authentication endpoints have stricter limits than data endpoints.
OpenAPI / Documentation
- Every public API endpoint has XML documentation on its handler method.
- Use
[ProducesResponseType]or.Produces<T>()for all possible status codes — not just the happy path. - Include
[Description]or[EndpointSummary]for OpenAPI metadata. - Schema examples use
[Example]attributes or Swashbuckle filters — never rely on default serialization output.
Common Anti-Patterns
| Anti-Pattern | Fix |
|---|---|
| Verb in URI (/getOrders, /createUser) | Use nouns + HTTP methods: GET /orders, POST /users |
| Unbounded collection endpoint | Add pagination with default + max page size |
| Domain entity as response body | Map to dedicated response DTO |
| Custom error format per endpoint | Use RFC 7807 ProblemDetails everywhere |
| 200 OK for everything | Use semantically correct status codes |
| CamelCase in URIs | Use kebab-case: /order-items |
| Version in Accept header only | Default to URL prefix: /api/v1/ |
| Hardcoded page size | Move to settings class with documented default and max cap |
| Stack traces in error responses | Use ProblemDetails without internal details |
| Local timestamps in responses | Always use ISO 8601 UTC |
See Also
api-contracts.md— Interface-first design, return type abstractions, contract versioningminimal-api.md— Minimal API endpoint organization, handlers, filters, validationauth.md— Authentication, authorization, OAuth/OIDC, secrets managementresult-error-handling.md— Result object pattern, error constants, exception boundaries
Related Skills
klod68/interceptor-pipeline
tools
VerifiedTrustedCommunity
Use when cross-cutting concerns (logging, metrics, validation, authorization) are tangled into command handlers or service methods, when building database command pipelines with reorderable concerns, or when HTTP client pipelines or message handlers need composable, independently-replaceable processing stages. Covers ICommandInterceptor interface, InterceptorPipeline with reverse-chain construction, zero-cost Empty sentinel to skip overhead when no interceptors are registered, and ConfigureAwait(false) discipline for library code. Domain: Architecture, Cross-Cutting Concerns. Level: Intermediate. Tags: interceptor, pipeline, middleware, decorator, cross-cutting-concerns.
1SKILL.mdUpdated Apr 17, 2026
klod68/integration-testing-webapplicationfactory
development
VerifiedTrustedCommunity
Use when writing integration tests for Razor Pages, MVC, or Minimal API applications to validate routing, middleware, page rendering, and HTTP behavior without a browser or live server, or when adding fast smoke tests to a CI pipeline. Covers WebApplicationFactory<Program> setup with public partial class Program, in-memory test server, AngleSharp HTML parsing, CSS selector assertions, redirect and status code testing, and a shared static fixture pattern for minimal per-test startup overhead. Domain: Testing, ASP.NET Core. Level: Intermediate. Tags: integration-testing, webapplicationfactory, razor-pages, anglesharp, http-testing.
1SKILL.mdUpdated Apr 17, 2026
klod68/index-design-strategy
development
VerifiedTrustedCommunity
Use when designing indexes for new tables, diagnosing slow queries that are not using indexes efficiently, reviewing index fragmentation and maintenance, or when the current indexing strategy results in key lookups, table scans, or missing index warnings. Covers clustered index key selection (narrow, unique, ever-increasing), non-clustered index design for query patterns, covering indexes with INCLUDE columns, filtered indexes for subset queries, composite index column ordering, DMV-based monitoring for missing and unused indexes, and rebuild vs reorganize maintenance thresholds. Domain: Database, Performance. Level: Intermediate. Tags: index, sql-server, covering-index, filtered-index, performance, dmv, maintenance.
1SKILL.mdUpdated Apr 17, 2026
klod68/in-memory-search-registry
development
VerifiedTrustedCommunity
Use when building a searchable in-memory catalog or registry for documentation sites, admin panels, or type/API browsers where you need keyword matching, fuzzy search, and ranked results without an external search engine or database. Covers RegistryService with weighted scoring across name, description, keywords, and method names; Levenshtein fuzzy matching; synonym expansion; category and subcategory filtering; and singleton DI registration for datasets of hundreds to low thousands of items. Domain: Search, Data Access Patterns. Level: Intermediate. Tags: search, registry, fuzzy-matching, in-memory, catalog, filtering.
1SKILL.mdUpdated Apr 17, 2026