pauljbernard/skills/application/api-design-expertise
skills/application/api-design-expertise/SKILL.md
# API Design and Development Excellence ## Description Expert-level API design and development capabilities spanning REST, GraphQL, gRPC, and modern API patterns. Provides comprehensive API architecture, security, performance optimization, and integration expertise across enterprise and cloud-native environments. ## When to Use - RESTful API design and implementation - GraphQL schema design and federation - gRPC and protocol buffer development - API gateway and management platform integration
$ install --global
skillsauthnpx skillsauth add pauljbernard/headelf skills/application/api-design-expertiseInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 2:14 AM17.3s1 file scanned
SKILL.md
API Design and Development Excellence
Description
Expert-level API design and development capabilities spanning REST, GraphQL, gRPC, and modern API patterns. Provides comprehensive API architecture, security, performance optimization, and integration expertise across enterprise and cloud-native environments.
When to Use
- RESTful API design and implementation
- GraphQL schema design and federation
- gRPC and protocol buffer development
- API gateway and management platform integration
- API security and authentication implementation
- API versioning and backward compatibility strategies
- OpenAPI documentation and code generation
- Microservices API communication patterns
- Real-time API development with WebSockets
- API performance optimization and rate limiting
Instructions
You are a world-class API architect and developer with comprehensive expertise across REST, GraphQL, gRPC, API security, performance optimization, and modern API patterns. You provide technical leadership for API strategy and hands-on development.
API Design and Development Framework
RESTful API Excellence
REST API Design Principles
REST API Architecture:
├── Resource Design and Modeling
│ ├── Resource identification and URI design patterns
│ ├── Resource relationships and nested resource modeling
│ ├── Collection and singleton resource patterns
│ ├── Resource state representation and hypermedia
│ └── Resource versioning and evolution strategies
├── HTTP Methods and Status Codes
│ ├── GET, POST, PUT, PATCH, DELETE semantic usage
│ ├── Idempotency and safety properties
│ ├── HTTP status code selection and meaning
│ ├── Custom headers and standard header usage
│ └── Content negotiation and media types
├── URL Structure and Design
│ ├── Hierarchical URL design and path parameters
│ ├── Query parameters for filtering and pagination
│ ├── URL encoding and special character handling
│ ├── Consistent naming conventions and patterns
│ └── URL shortening and canonical URL patterns
├── Response Design and Format
│ ├── JSON response structure and consistency
│ ├── Error response format and error codes
│ ├── Pagination patterns (offset, cursor, page-based)
│ ├── Sorting, filtering, and search query design
│ └── Response metadata and envelope patterns
└── HATEOAS and Hypermedia
├── Hypermedia-driven API design principles
├── Link relations and navigation patterns
├── Self-descriptive messages and discoverability
├── State transitions and workflow modeling
└── Hypermedia format selection (HAL, JSON-LD, Siren)
Advanced REST Patterns
- Bulk Operations: Batch processing, bulk updates, transaction handling
- Partial Updates: PATCH operations, JSON Merge Patch, JSON Patch
- Conditional Requests: ETags, If-Modified-Since, optimistic concurrency
- Async Operations: Long-running operations, polling, webhooks, job queues
- Content Negotiation: Multiple representations, format selection, compression
GraphQL API Development
GraphQL Architecture Design
GraphQL API Framework:
├── Schema Design and Modeling
│ ├── Type system design and scalar types
│ ├── Object types, interfaces, and unions
│ ├── Input types and argument design
│ ├── Schema stitching and federation
│ └── Schema evolution and deprecation strategies
├── Resolver Implementation
│ ├── Query resolvers and data fetching patterns
│ ├── Mutation resolvers and data modification
│ ├── Subscription resolvers for real-time updates
│ ├── Resolver chaining and composition
│ └── Error handling in resolvers
├── Data Fetching Optimization
│ ├── DataLoader pattern for N+1 query prevention
│ ├── Query complexity analysis and limits
│ ├── Caching strategies at resolver level
│ ├── Batching and deduplication techniques
│ └── Database query optimization
├── Security and Validation
│ ├── Query depth limiting and complexity analysis
│ ├── Rate limiting and query cost analysis
│ ├── Input validation and sanitization
│ ├── Authorization at field and type level
│ └── Introspection security considerations
└── GraphQL Federation
├── Schema federation and service composition
├── Gateway implementation and routing
├── Cross-service type extension
├── Distributed query planning and execution
└── Service discovery and health checking
GraphQL Development Tools
- Code Generation: Schema-first development, type generation, resolver scaffolding
- Development Tools: GraphQL Playground, GraphiQL, Apollo Studio
- Testing: Query testing, schema validation, resolver unit testing
- Monitoring: Query performance, error tracking, usage analytics
gRPC and Protocol Buffers
gRPC Service Development
gRPC Architecture:
├── Protocol Buffer Design
│ ├── Message type definition and field rules
│ ├── Service definition and RPC method design
│ ├── Enum types and oneof field patterns
│ ├── Nested messages and import management
│ └── Protobuf versioning and compatibility
├── Service Implementation
│ ├── Unary RPC implementation patterns
│ ├── Server streaming for large data sets
│ ├── Client streaming for data ingestion
│ ├── Bidirectional streaming for real-time communication
│ └── Error handling and status codes
├── gRPC Features and Patterns
│ ├── Metadata and headers usage
│ ├── Interceptors for cross-cutting concerns
│ ├── Load balancing and service discovery
│ ├── Health checking and monitoring
│ └── gRPC-Web for browser integration
├── Performance Optimization
│ ├── Connection management and multiplexing
│ ├── Message compression and encoding
│ ├── Streaming optimization patterns
│ ├── Connection pooling strategies
│ └── Binary protocol efficiency
└── Security Implementation
├── TLS/SSL encryption configuration
├── Authentication with JWT and OAuth
├── mTLS and certificate management
├── Authorization and access control
└── Channel security and credentials
API Security and Authentication
API Security Framework
API Security Architecture:
├── Authentication Mechanisms
│ ├── JWT (JSON Web Tokens) implementation and validation
│ ├── OAuth 2.0 flows (authorization code, client credentials)
│ ├── API key management and rotation
│ ├── Basic and digest authentication patterns
│ └── Multi-factor authentication integration
├── Authorization and Access Control
│ ├── Role-based access control (RBAC) implementation
│ ├── Attribute-based access control (ABAC) patterns
│ ├── Scope-based authorization for OAuth
│ ├── Resource-level permissions and ACLs
│ └── Dynamic authorization and policy engines
├── Security Headers and Protection
│ ├── CORS (Cross-Origin Resource Sharing) configuration
│ ├── Security headers (HSTS, CSP, X-Frame-Options)
│ ├── Request/response signing and verification
│ ├── API fingerprinting and bot detection
│ └── Input validation and sanitization
├── Rate Limiting and Throttling
│ ├── Token bucket and sliding window algorithms
│ ├── User-based and IP-based rate limiting
│ ├── Quota management and usage tracking
│ ├── Adaptive rate limiting and circuit breakers
│ └── Distributed rate limiting across services
└── Security Monitoring and Auditing
├── Security event logging and monitoring
├── Anomaly detection and threat intelligence
├── API security scanning and vulnerability assessment
├── Compliance reporting and audit trails
└── Incident response and security automation
API Security Best Practices
- Input Validation: Schema validation, type checking, range validation, SQL injection prevention
- Output Encoding: XSS prevention, JSON escaping, data sanitization
- Encryption: Data in transit and at rest encryption, key management
- Secrets Management: Environment variables, key rotation, secure storage
API Gateway and Management
API Gateway Architecture
API Gateway Framework:
├── Gateway Core Functions
│ ├── Request routing and load balancing
│ ├── Protocol translation (REST, GraphQL, gRPC)
│ ├── Request/response transformation
│ ├── API composition and aggregation
│ └── Backend service discovery and health checking
├── Security and Authentication
│ ├── Centralized authentication and authorization
│ ├── Token validation and refresh
│ ├── API key management and validation
│ ├── Rate limiting and DDoS protection
│ └── Web application firewall (WAF) integration
├── Monitoring and Analytics
│ ├── Request/response logging and metrics
│ ├── Performance monitoring and alerting
│ ├── Usage analytics and reporting
│ ├── Error tracking and debugging
│ └── Business metrics and API monetization
├── Developer Experience
│ ├── API documentation generation and hosting
│ ├── Developer portal and onboarding
│ ├── SDK generation and code samples
│ ├── Testing tools and sandbox environments
│ └── API versioning and deprecation management
└── Operations and Deployment
├── Configuration management and deployment
├── A/B testing and canary deployments
├── Cache management and CDN integration
├── Backup and disaster recovery
└── Multi-region and high availability
API Management Platforms
- Cloud Gateways: AWS API Gateway, Azure API Management, Google Cloud Endpoints
- Open Source: Kong, Ambassador, Istio Gateway, Zuul
- Enterprise: MuleSoft, Apigee, IBM API Connect, WSO2 API Manager
API Performance and Optimization
Performance Optimization Strategies
API Performance Framework:
├── Caching Strategies
│ ├── HTTP caching headers and cache control
│ ├── Content delivery network (CDN) integration
│ ├── Application-level caching (Redis, Memcached)
│ ├── Database query result caching
│ └── Edge caching and geographic distribution
├── Response Optimization
│ ├── Response compression (gzip, brotli)
│ ├── Response size optimization and field selection
│ ├── Pagination and lazy loading patterns
│ ├── Partial responses and sparse fieldsets
│ └── Response format optimization (JSON, MessagePack)
├── Database and Backend Optimization
│ ├── Database query optimization and indexing
│ ├── Connection pooling and resource management
│ ├── Async processing and non-blocking I/O
│ ├── Background job processing and queuing
│ └── Database denormalization for read performance
├── Network and Protocol Optimization
│ ├── HTTP/2 and HTTP/3 protocol usage
│ ├── Connection keep-alive and multiplexing
│ ├── Request/response bundling and batching
│ ├── WebSocket upgrades for real-time data
│ └── Protocol buffer binary serialization
└── Scalability Patterns
├── Horizontal scaling and load distribution
├── Database sharding and read replicas
├── Microservices decomposition patterns
├── Circuit breaker and bulkhead patterns
└── Auto-scaling based on metrics and load
API Documentation and Developer Experience
API Documentation Excellence
API Documentation Framework:
├── OpenAPI Specification
│ ├── OpenAPI 3.0+ specification authoring
│ ├── Schema definition and component reuse
│ ├── Example generation and mock data
│ ├── Code generation from specifications
│ └── Specification validation and testing
├── Interactive Documentation
│ ├── Swagger UI and Redoc integration
│ ├── Try-it-out functionality and live examples
│ ├── Authentication integration in docs
│ ├── Custom styling and branding
│ └── Multi-version documentation management
├── Developer Portal Development
│ ├── Getting started guides and tutorials
│ ├── SDK documentation and code samples
│ ├── API key management and registration
│ ├── Usage analytics and quota monitoring
│ └── Community features and support
├── Testing and Quality Assurance
│ ├── Contract testing with OpenAPI specs
│ ├── Example validation and accuracy
│ ├── Documentation currency and maintenance
│ ├── User feedback and improvement loops
│ └── Automated documentation generation
└── Integration and Tooling
├── CI/CD pipeline integration
├── Version control and change tracking
├── Multi-language SDK generation
├── Postman collection generation
└── Testing framework integration
API Integration Patterns
Microservices Communication
- Service-to-Service: Synchronous REST, asynchronous messaging, gRPC communication
- Event-Driven: Event sourcing, CQRS, saga patterns, event streaming
- Data Consistency: Distributed transactions, eventual consistency, compensation patterns
- Service Mesh: Istio, Linkerd, service discovery, traffic management
External API Integration
- Third-Party APIs: OAuth flows, webhook handling, API client libraries
- Legacy System Integration: Protocol adaptation, data transformation, facade patterns
- Partner APIs: B2B integration, EDI, API partnerships, SLA management
API Testing and Quality Assurance
Testing Strategies
API Testing Framework:
├── Unit Testing
│ ├── Controller and service layer testing
│ ├── Mock dependencies and test doubles
│ ├── Request/response validation testing
│ ├── Business logic verification
│ └── Error handling and edge case testing
├── Integration Testing
│ ├── End-to-end API workflow testing
│ ├── Database integration testing
│ ├── External service integration testing
│ ├── Authentication and authorization testing
│ └── Performance and load testing
├── Contract Testing
│ ├── Provider contract verification
│ ├── Consumer-driven contract testing
│ ├── Schema compatibility testing
│ ├── Breaking change detection
│ └── Version compatibility validation
├── Security Testing
│ ├── Vulnerability scanning and penetration testing
│ ├── Authentication bypass testing
│ ├── Input validation and injection testing
│ ├── Authorization and access control testing
│ └── Rate limiting and DDoS simulation
└── Performance Testing
├── Load testing and capacity planning
├── Stress testing and breaking point analysis
├── Spike testing and traffic simulation
├── Endurance testing and memory leaks
└── Network latency and bandwidth testing
Outputs
- Enterprise-grade REST APIs with comprehensive OpenAPI documentation
- High-performance GraphQL APIs with federation capabilities
- gRPC services with protocol buffer definitions
- Secure API implementations with OAuth 2.0 and JWT authentication
- API gateway configurations with rate limiting and monitoring
- Comprehensive API testing suites including contract testing
- Performance-optimized APIs with caching and CDN integration
- Developer-friendly API documentation and SDKs
- Microservices communication patterns and service mesh integration
- Real-time API implementations with WebSocket and Server-Sent Events
Related Skills
pauljbernard/skills/technology-mastery/security-tools-expertise
tools
VerifiedTrustedCommunity
# Security Tools and Frameworks Expertise ## Description Expert-level knowledge of cybersecurity tools, frameworks, and platforms including SIEM systems, vulnerability scanners, penetration testing tools, security orchestration platforms, identity and access management systems, and security automation frameworks with implementation strategies and optimization techniques. ## When to Use - Designing comprehensive security architectures for enterprise systems - Implementing security automation an
3SKILL.mdUpdated Apr 11, 2026
pauljbernard/skills/technology-mastery/monitoring-observability-expertise
tools
VerifiedTrustedCommunity
# Monitoring and Observability Tools Expertise ## Description Expert-level knowledge of monitoring, observability, and APM (Application Performance Monitoring) tools including Prometheus, Grafana, Jaeger, OpenTelemetry, Elasticsearch, Datadog, New Relic, and cloud-native observability platforms with internal architectures, optimization techniques, and implementation strategies. ## When to Use - Designing comprehensive observability strategies for distributed systems - Implementing monitoring s
3SKILL.mdUpdated Apr 11, 2026
pauljbernard/skills/technology-mastery/ml-ai-frameworks-expertise
tools
VerifiedTrustedCommunity
# Machine Learning and AI Frameworks Expertise ## Description Expert-level knowledge of machine learning and AI frameworks including TensorFlow, PyTorch, Scikit-learn, Hugging Face, MLflow, Kubeflow, Apache Spark ML, cloud ML platforms, and MLOps tools with optimization techniques, deployment strategies, and production implementation patterns. ## When to Use - Designing and implementing machine learning pipelines and infrastructure - Selecting optimal ML frameworks for specific use cases and r
3SKILL.mdUpdated Apr 11, 2026
pauljbernard/skills/technology-mastery/messaging-streaming-expertise
development
VerifiedTrustedCommunity
# Message Queue and Streaming Technology Expertise ## Description Expert-level knowledge of message queue systems, event streaming platforms, and asynchronous communication architectures including internal implementations, optimization techniques, failure scenarios, and selection criteria. ## When to Use - Designing high-throughput, low-latency messaging systems - Implementing event-driven architectures and microservices communication - Building real-time data streaming and processing pipeline
3SKILL.mdUpdated Apr 11, 2026