API Development
Orchestrate the full API development lifecycle by coordinating design, implementation, testing, and documentation into a single workflow.
When to Use This Skill
- - Building a new API from scratch
- Adding endpoints to an existing API
- Redesigning or refactoring an API
- Planning API versioning and migration
- Running a complete API development cycle (design → build → test → document → deploy)
Orchestration Flow
Follow these steps in order. Each step routes to the appropriate skill or tool.
1. Design the API
Load the api-design skill to establish resource models, URL structure, HTTP method semantics, error formats, and pagination strategy.
Deliverables: Resource list, endpoint map, request/response schemas, error format
2. Generate OpenAPI Spec
Produce a machine-readable OpenAPI 3.x specification from the design. Use the OpenAPI template in api-design/assets/openapi-template.yaml as a starting point.
Deliverables: openapi.yaml with all endpoints, schemas, auth schemes, and examples
3. Scaffold Endpoints
Generate route files, request/response types, and validation schemas for each endpoint. Group routes by resource.
Deliverables: Route files, type definitions, validation schemas per resource
4. Implement Business Logic
Write service-layer logic with input validation, authorization checks, database queries, and proper error propagation. Keep controllers thin — business logic lives in the service layer.
Deliverables: Service modules, repository layer, middleware (auth, rate limiting, CORS)
5. Test
Write tests at three levels:
- - Unit tests — service logic, validation, error handling
- Integration tests — endpoint behavior with real DB
- Contract tests — response shapes match OpenAPI spec
Deliverables: Test suite with coverage for happy paths, error cases, edge cases, and auth
6. Document
Generate human-readable API documentation with usage examples and SDK snippets. Ensure every endpoint has description, parameters, request/response examples, and error codes.
Deliverables: API docs, changelog, authentication guide
7. Version and Deploy
Apply a versioning strategy, tag the release, update changelogs, and deploy through the pipeline. Follow the api-versioning skill for deprecation and migration guidance.
Deliverables: Version tag, changelog entry, deployment confirmation
API Design Decision Table
Choose the right paradigm for your use case.
| Criteria | REST | GraphQL | gRPC |
|---|
| Best for | CRUD-heavy public APIs | Complex relational data, client-driven queries | Internal microservices, high-throughput |
| Data fetching |
Fixed response shape per endpoint | Client specifies exact fields | Strongly typed protobuf messages |
|
Over/under-fetching | Common problem | Solved by design | Minimal — schema is explicit |
|
Caching | Native HTTP caching (ETags, Cache-Control) | Requires custom caching | No built-in HTTP caching |
|
Real-time | Polling or WebSockets | Subscriptions (built-in) | Bidirectional streaming |
|
Tooling | Mature — OpenAPI, Postman, curl | Growing — Apollo, Relay, GraphiQL | Mature — protoc, grpcurl, Buf |
|
Learning curve | Low | Medium | Medium-High |
|
Versioning | URL or header versioning | Schema evolution with
@deprecated | Package versioning in
.proto |
Rule of thumb: Default to REST for public APIs. Use GraphQL when clients need flexible queries across related data. Use gRPC for internal service-to-service communication.
API Checklist
Run through this checklist before marking any API work as complete.
Authentication & Authorization
- - [ ] Authentication mechanism chosen (JWT, OAuth2, API key)
- [ ] Authorization rules enforced at every endpoint
- [ ] Tokens validated and scoped correctly
- [ ] Secrets stored securely (never in code or logs)
Rate Limiting
- - [ ] Rate limits configured per endpoint or consumer tier
- [ ]
RateLimit-* headers included in responses - [ ]
429 Too Many Requests returned with Retry-After header - [ ] Rate limit strategy documented for consumers
Pagination
- - [ ] All collection endpoints paginated
- [ ] Pagination style chosen (cursor-based or offset-based)
- [ ]
page_size bounded with a sensible maximum - [ ] Total count or
hasNextPage indicator included
Filtering & Sorting
- - [ ] Filter parameters validated and sanitized
- [ ] Sort fields allow-listed (no arbitrary column sorting)
- [ ] Default sort order defined and documented
Error Handling
- - [ ] Consistent error response schema across all endpoints
- [ ] Correct HTTP status codes (4xx for client, 5xx for server)
- [ ] Validation errors return field-level detail
- [ ] Internal errors never leak stack traces or sensitive data
Versioning
- - [ ] Versioning strategy selected and applied uniformly
- [ ] Breaking vs non-breaking change policy documented
- [ ] Deprecation timeline communicated via
Sunset header
CORS
- - [ ] Allowed origins configured (no wildcard
* in production with credentials) - [ ] Allowed methods and headers explicitly listed
- [ ] Preflight (
OPTIONS) requests handled correctly
Documentation
- - [ ] OpenAPI / Swagger spec generated and up to date
- [ ] Every endpoint has description, parameters, and example responses
- [ ] Authentication requirements documented
- [ ] Error codes and meanings listed
- [ ] Changelog maintained for each version
Security
- - [ ] Input validation on all fields
- [ ] SQL injection prevention
- [ ] HTTPS enforced
- [ ] Sensitive data never in URLs or logs
- [ ] CORS configured correctly
Monitoring
- - [ ] Structured logging with request IDs
- [ ] Error tracking configured (Sentry, Datadog, etc.)
- [ ] Performance metrics collected (latency, error rate)
- [ ] Health check endpoint available (
/health) - [ ] Alerts configured for error rate spikes
Skill Routing Table
| Need | Skill | Purpose |
|---|
| API design principles | INLINECODE15 | Resource modeling, HTTP semantics, pagination, error formats |
| Versioning strategy |
api-versioning | Version lifecycle, deprecation, migration patterns |
| Authentication |
auth-patterns | JWT, OAuth2, sessions, RBAC, MFA |
| Error handling |
error-handling | Error types, retry patterns, circuit breakers, HTTP errors |
| Rate limiting |
rate-limiting | Algorithms, HTTP headers, tiered limits, distributed limiting |
| Caching |
caching | Cache strategies, HTTP caching, invalidation, Redis patterns |
| Database migrations |
database-migrations | Schema evolution, zero-downtime patterns, rollback strategies |
NEVER Do
- 1. NEVER skip the design phase — jumping straight to code produces inconsistent APIs that are expensive to fix
- NEVER expose database schema directly — API resources are not database tables; design around consumer use cases
- NEVER ship without authentication — every production endpoint must have an auth strategy
- NEVER return inconsistent error formats — every error response must follow the same schema
- NEVER break a published API without a versioning plan — breaking changes require a new version, migration guide, and deprecation timeline
- NEVER deploy without tests and documentation — untested APIs ship bugs, undocumented APIs frustrate developers
API 开发
通过将设计、实现、测试和文档整合到单一工作流中,统筹管理完整的 API 开发生命周期。
何时使用此技能
- - 从零开始构建新 API
- 为现有 API 添加端点
- 重新设计或重构 API
- 规划 API 版本管理和迁移
- 运行完整的 API 开发周期(设计 → 构建 → 测试 → 文档 → 部署)
编排流程
按顺序执行以下步骤。每个步骤将路由到相应的技能或工具。
1. 设计 API
加载 api-design 技能,以建立资源模型、URL 结构、HTTP 方法语义、错误格式和分页策略。
交付物: 资源列表、端点映射、请求/响应模式、错误格式
2. 生成 OpenAPI 规范
根据设计生成机器可读的 OpenAPI 3.x 规范。使用 api-design/assets/openapi-template.yaml 中的 OpenAPI 模板作为起点。
交付物: 包含所有端点、模式、认证方案和示例的 openapi.yaml
3. 搭建端点骨架
为每个端点生成路由文件、请求/响应类型和验证模式。按资源对路由进行分组。
交付物: 每个资源的路由文件、类型定义、验证模式
4. 实现业务逻辑
编写包含输入验证、授权检查、数据库查询和正确错误传播的服务层逻辑。保持控制器精简——业务逻辑位于服务层。
交付物: 服务模块、仓储层、中间件(认证、速率限制、CORS)
5. 测试
在三个层级编写测试:
- - 单元测试 — 服务逻辑、验证、错误处理
- 集成测试 — 使用真实数据库的端点行为
- 契约测试 — 响应形状与 OpenAPI 规范匹配
交付物: 覆盖正常路径、错误情况、边界情况和认证的测试套件
6. 文档
生成包含使用示例和 SDK 代码片段的人类可读 API 文档。确保每个端点都有描述、参数、请求/响应示例和错误码。
交付物: API 文档、变更日志、认证指南
7. 版本管理与部署
应用版本管理策略,标记发布版本,更新变更日志,并通过流水线部署。遵循 api-versioning 技能获取弃用和迁移指导。
交付物: 版本标签、变更日志条目、部署确认
API 设计决策表
为您的用例选择正确的范式。
| 标准 | REST | GraphQL | gRPC |
|---|
| 最佳适用场景 | CRUD 密集型公共 API | 复杂关系数据、客户端驱动查询 | 内部微服务、高吞吐量 |
| 数据获取 |
每个端点固定响应形状 | 客户端指定确切字段 | 强类型 protobuf 消息 |
|
过度/不足获取 | 常见问题 | 设计上已解决 | 最小化——模式明确 |
|
缓存 | 原生 HTTP 缓存(ETags、Cache-Control) | 需要自定义缓存 | 无内置 HTTP 缓存 |
|
实时 | 轮询或 WebSockets | 订阅(内置) | 双向流 |
|
工具链 | 成熟——OpenAPI、Postman、curl | 成长中——Apollo、Relay、GraphiQL | 成熟——protoc、grpcurl、Buf |
|
学习曲线 | 低 | 中 | 中高 |
|
版本管理 | URL 或头部版本管理 | 使用 @deprecated 进行模式演进 | .proto 中的包版本管理 |
经验法则: 公共 API 默认使用 REST。当客户端需要对相关数据进行灵活查询时使用 GraphQL。内部服务间通信使用 gRPC。
API 检查清单
在标记任何 API 工作完成前,请逐项检查此清单。
认证与授权
- - [ ] 已选择认证机制(JWT、OAuth2、API 密钥)
- [ ] 每个端点都强制执行授权规则
- [ ] 令牌已正确验证和作用域限定
- [ ] 密钥安全存储(绝不放在代码或日志中)
速率限制
- - [ ] 已为每个端点或消费者层级配置速率限制
- [ ] 响应中包含 RateLimit-* 头部
- [ ] 返回 429 Too Many Requests 并附带 Retry-After 头部
- [ ] 已为消费者记录速率限制策略
分页
- - [ ] 所有集合端点均已分页
- [ ] 已选择分页样式(基于游标或基于偏移量)
- [ ] page_size 有合理的最大值限制
- [ ] 包含总数或 hasNextPage 指示器
过滤与排序
- - [ ] 过滤参数已验证和清理
- [ ] 排序字段已列入白名单(不允许任意列排序)
- [ ] 已定义并记录默认排序顺序
错误处理
- - [ ] 所有端点使用一致的错误响应模式
- [ ] 正确的 HTTP 状态码(4xx 客户端错误,5xx 服务器错误)
- [ ] 验证错误返回字段级详细信息
- [ ] 内部错误绝不泄露堆栈跟踪或敏感数据
版本管理
- - [ ] 已选择并统一应用版本管理策略
- [ ] 已记录破坏性变更与非破坏性变更策略
- [ ] 通过 Sunset 头部传达弃用时间线
CORS
- - [ ] 已配置允许的来源(生产环境中使用凭据时不允许通配符 *)
- [ ] 明确列出允许的方法和头部
- [ ] 正确处理预检(OPTIONS)请求
文档
- - [ ] 已生成并保持最新的 OpenAPI / Swagger 规范
- [ ] 每个端点都有描述、参数和示例响应
- [ ] 已记录认证要求
- [ ] 列出错误码及其含义
- [ ] 为每个版本维护变更日志
安全
- - [ ] 所有字段进行输入验证
- [ ] 防止 SQL 注入
- [ ] 强制使用 HTTPS
- [ ] 敏感数据绝不放在 URL 或日志中
- [ ] 正确配置 CORS
监控
- - [ ] 使用请求 ID 进行结构化日志记录
- [ ] 已配置错误跟踪(Sentry、Datadog 等)
- [ ] 收集性能指标(延迟、错误率)
- [ ] 提供健康检查端点(/health)
- [ ] 为错误率峰值配置告警
技能路由表
| 需求 | 技能 | 目的 |
|---|
| API 设计原则 | api-design | 资源建模、HTTP 语义、分页、错误格式 |
| 版本管理策略 |
api-versioning | 版本生命周期、弃用、迁移模式 |
| 认证 | auth-patterns | JWT、OAuth2、会话、RBAC、MFA |
| 错误处理 | error-handling | 错误类型、重试模式、断路器、HTTP 错误 |
| 速率限制 | rate-limiting | 算法、HTTP 头部、分层限制、分布式限制 |
| 缓存 | caching | 缓存策略、HTTP 缓存、失效、Redis 模式 |
| 数据库迁移 | database-migrations | 模式演进、零停机模式、回滚策略 |
绝对禁止
- 1. 绝对不要跳过设计阶段 — 直接编码会产生不一致的 API,修复成本高昂
- 绝对不要直接暴露数据库模式 — API 资源不是数据库表;围绕消费者用例进行设计
- 绝对不要在无认证的情况下发布 — 每个生产端点都必须有认证策略
- 绝对不要返回不一致的错误格式 — 每个错误响应必须遵循相同的模式
- 绝对不要在无版本管理计划的情况下破坏已发布的 API — 破坏性变更需要新版本、迁移指南和弃用时间线
- 绝对不要在无测试和文档的情况下部署 — 未经测试的 API 会发布错误,无文档的 API 会让开发者感到沮丧
