analyzing-api-layer
Use when analyzing REST/GraphQL API endpoints, contracts, authentication, and client-facing interfaces
Best use case
analyzing-api-layer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when analyzing REST/GraphQL API endpoints, contracts, authentication, and client-facing interfaces
Teams using analyzing-api-layer should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/analyzing-api-layer/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How analyzing-api-layer Compares
| Feature / Agent | analyzing-api-layer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when analyzing REST/GraphQL API endpoints, contracts, authentication, and client-facing interfaces
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Analyzing API Layer
**Output:** `docs/unwind/layers/api/` (folder with index.md + section files)
**Principles:** See `analysis-principles.md` - completeness, machine-readable, link to source, no commentary, incremental writes.
## Output Structure
```
docs/unwind/layers/api/
├── index.md # Endpoint summary table, route count
├── endpoints.md # All controller/route definitions
├── auth.md # Authentication & authorization config
├── contracts.md # OpenAPI/AsyncAPI/TSRest specs [CRITICAL]
└── errors.md # Error handling patterns
```
For large codebases (20+ route files), split by domain:
```
docs/unwind/layers/api/
├── index.md
├── users-api.md
├── orders-api.md
└── ...
```
## Process (Incremental Writes)
**Step 1: Setup**
```bash
mkdir -p docs/unwind/layers/api/
```
Write initial `index.md`:
```markdown
# API Layer
## Sections
- [Endpoints](endpoints.md) - _pending_
- [Authentication](auth.md) - _pending_
- [API Contracts](contracts.md) - _pending_
- [Error Handling](errors.md) - _pending_
## Endpoint Summary
_Analysis in progress..._
```
**Step 2: Analyze and write contracts.md** [CRITICAL - DO FIRST]
1. Search for OpenAPI, AsyncAPI, TSRest, GraphQL specs
2. Include COMPLETE specs (not summaries)
3. Write `contracts.md` immediately
4. Update `index.md`
**Step 3: Analyze and write endpoints.md**
1. Find all controller/route classes
2. Include actual code with annotations
3. Write `endpoints.md` immediately
4. Update `index.md`
**Step 4: Analyze and write auth.md**
1. Find security configuration
2. Document permission matrix
3. Write `auth.md` immediately
4. Update `index.md`
**Step 5: Analyze and write errors.md**
1. Find error handlers, exception mappers
2. Write `errors.md` immediately
3. Update `index.md`
**Step 6: Finalize index.md**
Add endpoint summary table with final counts
## Output Format
```markdown
# API Layer
## Endpoints
### UserController
[UserController.java](https://github.com/owner/repo/blob/main/src/controller/UserController.java)
```java
@RestController
@RequestMapping("/api/v1/users")
@RequiredArgsConstructor
public class UserController {
private final UserService userService;
private final UserMapper userMapper;
@PostMapping
@ResponseStatus(HttpStatus.CREATED)
public UserResponse createUser(@Valid @RequestBody CreateUserRequest request) {
User user = userService.createUser(request);
return userMapper.toResponse(user);
}
@GetMapping("/me")
@PreAuthorize("isAuthenticated()")
public UserResponse getCurrentUser(@AuthenticationPrincipal UserDetails user) {
return userMapper.toResponse(userService.getByEmail(user.getUsername()));
}
@GetMapping("/{id}")
@PreAuthorize("hasRole('ADMIN')")
public UserResponse getUser(@PathVariable Long id) {
return userMapper.toResponse(userService.getUser(id));
}
}
```
[Continue for ALL controllers...]
## Endpoint Summary
| Method | Path | Auth | Handler |
|--------|------|------|---------|
| POST | /api/v1/users | None | UserController.createUser |
| GET | /api/v1/users/me | User | UserController.getCurrentUser |
| GET | /api/v1/users/{id} | Admin | UserController.getUser |
| POST | /api/v1/orders | User | OrderController.createOrder |
[List ALL endpoints...]
## OpenAPI Specification
```yaml
openapi: 3.0.0
info:
title: User API
version: 1.0.0
paths:
/api/v1/users:
post:
operationId: createUser
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/CreateUserRequest'
responses:
'201':
content:
application/json:
schema:
$ref: '#/components/schemas/UserResponse'
```
## Security Configuration
[SecurityConfig.java](https://github.com/owner/repo/blob/main/src/config/SecurityConfig.java)
```java
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session.sessionCreationPolicy(STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/v1/auth/**").permitAll()
.requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class)
.build();
}
}
```
## Error Responses
```java
@RestControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(UserNotFoundException.class)
@ResponseStatus(HttpStatus.NOT_FOUND)
public ErrorResponse handleNotFound(UserNotFoundException ex) {
return new ErrorResponse("USER_NOT_FOUND", ex.getMessage());
}
}
```
## Unknowns
- [List anything unclear]
```
## Additional Requirements
### API Specification Discovery [CRITICAL - MUST PRESERVE]
Search for existing API specifications - these define external contracts and MUST be used AS-IS in any migration to maintain compatibility.
**Search for these file patterns:**
| Spec Type | Common Locations | File Patterns |
|-----------|------------------|---------------|
| OpenAPI/Swagger | `docs/`, `api/`, root | `openapi.yaml`, `openapi.json`, `swagger.yaml`, `swagger.json`, `api.yaml` |
| AsyncAPI | `docs/`, `api/`, root | `asyncapi.yaml`, `asyncapi.json` |
| TSRest | `src/contracts/`, `src/api/` | `contract.ts`, `*Contract.ts`, `*.contract.ts` |
| tRPC | `src/server/`, `src/trpc/` | `router.ts`, `*.router.ts` |
| GraphQL | `src/schema/`, `src/graphql/` | `schema.graphql`, `*.graphql`, `typeDefs.ts` |
| Protobuf | `proto/`, `src/proto/` | `*.proto` |
| JSON Schema | `schemas/`, `src/schemas/` | `*.schema.json` |
**Process:**
1. Search for all spec files using glob patterns
2. Include COMPLETE spec files in documentation (not summaries)
3. Mark as `[CRITICAL - EXTERNAL CONTRACT]`
4. Note any generated client code that depends on specs
**Output Format:**
```markdown
## API Specifications [CRITICAL - EXTERNAL CONTRACT]
### OpenAPI Specification
**Location:** `docs/openapi.yaml`
**Version:** 3.0.0
**Endpoints Defined:** 45
```yaml
# INCLUDE COMPLETE SPEC - DO NOT SUMMARIZE
openapi: 3.0.0
info:
title: MyService API
version: 2.1.0
paths:
/api/v1/users:
...
[FULL SPEC HERE]
```
### TSRest Contract
**Location:** `src/contracts/api.contract.ts`
```typescript
// INCLUDE COMPLETE CONTRACT
import { initContract } from '@ts-rest/core';
const c = initContract();
export const apiContract = c.router({
users: {
create: {
method: 'POST',
path: '/api/users',
...
}
}
});
```
### AsyncAPI (Event Contracts)
**Location:** `docs/asyncapi.yaml`
```yaml
# INCLUDE COMPLETE SPEC
asyncapi: 2.6.0
info:
title: MyService Events
channels:
user.created:
...
```
```
**Why This Matters:**
- External clients depend on these contracts
- Breaking changes cause integration failures
- Rebuild MUST maintain exact contract compatibility
- These specs are the source of truth for API shape
### Complete Route Inventory [MUST]
List ALL route files with exact count:
```markdown
## Route Inventory
**Total:** 43 route modules
| # | File | Base Path | Endpoints |
|---|------|-----------|-----------|
| 1 | auth.ts | /api/auth | 8 |
| 2 | users.ts | /api/users | 5 |
| ... | ... | ... | ... |
```
### Missing Documentation Tracking
If a route file exists but is not fully documented, note it:
```markdown
## Documentation Gaps
| Route File | Status | Reason |
|------------|--------|--------|
| onyx.ts | NOT DOCUMENTED | Admin/debug routes |
| playground.ts | NOT DOCUMENTED | Development only |
```
### External API Contracts [MUST]
For any external integrations, document the contract:
```markdown
### GitHub Integration [MUST]
**Endpoints Consumed:**
- GET /user/installations
- GET /orgs/:org/teams
- POST /app/installations/:id/access_tokens
**Webhook Events:**
- installation.created
- installation.deleted
```
### Permission Documentation [MUST]
For each endpoint, document required permissions:
```markdown
| Endpoint | Method | Auth | Permission |
|----------|--------|------|------------|
| /api/budgets | GET | Required | budget:read |
| /api/budgets | POST | Required | budget:create |
| /api/budgets/:id | DELETE | Required | budget:delete (admin) |
```
## Mandatory Tagging
**Every endpoint, route, and contract must have a [MUST], [SHOULD], or [DON'T] tag in its heading.**
Default categorizations for API layer:
- **[MUST]**: All endpoints, authentication flows, external API contracts, permissions
- **[SHOULD]**: Error handling patterns, rate limiting, logging middleware
- **[DON'T]**: Framework-specific middleware config, CORS setup details
Example:
```markdown
### POST /api/users [MUST]
### AuthMiddleware [MUST]
### OpenAPI spec [MUST]
### ErrorHandler [SHOULD]
```
See `analysis-principles.md` section 9 for full tagging rules.
## Refresh Mode
If `docs/unwind/layers/api/` exists, compare current state and add `## Changes Since Last Review` section to `index.md`.Related Skills
bronze-layer-setup
End-to-end Bronze layer creation for testing and demos. Creates table DDLs, generates fake data with Faker, copies from existing sources, and configures Asset Bundle jobs. Covers Unity Catalog compliance, Change Data Feed, automatic liquid clustering, and governance metadata. Use when setting up Bronze layer tables, creating test/demo data, rapid prototyping Medallion Architecture, or bootstrapping a new Databricks project. For Faker-specific patterns (corruption rates, function signatures, provider examples), load the faker-data-generation skill.
analyzing-user-feedback
Help users synthesize and act on customer feedback. Use when someone is analyzing NPS responses, processing support tickets, reviewing user research, synthesizing feedback from multiple channels, or trying to identify patterns in customer input.
analyzing-unknown-codebases
Analyze unfamiliar codebases systematically to produce subsystem catalog entries - emphasizes strict contract compliance and confidence marking
analyzing-text-patterns
Extract and analyze recurring patterns from log messages, span names, and event names using punctuation-based template discovery. Use when you need to understand log diversity, identify common message structures, detect unusual formats, or prepare for log parser development. Works by removing variable content and preserving structural markers.
analyzing-taint-flow
Tracks untrusted input propagation from sources to sinks in binary code to identify injection vulnerabilities. Use when analyzing data flow, tracing user input to dangerous functions, or detecting command/SQL injection.
Analyzing Spreadsheets
Analyzes Excel spreadsheets, summarizes trends, and recommends charts when users mention spreadsheets, Excel workbooks, or .xlsx files.
analyzing-research-papers
Expert methodology for analyzing and summarizing research papers, extracting key contributions, methodological details, and contextualizing findings. Use when reading papers from PDFs, DOIs, or URLs to create structured summaries for researchers.
analyzing-projects
Analyzes codebases to understand structure, tech stack, patterns, and conventions. Use when onboarding to a new project, exploring unfamiliar code, or when asked "how does this work?" or "what's the architecture?"
analyzing-patterns
Automatically activated when user asks to "find patterns in...", "identify repeated code...", "analyze the architecture...", "what design patterns are used...", or needs to understand code organization, recurring structures, or architectural decisions
analyzing-logs
Analyze application logs for performance insights and issue detection including slow requests, error patterns, and resource usage. Use when troubleshooting performance issues or debugging errors. Trigger with phrases like "analyze logs", "find slow requests", or "detect error patterns".
analyzing-implementations
Documents HOW code works with surgical precision - traces data flow, explains implementation details, provides file:line references. Purely documentarian, no critiques or suggestions for improvement.
analyzing-funding-landscape
Analyzes venture capital, investment trends, funding rounds, investor strategies, M&A activity, and funding patterns in specific markets or industries. Use when the user requests funding analysis, VC landscape research, investment trend analysis, or wants to understand investor activity and funding dynamics.