api-architecture

API versioning, security, authentication, rate limiting, monitoring, error handling, and documentation strategies for production APIs. Use when planning API infrastructure, implementing security concerns, or designing monitoring strategies.

16 stars

bydiegosouzapw

View on GitHub Installation ↓

Best use case

api-architecture is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using api-architecture should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/api-architecture/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/api-architecture/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/api-architecture/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How api-architecture Compares

Feature / Agent	api-architecture	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# API Architecture

Master architectural concerns that apply across all API types for production-ready systems.

## When to Use This Skill

- Planning API versioning strategies
- Implementing authentication and authorization
- Setting up rate limiting and quotas
- Designing error handling strategies
- Planning monitoring and observability
- Generating API documentation
- Securing APIs against attacks
- Implementing caching strategies

## API Versioning

### URL Versioning (Recommended)

Clear and easy to route: `/api/v1/users`, `/api/v2/users`

### Header Versioning

Clean URLs: `Accept: application/vnd.api+json; version=2`

### Query Parameter Versioning

Easy to test: `GET /api/users?version=2`

## Security Best Practices

### Authentication

**Bearer Token (JWT):**
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
401 Unauthorized - Missing/invalid token
403 Forbidden - Valid token, insufficient permissions
```

**API Keys:**
```
X-API-Key: your-api-key-here
```

### Authorization Patterns

- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
- Scope-based permissions (OAuth 2.0)

### Input Validation

- Validate all input at API boundaries
- Use schemas for validation (Pydantic, JSON Schema)
- Sanitize user input to prevent injection attacks
- Validate file uploads

## Rate Limiting

### Implementation Pattern

```python
class RateLimiter:
    def __init__(self, calls: int, period: int):
        self.calls = calls
        self.period = period
        self.cache = {}

    def check(self, key: str) -> bool:
        now = datetime.now()
        if key not in self.cache:
            self.cache[key] = []

        self.cache[key] = [
            ts for ts in self.cache[key]
            if now - ts < timedelta(seconds=self.period)
        ]

        if len(self.cache[key]) >= self.calls:
            return False

        self.cache[key].append(now)
        return True
```

### Headers

```
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 742
X-RateLimit-Reset: 1640000000

429 Too Many Requests
Retry-After: 3600
```

## Monitoring and Observability

### Health Check Endpoints

```python
@app.get("/health")
async def health_check():
    return {"status": "healthy", "version": "1.0.0"}

@app.get("/health/detailed")
async def detailed_health():
    return {
        "status": "healthy",
        "checks": {
            "database": await check_database(),
            "cache": await check_cache()
        }
    }
```

### Logging Strategy

- Log all API requests/responses
- Include request ID for tracing
- Log authentication/authorization events
- Log errors with full context
- Use structured logging (JSON format)

### Metrics to Track

- Request count by endpoint
- Response times (latency)
- Error rates by status code
- Active connections
- Rate limit usage

## Caching Strategies

### HTTP Caching

```
Cache-Control: public, max-age=3600     # Client caching
Cache-Control: no-cache, no-store       # No caching

ETag: "hash"
If-None-Match: "hash"
→ 304 Not Modified
```

### Server-Side Caching

- In-memory caching (Redis)
- Database query caching
- API response caching
- Cache invalidation strategies

## Error Handling

### Standardized Error Format

```json
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Request validation failed",
    "details": [{"field": "email", "message": "Invalid"}],
    "timestamp": "2025-10-16T12:00:00Z",
    "path": "/api/users"
  }
}
```

### Status Code Guidelines

- 2xx Success: 200, 201, 204
- 4xx Errors: 400, 401, 403, 404, 422, 429
- 5xx Server: 500, 503

## Documentation Standards

### OpenAPI/Swagger

```python
app = FastAPI(
    title="My API",
    docs_url="/docs",
    redoc_url="/redoc"
)

@app.get("/api/users/{user_id}", tags=["Users"])
async def get_user(user_id: str):
    """Retrieve user by ID."""
    pass
```

### GraphQL Documentation

- GraphQL introspection (free documentation)
- Use `@deprecated` for backward compatibility
- Document complex types with descriptions

## Best Practices Summary

1. **Versioning** - Plan for breaking changes early
2. **Security** - Implement defense in depth
3. **Rate Limiting** - Protect from abuse
4. **Monitoring** - Observe production APIs
5. **Documentation** - Keep in sync with code
6. **Error Handling** - Standardize responses
7. **Caching** - Balance freshness and performance
8. **Logging** - Collect actionable data
9. **Metrics** - Track important signals
10. **Testing** - Security and performance tests

## Cross-Skill References

- **rest-api-design** - REST-specific patterns
- **graphql-api-design** - GraphQL-specific patterns
- **api-testing** - Testing security and monitoring

Related Skills

android-architecture

from diegosouzapw/awesome-omni-skill

Use when implementing MVVM, clean architecture, dependency injection with Hilt, or structuring Android app layers.

analyzer-architecture-review

from diegosouzapw/awesome-omni-skill

analyzerアプリケーションのアーキテクチャレビュー。Port&Adapterアーキテクチャ（ヘキサゴナルアーキテクチャ）のルールに従っているかをチェックします。新しいPort/Adapter/Usecase/Model追加時、PRレビュー時、またはアーキテクチャ違反の検出が必要な時に使用します。Port層の関数型定義、依存関係の方向、New*関数パターン、レイヤー分離などを検証します。

analyze-project-architecture

from diegosouzapw/awesome-omni-skill

LLM-based architectural analysis that transforms raw project data into meaningful structure

analyze-architecture

from diegosouzapw/awesome-omni-skill

Comprehensive brownfield architecture analysis for existing codebases. Discovers structure, identifies patterns, assesses quality, calculates production readiness, and provides actionable recommendations. Use when analyzing existing codebases to understand architecture, assess quality, or prepare for modernization.

aidb-architecture

from diegosouzapw/awesome-omni-skill

Comprehensive architectural reference for AIDB core and MCP integration. Covers 6-layer architecture (MCP, Service, Session, Adapter, DAP Client, Protocol), component organization, data flow patterns, and design decisions. Use when explaining overall system design or understanding how layers interact.

agentic_architecture

from diegosouzapw/awesome-omni-skill

Enforces high-level architectural thinking, separation of concerns, and scalability checks before coding.

agentic-jumpstart-architecture

from diegosouzapw/awesome-omni-skill

Architecture guidelines for Jarvy CLI - codebase structure, tool implementation patterns, registry system, platform-specific code organization, and module conventions.

Advanced Clean Hexagonal Architecture

from diegosouzapw/awesome-omni-skill

Apply Clean Architecture and Hexagonal (Ports & Adapters) patterns for domain isolation and testability. Use when designing system boundaries, creating ports/adapters, or structuring domain-driven applications.

ADR (Architecture Decision Record)

from diegosouzapw/awesome-omni-skill

Create and maintain Architecture Decision Records following a consistent template

acc-architecture-doc-template

from diegosouzapw/awesome-omni-skill

Generates ARCHITECTURE.md files for PHP projects. Creates layer documentation, component descriptions, and architectural diagrams.

1k-architecture

from diegosouzapw/awesome-omni-skill

OneKey monorepo architecture and code organization. Use when understanding project structure, package relationships, import rules, or component organization. Triggers on architecture, structure, packages, imports, hierarchy, dependencies, monorepo, organization.

microservices-architecture

from diegosouzapw/awesome-omni-skill

Microservices architecture patterns and best practices. Use when designing distributed systems, breaking down monoliths, or implementing service communication.