api-endpoint-builder
Build REST API endpoints when designing or implementing API routes with security best practices. Not for client-side fetching or non-API logic.
Best use case
api-endpoint-builder is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Build REST API endpoints when designing or implementing API routes with security best practices. Not for client-side fetching or non-API logic.
Teams using api-endpoint-builder should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/api-endpoint-builder/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How api-endpoint-builder Compares
| Feature / Agent | api-endpoint-builder | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Build REST API endpoints when designing or implementing API routes with security best practices. Not for client-side fetching or non-API logic.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Endpoint Builder
Build REST API endpoints following security and performance best practices.
## Workflow
Execute this process for building API endpoints:
### 1. Plan the Endpoint
- Determine HTTP method (GET, POST, PUT, DELETE)
- Design path pattern following REST conventions
- Identify required input validation
- Define output format (JSON, status codes)
### 2. Validate Security
- Input validation and sanitization
- Authentication/authorization checks
- Rate limiting considerations
- SQL injection prevention
- XSS protection
### 3. Implement Structure
- Create route handler file
- Add middleware for validation
- Implement error handling
- Add request/response types
- Include logging
### 4. Add Tests
- Unit tests for handler
- Integration tests for route
- Validation test cases
- Error scenario tests
### 5. Verify Compliance
- Check error codes follow conventions
- Verify response format consistency
- Validate security headers
- Test input validation
## Example Implementation
```typescript
// POST /api/users
export async function POST(request: NextRequest) {
try {
// 1. Validate input
const body = await request.json();
const validated = CreateUserSchema.parse(body);
// 2. Check authentication
const user = await authenticate(request);
if (!user || !hasPermission(user, "create_user")) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
// 3. Create user
const newUser = await createUser(validated);
// 4. Return response
return NextResponse.json({ user: sanitizeUser(newUser) }, { status: 201 });
} catch (error) {
if (error instanceof z.ZodError) {
return NextResponse.json(
{ error: "Invalid input", details: error.errors },
{ status: 400 },
);
}
logger.error("Create user failed", { error, userId: user?.id });
return NextResponse.json(
{ error: "Internal server error" },
{ status: 500 },
);
}
}
```
## Best Practices
- **Always validate input** - Use Zod or similar for schema validation
- **Use parameterized queries** - Prevent SQL injection
- **Implement rate limiting** - Protect against abuse
- **Log security events** - Track authentication failures
- **Use proper status codes** - 200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 500 Internal Server Error
- **Sanitize output** - Prevent XSS attacks
- **Version your APIs** - Use /api/v1/ paths
- **Document responses** - Use OpenAPI/Swagger
## Integration
This skill integrates with:
- `security` - Security patterns and validation
- `backend-patterns` - Backend best practices
- `engineering-lifecycle` - Testing requirements
---
## Genetic Code
This component carries essential Seed System principles for context: fork isolation:
<critical_constraint>
MANDATORY: All components MUST be self-contained (zero .claude/rules dependency)
MANDATORY: Achieve 80-95% autonomy (0-5 AskUserQuestion rounds per session)
MANDATORY: Description MUST use What-When-Not format in third person
MANDATORY: No component references another component by name in description
MANDATORY: Progressive disclosure - references/ for detailed content
MANDATORY: Use XML for control (mission_control, critical_constraint), Markdown for data
No exceptions. Portability invariant must be maintained.
</critical_constraint>
**Delta Standard**: Good Component = Expert Knowledge − What Claude Already Knows
**Recognition Questions**:
- "Would Claude know this without being told?" → Delete (zero delta)
- "Can this work standalone?" → Fix if no (non-self-sufficient)
- "Did I read the actual file, or just see it in grep?" → Verify before claiming
MANDATORY: Use parameterized queries to prevent SQL injection
MANDATORY: Implement proper authentication/authorization checks
MANDATORY: Return appropriate HTTP status codes (400, 401, 403, 500)
MANDATORY: Log security events (authentication failures, errors)
No exceptions. API security is non-negotiable.
</critical_constraint>Related Skills
agent-builder
Build AI agents using pai-agent-sdk with Pydantic AI. Covers agent creation via create_agent(), toolset configuration, session persistence with ResumableState, subagent hierarchies, and browser automation. Use when creating agent applications, configuring custom tools, managing multi-turn sessions, setting up hierarchical agents, or implementing HITL approval flows.
Advisory Board Builder
Recruit, structure, and manage advisory boards for strategic guidance
web-backend-builder
Scaffold backend API, data models, ORM setup, and endpoint inventory with OpenAPI output.
mcp-builder
Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use when building MCP servers to integrate external APIs or services, whether in Python (FastMCP), Node/TypeScript (MCP SDK), or C#/.NET (Microsoft MCP SDK).
mcp-builder-microsoft
Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use when building MCP servers to integrate external APIs or services, whether in Python (FastMCP), Node/TypeScript (MCP SDK), or C#/.NET (Microsoft MCP SDK).
api-request-builder
Build a basic HTTP request (curl or fetch) for an API. Use when a junior developer needs a quick request example.
api-integration-builder
Build reliable third-party API integrations including OAuth, webhooks, rate limiting, error handling, and data sync. Use when integrating with external services (Slack, Stripe, Gmail, etc.), building API connections, handling webhooks, or implementing OAuth flows.
api-endpoint
Create or modify API endpoints in IdeaForge backend. Triggers: new route, controller, service, repository, CRUD operation, Zod validation, API debugging. Pattern: Routes → Controller → Service → Repository.
api-endpoint-scaffold
Scaffold new Next.js API endpoints with authentication, rate limiting, and tests. Use when creating new API routes, adding endpoints, or building API features.
api-endpoint-pattern
Standards for creating and organizing HTTP API endpoints using the Echo framework
api-endpoint-generator
Generates CRUD REST API endpoints with request validation, TypeScript types, consistent response formats, error handling, and documentation. Includes route handlers, validation schemas (Zod/Joi), typed responses, and usage examples. Use when building "REST API", "CRUD endpoints", "API routes", or "backend endpoints".
api-endpoint-design
API endpoint design and testing for vehicle insurance data platform. Use when designing new API endpoints, testing existing ones, validating response formats, or debugging API issues. Covers 11 core endpoints including 3 new pie chart distribution endpoints, parameter validation, error handling, and integration patterns.