api-routes
Generate secure TanStack Start API routes with authentication, rate limiting, validation, and proper error handling. Use when creating API endpoints, REST resources, or backend logic.
Best use case
api-routes is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Generate secure TanStack Start API routes with authentication, rate limiting, validation, and proper error handling. Use when creating API endpoints, REST resources, or backend logic.
Teams using api-routes should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/api-routes/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How api-routes Compares
| Feature / Agent | api-routes | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Generate secure TanStack Start API routes with authentication, rate limiting, validation, and proper error handling. Use when creating API endpoints, REST resources, or backend logic.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# API Route Generator
Create production-ready API endpoints following this project's security-first patterns.
## Quick Start Template
```typescript
import { createFileRoute } from '@tanstack/react-router'
import { eq } from 'drizzle-orm'
import { db } from '@/db'
import { tableName } from '@/db/schema'
import {
errorResponse,
requireAuth,
simpleErrorResponse,
successResponse,
} from '@/lib/api'
import { checkRateLimit } from '@/lib/rate-limit'
export const Route = createFileRoute('/api/resource')({
server: {
handlers: {
GET: async ({ request }) => {
try {
// 1. Rate limiting
const rateLimit = await checkRateLimit(request, 'api')
if (!rateLimit.allowed) {
return new Response(
JSON.stringify({ error: 'Too many requests' }),
{
status: 429,
headers: { 'Retry-After': String(rateLimit.retryAfter) },
},
)
}
// 2. Authentication
const auth = await requireAuth(request)
if (!auth.success) return auth.response
// 3. Business logic
const items = await db.select().from(tableName)
// 4. Success response
return successResponse({ items })
} catch (error) {
return errorResponse('Failed to fetch', error)
}
},
},
},
})
```
## Authentication Patterns
### User Authentication (any logged-in user)
```typescript
const auth = await requireAuth(request)
if (!auth.success) return auth.response
const user = auth.user // { id, email, role }
```
### Admin Authentication
```typescript
const auth = await requireAdmin(request)
if (!auth.success) return auth.response
// Only admins reach here
```
### Optional Authentication (public with user context)
```typescript
import { validateSession } from '@/lib/auth'
const session = await validateSession(request)
const userId = session.success ? session.user.id : null
// Proceed with or without user
```
## Response Helpers
```typescript
import { successResponse, simpleErrorResponse, errorResponse } from '@/lib/api'
// Success with data (200)
return successResponse({ items, total })
// Success with custom status
return successResponse({ item }, 201)
// Validation/client error (400)
return simpleErrorResponse('Email is required')
return simpleErrorResponse('Not found', 404)
// Server error (logs stack in dev)
return errorResponse('Database error', error, 500)
```
## Input Validation
### Required Fields
```typescript
const body = await request.json()
const { email, name, password } = body
if (!email?.trim()) {
return simpleErrorResponse('Email is required')
}
if (!password || password.length < 8) {
return simpleErrorResponse('Password must be at least 8 characters')
}
```
### Localized String Validation
```typescript
type LocalizedString = { en: string; fr?: string; id?: string }
if (!name || typeof name !== 'object' || !('en' in name) || !name.en?.trim()) {
return simpleErrorResponse('Name must have a non-empty "en" property')
}
```
### URL Parameter Validation
```typescript
// For /api/resource/$resourceId routes
const { resourceId } = params
if (!resourceId || !isValidUUID(resourceId)) {
return simpleErrorResponse('Invalid resource ID', 400)
}
```
## CRUD Operations
### List with Pagination, Filtering, Sorting
```typescript
import { and, asc, count, desc, eq, ilike, SQL } from 'drizzle-orm'
GET: async ({ request }) => {
const auth = await requireAuth(request)
if (!auth.success) return auth.response
const url = new URL(request.url)
// Pagination
const page = Math.max(1, parseInt(url.searchParams.get('page') || '1', 10))
const limit = Math.min(
100,
Math.max(1, parseInt(url.searchParams.get('limit') || '10', 10)),
)
// Filtering
const search = url.searchParams.get('q') || ''
const status = url.searchParams.get('status') as 'active' | 'draft' | null
// Sorting
const sortKey = url.searchParams.get('sort') || 'createdAt'
const sortOrder = url.searchParams.get('order') === 'asc' ? 'asc' : 'desc'
// Build conditions
const conditions: SQL[] = []
if (search) {
conditions.push(ilike(tableName.name, `%${search}%`) as SQL)
}
if (status) {
conditions.push(eq(tableName.status, status))
}
const whereClause = conditions.length > 0 ? and(...conditions) : undefined
// Get total count
const [{ total }] = await db
.select({ total: count() })
.from(tableName)
.where(whereClause)
// Get paginated items
const sortColumn =
{
name: tableName.name,
status: tableName.status,
createdAt: tableName.createdAt,
}[sortKey] || tableName.createdAt
const offset = (page - 1) * limit
const items = await db
.select()
.from(tableName)
.where(whereClause)
.orderBy(sortOrder === 'asc' ? asc(sortColumn) : desc(sortColumn))
.limit(limit)
.offset(offset)
return successResponse({
items,
total,
page,
limit,
totalPages: Math.ceil(total / limit),
})
}
```
### Create with Transaction
```typescript
POST: async ({ request }) => {
const auth = await requireAdmin(request)
if (!auth.success) return auth.response
const body = await request.json()
// Validate
if (!body.name?.en?.trim()) {
return simpleErrorResponse('Name is required')
}
try {
const result = await db.transaction(async (tx) => {
// Create main record
const [item] = await tx
.insert(tableName)
.values({
name: body.name,
status: body.status || 'draft',
})
.returning()
// Create related records
if (body.variants?.length) {
await tx.insert(variants).values(
body.variants.map((v, i) => ({
itemId: item.id,
title: v.title,
position: i,
})),
)
}
return item
})
return successResponse({ item: result }, 201)
} catch (error) {
return errorResponse('Failed to create', error)
}
}
```
### Update (PATCH)
```typescript
PATCH: async ({ request, params }) => {
const auth = await requireAdmin(request)
if (!auth.success) return auth.response
const { resourceId } = params
const body = await request.json()
// Check exists
const [existing] = await db
.select()
.from(tableName)
.where(eq(tableName.id, resourceId))
.limit(1)
if (!existing) {
return simpleErrorResponse('Not found', 404)
}
// Update
const [updated] = await db
.update(tableName)
.set({
...body,
updatedAt: new Date(),
})
.where(eq(tableName.id, resourceId))
.returning()
return successResponse({ item: updated })
}
```
### Delete
```typescript
DELETE: async ({ request, params }) => {
const auth = await requireAdmin(request)
if (!auth.success) return auth.response
const { resourceId } = params
await db.delete(tableName).where(eq(tableName.id, resourceId))
return successResponse({ deleted: true })
}
```
## Avoiding N+1 Queries
```typescript
// BAD: N+1 queries
const items = await db.select().from(orders)
for (const item of items) {
const orderItems = await db
.select()
.from(orderItems)
.where(eq(orderItems.orderId, item.id))
item.items = orderItems
}
// GOOD: Batch with Map
const items = await db.select().from(orders)
const itemIds = items.map((i) => i.id)
// Single query for all related data
const allOrderItems = await db.select().from(orderItems)
// Build lookup map
const itemsByOrderId = new Map<string, typeof allOrderItems>()
for (const oi of allOrderItems) {
const existing = itemsByOrderId.get(oi.orderId) || []
existing.push(oi)
itemsByOrderId.set(oi.orderId, existing)
}
// Use map
const itemsWithData = items.map((item) => ({
...item,
orderItems: itemsByOrderId.get(item.id) || [],
}))
```
## Rate Limiting
```typescript
import { checkRateLimit } from '@/lib/rate-limit'
// Available tiers:
// 'auth': 5 requests per 15 minutes (login attempts)
// 'api': 100 requests per minute (general API)
// 'webhook': 50 requests per minute (payment webhooks)
const rateLimit = await checkRateLimit(request, 'api')
if (!rateLimit.allowed) {
return new Response(JSON.stringify({ error: 'Too many requests' }), {
status: 429,
headers: { 'Retry-After': String(rateLimit.retryAfter) },
})
}
```
## Webhook Handlers
```typescript
// src/routes/api/webhooks/stripe.ts
POST: async ({ request }) => {
// Rate limit webhooks
const rateLimit = await checkRateLimit(request, 'webhook')
if (!rateLimit.allowed) {
return new Response('Rate limited', { status: 429 })
}
// Verify signature
const sig = request.headers.get('stripe-signature')
if (!sig) {
return new Response('Missing signature', { status: 400 })
}
const body = await request.text()
try {
const event = stripe.webhooks.constructEvent(
body,
sig,
process.env.STRIPE_WEBHOOK_SECRET!,
)
switch (event.type) {
case 'payment_intent.succeeded':
await handlePaymentSuccess(event.data.object)
break
case 'payment_intent.payment_failed':
await handlePaymentFailed(event.data.object)
break
}
return new Response('OK', { status: 200 })
} catch (error) {
console.error('Webhook error:', error)
return new Response('Webhook error', { status: 400 })
}
}
```
## Security Checklist
- [ ] Rate limiting applied
- [ ] Authentication checked
- [ ] Input validated
- [ ] SQL injection prevented (using Drizzle parameterized queries)
- [ ] Sensitive data not exposed in responses
- [ ] Error messages don't leak internals
- [ ] CSRF protection for state-changing operations
## File Naming
| Route | File |
| ------------------------------- | ---------------------------------------------- |
| `GET /api/products` | `src/routes/api/products/index.ts` |
| `GET /api/products/:id` | `src/routes/api/products/$productId.ts` |
| `POST /api/products/:id/images` | `src/routes/api/products/$productId/images.ts` |
| `POST /api/webhooks/stripe` | `src/routes/api/webhooks/stripe.ts` |
## See Also
- `src/routes/api/products/index.ts` - Full CRUD example
- `src/routes/api/orders/$orderId.ts` - Single resource
- `src/routes/api/checkout/` - Complex flow
- `src/lib/api.ts` - Response helpers
- `src/lib/rate-limit.ts` - Rate limitingRelated Skills
bgo
Automates the complete Blender build-go workflow, from building and packaging your extension/add-on to removing old versions, installing, enabling, and launching Blender for quick testing and iteration.
humanizer-ko
Detects and corrects Korean AI writing patterns to transform text into natural human writing. Based on scientific linguistic research (KatFishNet paper with 94.88% AUC accuracy). Analyzes 19 patterns including comma overuse, spacing rigidity, POS diversity, AI vocabulary overuse, and structural monotony. Use when humanizing Korean text from ChatGPT/Claude/Gemini or removing AI traces from Korean LLM output.
huggingface-accelerate
Simplest distributed training API. 4 lines to add distributed support to any PyTorch script. Unified API for DeepSpeed/FSDP/Megatron/DDP. Automatic device placement, mixed precision (FP16/BF16/FP8). Interactive config, single launch command. HuggingFace ecosystem standard.
hr-pro
Professional, ethical HR partner for hiring, onboarding/offboarding, PTO and leave, performance, compliant policies, and employee relations. Ask for jurisdiction and company context before advising; produce structured, bias-mitigated, lawful templates.
hive-mind-advanced
Advanced Hive Mind collective intelligence system for queen-led multi-agent coordination with consensus mechanisms and persistent memory
hire
Interactive hiring wizard to set up a new AI team member. Guides the user through role design via conversation, generates agent identity files, and optionally sets up performance reviews. Use when the user wants to hire, add, or set up a new AI agent, team member, or assistant. Triggers on phrases like "hire", "add an agent", "I need help with X" (implying a new role), or "/hire".
hic-tad-calling
This skill should be used when users need to identify topologically associating domains (TADs) from Hi-C data in .mcools (or .cool) files or when users want to visualize the TAD in target genome loci. It provides workflows for TAD calling and visualization.
helix-memory
Long-term memory system for Claude Code using HelixDB graph-vector database. Store and retrieve facts, preferences, context, and relationships across sessions using semantic search, reasoning chains, and time-window filtering.
heath-ledger
AI bookkeeping agent for Mercury bank accounts. Pulls transactions, categorizes them (rule-based + AI), and generates Excel workbooks with P&L, Balance Sheet, Cash Flow, and transaction detail. Use when the user wants to do bookkeeping, generate financial statements, categorize bank transactions, connect Mercury, or produce monthly/quarterly/annual books. Triggers on: bookkeeping, P&L, profit and loss, balance sheet, cash flow, financial statements, Mercury bank, categorize transactions, generate books, monthly close.
health-chat
Unified health conversation entry point - automatically loads all health data for each conversation, supports natural language queries, and intelligently routes to appropriate health data processing
hackernews
Comprehensive toolkit for fetching, searching, analyzing, and monitoring Hacker News content. Use when Claude needs to interact with Hacker News for (1) Fetching top/new/best/ask/show/job stories, (2) Searching for specific topics or keywords, (3) Monitoring specific users or tracking their activity, (4) Analyzing trending topics and patterns, (5) Getting story details, comments, or user profiles, or (6) Any other task involving Hacker News data retrieval or analysis.
GSTD A2A Network
Decentralized Agent-to-Agent Autonomous Economy. Connects hardware and agents for distributed compute, hive memory access, and economic settlement.