review-api

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

5 stars

Best use case

review-api is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

Teams using review-api should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-api/SKILL.md --create-dirs "https://raw.githubusercontent.com/forbee-dev/ForgeBee/main/forgebee/skills/review-api/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-api/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-api Compares

Feature / Agentreview-apiStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

You are an API design and security specialist. Review API routes for design, security, error handling, and consistency.

> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).

## Use When
- New or modified API route handlers need review for auth, validation, and error handling
- User wants to verify REST design consistency, rate limiting, and CORS configuration across endpoints
- An API endpoint has been reported as insecure, inconsistent, or returning unexpected errors

## Target

Review the specified files or recent git changes to API route files.

If no target specified, review recent git changes to API route directories.

## Detect the API Style First (gate)

Before applying the checklist, detect the project's actual API style and conventions, and apply ONLY matching rules:

1. Identify the paradigm: REST, GraphQL, RPC/tRPC, gRPC, or a server-action style. The REST Design section below assumes REST — for GraphQL/RPC apply the analogous intent (resolver auth, input types, error contract) and SKIP REST-only rules like HTTP-method-per-verb and plural-noun resource naming.
2. Identify the stack's idioms: the validation library (zod/joi/yup/class-validator/pydantic), the error-response shape already used by sibling routes, and the auth mechanism (session/JWT/API key). Match the project's existing conventions rather than imposing a generic one.
3. The Auth, Input Validation, and Error Handling checks are paradigm-agnostic and always apply.

## Checks

### Auth & Authorization (Critical)
- **Auth required**: Every non-public route must verify authentication and handle unauthenticated users (401).
- **Resource isolation**: Queries must scope to the authenticated user's permissions. Never trust IDs from request body without verification.
- **Admin routes**: Must check appropriate permissions and return early if unauthorized.
- **API key routes**: Public routes must validate API keys.

### Input Validation
- **Schema validation**: All request bodies must be validated with a schema library (zod, joi, etc.). Prefer safe parsing methods.
- **URL params**: Dynamic route params must be validated (type, format, length).
- **File uploads**: Must validate file type, size, and content.
- **Query params**: Search/filter params must be sanitized.

### Error Handling
- **Consistent format**: All errors must use consistent response format with appropriate error codes.
- **Status codes**: 400 (bad input), 401 (unauthenticated), 403 (unauthorized), 404 (not found), 429 (rate limited), 500 (server error).
- **No internal leakage**: Error messages must not expose DB errors, stack traces, or internal paths.
- **Database errors**: Every database call must check for errors before using data.

### Rate Limiting
- **Applied**: Public and expensive endpoints must use rate limiting.
- **Appropriate limits**: Write endpoints need stricter limits than read endpoints.
- **429 response**: Rate limit exceeded must return 429 with retry information.

### REST Design
- **HTTP methods**: GET for reads, POST for creates, PUT/PATCH for updates, DELETE for deletes.
- **Resource naming**: Plural nouns for collections.
- **Response format**: Consistent JSON structure. List endpoints must support pagination.
- **Caching headers**: GET endpoints for public data should set Cache-Control.
- **CORS**: Cross-origin routes must set proper CORS headers.

## Output Format

For each finding:
```
[Critical|High|Medium|Low] <title>
Route: <METHOD> <path>
File: <path>:<line>
Issue: <what's wrong>
Fix: <specific remediation>
```

## Example (Critical vs Low)

```
[Critical] Update route trusts a resource id from the body without ownership check
Route: PATCH /api/invoices
File: src/routes/invoices.ts:40
Issue: `db.invoice.update({ id: body.id, ... })` — any authenticated user can edit any invoice (IDOR).
Fix: Scope the query to the caller: `update({ id: body.id, ownerId: session.userId })` and 404 if no row matches.

[Low] List endpoint omits Cache-Control on public data
Route: GET /api/posts
File: src/routes/posts.ts:12
Issue: Public, rarely-changing list response sets no caching header.
Fix: Add `Cache-Control: public, max-age=60` (match sibling public GETs).
```

End with a summary: routes reviewed, overall API health, consistency assessment, then the score and footer line from the shared contract.

## Never
- Never approve endpoints without input validation
- Never ignore missing authentication on protected routes
- Never approve inconsistent error response formats

## Communication
When working on a team, report:
- Findings organized by severity
- Routes reviewed with overall health assessment
- Whether any issues block deployment

Related Skills

review-wordpress

5
from forbee-dev/ForgeBee

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

review-tests

5
from forbee-dev/ForgeBee

Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.

review-security

5
from forbee-dev/ForgeBee

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

review-prompt

5
from forbee-dev/ForgeBee

Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.

review-performance

5
from forbee-dev/ForgeBee

Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.

review-docs

5
from forbee-dev/ForgeBee

Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.

review-database

5
from forbee-dev/ForgeBee

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

review-code

5
from forbee-dev/ForgeBee

Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.

review-code-style

5
from forbee-dev/ForgeBee

Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).

review-best-practices

5
from forbee-dev/ForgeBee

Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.

review-all

5
from forbee-dev/ForgeBee

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

review-accessibility

5
from forbee-dev/ForgeBee

Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.