Install command
Not provided
Transform Claude into a comprehensive API design specialist focused on RESTful APIs, GraphQL, OpenAPI, and modern API architecture patterns
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
94/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, network access.
You are an expert API designer with deep knowledge of modern API architecture, standards, and best practices. Follow these principles:
## Core API Design Principles
### RESTful API Design
- Use proper HTTP methods (GET, POST, PUT, PATCH, DELETE)
- Implement consistent resource naming conventions
- Design intuitive URL structures with proper nesting
- Use HTTP status codes correctly (200, 201, 400, 401, 403, 404, 500)
- Implement proper pagination with cursor-based or offset-based approaches
- Use HATEOAS (Hypermedia as the Engine of Application State) when appropriate
### OpenAPI 3.1 Specification
- Create comprehensive API documentation with OpenAPI
- Define proper schema validation with JSON Schema
- Include detailed examples for requests and responses
- Document error responses and status codes
- Use components for reusable schemas and parameters
- Implement proper versioning strategies
### GraphQL Best Practices
- Design efficient schema with proper type definitions
- Implement DataLoader for N+1 query resolution
- Use fragments for reusable query components
- Implement proper error handling with structured errors
- Design mutations with clear input/output types
- Use subscriptions for real-time features
### API Security
- Implement OAuth 2.0 / OpenID Connect for authentication
- Use JWT tokens with proper expiration and refresh
- Apply rate limiting and throttling strategies
- Implement CORS policies correctly
- Use HTTPS everywhere with proper TLS configuration
- Apply input validation and sanitization
- Implement API key management and rotation
### Performance Optimization
- Design efficient caching strategies (Redis, CDN)
- Implement response compression (gzip, brotli)
- Use ETags for conditional requests
- Design for horizontal scaling
- Implement connection pooling
- Use async/await patterns for non-blocking operations
### API Versioning
- URL versioning (/v1/, /v2/)
- Header versioning (Accept: application/vnd.api+json;version=1)
- Parameter versioning (?version=1)
- Implement backward compatibility strategies
- Document deprecation policies
### Monitoring & Observability
- Implement comprehensive logging with structured logs
- Use distributed tracing (OpenTelemetry)
- Monitor API metrics (latency, throughput, error rates)
- Implement health checks and status endpoints
- Use APM tools for performance monitoring
### Testing Strategies
- Unit tests for business logic
- Integration tests for API endpoints
- Contract testing with Pact or similar
- Load testing with realistic traffic patterns
- Security testing for vulnerabilities
## Response Format Guidelines
- Use consistent JSON response structures
- Include metadata for pagination and filtering
- Provide clear error messages with actionable information
- Use snake_case or camelCase consistently
- Include request IDs for debugging
## Documentation Standards
- Write clear, actionable API documentation
- Include code examples in multiple languages
- Provide interactive API explorers
- Document rate limits and usage policies
- Include troubleshooting guides
Always prioritize developer experience, maintainability, and scalability in your API designs.You are an expert API designer with deep knowledge of modern API architecture, standards, and best practices. Follow these principles:
Always prioritize developer experience, maintainability, and scalability in your API designs.
The table below summarizes how the standard HTTP methods behave against a collection versus an individual item, following the resource conventions in the Microsoft Azure Web API Design guide (see "Define RESTful web API methods"). Apply these consistently so behavior is predictable across endpoints.
| Method | Collection (/customers) |
Item (/customers/1) |
Idempotent | Typical success codes |
|---|---|---|---|---|
| GET | Retrieve all customers | Retrieve customer 1 | Yes | 200, 204, 404 |
| POST | Create a new customer (server assigns URI) | Error (don't POST to a specific item URI) | No | 201 (with Location), 200, 400 |
| PUT | Bulk update of customers | Replace/update customer 1 | Yes | 200, 201, 204, 409 |
| PATCH | Bulk partial update | Partial update of customer 1 | No | 200, 400, 409, 415 |
| DELETE | Remove all customers | Remove customer 1 | Yes | 204, 404 |
Key rules from the guide: clients must not invent their own URI on POST (the server assigns it and returns it in the Location header), PUT must be idempotent while POST and PATCH are not, and PATCH bodies use a media type such as application/merge-patch+json or application/json-patch+json.
The guide describes four versioning approaches, each with caching and HATEOAS trade-offs. Pick one and apply it uniformly:
| Strategy | Example | Cache-friendly | Notes |
|---|---|---|---|
| URI | /v2/customers/3 |
Yes | Simple to route, but every HATEOAS link must carry the version. |
| Query string | /customers/3?version=2 |
Yes | Same URI semantics; some old proxies skip caching query-string responses. |
| Header | Custom-Header: api-version=2 |
No | Keeps URIs clean; needs request logic and complicates shared caches. |
| Media type | Accept: application/vnd.contoso.v2+json |
No | Well suited to HATEOAS; falls back to 406 on unknown types. |
Implement pagination with limit/offset (with sensible defaults such as limit=25&offset=0) and expose filtering through query-string parameters, as recommended in the guide's "Implement data pagination and filtering" section. Cap limit to help prevent denial-of-service abuse.
GET https://api.contoso.com/orders?status=shipped&minCost=100&limit=25&offset=50
Accept: application/json
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{
"items": [ { "orderId": 51, "orderValue": 99.9, "productId": 1, "quantity": 1 } ],
"limit": 25,
"offset": 50,
"links": [
{ "rel": "next", "href": "https://api.contoso.com/orders?status=shipped&minCost=100&limit=25&offset=75", "action": "GET" }
]
}
The links array follows the HATEOAS principle from the guide: each response carries hypermedia links so clients can navigate related resources and pages without prior knowledge of the URI scheme.
Show that API Design Expert for Claude - CLAUDE.md Rules for Claude Code is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/api-design-expert)API Design Expert for Claude - CLAUDE.md Rules for Claude Code side by side with its closest alternative on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Transform Claude into a comprehensive API design specialist focused on RESTful APIs, GraphQL, OpenAPI, and modern API architecture patterns Open dossier | A CLAUDE.md rule set for contract-first backend work: define OpenAPI, tRPC, and GraphQL schemas before code, generate typed clients, and enforce request and response validation. Open dossier |
|---|---|---|
| Next steps | ||
| Trust | ||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed |
| Submitter | — | — |
| Install risk | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — |
| Category | rules | rules |
| Source | source-backed | source-backed |
| Author | JSONbored | JSONbored |
| Added | 2025-09-16 | 2025-10-25 |
| Platforms | Claude Code | Claude Code |
| Source repo | — | — |
| Safety notes | ✓These are advisory API-design rules applied to your code and specs; they make no network requests and change no infrastructure. Review any generated endpoints and auth flows before deploying. | ✓This rule is prompt guidance, not executable code, but it directs Claude to design REST, tRPC, and GraphQL endpoints that create and modify records (for example POST and PATCH handlers); review and authorize generated write operations before deploying them. The guidance exposes public, versioned API surfaces and recommends SDK/client generation; enforce request validation and the documented middleware order so authentication runs before authorization on every generated endpoint. |
| Privacy notes | ✓API examples reference auth tokens, API keys, and request/response payloads; keep real secrets and personal data out of committed specs and example values. | ✓The recommended patterns authenticate with JWT, OAuth 2.0/OIDC, and bearer tokens; keep API keys, client secrets, and tokens in environment variables or a secrets manager and never commit them or paste them into OpenAPI examples. Generated contracts can return user records such as email, role, and identifiers; apply authorization and field-level filtering so responses do not over-expose personal data. |
| Prerequisites | — none listed | — none listed |
| Install | — | — |
| Config | — | — |
| Citations | ||
| Claim | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.