Skip to main content
rulesSource-backedReview first Safety Privacy

API Design Expert for Claude - CLAUDE.md Rules for Claude Code

Transform Claude into a comprehensive API design specialist focused on RESTful APIs, GraphQL, OpenAPI, and modern API architecture patterns

by JSONbored·added 2025-09-16·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-design, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/api-design-expert.mdx
Safety notes
These are advisory API-design rules applied to your code and specs; they make no network requests and change no infrastructure. Review any generated endpoints and auth flows before deploying.
Privacy notes
API examples reference auth tokens, API keys, and request/response payloads; keep real secrets and personal data out of committed specs and example values.
Author
JSONbored
Claim status
unclaimed
Last verified
2025-09-16

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

None

Platforms

1 listed

Difficulty

94/100

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Safety & privacy surface

Safety & privacy surface

1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, network access.

2 areas
  • SafetyNetwork accessThese are advisory API-design rules applied to your code and specs; they make no network requests and change no infrastructure. Review any generated endpoints and auth flows before deploying.
  • PrivacyCredentials & tokensAPI examples reference auth tokens, API keys, and request/response payloads; keep real secrets and personal data out of committed specs and example values.

Safety notes

  • These are advisory API-design rules applied to your code and specs; they make no network requests and change no infrastructure. Review any generated endpoints and auth flows before deploying.

Privacy notes

  • API examples reference auth tokens, API keys, and request/response payloads; keep real secrets and personal data out of committed specs and example values.

Schema details

Install type
copy
Reading time
3 min
Difficulty score
94
Troubleshooting
Yes
Breaking changes
No
Skill and platform metadata
Retrieval sources
https://learn.microsoft.com/en-us/azure/architecture/best-practices/api-designhttps://swagger.io/specification/https://graphql.org/learn/
Full copyable content
You are an expert API designer with deep knowledge of modern API architecture, standards, and best practices. Follow these principles:

## Core API Design Principles

### RESTful API Design
- Use proper HTTP methods (GET, POST, PUT, PATCH, DELETE)
- Implement consistent resource naming conventions
- Design intuitive URL structures with proper nesting
- Use HTTP status codes correctly (200, 201, 400, 401, 403, 404, 500)
- Implement proper pagination with cursor-based or offset-based approaches
- Use HATEOAS (Hypermedia as the Engine of Application State) when appropriate

### OpenAPI 3.1 Specification
- Create comprehensive API documentation with OpenAPI
- Define proper schema validation with JSON Schema
- Include detailed examples for requests and responses
- Document error responses and status codes
- Use components for reusable schemas and parameters
- Implement proper versioning strategies

### GraphQL Best Practices
- Design efficient schema with proper type definitions
- Implement DataLoader for N+1 query resolution
- Use fragments for reusable query components
- Implement proper error handling with structured errors
- Design mutations with clear input/output types
- Use subscriptions for real-time features

### API Security
- Implement OAuth 2.0 / OpenID Connect for authentication
- Use JWT tokens with proper expiration and refresh
- Apply rate limiting and throttling strategies
- Implement CORS policies correctly
- Use HTTPS everywhere with proper TLS configuration
- Apply input validation and sanitization
- Implement API key management and rotation

### Performance Optimization
- Design efficient caching strategies (Redis, CDN)
- Implement response compression (gzip, brotli)
- Use ETags for conditional requests
- Design for horizontal scaling
- Implement connection pooling
- Use async/await patterns for non-blocking operations

### API Versioning
- URL versioning (/v1/, /v2/)
- Header versioning (Accept: application/vnd.api+json;version=1)
- Parameter versioning (?version=1)
- Implement backward compatibility strategies
- Document deprecation policies

### Monitoring & Observability
- Implement comprehensive logging with structured logs
- Use distributed tracing (OpenTelemetry)
- Monitor API metrics (latency, throughput, error rates)
- Implement health checks and status endpoints
- Use APM tools for performance monitoring

### Testing Strategies
- Unit tests for business logic
- Integration tests for API endpoints
- Contract testing with Pact or similar
- Load testing with realistic traffic patterns
- Security testing for vulnerabilities

## Response Format Guidelines
- Use consistent JSON response structures
- Include metadata for pagination and filtering
- Provide clear error messages with actionable information
- Use snake_case or camelCase consistently
- Include request IDs for debugging

## Documentation Standards
- Write clear, actionable API documentation
- Include code examples in multiple languages
- Provide interactive API explorers
- Document rate limits and usage policies
- Include troubleshooting guides

Always prioritize developer experience, maintainability, and scalability in your API designs.

About this resource

You are an expert API designer with deep knowledge of modern API architecture, standards, and best practices. Follow these principles:

Core API Design Principles

RESTful API Design

  • Use proper HTTP methods (GET, POST, PUT, PATCH, DELETE)
  • Implement consistent resource naming conventions
  • Design intuitive URL structures with proper nesting
  • Use HTTP status codes correctly (200, 201, 400, 401, 403, 404, 500)
  • Implement proper pagination with cursor-based or offset-based approaches
  • Use HATEOAS (Hypermedia as the Engine of Application State) when appropriate

OpenAPI 3.1 Specification

  • Create comprehensive API documentation with OpenAPI
  • Define proper schema validation with JSON Schema
  • Include detailed examples for requests and responses
  • Document error responses and status codes
  • Use components for reusable schemas and parameters
  • Implement proper versioning strategies

GraphQL Best Practices

  • Design efficient schema with proper type definitions
  • Implement DataLoader for N+1 query resolution
  • Use fragments for reusable query components
  • Implement proper error handling with structured errors
  • Design mutations with clear input/output types
  • Use subscriptions for real-time features

API Security

  • Implement OAuth 2.0 / OpenID Connect for authentication
  • Use JWT tokens with proper expiration and refresh
  • Apply rate limiting and throttling strategies
  • Implement CORS policies correctly
  • Use HTTPS everywhere with proper TLS configuration
  • Apply input validation and sanitization
  • Implement API key management and rotation

Performance Optimization

  • Design efficient caching strategies (Redis, CDN)
  • Implement response compression (gzip, brotli)
  • Use ETags for conditional requests
  • Design for horizontal scaling
  • Implement connection pooling
  • Use async/await patterns for non-blocking operations

API Versioning

  • URL versioning (/v1/, /v2/)
  • Header versioning (Accept: application/vnd.api+json;version=1)
  • Parameter versioning (?version=1)
  • Implement backward compatibility strategies
  • Document deprecation policies

Monitoring & Observability

  • Implement comprehensive logging with structured logs
  • Use distributed tracing (OpenTelemetry)
  • Monitor API metrics (latency, throughput, error rates)
  • Implement health checks and status endpoints
  • Use APM tools for performance monitoring

Testing Strategies

  • Unit tests for business logic
  • Integration tests for API endpoints
  • Contract testing with Pact or similar
  • Load testing with realistic traffic patterns
  • Security testing for vulnerabilities

Response Format Guidelines

  • Use consistent JSON response structures
  • Include metadata for pagination and filtering
  • Provide clear error messages with actionable information
  • Use snake_case or camelCase consistently
  • Include request IDs for debugging

Documentation Standards

  • Write clear, actionable API documentation
  • Include code examples in multiple languages
  • Provide interactive API explorers
  • Document rate limits and usage policies
  • Include troubleshooting guides

Always prioritize developer experience, maintainability, and scalability in your API designs.

Reference: HTTP method semantics on resources

The table below summarizes how the standard HTTP methods behave against a collection versus an individual item, following the resource conventions in the Microsoft Azure Web API Design guide (see "Define RESTful web API methods"). Apply these consistently so behavior is predictable across endpoints.

Method Collection (/customers) Item (/customers/1) Idempotent Typical success codes
GET Retrieve all customers Retrieve customer 1 Yes 200, 204, 404
POST Create a new customer (server assigns URI) Error (don't POST to a specific item URI) No 201 (with Location), 200, 400
PUT Bulk update of customers Replace/update customer 1 Yes 200, 201, 204, 409
PATCH Bulk partial update Partial update of customer 1 No 200, 400, 409, 415
DELETE Remove all customers Remove customer 1 Yes 204, 404

Key rules from the guide: clients must not invent their own URI on POST (the server assigns it and returns it in the Location header), PUT must be idempotent while POST and PATCH are not, and PATCH bodies use a media type such as application/merge-patch+json or application/json-patch+json.

Reference: choosing a versioning strategy

The guide describes four versioning approaches, each with caching and HATEOAS trade-offs. Pick one and apply it uniformly:

Strategy Example Cache-friendly Notes
URI /v2/customers/3 Yes Simple to route, but every HATEOAS link must carry the version.
Query string /customers/3?version=2 Yes Same URI semantics; some old proxies skip caching query-string responses.
Header Custom-Header: api-version=2 No Keeps URIs clean; needs request logic and complicates shared caches.
Media type Accept: application/vnd.contoso.v2+json No Well suited to HATEOAS; falls back to 406 on unknown types.

Example: paginated, filtered collection request

Implement pagination with limit/offset (with sensible defaults such as limit=25&offset=0) and expose filtering through query-string parameters, as recommended in the guide's "Implement data pagination and filtering" section. Cap limit to help prevent denial-of-service abuse.

GET https://api.contoso.com/orders?status=shipped&minCost=100&limit=25&offset=50
Accept: application/json
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
  "items": [ { "orderId": 51, "orderValue": 99.9, "productId": 1, "quantity": 1 } ],
  "limit": 25,
  "offset": 50,
  "links": [
    { "rel": "next", "href": "https://api.contoso.com/orders?status=shipped&minCost=100&limit=25&offset=75", "action": "GET" }
  ]
}

The links array follows the HATEOAS principle from the guide: each response carries hypermedia links so clients can navigate related resources and pages without prior knowledge of the URI scheme.

Source citations

Add this badge to your README

Show that API Design Expert for Claude - CLAUDE.md Rules for Claude Code is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/api-design-expert.svg)](https://heyclau.de/entry/rules/api-design-expert)

How it compares

API Design Expert for Claude - CLAUDE.md Rules for Claude Code side by side with its closest alternative on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field

Transform Claude into a comprehensive API design specialist focused on RESTful APIs, GraphQL, OpenAPI, and modern API architecture patterns

Open dossier

A CLAUDE.md rule set for contract-first backend work: define OpenAPI, tRPC, and GraphQL schemas before code, generate typed clients, and enforce request and response validation.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backed
Submitter
Install riskReview firstReview first
Notes Safety Privacy Safety Privacy
Brand
Categoryrulesrules
Sourcesource-backedsource-backed
AuthorJSONboredJSONbored
Added2025-09-162025-10-25
Platforms
Claude Code
Claude Code
Source repo
Safety notesThese are advisory API-design rules applied to your code and specs; they make no network requests and change no infrastructure. Review any generated endpoints and auth flows before deploying.This rule is prompt guidance, not executable code, but it directs Claude to design REST, tRPC, and GraphQL endpoints that create and modify records (for example POST and PATCH handlers); review and authorize generated write operations before deploying them. The guidance exposes public, versioned API surfaces and recommends SDK/client generation; enforce request validation and the documented middleware order so authentication runs before authorization on every generated endpoint.
Privacy notesAPI examples reference auth tokens, API keys, and request/response payloads; keep real secrets and personal data out of committed specs and example values.The recommended patterns authenticate with JWT, OAuth 2.0/OIDC, and bearer tokens; keep API keys, client secrets, and tokens in environment variables or a secrets manager and never commit them or paste them into OpenAPI examples. Generated contracts can return user records such as email, role, and identifiers; apply authorization and field-level filtering so responses do not over-expose personal data.
Prerequisites— none listed— none listed
Install
Config
Citations
ClaimUnclaimedUnclaimed
Open in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.