Build and review Hono TypeScript APIs for Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, and other Web Standards runtimes with routing, middleware, validation, RPC clients, OpenAPI generation, deployment checks, and production safety review.
The download URL is the external `honojs/hono` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., `pnpm create hono@latest` or similar scaffolding commands create project files and may prompt for runtime/framework choices. Confirm the target directory and runtime before running them in an existing repo., Hono apps often run at the edge where secrets, environment bindings, request metadata, body limits, streaming support, and Node.js API compatibility vary by platform., Auth, CORS, cookie, CSRF, JWT, bearer-token, and middleware order mistakes can expose APIs or make browser clients fail in production., Validation middleware can reject, coerce, or transform user input. Review schemas, defaults, unknown-key behavior, async validation, and error responses before shipping., Generated OpenAPI documents and RPC clients become contracts. Review public route visibility, auth requirements, response schemas, and breaking-change impact before publishing them., Webhooks, admin routes, background callbacks, and internal endpoints need explicit verification, idempotency, replay protection, and least-privilege secret handling., Cloudflare Workers, Bun, Deno, Node.js, Vercel, and Netlify adapters do not expose identical runtime behavior. Test the exact adapter and deployment target instead of assuming local parity.
Privacy notes
Hono APIs can process request bodies, headers, cookies, JWT claims, bearer tokens, IP addresses, Cloudflare metadata, logs, traces, validation errors, database records, and webhook payloads., Error handlers, request logs, access logs, debug middleware, AI prompts, screenshots, and issue reports can leak Authorization headers, cookies, session IDs, API keys, user records, and payload samples., OpenAPI schemas, example responses, and RPC types may reveal internal route names, data models, tenant identifiers, admin endpoints, or unreleased API behavior., Use synthetic payloads, fixture data, local test projects, and redacted logs for demos, bug reports, screenshots, and AI-assisted troubleshooting., Review runtime-provider, database, logging, tracing, analytics, and AI-assistant retention policies before exposing real customer traffic or production logs to tooling.
8 safety and 5 privacy notes across 8 risk areas. Review closely: credentials & tokens, permissions & scopes, network access, third-party handling.
8 areas
SafetyNetwork accessThe download URL is the external `honojs/hono` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
SafetyLocal files`pnpm create hono@latest` or similar scaffolding commands create project files and may prompt for runtime/framework choices. Confirm the target directory and runtime before running them in an existing repo.
SafetyCredentials & tokensHono apps often run at the edge where secrets, environment bindings, request metadata, body limits, streaming support, and Node.js API compatibility vary by platform.
SafetyCredentials & tokensAuth, CORS, cookie, CSRF, JWT, bearer-token, and middleware order mistakes can expose APIs or make browser clients fail in production.
SafetyGeneralValidation middleware can reject, coerce, or transform user input. Review schemas, defaults, unknown-key behavior, async validation, and error responses before shipping.
SafetyGeneralGenerated OpenAPI documents and RPC clients become contracts. Review public route visibility, auth requirements, response schemas, and breaking-change impact before publishing them.
SafetyCredentials & tokensWebhooks, admin routes, background callbacks, and internal endpoints need explicit verification, idempotency, replay protection, and least-privilege secret handling.
SafetyExecution & processesCloudflare Workers, Bun, Deno, Node.js, Vercel, and Netlify adapters do not expose identical runtime behavior. Test the exact adapter and deployment target instead of assuming local parity.
PrivacyCredentials & tokensHono APIs can process request bodies, headers, cookies, JWT claims, bearer tokens, IP addresses, Cloudflare metadata, logs, traces, validation errors, database records, and webhook payloads.
PrivacyCredentials & tokensError handlers, request logs, access logs, debug middleware, AI prompts, screenshots, and issue reports can leak Authorization headers, cookies, session IDs, API keys, user records, and payload samples.
PrivacyPermissions & scopesOpenAPI schemas, example responses, and RPC types may reveal internal route names, data models, tenant identifiers, admin endpoints, or unreleased API behavior.
PrivacyData retentionUse synthetic payloads, fixture data, local test projects, and redacted logs for demos, bug reports, screenshots, and AI-assisted troubleshooting.
PrivacyThird-party handlingReview runtime-provider, database, logging, tracing, analytics, and AI-assistant retention policies before exposing real customer traffic or production logs to tooling.
Safety notes
The download URL is the external `honojs/hono` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`pnpm create hono@latest` or similar scaffolding commands create project files and may prompt for runtime/framework choices. Confirm the target directory and runtime before running them in an existing repo.
Hono apps often run at the edge where secrets, environment bindings, request metadata, body limits, streaming support, and Node.js API compatibility vary by platform.
Auth, CORS, cookie, CSRF, JWT, bearer-token, and middleware order mistakes can expose APIs or make browser clients fail in production.
Validation middleware can reject, coerce, or transform user input. Review schemas, defaults, unknown-key behavior, async validation, and error responses before shipping.
Generated OpenAPI documents and RPC clients become contracts. Review public route visibility, auth requirements, response schemas, and breaking-change impact before publishing them.
Webhooks, admin routes, background callbacks, and internal endpoints need explicit verification, idempotency, replay protection, and least-privilege secret handling.
Cloudflare Workers, Bun, Deno, Node.js, Vercel, and Netlify adapters do not expose identical runtime behavior. Test the exact adapter and deployment target instead of assuming local parity.
Privacy notes
Hono APIs can process request bodies, headers, cookies, JWT claims, bearer tokens, IP addresses, Cloudflare metadata, logs, traces, validation errors, database records, and webhook payloads.
Error handlers, request logs, access logs, debug middleware, AI prompts, screenshots, and issue reports can leak Authorization headers, cookies, session IDs, API keys, user records, and payload samples.
OpenAPI schemas, example responses, and RPC types may reveal internal route names, data models, tenant identifiers, admin endpoints, or unreleased API behavior.
Use synthetic payloads, fixture data, local test projects, and redacted logs for demos, bug reports, screenshots, and AI-assisted troubleshooting.
Review runtime-provider, database, logging, tracing, analytics, and AI-assistant retention policies before exposing real customer traffic or production logs to tooling.
Prerequisites
TypeScript project or new service with a selected runtime target, such as Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, or another Web Standards-compatible platform.
Decision to use Hono for HTTP routing, middleware composition, and runtime-portable Request/Response handling rather than a heavier framework.
Package manager, module format, TypeScript strictness, lint/test setup, and deployment provider identified before code generation.
Route inventory covering public routes, authenticated routes, webhooks, health checks, static assets, RPC endpoints, and admin-only operations.
Validation strategy for params, queries, headers, cookies, request bodies, responses, and shared schemas.
Auth, CORS, CSRF, rate-limit, logging, tracing, error-handling, and secret-management policy for the target runtime.
Platform binding plan for resources such as D1, KV, R2, Durable Objects, Queues, databases, caches, or external APIs when the service runs on an edge platform.
# Trigger
"Apply the Hono edge API development skill to this service."
# Required output
1) Runtime, router, middleware, validation, auth, and deployment inventory
2) Hono route, app structure, validator, RPC/OpenAPI, and adapter plan
3) Production checklist for secrets, bindings, CORS, logs, errors, and tests
4) Safety, privacy, rollout, rollback, and compatibility notes
About this resource
Knowledge Freshness
This skill is based on the Hono documentation hub, Cloudflare Workers getting
started guide, validation guide, RPC guide, Zod OpenAPI example, official
honojs/hono repository, and current npm metadata for hono,
@hono/zod-validator, and @hono/zod-openapi reviewed on 2026-06-04.
The official project describes Hono as a web framework built on Web Standards,
with deployment targets that include Cloudflare Workers, Bun, Deno, Node.js,
Vercel, Netlify, Fastly, and other compatible runtimes.
Prefer the live Hono docs and official repository over model memory for current
scaffolding commands, runtime adapters, middleware APIs, validation packages,
RPC client patterns, OpenAPI examples, and deployment behavior.
Scope Note
Use this skill for Hono services, edge APIs, route migrations, middleware
review, validation layers, typed RPC clients, OpenAPI contracts, and deployment
readiness. It is not a generic backend-architecture agent, not the Cloudflare
Workers AI skill, not a tRPC workflow, and not a replacement for
runtime-specific security review.
Core Workflow
Inventory the target runtime, package manager, TypeScript version, module
format, deployment provider, local dev command, test runner, and current API
framework.
Confirm whether this is a new Hono app, an existing Hono service, or a
migration from Express, Fastify, Next.js route handlers, serverless
functions, or another router.
Select the runtime adapter deliberately. Record whether the service will run
on Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, or another Hono
deployment target.
Scaffold or update the Hono app structure without overwriting existing
routing, environment, test, or deployment files.
Define route groups, base paths, health checks, webhooks, admin routes,
public routes, authenticated routes, and versioned APIs before writing
handlers.
Add middleware in a reviewed order: error handling, request ID, logging,
security headers, CORS, auth, rate limiting, compression, validation, and
route-specific policies.
Validate inputs at the boundary. Cover route params, query strings, headers,
cookies, JSON bodies, form data, and multipart uploads where applicable.
Use @hono/zod-validator or another documented validator only after
confirming schema ownership, unknown-key behavior, coercion, defaults, and
error-response shape.
Keep response contracts explicit. For public or client-consumed APIs,
document status codes, success shapes, error shapes, pagination, and
authentication requirements.
If using Hono RPC, confirm client/server type sharing, route exports,
deployment URL handling, error behavior, and whether the public API contract
should remain stable.
If publishing OpenAPI, use the documented @hono/zod-openapi path or a
project-approved equivalent, then review generated schemas for private
routes, auth requirements, examples, and breaking changes.
Wire runtime bindings and secrets through the deployment platform rather
than hardcoding them in code or examples.
Add tests that exercise route matching, validation failures, auth failures,
CORS behavior, webhooks, errors, and representative runtime bindings.
Produce a rollout plan covering local smoke tests, preview deployment,
contract review, observability, rate limits, rollback, and migration
compatibility.
Required Inputs
Runtime target, deployment provider, package manager, TypeScript settings,
and whether the project is an app, API package, worker, or monorepo service.
Current API framework, route inventory, middleware inventory, auth model,
validation approach, and client contract requirements.
Platform bindings, databases, caches, queues, object storage, secrets,
environment names, and local emulation constraints.
Public API consumers, generated clients, OpenAPI consumers, webhooks,
internal clients, and compatibility requirements.
Error, logging, tracing, metrics, sampling, PII redaction, and data-retention
expectations.
Migration constraints, rollout window, fallback plan, and routes that must
remain backward compatible.
Production Rules
Do not assume Node.js APIs exist in edge runtimes. Check the selected Hono
adapter, runtime compatibility, and dependency behavior before adding
packages.
Keep secrets in platform secret stores. Never commit tokens, database URLs,
JWT secrets, webhook secrets, session cookies, or dashboard exports.
Put auth and authorization close to the route or business operation. Global
middleware can help, but admin, tenant, and resource-level checks still need
explicit review.
Treat CORS as a security and product compatibility setting. Avoid wildcard
origins for authenticated browser APIs unless the tradeoff is intentional and
documented.
Validate every untrusted input boundary and return predictable error shapes.
Do not leak raw validator errors that include private values.
Make webhook handlers idempotent and replay-resistant. Verify signatures
before parsing sensitive payloads when the provider supports it.
Review middleware order after every auth, CORS, body parsing, logging,
compression, or error-handling change.
For generated RPC or OpenAPI clients, document breaking-change policy and
test client compatibility before release.
Use synthetic request payloads and redacted logs in prompts, examples, issue
reports, PRs, and screenshots.
Compatibility
Native
Claude Code / Claude: use as a reusable Agent Skill for Hono app
creation, route refactoring, middleware review, validation, RPC/OpenAPI
contracts, and deployment checks.
Codex/OpenAI workflows: use as SKILL.md-style instructions when editing
TypeScript Hono services and edge APIs.
Manual Adaptation
Cursor, Windsurf, Gemini, and Generic AGENTS files: adapt the trigger,
workflow, safety notes, privacy notes, and output contract into repository
rules for Hono API work.
Output Contract
Source evidence: Hono docs, examples, package metadata, and repository URLs
reviewed, with date.
Service inventory: runtime, adapter, routes, middleware, auth, validation,
bindings, deployment environments, consumers, and tests.
Safety and privacy review: secrets, logs, headers, cookies, PII,
cross-origin behavior, webhook verification, and retention risks.
Validation plan: local tests, route smoke tests, runtime-adapter checks,
contract tests, preview deployment, rollback, and monitoring.
Troubleshooting
Route Works Locally But Fails After Deploy
Check the selected adapter, runtime-specific exports, module format, route base
path, environment bindings, and platform logs. Edge runtimes often differ from
local Node.js behavior.
CORS Requests Fail In Browsers
Review allowed origins, credentials mode, preflight headers, methods, and
middleware order. Authenticated browser requests usually need a narrower CORS
policy than public read-only APIs.
Validator Rejects Expected Requests
Inspect route params, content type, request body shape, coercion rules,
unknown-key behavior, async refinements, and whether the client sends JSON,
form data, or multipart data.
RPC Client Types Are Wrong
Confirm the app routes are exported in the documented pattern, the client uses
the correct app type, the server and client packages resolve the same route
definitions, and deployment URL configuration matches the runtime.
OpenAPI Output Exposes Internal Routes
Review which routes are registered with OpenAPI metadata, remove internal or
admin-only examples, mark auth requirements, and avoid real payload samples.
Prompt Starters
"Create a Hono API for this TypeScript service with route groups, validation,
CORS, error handling, and a Cloudflare Workers deployment checklist."
"Review this Hono app for middleware order, auth gaps, validation coverage,
runtime compatibility, and production logging risks."
"Add Hono RPC to this API and produce a client contract review with breaking
change risks."
"Generate an OpenAPI contract for these Hono routes using documented Hono
patterns, then flag any internal fields or private examples."
Duplicate Check
This entry is scoped to Hono's official framework, docs, repository, validator
middleware, RPC workflow, and OpenAPI example path. It is distinct from the
Cloudflare Workers AI Edge Functions skill, generic backend agents, tRPC API
skill, Zod Schema Validation skill, and broad frontend/full-stack agents.
Editorial Disclosure
This catalog entry was drafted from official Hono documentation, official Hono
repository metadata, and current npm package metadata. It is not an affiliate
listing, paid placement, or maintainer-verified package bundle.
Show that Hono Edge API Development Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/hono-edge-api-development)
How it compares
Hono Edge API Development Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).
Build and review Hono TypeScript APIs for Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, and other Web Standards runtimes with routing, middleware, validation, RPC clients, OpenAPI generation, deployment checks, and production safety review.
Agent Skill from mcp-use for turning OpenAPI or Swagger specs into MCP servers with operation-to-tool mapping, auth wiring, Zod schema generation, inspector testing, and streamable HTTP deployment.
✓The download URL is the external `honojs/hono` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
`pnpm create hono@latest` or similar scaffolding commands create project files and may prompt for runtime/framework choices. Confirm the target directory and runtime before running them in an existing repo.
Hono apps often run at the edge where secrets, environment bindings, request metadata, body limits, streaming support, and Node.js API compatibility vary by platform.
Auth, CORS, cookie, CSRF, JWT, bearer-token, and middleware order mistakes can expose APIs or make browser clients fail in production.
Validation middleware can reject, coerce, or transform user input. Review schemas, defaults, unknown-key behavior, async validation, and error responses before shipping.
Generated OpenAPI documents and RPC clients become contracts. Review public route visibility, auth requirements, response schemas, and breaking-change impact before publishing them.
Webhooks, admin routes, background callbacks, and internal endpoints need explicit verification, idempotency, replay protection, and least-privilege secret handling.
Cloudflare Workers, Bun, Deno, Node.js, Vercel, and Netlify adapters do not expose identical runtime behavior. Test the exact adapter and deployment target instead of assuming local parity.
✓The download URL is the external `nestjs/nest` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
NestJS changes can alter route behavior, dependency-injection graph, middleware order, guards, authentication, authorization, validation, error handling, and request/response contracts.
Do not commit `.env` files, database URLs, JWT secrets, API keys, OAuth credentials, cloud credentials, service tokens, private certificates, or copied production config.
Global pipes, filters, guards, interceptors, and middleware affect every matching request. Review denial paths, public routes, admin routes, and backward compatibility before enabling them globally.
DTO validation and transformation can silently coerce input. Check `whitelist`, `forbidNonWhitelisted`, transform behavior, nested objects, arrays, and optional fields before trusting sanitized payloads.
Provider constructors, module imports, dynamic modules, lifecycle hooks, and request-scoped providers can create startup failures or performance regressions when used casually.
Database migrations, message handlers, cron jobs, queues, webhooks, and external-service calls should have explicit retry, idempotency, timeout, and rollback behavior.
OpenAPI docs can expose internal DTO fields, route names, auth scheme details, admin endpoints, examples, and deprecated surfaces if generated without review.
✓Generated MCP tools can expose every selected REST operation from a source API, including destructive or account-changing endpoints if the operation filter is too broad.
Large OpenAPI specs can create noisy tool surfaces. Filter by tag or operation list when the API has many endpoints.
Auth wiring may include API keys, bearer tokens, basic auth, OAuth bearer tokens, and environment variables; never put secret values in the spec, generated source, prompts, or PR text.
The skill recommends streamable HTTP for generated mcp-use servers; review deployment auth, CORS, rate limits, logs, and public reachability before publishing.
Human review is needed for generated schemas, tool descriptions, error handling, and write operations before giving an agent access to real accounts.
✓Install Zod with `npm install zod` (or your package manager's equivalent) before use. The library has zero runtime dependencies and does not execute network requests on its own.
Async refinements (`.refine(async fn)`) may call external services if your own callback does — review any async refinement for unintended network or database access.
Privacy notes
✓Hono APIs can process request bodies, headers, cookies, JWT claims, bearer tokens, IP addresses, Cloudflare metadata, logs, traces, validation errors, database records, and webhook payloads.
Error handlers, request logs, access logs, debug middleware, AI prompts, screenshots, and issue reports can leak Authorization headers, cookies, session IDs, API keys, user records, and payload samples.
OpenAPI schemas, example responses, and RPC types may reveal internal route names, data models, tenant identifiers, admin endpoints, or unreleased API behavior.
Use synthetic payloads, fixture data, local test projects, and redacted logs for demos, bug reports, screenshots, and AI-assisted troubleshooting.
Review runtime-provider, database, logging, tracing, analytics, and AI-assistant retention policies before exposing real customer traffic or production logs to tooling.
✓NestJS logs, exception filters, validation errors, request IDs, OpenAPI examples, test fixtures, and AI prompts can expose request payloads, headers, cookies, JWT claims, user IDs, emails, tenant IDs, and internal service names.
Avoid pasting raw production requests, access tokens, cookies, stack traces with sensitive values, database records, or private OpenAPI exports into prompts or public issues.
Use synthetic request data and non-production credentials for examples, tests, screenshots, generated docs, and AI-assisted troubleshooting.
Review logging, telemetry, error reporting, audit events, and model-provider retention before routing customer data through AI-assisted debugging or generated diagnostics.
✓OpenAPI specs can expose private endpoint names, internal domains, auth schemes, schemas, object fields, customer concepts, and operational workflows.
Tool calls can send prompts, arguments, request bodies, auth-scoped API responses, error payloads, and logs through the MCP server, model provider, and deployment platform.
Keep API keys, tokens, OAuth secrets, cookies, private base URLs, customer data, and internal spec comments out of public examples, repository files, issue comments, and screenshots.
For third-party or customer APIs, confirm data retention and logging behavior across the MCP client, mcp-use deployment target, model provider, and API provider.
✓Zod validates data in-process only and does not transmit your schemas, inputs, or error output to any external service.
Schemas that validate emails, passwords, or personal data remain entirely local; no input leaves your runtime environment through Zod itself.
Prerequisites
TypeScript project or new service with a selected runtime target, such as Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, or another Web Standards-compatible platform.
Decision to use Hono for HTTP routing, middleware composition, and runtime-portable Request/Response handling rather than a heavier framework.
Package manager, module format, TypeScript strictness, lint/test setup, and deployment provider identified before code generation.
Route inventory covering public routes, authenticated routes, webhooks, health checks, static assets, RPC endpoints, and admin-only operations.
TypeScript backend project or planned service boundary where NestJS is the intended framework.
Known package manager, Node.js runtime target, deployment target, module format, and build pipeline.
Decision on HTTP adapter, usually Express through `@nestjs/platform-express` unless the app is explicitly using Fastify.
API surface inventory covering controllers, routes, request bodies, query parameters, response shapes, errors, authentication, authorization, and versioning.
An OpenAPI 3.x or Swagger 2.0 spec from a local file, URL, or pasted source.
Node.js and npm or pnpm for `create-mcp-use-app`, TypeScript, swagger-parser, Zod, and mcp-use tooling.
An MCP client or coding agent that can install and use Agent Skills from GitHub.
Known target API base URL, authentication scheme, operation filter, and deployment intent before broad tool generation.
TypeScript 5.0+ (5.5+ recommended for best type inference)
zod ^3.22.0
Node.js 18+ or a modern browser with ES2020+ support