Skip to main content
skillsSource-backed

NestJS Backend API Development Skill

Build and maintain NestJS backend APIs with modules, controllers, providers, dependency injection, configuration, validation pipes, guards, interceptors, exception filters, OpenAPI docs, testing, and production safety review.

Level:advancedType:generalVerified:validated
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://docs.nestjs.com/, https://github.com/nestjs/nest, https://nestjs.com
Safety notes
The download URL is the external `nestjs/nest` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows., NestJS changes can alter route behavior, dependency-injection graph, middleware order, guards, authentication, authorization, validation, error handling, and request/response contracts., Do not commit `.env` files, database URLs, JWT secrets, API keys, OAuth credentials, cloud credentials, service tokens, private certificates, or copied production config., Global pipes, filters, guards, interceptors, and middleware affect every matching request. Review denial paths, public routes, admin routes, and backward compatibility before enabling them globally., DTO validation and transformation can silently coerce input. Check `whitelist`, `forbidNonWhitelisted`, transform behavior, nested objects, arrays, and optional fields before trusting sanitized payloads., Provider constructors, module imports, dynamic modules, lifecycle hooks, and request-scoped providers can create startup failures or performance regressions when used casually., Database migrations, message handlers, cron jobs, queues, webhooks, and external-service calls should have explicit retry, idempotency, timeout, and rollback behavior., OpenAPI docs can expose internal DTO fields, route names, auth scheme details, admin endpoints, examples, and deprecated surfaces if generated without review.
Privacy notes
NestJS logs, exception filters, validation errors, request IDs, OpenAPI examples, test fixtures, and AI prompts can expose request payloads, headers, cookies, JWT claims, user IDs, emails, tenant IDs, and internal service names., Avoid pasting raw production requests, access tokens, cookies, stack traces with sensitive values, database records, or private OpenAPI exports into prompts or public issues., Use synthetic request data and non-production credentials for examples, tests, screenshots, generated docs, and AI-assisted troubleshooting., Review logging, telemetry, error reporting, audit events, and model-provider retention before routing customer data through AI-assisted debugging or generated diagnostics.
Platform compatibility
claude-code (native-skill), codex (native-skill), windsurf (native-skill), gemini (native-skill), cursor (adapter), cli (manual-context)
Author
oktofeesh1
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-04

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

86

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Package install

Copy-ready — paste the snippet to get started.

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

7 prerequisites to line up before setup.

0/7 ready
Install & runtime3Configuration1Permissions & scopes1General2

Safety & privacy surface

Safety & privacy surface

8 safety and 4 privacy notes across 5 risk areas. Review closely: credentials & tokens, permissions & scopes, network access, third-party handling.

5 areas
  • SafetyNetwork accessThe download URL is the external `nestjs/nest` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
  • SafetyPermissions & scopesNestJS changes can alter route behavior, dependency-injection graph, middleware order, guards, authentication, authorization, validation, error handling, and request/response contracts.
  • SafetyCredentials & tokensDo not commit `.env` files, database URLs, JWT secrets, API keys, OAuth credentials, cloud credentials, service tokens, private certificates, or copied production config.
  • SafetyPermissions & scopesGlobal pipes, filters, guards, interceptors, and middleware affect every matching request. Review denial paths, public routes, admin routes, and backward compatibility before enabling them globally.
  • SafetyGeneralDTO validation and transformation can silently coerce input. Check `whitelist`, `forbidNonWhitelisted`, transform behavior, nested objects, arrays, and optional fields before trusting sanitized payloads.
  • SafetyPermissions & scopesProvider constructors, module imports, dynamic modules, lifecycle hooks, and request-scoped providers can create startup failures or performance regressions when used casually.
  • SafetyNetwork accessDatabase migrations, message handlers, cron jobs, queues, webhooks, and external-service calls should have explicit retry, idempotency, timeout, and rollback behavior.
  • SafetyPermissions & scopesOpenAPI docs can expose internal DTO fields, route names, auth scheme details, admin endpoints, examples, and deprecated surfaces if generated without review.
  • PrivacyNetwork accessNestJS logs, exception filters, validation errors, request IDs, OpenAPI examples, test fixtures, and AI prompts can expose request payloads, headers, cookies, JWT claims, user IDs, emails, tenant IDs, and internal service names.
  • PrivacyCredentials & tokensAvoid pasting raw production requests, access tokens, cookies, stack traces with sensitive values, database records, or private OpenAPI exports into prompts or public issues.
  • PrivacyCredentials & tokensUse synthetic request data and non-production credentials for examples, tests, screenshots, generated docs, and AI-assisted troubleshooting.
  • PrivacyThird-party handlingReview logging, telemetry, error reporting, audit events, and model-provider retention before routing customer data through AI-assisted debugging or generated diagnostics.

Safety notes

  • The download URL is the external `nestjs/nest` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows.
  • NestJS changes can alter route behavior, dependency-injection graph, middleware order, guards, authentication, authorization, validation, error handling, and request/response contracts.
  • Do not commit `.env` files, database URLs, JWT secrets, API keys, OAuth credentials, cloud credentials, service tokens, private certificates, or copied production config.
  • Global pipes, filters, guards, interceptors, and middleware affect every matching request. Review denial paths, public routes, admin routes, and backward compatibility before enabling them globally.
  • DTO validation and transformation can silently coerce input. Check `whitelist`, `forbidNonWhitelisted`, transform behavior, nested objects, arrays, and optional fields before trusting sanitized payloads.
  • Provider constructors, module imports, dynamic modules, lifecycle hooks, and request-scoped providers can create startup failures or performance regressions when used casually.
  • Database migrations, message handlers, cron jobs, queues, webhooks, and external-service calls should have explicit retry, idempotency, timeout, and rollback behavior.
  • OpenAPI docs can expose internal DTO fields, route names, auth scheme details, admin endpoints, examples, and deprecated surfaces if generated without review.

Privacy notes

  • NestJS logs, exception filters, validation errors, request IDs, OpenAPI examples, test fixtures, and AI prompts can expose request payloads, headers, cookies, JWT claims, user IDs, emails, tenant IDs, and internal service names.
  • Avoid pasting raw production requests, access tokens, cookies, stack traces with sensitive values, database records, or private OpenAPI exports into prompts or public issues.
  • Use synthetic request data and non-production credentials for examples, tests, screenshots, generated docs, and AI-assisted troubleshooting.
  • Review logging, telemetry, error reporting, audit events, and model-provider retention before routing customer data through AI-assisted debugging or generated diagnostics.

Prerequisites

  • TypeScript backend project or planned service boundary where NestJS is the intended framework.
  • Known package manager, Node.js runtime target, deployment target, module format, and build pipeline.
  • Decision on HTTP adapter, usually Express through `@nestjs/platform-express` unless the app is explicitly using Fastify.
  • API surface inventory covering controllers, routes, request bodies, query parameters, response shapes, errors, authentication, authorization, and versioning.
  • Configuration and secret plan for environment variables, validation, local development, staging, production, CI, and deployment providers.
  • DTO and validation strategy using Nest pipes and class-based validation or another explicitly chosen validation library.
  • Testing plan covering unit tests for providers, integration tests for modules, e2e tests for HTTP behavior, and database or external-service boundaries.

Schema details

Install type
package
Reading time
8 min
Difficulty score
78
Troubleshooting
Yes
Breaking changes
No
Source repository stats
Scope
Source repo
Skill and platform metadata
Skill type
general
Skill level
advanced
Verification
validated
Verified at
2026-06-04
Retrieval sources
https://docs.nestjs.com/https://docs.nestjs.com/first-stepshttps://docs.nestjs.com/controllershttps://docs.nestjs.com/providershttps://docs.nestjs.com/techniques/configurationhttps://github.com/nestjs/nest
Tested platforms
ClaudeCodexWindsurfGeminiCursorGeneric AGENTS
PlatformSupportInstall path
claude-codeNative.claude/skills/<skill-name>/SKILL.md
codexNative.agents/skills/<skill-name>/SKILL.md
windsurfNative.windsurf/skills/<skill-name>/SKILL.md
geminiNative.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursorAdapter.cursor/rules/<skill-name>.mdc
cliManualAGENTS.md or tool-specific context file
Tool listing metadata
Full copyable content
# Trigger
"Apply the NestJS backend API development skill to this service."

# Required output
1) Current NestJS, TypeScript, package manager, module, transport, and runtime inventory
2) Module, controller, provider, DTO, pipe, guard, interceptor, and filter plan
3) Config, validation, OpenAPI, testing, observability, and deployment checklist
4) Safety, privacy, migration, rollback, and secret-handling notes

About this resource

Knowledge Freshness

This skill is based on the NestJS documentation homepage, first steps guide, controllers guide, providers guide, configuration technique guide, and nestjs/nest repository reviewed on 2026-06-04. The official @nestjs/core package metadata was also checked on the same date and reported version 11.1.24, MIT licensing, and the canonical nestjs/nest repository.

Prefer the live NestJS docs and official repository over model memory for current CLI commands, package names, module conventions, HTTP adapter behavior, dependency-injection rules, testing helpers, configuration patterns, validation guidance, and migration notes.

Retrieval Sources

Scope Note

Use this skill for NestJS backend API work: module design, controllers, providers, dependency injection, configuration, request validation, guards, interceptors, filters, testing, OpenAPI docs, and production review. It is not a generic Node.js API guide, not a Hono edge API skill, not a FastAPI skill, and not a database-specific ORM guide.

Core Workflow

  1. Inventory the service: NestJS version, Node.js version, package manager, TypeScript config, app entry point, HTTP adapter, deployment target, module layout, test runner, and existing global pipes, guards, interceptors, and filters.
  2. Confirm the intended service boundary. Identify whether the work is a new app, feature module, controller addition, provider refactor, migration from Express/Fastify, or production-hardening pass.
  3. Map the API contract before coding: routes, methods, params, query strings, request bodies, response DTOs, error shapes, auth requirements, versioning, rate limits, idempotency needs, and backward-compatibility constraints.
  4. Design modules deliberately. Keep imports, exports, providers, dynamic modules, and shared modules explicit so the dependency graph remains clear.
  5. Add or update controllers with thin request handling. Keep transport-specific parsing, auth decisions, DTO validation, and response mapping close to the controller, but move business behavior into providers.
  6. Add providers for application logic and integration boundaries. Prefer constructor injection, explicit interfaces where useful, and testable service methods over hidden globals.
  7. Define DTOs and validation rules. Review required fields, optional fields, nested objects, arrays, enum behavior, transforms, defaults, and how invalid payloads are reported.
  8. Configure validation pipes intentionally. For global pipes, review whitelist, forbidNonWhitelisted, transform, nested validation, and compatibility with existing clients.
  9. Add guards, interceptors, filters, and middleware only where their scope is clear. Confirm route matching, public-route exceptions, admin boundaries, error mapping, logging behavior, and performance impact.
  10. Wire configuration through approved environment handling. Validate required values at startup, avoid client-exposed secrets, and document local, staging, CI, and production differences.
  11. Add OpenAPI docs when useful. Review generated schemas, auth schemes, examples, deprecated routes, and hidden/internal fields before publishing documentation.
  12. Test the module. Cover provider unit tests, controller or module integration tests, e2e HTTP flows, failure cases, validation failures, auth denials, and external-service boundaries with mocks or test doubles.
  13. Review production behavior: startup errors, graceful shutdown, health checks, structured logging, tracing, timeouts, retries, database transactions, message handlers, cron jobs, queues, and rollback.
  14. Produce a concise implementation summary with changed files, API contract changes, validation behavior, auth impact, test coverage, deployment notes, and remaining risks.

Required Inputs

  • NestJS version, Node.js version, package manager, TypeScript settings, app entry point, HTTP adapter, deployment provider, and build command.
  • Existing module tree, controller routes, providers, middleware, global pipes, guards, interceptors, filters, and test setup.
  • API contract requirements: route paths, methods, request DTOs, response DTOs, error shape, auth model, versioning, client compatibility, and OpenAPI needs.
  • Configuration model for environment variables, secrets, validation, local development, CI, preview, staging, and production.
  • External dependencies such as databases, queues, caches, webhooks, OAuth providers, third-party APIs, observability, and feature flags.
  • Migration or rollback constraints for existing routes, clients, database schema, deployed workers, background jobs, and scheduled tasks.

Production Rules

  • Keep controllers thin and providers testable. When a controller starts owning business logic, move that behavior into a provider and test it there.
  • Treat module imports and provider exports as an API. Avoid broad shared modules that hide coupling or make circular dependencies harder to detect.
  • Do not make validation global until existing clients and error handling have been checked. Stricter DTO rules can break integrations that send extra or loosely typed fields.
  • Treat guards and interceptors as security-sensitive. Every public route, admin route, webhook route, and machine-to-machine endpoint needs an explicit expected outcome.
  • Never log secrets, bearer tokens, cookies, raw passwords, refresh tokens, full OAuth payloads, or complete customer request bodies.
  • Review OpenAPI output before publishing it. Generated schemas can expose internal fields, examples, route names, auth details, or undocumented admin surfaces.
  • Prefer explicit timeout, retry, and idempotency behavior around external calls, queues, cron jobs, and webhooks. A provider method that works locally can still duplicate work under retry or deployment restarts.
  • Use e2e tests for the real HTTP behavior that clients rely on: route matching, validation errors, auth denials, response shapes, headers, and status codes.

Validation Checklist

  • Package install and build commands match the project package manager.
  • main.ts bootstraps the intended app module and applies reviewed global pipes, filters, guards, interceptors, and middleware.
  • Modules import and export only what downstream modules require.
  • Controllers declare route paths, methods, DTOs, status codes, and exception behavior deliberately.
  • Providers isolate business logic and external-service access behind testable methods.
  • DTO validation covers required fields, optional fields, nested objects, arrays, enums, transforms, and rejected unknown fields.
  • Configuration fails fast for missing required values without printing secrets.
  • OpenAPI docs hide internal fields and accurately describe auth, request, and response behavior.
  • Unit, integration, and e2e tests cover happy paths, validation failures, authorization failures, and representative external-service errors.
  • Deployment notes cover environment variables, health checks, graceful shutdown, migrations, observability, rollback, and incident recovery.

Troubleshooting

Dependency injection error at startup

Inspect the failing provider token, module imports, module exports, circular dependencies, and dynamic module configuration. Confirm the provider is declared in the module that owns it and exported only when another module needs it.

Validation accepts or rejects the wrong payload

Check DTO decorators, optional fields, nested validation setup, arrays, transform behavior, whitelist, forbidNonWhitelisted, and whether a global pipe is overriding route-level expectations.

Guard blocks a public route

Review the guard scope, route metadata, public-route decorator, global guard registration, controller inheritance, and test coverage for public, private, admin, and webhook routes.

OpenAPI docs show internal fields

Review DTO classes, example values, hidden properties, response decorators, auth decorators, route grouping, and whether internal admin controllers are included in the published document.

E2E tests pass locally but fail in CI

Check environment variables, database lifecycle, port binding, test app module configuration, external-service mocks, timeouts, fake timers, and whether tests share mutable state across files.

Duplicate Check

This entry was checked against the current upstream/main content tree and open pull requests before drafting. Existing content only mentions NestJS in a backend collection and a command example; no dedicated content/skills, content/agents, content/hooks, or content/mcp entry matches NestJS, @nestjs/core, docs.nestjs.com, or nestjs/nest.

Editorial Disclosure

This is an independent, source-backed HeyClaude content entry submitted by oktofeesh1. It is not sponsored by NestJS, the NestJS maintainers, or OpenJS-style ecosystem projects. The linked source archive is the official upstream repository archive and is not repackaged or verified by HeyClaude.

Source citations

Add this badge to your README

Show that NestJS Backend API Development Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/skills/nestjs-backend-api-development.svg)](https://heyclau.de/entry/skills/nestjs-backend-api-development)

How it compares

NestJS Backend API Development Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).

Field

Build and maintain NestJS backend APIs with modules, controllers, providers, dependency injection, configuration, validation pipes, guards, interceptors, exception filters, OpenAPI docs, testing, and production safety review.

Open dossier

Build and review Hono TypeScript APIs for Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, and other Web Standards runtimes with routing, middleware, validation, RPC clients, OpenAPI generation, deployment checks, and production safety review.

Open dossier

Build high-performance async REST APIs with FastAPI, Python's fastest-growing web framework. Automatic OpenAPI/Swagger documentation, type-safe validation with Pydantic, native async/await support, and dependency injection for clean architecture.

Open dossier

Agent Skill from mcp-use for turning OpenAPI or Swagger specs into MCP servers with operation-to-tool mapping, auth wiring, Zod schema generation, inspector testing, and streamable HTTP deployment.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage not verifiedPackage not verifiedPackage verified2025-10-23Package not verified
Source provenanceDiffersSource-backedSource-backedNo submission linkSource-backed
SubmitterDiffersoktofeesh1oktofeesh1
Install riskReview firstReview firstLow riskReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandCloudflare logoCloudflare
Categoryskillsskillsskillsskills
SourceSource-backedSource-backedFirst-partySource-backed
Authoroktofeesh1oktofeesh1JSONboredmcp-use
Added2026-06-042026-06-042025-10-232026-06-18
Platforms
Harness
Source repo
Safety notesThe download URL is the external `nestjs/nest` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. NestJS changes can alter route behavior, dependency-injection graph, middleware order, guards, authentication, authorization, validation, error handling, and request/response contracts. Do not commit `.env` files, database URLs, JWT secrets, API keys, OAuth credentials, cloud credentials, service tokens, private certificates, or copied production config. Global pipes, filters, guards, interceptors, and middleware affect every matching request. Review denial paths, public routes, admin routes, and backward compatibility before enabling them globally. DTO validation and transformation can silently coerce input. Check `whitelist`, `forbidNonWhitelisted`, transform behavior, nested objects, arrays, and optional fields before trusting sanitized payloads. Provider constructors, module imports, dynamic modules, lifecycle hooks, and request-scoped providers can create startup failures or performance regressions when used casually. Database migrations, message handlers, cron jobs, queues, webhooks, and external-service calls should have explicit retry, idempotency, timeout, and rollback behavior. OpenAPI docs can expose internal DTO fields, route names, auth scheme details, admin endpoints, examples, and deprecated surfaces if generated without review.The download URL is the external `honojs/hono` source archive, not a HeyClaude-packaged skill archive; review source provenance before using it in automated workflows. `pnpm create hono@latest` or similar scaffolding commands create project files and may prompt for runtime/framework choices. Confirm the target directory and runtime before running them in an existing repo. Hono apps often run at the edge where secrets, environment bindings, request metadata, body limits, streaming support, and Node.js API compatibility vary by platform. Auth, CORS, cookie, CSRF, JWT, bearer-token, and middleware order mistakes can expose APIs or make browser clients fail in production. Validation middleware can reject, coerce, or transform user input. Review schemas, defaults, unknown-key behavior, async validation, and error responses before shipping. Generated OpenAPI documents and RPC clients become contracts. Review public route visibility, auth requirements, response schemas, and breaking-change impact before publishing them. Webhooks, admin routes, background callbacks, and internal endpoints need explicit verification, idempotency, replay protection, and least-privilege secret handling. Cloudflare Workers, Bun, Deno, Node.js, Vercel, and Netlify adapters do not expose identical runtime behavior. Test the exact adapter and deployment target instead of assuming local parity.Installs and runs server packages (pip install fastapi uvicorn pydantic sqlalchemy) and starts an ASGI web server that listens on a network port. Review dependencies and bind to trusted interfaces before exposing endpoints.Generated MCP tools can expose every selected REST operation from a source API, including destructive or account-changing endpoints if the operation filter is too broad. Large OpenAPI specs can create noisy tool surfaces. Filter by tag or operation list when the API has many endpoints. Auth wiring may include API keys, bearer tokens, basic auth, OAuth bearer tokens, and environment variables; never put secret values in the spec, generated source, prompts, or PR text. The skill recommends streamable HTTP for generated mcp-use servers; review deployment auth, CORS, rate limits, logs, and public reachability before publishing. Human review is needed for generated schemas, tool descriptions, error handling, and write operations before giving an agent access to real accounts.
Privacy notesNestJS logs, exception filters, validation errors, request IDs, OpenAPI examples, test fixtures, and AI prompts can expose request payloads, headers, cookies, JWT claims, user IDs, emails, tenant IDs, and internal service names. Avoid pasting raw production requests, access tokens, cookies, stack traces with sensitive values, database records, or private OpenAPI exports into prompts or public issues. Use synthetic request data and non-production credentials for examples, tests, screenshots, generated docs, and AI-assisted troubleshooting. Review logging, telemetry, error reporting, audit events, and model-provider retention before routing customer data through AI-assisted debugging or generated diagnostics.Hono APIs can process request bodies, headers, cookies, JWT claims, bearer tokens, IP addresses, Cloudflare metadata, logs, traces, validation errors, database records, and webhook payloads. Error handlers, request logs, access logs, debug middleware, AI prompts, screenshots, and issue reports can leak Authorization headers, cookies, session IDs, API keys, user records, and payload samples. OpenAPI schemas, example responses, and RPC types may reveal internal route names, data models, tenant identifiers, admin endpoints, or unreleased API behavior. Use synthetic payloads, fixture data, local test projects, and redacted logs for demos, bug reports, screenshots, and AI-assisted troubleshooting. Review runtime-provider, database, logging, tracing, analytics, and AI-assistant retention policies before exposing real customer traffic or production logs to tooling.API endpoints and database integrations can read and persist user-supplied data. Validate and scope what the service stores or logs, and keep database credentials and connection strings out of committed code.OpenAPI specs can expose private endpoint names, internal domains, auth schemes, schemas, object fields, customer concepts, and operational workflows. Tool calls can send prompts, arguments, request bodies, auth-scoped API responses, error payloads, and logs through the MCP server, model provider, and deployment platform. Keep API keys, tokens, OAuth secrets, cookies, private base URLs, customer data, and internal spec comments out of public examples, repository files, issue comments, and screenshots. For third-party or customer APIs, confirm data retention and logging behavior across the MCP client, mcp-use deployment target, model provider, and API provider.
Prerequisites
  • TypeScript backend project or planned service boundary where NestJS is the intended framework.
  • Known package manager, Node.js runtime target, deployment target, module format, and build pipeline.
  • Decision on HTTP adapter, usually Express through `@nestjs/platform-express` unless the app is explicitly using Fastify.
  • API surface inventory covering controllers, routes, request bodies, query parameters, response shapes, errors, authentication, authorization, and versioning.
  • TypeScript project or new service with a selected runtime target, such as Cloudflare Workers, Bun, Deno, Node.js, Vercel, Netlify, or another Web Standards-compatible platform.
  • Decision to use Hono for HTTP routing, middleware composition, and runtime-portable Request/Response handling rather than a heavier framework.
  • Package manager, module format, TypeScript strictness, lint/test setup, and deployment provider identified before code generation.
  • Route inventory covering public routes, authenticated routes, webhooks, health checks, static assets, RPC endpoints, and admin-only operations.
  • Python 3.9+
  • fastapi ^0.104.0
  • uvicorn[standard] ^0.24.0
  • pydantic ^2.0.0
  • An OpenAPI 3.x or Swagger 2.0 spec from a local file, URL, or pasted source.
  • Node.js and npm or pnpm for `create-mcp-use-app`, TypeScript, swagger-parser, Zod, and mcp-use tooling.
  • An MCP client or coding agent that can install and use Agent Skills from GitHub.
  • Known target API base URL, authentication scheme, operation filter, and deployment intent before broad tool generation.
Install
pnpm add @nestjs/core @nestjs/common @nestjs/platform-express reflect-metadata rxjs
pnpm create hono@latest
pip install fastapi uvicorn[standard] pydantic sqlalchemy
npx skills add https://github.com/mcp-use/mcp-use --skill openapi-to-mcp
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.