Explore and script against REST APIs with comprehensive authentication support (API keys, OAuth 2.0, JWT Bearer tokens, Basic Auth), pagination utilities (cursor-based, offset-based, page-based), retry logic with exponential backoff and jitter, error handling for HTTP status codes, rate limiting with Retry-After hea...
Setup downloads/unzips a package, and the harness makes live HTTP requests (including POST/PUT/DELETE) to the APIs you point it at; review endpoints and methods before running against production services.
Privacy notes
API requests carry credentials (API keys, OAuth/JWT tokens) and request/response bodies; keep secrets in environment variables, and review what data is sent to and logged from third-party APIs.
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, network access.
2 areas
SafetyNetwork accessSetup downloads/unzips a package, and the harness makes live HTTP requests (including POST/PUT/DELETE) to the APIs you point it at; review endpoints and methods before running against production services.
PrivacyCredentials & tokensAPI requests carry credentials (API keys, OAuth/JWT tokens) and request/response bodies; keep secrets in environment variables, and review what data is sent to and logged from third-party APIs.
Safety notes
Setup downloads/unzips a package, and the harness makes live HTTP requests (including POST/PUT/DELETE) to the APIs you point it at; review endpoints and methods before running against production services.
Privacy notes
API requests carry credentials (API keys, OAuth/JWT tokens) and request/response bodies; keep secrets in environment variables, and review what data is sent to and logged from third-party APIs.
Prerequisites
Node.js 18+
undici or axios HTTP client library
API credentials (if required)
Network access for API requests
Network access to target API endpoints for making HTTP requests and testing API functionality
API documentation or OpenAPI/Swagger specification (optional but recommended) for automatic client generation and type safety
.gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor
Adapter
.cursor/rules/<skill-name>.mdc
cli
Manual
AGENTS.md or tool-specific context file
Full copyable content
import { setTimeout as delay } from 'node:timers/promises';
import { fetch } from 'undici';
async function fetchAll(url, token) {
let next = url;
const items = [];
while (next) {
const res = await fetch(next, { headers: { Authorization: `Bearer ${token}` } });
if (!res.ok) {
if (res.status >= 500) { await delay(1000); continue; }
throw new Error(`HTTP ${res.status}`);
}
const data = await res.json();
items.push(...data.items);
next = data.next;
}
return items;
}
About this resource
What This Skill Enables
Claude can interact with REST APIs: make requests, handle authentication (API keys, OAuth, JWT), paginate through results, handle rate limits with retries, and process responses. Build API integration scripts, test endpoints, and extract data from web services.
Compatibility
Native
Claude Code / Claude: native skill usage via SKILL.md.
Codex/OpenAI workflows: compatible with Agent Skills-style SKILL.md content as reusable workflow instructions.
Manual Adaptation
Gemini CLI: native skill usage via .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md where supported.
Cursor: use the generated .cursor/rules/*.mdc adapter for project rules.
OpenClaw and similar agents: use the same skill content as a reusable prompt/workflow file when native skill import is unavailable.
Prompt: "Fetch data from this REST API endpoint: https://api.example.com/users
Use API key: [your-key]
Show me the first 10 results."
Claude will:
Make GET request with auth header
Parse JSON response
Extract and display data
Handle errors gracefully
Paginated Data Extraction
Prompt: "Fetch all pages from this paginated API:
URL: https://api.example.com/items
Pagination: cursor-based (next_cursor field)
API Key: [your-key]
Save all results to items.json"
Claude will:
Make first request
Loop through pages using cursor
Collect all results
Save to JSON file
Report total count
POST Request with Data
Prompt: "Create a new user via POST request:
URL: https://api.example.com/users
Payload: {name: 'John Doe', email: 'john@example.com'}
Auth: Bearer token [your-token]
Show me the response."
Claude will:
Prepare POST request
Set headers (auth, content-type)
Send JSON payload
Parse response
Display result or error
Batch Operations
Prompt: "Upload all these records to the API:
Read from users.csv
For each row, POST to /users endpoint
Handle rate limits (max 10 requests/second)
Log successes and failures
Retry failures once"
Claude will:
Read CSV data
Iterate through rows
Make POST requests with rate limiting
Retry on failures
Generate success/failure report
Common Workflows
API Testing & Exploration
"Test this API endpoint:
1. Make GET request to /api/products
2. Check status code and headers
3. Validate JSON response schema
4. Show sample of first 3 records
5. Report if any fields are null/missing"
Data Migration
"Migrate data from API A to API B:
1. Fetch all records from source API (paginated)
2. Transform to target API format
3. POST to destination API
4. Handle rate limits (5 req/sec)
5. Log migration progress and errors
Save unmigrated records to errors.json"
Webhook Testing
"Test this webhook:
1. POST sample payload to webhook URL
2. Check response status
3. Validate response format
4. Test with invalid payload
5. Report all results"
API Monitoring
"Monitor API health:
1. Hit /health endpoint every minute for 10 minutes
2. Record response time and status
3. Alert if response time > 1 second
4. Create uptime report
5. Plot response times"
Authentication Methods
API Key Authentication
Header: X-API-Key: your-key
Query parameter: ?api_key=your-key
Custom header format
Bearer Token (JWT)
Header: Authorization: Bearer your-token
Token refresh handling
Expiration detection
Basic Authentication
Header: Authorization: Basic base64(user:pass)
Credentials encoding
OAuth 2.0
Client credentials flow
Authorization code flow
Token refresh logic
Advanced Features
Rate Limiting & Retries
Respect rate limit headers
Exponential backoff
Jitter for retry timing
Max retry attempts
Response Handling
JSON parsing
XML/HTML parsing
Binary data (images, files)
Streaming responses
Error Handling
HTTP status code detection
Custom error messages
Validation errors
Network timeouts
Data Transformation
JSON to CSV conversion
Field mapping and renaming
Data type coercion
Filtering and aggregation
Tips for Best Results
Provide API Docs: Share API documentation link or describe endpoints
Authentication: Be clear about auth method and provide credentials securely
Rate Limits: Mention any known rate limits ("max 100 requests/minute")
Show that REST API Client Harness Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/rest-api-client-harness)
How it compares
REST API Client Harness Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).
Next steps differ across entries — use the actions in the table below to copy install commands and source links per resource.
Explore and script against REST APIs with comprehensive authentication support (API keys, OAuth 2.0, JWT Bearer tokens, Basic Auth), pagination utilities (cursor-based, offset-based, page-based), retry logic with exponential backoff and jitter, error handling for HTTP status codes, rate limiting with Retry-After hea...
Compile Rust, C++, or Go to WebAssembly and run it in the browser, Node.js, and serverless runtimes: wasm-bindgen JS interop, WASI for system access, the Component Model, and SIMD.
Official Flutter team Agent Skills for AI coding agents building Flutter apps, fixing layout issues, adding widget and integration tests, creating widget previews, applying layered architecture, routing, localization, JSON serialization, and HTTP workflows.
Expert MCP remote server trust review capability pack for auditing OAuth flows, transport security, tool permissions, data exfiltration risk, and vendor scope before connecting Claude Code to third-party MCP servers.
✓Setup downloads/unzips a package, and the harness makes live HTTP requests (including POST/PUT/DELETE) to the APIs you point it at; review endpoints and methods before running against production services.
✓The install step downloads and unzips a package, and building modules runs compiler toolchains (wasm-pack, Emscripten, or the WASI SDK); run them in a trusted project directory and review generated build files.
WASI grants modules system access (files, env, sockets); grant only the capabilities a module needs and review WASI imports before running untrusted modules.
✓Flutter skills can modify application code, tests, pubspec dependencies, routing, localization files, serialization code, architecture boundaries, and app entry points.
Integration-test workflows may enable Flutter Driver extensions, add keys to widgets, launch apps through MCP tools, interact with running UI, and create driver scripts.
Do not run device, emulator, browser, Firebase Test Lab, or network-backed integration tests against production services without explicit approval and test credentials.
Architecture and routing changes can alter navigation, state management, API access, caching, offline behavior, and user-visible app flows.
Use project-local conventions and Flutter version constraints before applying generated examples.
✓Remote MCP servers run outside Anthropic control; Claude Code MCP integration does not guarantee vendor security or data isolation.
OAuth tokens issued to an MCP server may grant persistent access to third-party accounts until revoked in the vendor admin console.
Tools that read, write, delete, or execute on external systems can cause irreversible production changes when invoked by the model.
SSE and streamable HTTP transports must use TLS; do not approve cleartext remote endpoints on untrusted networks.
This skill recommends scoping and approval steps; it must not add MCP servers or approve OAuth consent without explicit user authorization.
Privacy notes
✓API requests carry credentials (API keys, OAuth/JWT tokens) and request/response bodies; keep secrets in environment variables, and review what data is sent to and logged from third-party APIs.
✓Compiling and running modules is local, but a module that fetches remote models or data (for example ONNX inference) sends and receives data over the network; review what it downloads and where results go.
✓Flutter projects may contain API URLs, Firebase project IDs, mobile bundle IDs, analytics keys, user fixtures, screenshots, test traces, device logs, crash output, and integration-test artifacts.
MCP app exploration can expose widget trees, screen text, test data, typed inputs, navigation paths, and screenshots from the running app.
HTTP, JSON, localization, and repository-layer work may touch private API schemas, user data models, translations, product copy, and backend payloads.
Keep credentials, private endpoints, screenshots with user data, device logs, Firebase tokens, and proprietary UI flows out of public prompts, issues, PRs, and examples.
✓MCP tool results can contain customer names, ticket contents, database rows, repository secrets, and internal URLs that should not be pasted into public issues.
OAuth consent screens and server logs may expose account emails, organization identifiers, and access tokens if shared without redaction.
Remote server vendors may retain prompts, tool arguments, and responses under their own privacy policies outside Anthropic data handling.
Public trust-review summaries should describe risk categories and mitigations, not full tool schemas or live OAuth tokens.
Prerequisites
Node.js 18+
undici or axios HTTP client library
API credentials (if required)
Network access for API requests
Rust 1.70+ and wasm-pack (recommended)
wasm-bindgen 0.2.87+
WASI SDK 20+ (for WASI modules)
Node.js 18+ for JavaScript integration
Flutter SDK and Dart tooling installed for the target project.
An AI coding assistant or skill host compatible with Agent Skills, preferably using the standard `.agents/skills` install target.
Project-specific Flutter targets, devices, emulators, browsers, test commands, and package constraints available before modifying app code.
For MCP-assisted testing or UI exploration, access to the Dart/Flutter MCP server or equivalent app interaction tools.
The remote MCP server URL, vendor documentation, and intended Claude Code or Desktop use case.
Access to the MCP server manifest, tool list, OAuth client registration details, and transport configuration.
Security or platform stakeholders available to review third-party data access before production rollout.
A concrete integration goal such as issue tracking, CRM lookup, database queries, or deployment automation.