Tanstack Start Best Practices

Name: Tanstack Start Best Practices
Author: deckardger

deckardger/tanstack-agent-skills

Ship TanStack Start apps with correct server routes for webhooks, REST APIs, and external HTTP consumers instead of misusing server functions.

Overview

TanStack Start Best Practices is an agent skill for the Build phase that teaches when and how to create TanStack Start server routes for webhooks, REST endpoints, and external HTTP clients.

Install

npx skills add https://github.com/deckardger/tanstack-agent-skills --skill tanstack-start-best-practices

What is this skill?

Contrasts server functions (internal RPC) vs server routes (REST, webhooks, external consumers)
Shows createFileRoute server handlers with GET/POST and json() responses plus Cache-Control
Calls out webhook pitfalls: signature verification needs raw body access
Documents MEDIUM-priority api-routes guidance within TanStack Start best-practices pack
Steers versioning and standard HTTP semantics away from exposing internal createServerFn endpoints

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 6.7k installs on skills.sh; 180 GitHub stars; 3/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are on TanStack Start but reach for server functions everywhere, which breaks webhooks, caching, and standard API contracts external tools expect.

Who is it for?

Full-stack solo builders shipping TanStack Start who need public APIs or webhook endpoints alongside React UI.

Skip if: Teams on Next.js-only stacks, static SPAs with no TanStack Start server layer, or apps with zero external HTTP consumers.

When should I use this skill?

User is implementing TanStack Start server HTTP surface, webhooks, or public REST and needs best-practice route patterns.

What do I get? / Deliverables

You add file-based API routes with correct HTTP semantics and keep server functions scoped to internal RPC, ready to wire Stripe or partner integrations.

Server route modules under routes/api with GET/POST handlers
Documented split between internal RPC and external HTTP endpoints

Recommended Skills

Frontend Designanthropics/skills

Frontend Design is an agent skill for solo and indie builders who want web interfaces that look intentional, not like ev…516k installs·148k stars

Vercel React Best Practicesvercel-labs/agent-skills

Vercel React Best Practices is an agent skill packaging Vercel Engineering’s performance playbook for React and Next.js.…459k installs·27.7k stars

Remotion Best Practicesremotion-dev/skills

Remotion Best Practices is a domain knowledge agent skill for solo and indie builders who ship video with Remotion—progr…357k installs·3.5k stars

Vercel Composition Patternsvercel-labs/agent-skills

Vercel Composition Patterns is an agent-oriented skill from Vercel Labs that documents how solo and indie builders shoul…204k installs·27.7k stars

Develop Userscriptsxixu-me/skills

Guides building and fixing browser userscripts for Tampermonkey and ScriptCat, emphasizing runtime selection, minimal pe…154k installs·61 stars

Next Best Practicesvercel-labs/next-skills

Next Best Practices is a Vercel Labs agent skill that encodes how to write and review modern Next.js App Router projects…102k installs·919 stars

Journey fit

Primary fit

BuildBackend, data & payments

Canonical shelf is Build because the skill encodes routing and handler patterns while implementing the product’s server surface. Backend subphase fits API routes, raw request bodies, cache headers, and third-party webhook semantics that server functions do not cover well.

Also useful

BuildIntegrations & version control

Also useful

ShipSecurity

How it compares

Framework-native route handlers for external HTTP—not a generic OpenAPI generator or separate Express sidecar.

Common Questions / FAQ

Who is tanstack-start-best-practices for?

Indie full-stack developers using TanStack React Start who want agent-guided conventions for server routes, caching, and integration endpoints.

When should I use tanstack-start-best-practices?

During Build when adding /api routes, fixing webhook handlers, or separating internal server functions from REST; also before Ship when hardening partner-facing endpoints.

Is tanstack-start-best-practices safe to install?

Review the Security Audits panel on this Prism page and inspect the skill repo; the skill describes code patterns and does not require cloud credentials by itself.

SKILL.md

READMESKILL.md - Tanstack Start Best Practices

# api-routes: Create Server Routes for External Consumers

## Priority: MEDIUM

## Explanation

While server functions are ideal for internal RPC, server routes provide traditional REST endpoints for external consumers, webhooks, and integrations. Use server routes when you need standard HTTP semantics, custom response formats, or third-party compatibility.

## Bad Example

```tsx
// Using server functions for webhook endpoints
export const stripeWebhook = createServerFn({ method: 'POST' })
  .handler(async ({ request }) => {
    // Server functions aren't designed for raw request handling
    // No easy access to raw body for signature verification
    // Response format is JSON by default
  })

// Or exposing internal functions to external consumers
export const getUsers = createServerFn()
  .handler(async () => {
    return db.users.findMany()
  })
// No versioning, no standard REST semantics
```

## Good Example: Basic Server Route

```tsx
// routes/api/users.ts
import { createFileRoute } from '@tanstack/react-router'
import { json } from '@tanstack/react-start'

export const Route = createFileRoute('/api/users')({
  server: {
    handlers: {
      GET: async ({ request }) => {
        const users = await db.users.findMany({
          select: { id: true, name: true, email: true },
        })

        return json(users, {
          headers: {
            'Cache-Control': 'public, max-age=60',
          },
        })
      },

      POST: async ({ request }) => {
        const body = await request.json()

        // Validate input
        const parsed = createUserSchema.safeParse(body)
        if (!parsed.success) {
          return json({ error: parsed.error.flatten() }, { status: 400 })
        }

        const user = await db.users.create({ data: parsed.data })
        return json(user, { status: 201 })
      },
    },
  },
})
```

## Good Example: Webhook Handler

```tsx
// routes/api/webhooks/stripe.ts
import { createFileRoute } from '@tanstack/react-router'
import Stripe from 'stripe'

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!)

export const Route = createFileRoute('/api/webhooks/stripe')({
  server: {
    handlers: {
      POST: async ({ request }) => {
        const signature = request.headers.get('stripe-signature')
        if (!signature) {
          return new Response('Missing signature', { status: 400 })
        }

        // Get raw body for signature verification
        const rawBody = await request.text()

        let event: Stripe.Event
        try {
          event = stripe.webhooks.constructEvent(
            rawBody,
            signature,
            process.env.STRIPE_WEBHOOK_SECRET!
          )
        } catch (err) {
          console.error('Webhook signature verification failed:', err)
          return new Response('Invalid signature', { status: 400 })
        }

        // Handle the event
        switch (event.type) {
          case 'checkout.session.completed':
            await handleCheckoutComplete(event.data.object)
            break
          case 'customer.subscription.updated':
            await handleSubscriptionUpdate(event.data.object)
            break
          default:
            console.log(`Unhandled event type: ${event.type}`)
        }

        return new Response('OK', { status: 200 })
      },
    },
  },
})
```

## Good Example: RESTful Resource with Dynamic Params

```tsx
// routes/api/posts/$postId.ts
import { createFileRoute } from '@tanstack/react-router'
import { json } from '@tanstack/react-start'

export const Route = createFileRoute('/api/posts/$postId')({
  server: {
    handlers: {
      GET: async ({ params }) => {
        const post = await db.posts.findUnique({
          where: { id: params.postId },
        })

        if (!post) {
          return json({ error: 'Post not found' }, { status: 404 })
        }

        return json(post)
      },

      PUT: async ({ request, params }) => {
        const body = await request.json()
        const pars

What is this skill?

Contrasts server functions (internal RPC) vs server routes (REST, webhooks, external consumers)

Shows createFileRoute server handlers with GET/POST and json() responses plus Cache-Control

Calls out webhook pitfalls: signature verification needs raw body access

Documents MEDIUM-priority api-routes guidance within TanStack Start best-practices pack

Steers versioning and standard HTTP semantics away from exposing internal createServerFn endpoints

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 6.7k installs on skills.sh; 180 GitHub stars; 3/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

BuildBackend, data & payments

Also useful

BuildIntegrations & version control

Also useful

ShipSecurity

SKILL.md

READMESKILL.md - Tanstack Start Best Practices

# api-routes: Create Server Routes for External Consumers

## Priority: MEDIUM

## Explanation

While server functions are ideal for internal RPC, server routes provide traditional REST endpoints for external consumers, webhooks, and integrations. Use server routes when you need standard HTTP semantics, custom response formats, or third-party compatibility.

## Bad Example

```tsx
// Using server functions for webhook endpoints
export const stripeWebhook = createServerFn({ method: 'POST' })
  .handler(async ({ request }) => {
    // Server functions aren't designed for raw request handling
    // No easy access to raw body for signature verification
    // Response format is JSON by default
  })

// Or exposing internal functions to external consumers
export const getUsers = createServerFn()
  .handler(async () => {
    return db.users.findMany()
  })
// No versioning, no standard REST semantics
```

## Good Example: Basic Server Route

```tsx
// routes/api/users.ts
import { createFileRoute } from '@tanstack/react-router'
import { json } from '@tanstack/react-start'

export const Route = createFileRoute('/api/users')({
  server: {
    handlers: {
      GET: async ({ request }) => {
        const users = await db.users.findMany({
          select: { id: true, name: true, email: true },
        })

        return json(users, {
          headers: {
            'Cache-Control': 'public, max-age=60',
          },
        })
      },

      POST: async ({ request }) => {
        const body = await request.json()

        // Validate input
        const parsed = createUserSchema.safeParse(body)
        if (!parsed.success) {
          return json({ error: parsed.error.flatten() }, { status: 400 })
        }

        const user = await db.users.create({ data: parsed.data })
        return json(user, { status: 201 })
      },
    },
  },
})
```

## Good Example: Webhook Handler

```tsx
// routes/api/webhooks/stripe.ts
import { createFileRoute } from '@tanstack/react-router'
import Stripe from 'stripe'

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!)

export const Route = createFileRoute('/api/webhooks/stripe')({
  server: {
    handlers: {
      POST: async ({ request }) => {
        const signature = request.headers.get('stripe-signature')
        if (!signature) {
          return new Response('Missing signature', { status: 400 })
        }

        // Get raw body for signature verification
        const rawBody = await request.text()

        let event: Stripe.Event
        try {
          event = stripe.webhooks.constructEvent(
            rawBody,
            signature,
            process.env.STRIPE_WEBHOOK_SECRET!
          )
        } catch (err) {
          console.error('Webhook signature verification failed:', err)
          return new Response('Invalid signature', { status: 400 })
        }

        // Handle the event
        switch (event.type) {
          case 'checkout.session.completed':
            await handleCheckoutComplete(event.data.object)
            break
          case 'customer.subscription.updated':
            await handleSubscriptionUpdate(event.data.object)
            break
          default:
            console.log(`Unhandled event type: ${event.type}`)
        }

        return new Response('OK', { status: 200 })
      },
    },
  },
})
```

## Good Example: RESTful Resource with Dynamic Params

```tsx
// routes/api/posts/$postId.ts
import { createFileRoute } from '@tanstack/react-router'
import { json } from '@tanstack/react-start'

export const Route = createFileRoute('/api/posts/$postId')({
  server: {
    handlers: {
      GET: async ({ params }) => {
        const post = await db.posts.findUnique({
          where: { id: params.postId },
        })

        if (!post) {
          return json({ error: 'Post not found' }, { status: 404 })
        }

        return json(post)
      },

      PUT: async ({ request, params }) => {
        const body = await request.json()
        const pars

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is tanstack-start-best-practices for?

When should I use tanstack-start-best-practices?

Is tanstack-start-best-practices safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is tanstack-start-best-practices for?

When should I use tanstack-start-best-practices?

Is tanstack-start-best-practices safe to install?

SKILL.md