Api Patterns
Choose REST, GraphQL, tRPC, or gRPC and a matching auth pattern before you commit to an API design for a solo SaaS or agent backend.
Overview
api-patterns is an agent skill most often used in Build (also Validate) that guides REST vs GraphQL vs tRPC vs gRPC/WebSocket choices and matching authentication patterns for API consumers.
Install
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill api-patternsWhat is this skill?
- Decision tree routes consumers to REST+OpenAPI, GraphQL, tRPC, WebSocket+AsyncAPI, or gRPC
- Side-by-side comparison on learning curve, over/under-fetching, type safety, and HTTP caching
- Auth pattern guide: JWT, session, OAuth 2.0, API keys, and passkey with use-case fit
- Five selection questions (consumers, TypeScript frontend, data complexity, caching, public vs internal)
- Five API style selection questions
- Five authentication patterns in the selection guide
- Decision tree with five consumer branches
Adoption & trust: 987 installs on skills.sh; 40.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know you need an API but keep flip-flopping between REST, GraphQL, and tRPC without a clear rule for your actual consumers, caching needs, and auth model.
Who is it for?
Indie builders designing a first public API, a TypeScript monorepo backend, or microservice boundaries who want a short checklist instead of generic blog advice.
Skip if: Teams that already locked OpenAPI or GraphQL schemas in production with enforced org standards—this skill selects patterns, it does not migrate live traffic.
When should I use this skill?
Before implementing or refactoring an API when consumers, TypeScript usage, data shape complexity, caching, or public-vs-internal boundaries are unclear.
What do I get? / Deliverables
You leave with a justified API style and auth pattern aligned to who calls the API and how data is fetched, so implementation can start with one coherent stack.
- Chosen API style with rationale
- Recommended authentication pattern for the use case
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
API style and auth are decided when you shape the backend contract; that is the canonical Build shelf even though the same decisions recur during validation scoping. Backend subphase covers API surface design, consumer contracts, and authentication—exactly what this decision tree addresses.
Where it fits
Scope whether your MVP exposes REST with OpenAPI or a thinner tRPC surface before promising integrations on a landing page.
Lock GraphQL versus REST before the agent generates resolvers and DTOs for your first customer-facing API.
Choose OAuth 2.0 versus API keys when wiring a third-party SaaS connector.
Reconcile JWT verification and session handling with the auth pattern you picked pre-launch.
How it compares
Use as a pre-coding style guide rather than relying on the agent to invent REST vs GraphQL arguments from scratch each session.
Common Questions / FAQ
Who is api-patterns for?
Solo and indie developers shipping APIs with Claude Code, Cursor, or Codex who need a fast, structured way to choose wire format and auth before scaffolding endpoints.
When should I use api-patterns?
During Validate when scoping integrations and pricing around API access; during Build when designing backend routes for a SaaS or agent tool; and when revisiting Ship/Operate concerns if caching or auth mismatches appear in production.
Is api-patterns safe to install?
It is documentation-style procedural knowledge with no built-in shell or network calls; review the Security Audits panel on this Prism page before adding any third-party skill repo to your agent.
SKILL.md
READMESKILL.md - Api Patterns
# API Style Selection (2025) > REST vs GraphQL vs tRPC - Hangi durumda hangisi? ## Decision Tree ``` Who are the API consumers? │ ├── Public API / Multiple platforms │ └── REST + OpenAPI (widest compatibility) │ ├── Complex data needs / Multiple frontends │ └── GraphQL (flexible queries) │ ├── TypeScript frontend + backend (monorepo) │ └── tRPC (end-to-end type safety) │ ├── Real-time / Event-driven │ └── WebSocket + AsyncAPI │ └── Internal microservices └── gRPC (performance) or REST (simplicity) ``` ## Comparison | Factor | REST | GraphQL | tRPC | |--------|------|---------|------| | **Best for** | Public APIs | Complex apps | TS monorepos | | **Learning curve** | Low | Medium | Low (if TS) | | **Over/under fetching** | Common | Solved | Solved | | **Type safety** | Manual (OpenAPI) | Schema-based | Automatic | | **Caching** | HTTP native | Complex | Client-based | ## Selection Questions 1. Who are the API consumers? 2. Is the frontend TypeScript? 3. How complex are the data relationships? 4. Is caching critical? 5. Public or internal API? # Authentication Patterns > Choose auth pattern based on use case. ## Selection Guide | Pattern | Best For | |---------|----------| | **JWT** | Stateless, microservices | | **Session** | Traditional web, simple | | **OAuth 2.0** | Third-party integration | | **API Keys** | Server-to-server, public APIs | | **Passkey** | Modern passwordless (2025+) | ## JWT Principles ``` Important: ├── Always verify signature ├── Check expiration ├── Include minimal claims ├── Use short expiry + refresh tokens └── Never store sensitive data in JWT ``` # API Documentation Principles > Good docs = happy developers = API adoption. ## OpenAPI/Swagger Essentials ``` Include: ├── All endpoints with examples ├── Request/response schemas ├── Authentication requirements ├── Error response formats └── Rate limiting info ``` ## Good Documentation Has ``` Essentials: ├── Quick start / Getting started ├── Authentication guide ├── Complete API reference ├── Error handling guide ├── Code examples (multiple languages) └── Changelog ``` # GraphQL Principles > Flexible queries for complex, interconnected data. ## When to Use ``` ✅ Good fit: ├── Complex, interconnected data ├── Multiple frontend platforms ├── Clients need flexible queries ├── Evolving data requirements └── Reducing over-fetching matters ❌ Poor fit: ├── Simple CRUD operations ├── File upload heavy ├── HTTP caching important └── Team unfamiliar with GraphQL ``` ## Schema Design Principles ``` Principles: ├── Think in graphs, not endpoints ├── Design for evolvability (no versions) ├── Use connections for pagination ├── Be specific with types (not generic "data") └── Handle nullability thoughtfully ``` ## Security Considerations ``` Protect against: ├── Query depth attacks → Set max depth ├── Query complexity → Calculate cost ├── Batching abuse → Limit batch size ├── Introspection → Disable in production ``` # Rate Limiting Principles > Protect your API from abuse and overload. ## Why Rate Limit ``` Protect against: ├── Brute force attacks ├── Resource exhaustion ├── Cost overruns (if pay-per-use) └── Unfair usage ``` ## Strategy Selection | Type | How | When | |------|-----|------| | **Token bucket** | Burst allowed, refills over time | Most APIs | | **Sliding window** | Smooth distribution | Strict limits | | **Fixed window** | Simple counters per window | Basic needs | ## Response Headers ``` Include in headers: ├── X-RateLimit-Limit (max requests) ├── X-RateLimit-Remaining (requests left) ├── X-RateLimit-Reset (when limit resets) └── Return 429 when exceeded ``` # Response Format Principles > Consistency is key - choose a format and stick to it. ## Common Patterns ``` Choose one: ├── Envelope pattern ({ success, data, error }) ├── Direct data (just return the resource) └── HAL/JSON:API (hypermedia) ``` ## Error Response ``` Include: ├── Error code (for programmatic handling) ├── User message (for dis