# API Design Checklist ## Pre-Implementation Review ### Resource Design - [ ] Resources are nouns, not verbs - [ ] Plural names for collections - [ ] Consistent naming across all endpoints - [ ] Clear resource hierarchy (avoid deep nesting >2 levels) - [ ] All CRUD operations properly mapped to HTTP methods ### HTTP Methods - [ ] GET for retrieval (safe, idempotent) - [ ] POST for creation - [ ] PUT for full replacement (idempotent) - [ ] PATCH for partial updates - [ ] DELETE for removal (idempotent) ### Status Codes - [ ] 200 OK for successful GET/PATCH/PUT - [ ] 201 Created for POST - [ ] 204 No Content for DELETE - [ ] 400 Bad Request for malformed requests - [ ] 401 Unauthorized for missing auth - [ ] 403 Forbidden for insufficient permissions - [ ] 404 Not Found for missing resources - [ ] 422 Unprocessable Entity for validation errors - [ ] 429 Too Many Requests for rate limiting - [ ] 500 Internal Server Error for server issues ### Pagination - [ ] All collection endpoints paginated - [ ] Default page size defined (e.g., 20) - [ ] Maximum page size enforced (e.g., 100) - [ ] Pagination metadata included (total, pages, etc.) - [ ] Cursor-based or offset-based pattern chosen ### Filtering & Sorting - [ ] Query parameters for filtering - [ ] Sort parameter supported - [ ] Search parameter for full-text search - [ ] Field selection supported (sparse fieldsets) ### Versioning - [ ] Versioning strategy defined (URL/header/query) - [ ] Version included in all endpoints - [ ] Deprecation policy documented ### Error Handling - [ ] Consistent error response format - [ ] Detailed error messages - [ ] Field-level validation errors - [ ] Error codes for client handling - [ ] Timestamps in error responses ### Authentication & Authorization - [ ] Authentication method defined (Bearer token, API key) - [ ] Authorization checks on all endpoints - [ ] 401 vs 403 used correctly - [ ] Token expiration handled ### Rate Limiting - [ ] Rate limits defined per endpoint/user - [ ] Rate limit headers included - [ ] 429 status code for exceeded limits - [ ] Retry-After header provided ### Documentation - [ ] OpenAPI/Swagger spec generated - [ ] All endpoints documented - [ ] Request/response examples provided - [ ] Error responses documented - [ ] Authentication flow documented ### Testing - [ ] Unit tests for business logic - [ ] Integration tests for endpoints - [ ] Error scenarios tested - [ ] Edge cases covered - [ ] Performance tests for heavy endpoints ### Security - [ ] Input validation on all fields - [ ] SQL injection prevention - [ ] XSS prevention - [ ] CORS configured correctly - [ ] HTTPS enforced - [ ] Sensitive data not in URLs - [ ] No secrets in responses ### Performance - [ ] Database queries optimized - [ ] N+1 queries prevented - [ ] Caching strategy defined - [ ] Cache headers set appropriately - [ ] Large responses paginated ### Monitoring - [ ] Logging implemented - [ ] Error tracking configured - [ ] Performance metrics collected - [ ] Health check endpoint available - [ ] Alerts configured for errors ## GraphQL-Specific Checks ### Schema Design - [ ] Schema-first approach used - [ ] Types properly defined - [ ] Non-null vs nullable decided - [ ] Interfaces/unions used appropriately - [ ] Custom scalars defined ### Queries - [ ] Query depth limiting - [ ] Query complexity analysis - [ ] DataLoaders prevent N+1 - [ ] Pagination pattern chosen (Relay/offset) ### Mutations - [ ] Input types defined - [ ] Payload types with errors - [ ] Optimistic response support - [ ] Idempotency considered ### Performance - [ ] DataLoader for all relationships - [ ] Query batching enabled - [ ] Persisted queries considered - [ ] Response caching implemented ### Documentation - [ ] All fields documented - [ ] Deprecations marked - [ ] Examples provided - [ ] Schema introspection enabled