API Design
Design clear, consistent, and developer-friendly REST APIs.
When NOT to Use
- Consuming external APIs — Use api-integration for building clients to call third-party services (Stripe, Twilio, etc.)
- Writing tests for APIs — Use testing-strategy for contract tests, integration tests, mocking strategies
- Reviewing existing API security — Use security-audit for vulnerability scanning of live endpoints
- Designing auth mechanisms that are the whole task — Use security-audit if reviewing, this skill if designing from scratch
Core Principles
- Resource-oriented — Design around nouns (resources), not verbs (actions)
- Predictable patterns — Consistent URL structure, response format, and behavior
- Clear contracts — Explicit schemas, documented errors, versioned endpoints
- Developer experience — Meaningful errors, helpful examples, logical defaults
Quick Start Checklist
More from srstomp/pokayokay
- architecture-review (301) — Use when auditing project structure, planning refactors, improving code organization, analyzing dependencies and module boundaries, or identifying structural issues. TypeScript/JavaScript-primary with language-agnostic patterns.
- figma-plugin (79) — Use when building Figma plugins, creating design automation tools, implementing sandbox/UI communication, or working with the Figma Plugin API for node manipulation, styles, and components.
- security-audit (48) — Use when reviewing code security, auditing dependencies for CVEs, checking configuration or secret security, assessing authentication and authorization patterns, identifying OWASP vulnerabilities (injection, XSS, CSRF), or addressing security concerns about implementations.
- testing-strategy (28) — Use when designing test architecture, building API test suites, validating API contracts, setting up component or E2E testing, managing test data, debugging flaky tests, reviewing coverage strategy, or organizing test files. Covers test pyramid, mocking (MSW), frontend (React Testing Library, Playwright), and CI integration.
- sdk-development (28) — Use when building TypeScript SDKs, extracting shared code into packages, creating developer tooling libraries, designing clean API surfaces, or publishing to npm (public or private). Covers typed clients, error handling, multi-target bundling (ESM/CJS/browser).
- session-review (27) — Use after completing work sessions to analyze agent behavior patterns, prepare session handoffs for continuity, document completed work, identify blockers, or preserve context for the next session.