Backend API Endpoint Generator

Generate production-ready REST or GraphQL endpoints with request validation, error handling, and comprehensive tests.

When to Invoke

Auto-invoke when user mentions:

"Add endpoint"
"Create API"
"New route"
"Add route"
"Create API endpoint for [resource]"

What This Does

Generates route handler with proper HTTP methods
Adds request validation (body, params, query)
Implements error handling
Creates test file with request/response tests
Follows REST/GraphQL conventions
Includes authentication middleware (if needed)

Execution Steps

Step 0: Check Existing Patterns (Phase 0)

Before gathering requirements, query the knowledge graph for what we already know about API/endpoint work in this project. Mirrors navigator-research's Phase 0.

python3 skills/nav-graph/functions/graph_manager.py \
  --action query --concept api \
  --graph-path .agent/knowledge/graph.json 2>/dev/null | head -40

Also check authentication, validation, and security if the endpoint touches those areas.

If memories surface (PATTERN, PITFALL, DECISION entries), read the full memory files for relevant ones:

ls .agent/knowledge/memories/{patterns,pitfalls,decisions}/ 2>/dev/null

What to do with what you find:

Patterns: apply them (e.g. "we use Zod for validation, not Joi")
Pitfalls: avoid them (record in pitfalls_avoided in Step 8)
Decisions: respect them (e.g. "we return 404 over 422 for missing resources")

If the graph returns nothing useful, proceed without it. Skip this step only if the knowledge graph is disabled in .agent/.nav-config.json.

Step 1: Gather Endpoint Requirements

Ask user for endpoint details:

Endpoint path: [e.g., /api/users/:id]
HTTP method: [GET, POST, PUT, PATCH, DELETE]
Resource name: [e.g., User, Post, Product]

Framework:
  - express (default)
  - fastify
  - nestjs
  - nextjs   (App Router Route Handler — app/api/<resource>/route.ts)
  - graphql

Authentication required: [yes/no]
Request validation needed: [yes/no]

Validate endpoint path:

Use predefined function: functions/route_validator.py
Ensure RESTful conventions
Check path parameters syntax
No trailing slashes

Step 1.5: Verify Understanding (ToM Checkpoint) [EXECUTE]

IMPORTANT: This step MUST be executed for high-stakes operations.

Before generating code, confirm interpretation with user.

Display verification:

I understood you want:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Endpoint: {METHOD} {PATH}
Resource: {RESOURCE_NAME}
Framework: {FRAMEWORK} (detected from package.json / specified)
Auth required: {yes/no}
Validation needed: {yes/no}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Assumptions I'm making:
- Using {VALIDATION_LIBRARY} for validation (detected from existing validators)
- Error handling follows existing pattern in {ERROR_HANDLER_PATH}
- Route will be registered at {ROUTE_PREFIX} prefix

Proceed with generation? [Y/n]

Skip verification if (HIGH-STAKES ONLY mode):

Simple CRUD operation (single resource, single path parameter)
User explicitly said "quick", "just do it", or "skip confirmation"
No custom authentication logic specified
Standard GET/POST/PUT/DELETE without complex business logic

Always verify if:

Multiple path parameters (e.g., /users/:userId/posts/:postId)
Custom authorization logic specified
Non-standard HTTP methods or patterns
GraphQL mutations with side effects
Endpoints involving financial or sensitive data

Step 1.8: Declare Belief State (Optional - ToM Anchor)

Before generating code, optionally declare explicit assumptions (enabled by tom_features.belief_anchors in config).

Display belief state anchor:

📌 BELIEF STATE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

What I know (from context):
✅ Framework: {FRAMEWORK} (from package.json)
✅ TypeScript: {strict/normal} mode (from tsconfig.json)
✅ Validation: {LIBRARY} (from existing validators/)

What I'm assuming (inference):
🔸 Error handler follows pattern in {PATH}
🔸 Routes registered at {PREFIX} prefix
🔸 Using {CONVENTION} commit messages

What I don't know (using defaults):
❓ Request logging preference (will include)
❓ Rate limiting requirements (will skip)
❓ Response envelope format (will use standard)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Adjustments needed before I proceed?

Skip belief anchor if:

tom_features.belief_anchors is false in config
User said "skip", "just do it", "quick"
Simple endpoint with no custom logic

Show belief anchor if:

Complex endpoint with multiple integrations
User profile indicates preference for detailed explanations
First endpoint in a new project (establishing patterns)

Step 2: Generate Route Handler

Based on HTTP method and framework:

Use predefined function: functions/endpoint_generator.py

python3 functions/endpoint_generator.py \
  --path "/api/users/:id" \
  --method "GET" \
  --resource "User" \
  --framework "express" \
  --auth true \
  --validation true \
  --template "templates/express-route-template.ts" \
  --output "src/routes/users.ts"

Template includes:

Route definition
Request validation middleware
Controller/handler function
Error handling
Response formatting
TypeScript types

Step 3: Generate Validation Schema

Use predefined function: functions/validation_generator.py

python3 functions/validation_generator.py \
  --resource "User" \
  --method "POST" \
  --fields "name:string:required,email:email:required,age:number:optional" \
  --library "zod" \
  --output "src/validators/user.validator.ts"

Supported validation libraries:

Zod (default, TypeScript-first)
Joi (JavaScript schema)
Yup (object schema)
Express-validator (middleware-based)

Output example (Zod):

import { z } from 'zod';

export const createUserSchema = z.object({
  name: z.string().min(1),
  email: z.string().email(),
  age: z.number().optional(),
});

export type CreateUserInput = z.infer<typeof createUserSchema>;

Step 4: Generate Error Handling Middleware

Use predefined function: functions/error_handler_generator.py

python3 functions/error_handler_generator.py \
  --framework "express" \
  --template "templates/error-handler-template.ts" \
  --output "src/middleware/errorHandler.ts"

Error handler includes:

HTTP status code mapping
Error response formatting
Logging integration
Development vs production modes
Validation error handling

Step 5: Generate Test File

Use predefined function: functions/test_generator.py

python3 functions/test_generator.py \
  --endpoint "/api/users/:id" \
  --method "GET" \
  --framework "express" \
  --template "templates/endpoint-test-template.spec.ts" \
  --output "tests/routes/users.test.ts"

Test template includes:

Success case (200/201)
Validation errors (400)
Not found (404)
Unauthorized (401)
Server errors (500)
Edge cases

Example test:

describe('GET /api/users/:id', () => {
  it('returns user when found', async () => {
    const response = await request(app)
      .get('/api/users/123')
      .expect(200);

    expect(response.body).toMatchObject({
      id: '123',
      name: expect.any(String),
    });
  });

  it('returns 404 when user not found', async () => {
    await request(app)
      .get('/api/users/999')
      .expect(404);
  });
});

Step 6: Generate API Documentation Comment

JSDoc or OpenAPI annotation:

/**
 * @route GET /api/users/:id
 * @description Get user by ID
 * @access Private
 * @param {string} id - User ID
 * @returns {User} User object
 * @throws {404} User not found
 * @throws {401} Unauthorized
 */

Step 7: Show Endpoint Summary

Display generated files and usage:

✅ Endpoint Created: GET /api/users/:id

Structure:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📁 src/
   ├── routes/users.ts                (Route handler)
   ├── validators/user.validator.ts   (Request validation)
   └── middleware/errorHandler.ts     (Error handling)

📁 tests/
   └── routes/users.test.ts           (Integration tests)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Route Registration:
import { userRoutes } from './routes/users';
app.use('/api', userRoutes);

Test:
curl http://localhost:3000/api/users/123
# or
npm test -- users.test.ts

Next Steps:
1. Implement business logic in controller
2. Connect to database/service layer
3. Run tests: npm test
4. Test with Postman/Thunder Client

Step 8: Emit Execution Summary (Graph Ingestion)

After Step 7, emit an execution_summary JSON block. This is the parity equivalent of the research_findings block emitted by navigator-research, ingested into the knowledge graph so future endpoint work can surface what we learned.

Output the block verbatim (replace placeholders with actual values):

{
  "execution_summary": {
    "skill": "backend-endpoint",
    "task": "{METHOD} {PATH}",
    "files_created": ["{route, validator, test paths}"],
    "files_modified": ["{router registration paths}"],
    "tests_added": ["{test file path}"],
    "stack_detected": "{e.g. express+typescript+zod}",
    "patterns_followed": [
      {"summary": "{convention applied — e.g. Zod schema for request validation}", "concepts": ["api"], "confidence": 0.8}
    ],
    "decisions_made": [
      {"summary": "{non-obvious choice — e.g. 404 over 422 because resource itself missing}", "concepts": ["api"], "confidence": 0.75, "evidence": "{path:line}"}
    ],
    "pitfalls_avoided": [
      {"summary": "{gotcha that future agents should know — e.g. middleware order matters: auth before validator}", "concepts": ["api"], "confidence": 0.85}
    ],
    "assumptions_made": ["{e.g. project uses Express middleware pattern (detected via package.json)}"]
  }
}

Ingestion (run from project root):

echo '<execution_summary JSON>' | python3 skills/nav-graph/functions/execution_to_graph.py -

Rules:

Only include non-obvious entries — empty/trivial blocks pollute the graph.
Skip the entire block if there's nothing notable to record.
Confidence ≥ 0.7 for first-hand execution; 0.75 is a reasonable default.

Predefined Functions

1. route_validator.py

Validates route path follows REST conventions.

Usage:

python3 functions/route_validator.py --path "/api/users/:id" --method "GET"

Checks:

RESTful naming (plural resources)
Path parameter syntax (:id or {id})
No trailing slashes
HTTP method matches intent

Returns: Valid path or error message

2. endpoint_generator.py

Generates endpoint handler from template.

Usage:

python3 functions/endpoint_generator.py \
  --path "/api/users/:id" \
  --method "GET" \
  --resource "User" \
  --framework "express" \
  --auth true \
  --validation true \
  --template "templates/express-route-template.ts"

Parameters:

--path: API endpoint path
--method: HTTP method
--resource: Resource name (singular, PascalCase)
--framework: Backend framework
--auth: Include auth middleware
--validation: Include validation middleware
--template: Template file path

Returns: Generated endpoint code

3. validation_generator.py

Generates request validation schema.

Usage:

python3 functions/validation_generator.py \
  --resource "User" \
  --method "POST" \
  --fields "name:string:required,email:email:required" \
  --library "zod"

Supported field types:

string, number, boolean
email, url, uuid
array, object
date, datetime

Returns: Validation schema code

4. error_handler_generator.py

Generates error handling middleware.

Usage:

python3 functions/error_handler_generator.py \
  --framework "express" \
  --template "templates/error-handler-template.ts"

Returns: Error handler middleware code

5. test_generator.py

Generates endpoint integration tests.

Usage:

python3 functions/test_generator.py \
  --endpoint "/api/users/:id" \
  --method "GET" \
  --framework "express" \
  --template "templates/endpoint-test-template.spec.ts"

Generates tests for:

Success responses
Validation errors
Authentication errors
Not found errors
Server errors

Returns: Generated test code

Templates

express-route-template.ts

Express.js route handler template.

Placeholders:

${ROUTE_PATH} - API endpoint path
${HTTP_METHOD} - HTTP method (lowercase)
${RESOURCE_NAME} - Resource name (PascalCase)
${VALIDATION_MIDDLEWARE} - Validation middleware
${AUTH_MIDDLEWARE} - Authentication middleware

nextjs-route-template.ts (collection)

Next.js App Router Route Handler for a collection endpoint — no dynamic segment.

When to use: package.json has "next" in deps and the path has no [id]. Output path: app/api/<resource>/route.ts. Exports GET (list) + POST (create).

nextjs-route-dynamic-template.ts (single resource)

Next.js App Router Route Handler for a single resource endpoint with a dynamic segment.

When to use: path includes [id] (or similar). Output path: app/api/<resource>/[id]/route.ts. Exports GET (read), PATCH (update), DELETE.

Picking between them:

POST /api/favourites → collection template
GET /api/favourites/[id] → dynamic template
If unsure, ask the user whether the endpoint operates on a list or a single resource

Both templates encode Next.js 15+/16 conventions:

Named async exports per HTTP method
params is a Promise<…> — await it (Next.js 15+ change), only on dynamic
Non-dynamic routes do not declare a context parameter (TypeScript infers Promise<{}> from the file path)
Returns NextResponse.json(...) with explicit status codes
Zod schema for body validation
See .agent/philosophy/NEXTJS-PATTERNS.md §E, §H

Prefer Server Actions over Route Handlers for mutations from your own UI (forms, buttons). Use Route Handlers for webhooks, third-party callers, and public REST endpoints. See NEXTJS-PATTERNS.md §F.

fastify-route-template.ts

Fastify route handler template (alternative).

graphql-resolver-template.ts

GraphQL resolver template (alternative).

validation-zod-template.ts

Zod validation schema template.

endpoint-test-template.spec.ts

Integration test template with supertest.

Placeholders:

${ENDPOINT_PATH} - Endpoint to test
${HTTP_METHOD} - HTTP method
${TEST_CASES} - Generated test cases

Examples

See examples/ directory for reference implementations:

users-get.ts - GET endpoint with auth
users-post.ts - POST endpoint with validation
graphql-resolver.ts - GraphQL mutation example

Each example includes:

Route/resolver implementation
Validation schema
Error handling
Test file
Usage documentation

Best Practices

REST API Design

Use plural nouns for resources (/users, not /user)
Use HTTP methods correctly (GET=read, POST=create, PUT/PATCH=update, DELETE=remove)
Nest resources properly (/users/:userId/posts/:postId)
Return proper status codes (200, 201, 400, 401, 404, 500)

Request Validation

Validate all inputs (body, params, query)
Fail fast (validate before business logic)
Clear error messages (tell user what's wrong)
Sanitize inputs (prevent injection attacks)

Error Handling

Centralized error handler (DRY principle)
Consistent error format (always same structure)
Don't expose internals (sanitize stack traces in production)
Log errors (for debugging)

Security

Authentication (verify identity)
Authorization (check permissions)
Rate limiting (prevent abuse)
Input sanitization (prevent XSS, SQL injection)

Testing

Test happy path (success cases)
Test error cases (validation, auth, not found)
Test edge cases (empty data, large data)
Mock external dependencies (database, APIs)

Troubleshooting

Route Not Found (404)

Problem: Endpoint returns 404 even though route is defined

Solutions:

Check route registration order (specific before generic)
Verify path matches exactly (case-sensitive)
Check middleware isn't blocking request
Validate HTTP method matches

Validation Always Fails

Problem: Valid requests fail validation

Solutions:

Check field names match exactly
Verify data types are correct
Check required vs optional fields
Inspect validation error message

Tests Failing

Problem: Integration tests don't pass

Solutions:

Ensure test database is seeded
Check test fixtures are correct
Verify mocks are set up properly
Run tests with --verbose flag

Success Criteria

This skill succeeds when:

Endpoint responds with correct status codes
Request validation catches invalid inputs
Error handling works consistently
Tests cover success and error cases
Code follows REST/GraphQL conventions
Documentation is clear and complete

Auto-invoke this skill when creating API endpoints to ensure consistency and security 🔒