---
title: API
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/api/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/api/
last_updated: 2026-06-20
---

# API

> Backend development patterns for API routes, endpoints, database operations, webhooks, and…

A production-grade backend pattern library that runs every API endpoint through a four-layer pipeline: authenticate, validate, authorize, execute. It enforces OWASP-aware security, typed inputs and outputs, idempotency, and explicit error handling so you ship endpoints that don't leak data, erode types, or fail silently. Built for Next.js route handlers, server actions, and signed webhook receivers.

## Use cases
- Building REST CRUD endpoints with auth, validation, and ownership checks
- Writing server actions for form submissions and UI mutations
- Implementing signed webhook receivers for payment and integration events
- Adding rate limiting to public endpoints like signup or contact forms
- Designing consistent error responses and correct HTTP status codes
- Preventing N+1 queries and adding pagination to list endpoints

## Benefits
- Endpoints that resist the OWASP API Top 10 by construction
- No silent failures or leaked stack traces reaching the client
- Retry-safe mutations through idempotency keys and webhook deduplication
- A predictable, self-documenting response contract your frontend can rely on

## What’s included
- The four-layer endpoint architecture with reference implementation
- Complete CRUD, server action, and webhook handler templates
- Zod validation, resource-ownership authorization, and transactional DB patterns
- A runtime compatibility table for Node, Edge, and Bun
- A pre-deploy security checklist and a red-flag pattern catalog
- Idempotency, rate limiting, and N+1 prevention guidance

## Who it’s for
Backend and full-stack developers building secure, typed API endpoints on Next.js and serverless runtimes.

## How it runs
Rate limit, auth, validation, ownership, execution: that order is non-negotiable on every endpoint this skill produces. The full pipeline looks like this:
1. Runs the layered gate in strict order on every endpoint: rate limiter, auth check (session or JWT, 401 on fail), Zod safeParse on all input (400 with flattened details), resource ownership check returning 404 instead of 403 to hide existence, then try/catch execution with generic errors to the client.
2. Picks the right vehicle from the decision guide: form submissions and UI mutations become server actions; webhooks, external API access, and third-party integrations become API routes.
3. Webhook handlers verify the signature first (Stripe constructEvent, HMAC SHA256 for Meta), then dedupe on event.id against a processed-events table before any business logic runs, so replays are no-ops.
4. Mutations get idempotency built in: Idempotency-Key headers or DB unique constraints with ON CONFLICT DO NOTHING, so client retries never double-charge or duplicate records.
5. Database access follows fixed rules: relations included against N+1, every list paginated with skip/take, multi-step writes wrapped in transactions, correct column types (TIMESTAMPTZ for time, DECIMAL for money).
6. Before ship, a 10-item checklist runs: auth path, safeParse everywhere, ownership verified, generic error messages, rate limiting, signature verification, idempotency, semantic HTTP status codes, consistent response shape, rollback path.
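The layered gate from step 1, as an added example that is not the skill's own code: a Node/JavaScript handler in the spirit of a Next.js route handler, but using plain request and response objects and no external packages so it runs offline. The fixed-window rate limiter, the session table, the notes table and the `updateNoteSchema` object are all constructed assumptions; `updateNoteSchema.safeParse` mirrors Zod's result shape (`success`, `data`, `error.flatten()`) so the validate layer reads the way a real Zod call would.

```javascript
// Added example (not the skill's own code): the layered gate from "How it runs",
// written as a plain Node/JavaScript handler so it runs offline without Next.js or Zod.
// Everything below (rate limiter, session table, notes table, schema) is constructed.

const RATE_LIMIT = { windowMs: 60_000, max: 5 }; // fixed window, constructed values
const hits = new Map();                          // ip -> { count, windowStart }

// Layer 0: fixed-window in-memory limiter. Returns true when the caller is over the limit.
function rateLimited(ip, now = Date.now()) {
  const entry = hits.get(ip);
  if (!entry || now - entry.windowStart >= RATE_LIMIT.windowMs) {
    hits.set(ip, { count: 1, windowStart: now });
    return false;
  }
  entry.count += 1;
  return entry.count > RATE_LIMIT.max;
}

// Constructed session table (token -> user id); stands in for a session/JWT lookup.
const sessions = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);

// Stand-in for a Zod object schema: safeParse returns { success: true, data } or
// { success: false, error } where error.flatten() yields { fieldErrors } like Zod's.
const updateNoteSchema = {
  safeParse(input) {
    const fieldErrors = {};
    const title = input && typeof input === "object" ? input.title : undefined;
    if (typeof title !== "string" || title.length === 0 || title.length > 120) {
      fieldErrors.title = ["Expected a non-empty string of at most 120 characters"];
    }
    if (Object.keys(fieldErrors).length > 0) {
      return { success: false, error: { flatten: () => ({ formErrors: [], fieldErrors }) } };
    }
    return { success: true, data: { title } }; // only whitelisted fields survive parsing
  },
};

// Constructed "notes" table; ownerId is what the authorize layer checks.
const notes = new Map([
  ["n1", { id: "n1", ownerId: "alice", title: "alice's first note" }],
  ["n2", { id: "n2", ownerId: "bob", title: "bob's first note" }],
]);

// PATCH /api/notes/[id] in spirit. The request is a plain object
// { ip, headers: { authorization }, params: { id }, body } and the result is
// { status, body }, so each layer can be asserted on without a Web Response.
function updateNote(req) {
  // Layer 0: rate limit before any other work is done.
  if (rateLimited(req.ip)) return { status: 429, body: { error: "Too many requests" } };

  // Layer 1: authenticate. No valid session -> 401.
  const token = (req.headers?.authorization ?? "").replace(/^Bearer /, "");
  const userId = sessions.get(token);
  if (!userId) return { status: 401, body: { error: "Unauthorized" } };

  // Layer 2: validate every input with safeParse; 400 carries the flattened details.
  const parsed = updateNoteSchema.safeParse(req.body);
  if (!parsed.success) {
    return { status: 400, body: { error: "Invalid input", details: parsed.error.flatten() } };
  }

  // Layer 3: authorize by resource ownership. A note that is missing or owned by
  // someone else gets the same 404, so the response never confirms it exists.
  const note = notes.get(req.params?.id);
  if (!note || note.ownerId !== userId) return { status: 404, body: { error: "Not found" } };

  // Layer 4: execute inside try/catch. Detail is logged server-side; the client
  // gets only a generic message, never a stack trace.
  try {
    note.title = parsed.data.title;
    return { status: 200, body: { data: { ...note } } };
  } catch (err) {
    console.error("updateNote failed", err);
    return { status: 500, body: { error: "Internal error" } };
  }
}
```

The order of the early returns is the whole point: the limiter runs before the session lookup so unauthenticated floods cost nothing, validation runs before the database is touched, and the ownership check collapses "does not exist" and "belongs to someone else" into one 404. Swapping the 404 for a 403 would turn the endpoint into an oracle for which note ids exist.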

## FAQ
### I'm not on Next.js, will these patterns still fit my backend?
The four-layer pipeline (authenticate, validate, authorize, execute) is framework-agnostic thinking, but the worked examples target Next.js and serverless runtimes. On Express or another stack you port the structure rather than copy the code.

### Do I really need all four layers on a simple read endpoint?
Yes for anything touching user data, because skipping authorize is exactly how one user's records leak to another. For a truly public, unauthenticated read you can collapse layers, but the pipeline exists so you never forget the ownership check by accident.

### Will it write the actual endpoint logic for me?
It handles the security envelope: auth, validation, authorization, idempotency, and error handling. The execute layer where your business logic lives is yours to fill; the pipeline makes that logic safe to expose, not unnecessary.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI code review and developer workflow](https://forgehouse.ai/guides/ai-code-review/)
