← IndexEntry № 024·coding

Design a RESTful API Endpoint Schema

Design a complete REST API schema with request/response bodies, status codes, and error cases.

Optimized for
ClaudeChatGPT
§ When to use this

This prompt puts the model in a senior backend engineer's seat and demands the full contract for each endpoint — method, path, params, request/response schemas, status codes, and at least two error cases — so you get something implementable rather than a sketch. Use it at the start of building a feature, when you want a reviewable API design before any code exists. The instruction to flag tricky tradeoffs is the high-value part: it surfaces the decisions a junior would silently get wrong.

§ The Prompt— fill in the fields, then copy or open in a tool
§ Customize0/1 fields filled
your prompt — fill the fields above
You are a senior backend engineer. Design the REST API for [FEATURE/RESOURCE]. For each endpoint provide: HTTP method, path, path/query parameters, request body schema (JSON), response body schema (JSON), success status code, and at least 2 error cases with status codes and error payloads. Follow RESTful conventions. Flag any tricky design decisions with a short explanation of the tradeoff.
Open with your prompt →ChatGPTClaudeSends your filled-in prompt straight into a new chat.
§ Example Output

What you can expect back

POST /teams/{teamId}/invitations
Path param: teamId (string)
Request body: { "email": "[email protected]", "role": "editor" }
Response 201: { "id": "inv_8f2", "email": "[email protected]", "role": "editor", "status": "pending", "expiresAt": "2026-06-22T00:00:00Z" }
Errors:
- 409 { "error": "already_member", "message": "User is already on this team." }
- 422 { "error": "invalid_role", "message": "Role must be one of admin, editor, viewer." }

POST /invitations/{token}/accept
Path param: token (opaque string from the email link)
Response 200: { "teamId": "team_31", "role": "editor" }
Errors:
- 410 { "error": "expired", "message": "This invitation has expired." }
- 404 { "error": "not_found", "message": "Invitation does not exist." }

Tradeoff: Accept is keyed by an opaque token rather than the invitation id, so an attacker who guesses an id can't accept on someone's behalf — at the cost of a separate non-RESTful-looking action path.

Illustrative example — your results will vary by tool and inputs.

§ Pro Tips

Get sharper results

  • 01State your auth model up front (JWT, session, API key) so the design includes 401 vs. 403 distinctions and ownership checks rather than leaving security implicit.
  • 02Specify pagination, filtering, and sorting expectations for any list endpoint, or the model will default to returning everything unbounded.
  • 03Ask it to use a consistent error envelope (e.g. always { error, message, details }) so your client can parse failures uniformly across endpoints.
  • 04Request idempotency handling for POST/create endpoints if duplicate submissions are a real risk — it'll suggest an Idempotency-Key header pattern.
  • 05Have it call out which fields are server-generated versus client-supplied so you don't accidentally let callers set ids or timestamps.
§ Variations

Adapt it for your case

Generate OpenAPI spec

Add 'output the result as a valid OpenAPI 3.1 YAML document' to get a machine-readable spec you can drop into Swagger.

GraphQL instead

Replace 'Design the REST API' with 'Design the GraphQL schema' and ask for types, queries, mutations, and error handling.

Versioning and deprecation

Append 'include a versioning strategy and show how you'd evolve an endpoint without breaking existing clients.'

Best For — Roles
Use For — Tasks
Tags#api#backend#design
§ FAQ

Common questions

Will the JSON schemas be valid and ready to use?

They're realistic examples, not validated against a schema engine. Run them through a linter or paste into your OpenAPI tooling before relying on them.

How do I make it match my existing API's style?

Paste one or two of your current endpoints as a reference and say 'match these conventions' — the model will mirror your naming, casing, and error format.

Does it handle authentication and authorization?

Only if you tell it your auth model. Without that it assumes open endpoints, so always state how requests are authenticated and who's allowed to do what.

§ Related Entries

You may also need