REST API Config Generator

API Design

The root path for your API (e.g., /api/v1). Always include a version.

- Which methods will this API endpoint support?

Features & Security

- Include standard rate limit configurations with headers.
- Include Cross-Origin Resource Sharing configuration.
api-config.json
1{
2 "api": {
3 "name": "Public API Configuration",
4 "version": "1.0.0",
5 "project_type": "Public API",
6 "base_url": "https://api.example.com/api/v1",
7 "versioning": {
8 "strategy": "URL Path",
9 "example": "/api/v1/resource"
10 }
11 },
12 "endpoints": [
13 {
14 "method": "GET",
15 "path": "/api/v1/resource",
16 "description": "List all resources",
17 "pagination": {
18 "type": "Cursor-based",
19 "params": {
20 "first": "number",
21 "after": "string (cursor)",
22 "last": "number",
23 "before": "string (cursor)"
24 },
25 "response": {
26 "edges": [
27 {
28 "cursor": "string",
29 "node": {}
30 }
31 ],
32 "pageInfo": {
33 "hasNextPage": "boolean",
34 "endCursor": "string"
35 },
36 "totalCount": "number"
37 }
38 },
39 "status_codes": [
40 200,
41 401,
42 429,
43 500
44 ]
45 },
46 {
47 "method": "GET",
48 "path": "/api/v1/resource/{id}",
49 "description": "Get a single resource by ID",
50 "path_params": [
51 {
52 "name": "id",
53 "type": "string",
54 "description": "Unique identifier"
55 }
56 ],
57 "status_codes": [
58 200,
59 401,
60 404,
61 429,
62 500
63 ]
64 },
65 {
66 "method": "POST",
67 "path": "/api/v1/resource",
68 "description": "Create a new resource",
69 "request_body": {
70 "required": true,
71 "content_type": "application/json",
72 "fields": [
73 {
74 "name": "name",
75 "type": "string",
76 "required": true
77 },
78 {
79 "name": "email",
80 "type": "string",
81 "required": true,
82 "format": "email"
83 }
84 ]
85 },
86 "status_codes": [
87 201,
88 400,
89 401,
90 409,
91 422,
92 429,
93 500
94 ]
95 },
96 {
97 "method": "PUT",
98 "path": "/api/v1/resource/{id}",
99 "description": "Replace a resource entirely",
100 "path_params": [
101 {
102 "name": "id",
103 "type": "string",
104 "description": "Unique identifier"
105 }
106 ],
107 "request_body": {
108 "required": true,
109 "content_type": "application/json",
110 "fields": [
111 {
112 "name": "name",
113 "type": "string",
114 "required": true
115 },
116 {
117 "name": "email",
118 "type": "string",
119 "required": true,
120 "format": "email"
121 }
122 ]
123 },
124 "status_codes": [
125 200,
126 400,
127 401,
128 404,
129 422,
130 429,
131 500
132 ]
133 },
134 {
135 "method": "DELETE",
136 "path": "/api/v1/resource/{id}",
137 "description": "Delete a resource",
138 "path_params": [
139 {
140 "name": "id",
141 "type": "string",
142 "description": "Unique identifier"
143 }
144 ],
145 "status_codes": [
146 204,
147 401,
148 404,
149 429,
150 500
151 ]
152 }
153 ],
154 "authentication": {
155 "type": "Bearer Token",
156 "description": "Include a valid JWT in the Authorization header.",
157 "header": "Authorization: Bearer <token>",
158 "placeholder": "YOUR_JWT_TOKEN_HERE"
159 },
160 "features": {
161 "pagination": "Cursor-based",
162 "rate_limiting": true,
163 "cors_enabled": true,
164 "error_format": "RFC 7807"
165 },
166 "rate_limiting": {
167 "enabled": true,
168 "headers": {
169 "X-RateLimit-Limit": "Maximum requests per window",
170 "X-RateLimit-Remaining": "Remaining requests in current window",
171 "X-RateLimit-Reset": "UTC epoch timestamp when window resets",
172 "Retry-After": "Seconds to wait (sent on 429 responses)"
173 },
174 "defaults": {
175 "window_ms": 60000,
176 "max_requests": 100,
177 "message": "Too many requests. Please try again later."
178 }
179 },
180 "cors": {
181 "enabled": true,
182 "allowed_origins": [
183 "https://yourdomain.com"
184 ],
185 "allowed_methods": [
186 "GET",
187 "POST",
188 "PUT",
189 "PATCH",
190 "DELETE",
191 "OPTIONS"
192 ],
193 "allowed_headers": [
194 "Content-Type",
195 "Authorization",
196 "X-API-Key",
197 "X-Request-ID"
198 ],
199 "expose_headers": [
200 "X-Request-ID",
201 "X-RateLimit-Limit",
202 "X-RateLimit-Remaining"
203 ],
204 "allow_credentials": true,
205 "max_age": 86400,
206 "warning": "Never use '*' for Access-Control-Allow-Origin when Allow-Credentials is true."
207 },
208 "error_responses": {
209 "success_200": {
210 "code": 200,
211 "body": {
212 "status": "success",
213 "data": {
214 "id": "example-id-123"
215 }
216 }
217 },
218 "created_201": {
219 "code": 201,
220 "body": {
221 "status": "success",
222 "data": {
223 "id": "example-id-123"
224 }
225 }
226 },
227 "no_content_204": {
228 "code": 204,
229 "body": null
230 },
231 "bad_request_400": {
232 "code": 400,
233 "body": {
234 "error": {
235 "code": "BAD_REQUEST",
236 "message": "The request was malformed."
237 }
238 }
239 },
240 "unauthorized_401": {
241 "code": 401,
242 "body": {
243 "error": {
244 "code": "UNAUTHORIZED",
245 "message": "Invalid or missing authentication token."
246 }
247 }
248 },
249 "forbidden_403": {
250 "code": 403,
251 "body": {
252 "error": {
253 "code": "FORBIDDEN",
254 "message": "You do not have permission to access this resource."
255 }
256 }
257 },
258 "not_found_404": {
259 "code": 404,
260 "body": {
261 "error": {
262 "code": "NOT_FOUND",
263 "message": "The requested resource was not found."
264 }
265 }
266 },
267 "validation_422": {
268 "code": 422,
269 "body": {
270 "error": {
271 "code": "VALIDATION_FAILED",
272 "message": "The provided payload is invalid.",
273 "details": []
274 }
275 }
276 },
277 "rate_limit_429": {
278 "code": 429,
279 "body": {
280 "error": {
281 "code": "RATE_LIMITED",
282 "message": "Too many requests. Please retry after the specified time."
283 }
284 }
285 },
286 "server_error_500": {
287 "code": 500,
288 "body": {
289 "error": {
290 "code": "INTERNAL_ERROR",
291 "message": "An unexpected error occurred. Please try again later."
292 }
293 }
294 }
295 },
296 "headers": {
297 "request": {
298 "Authorization": "Bearer {{YOUR_TOKEN}}",
299 "Content-Type": "application/json",
300 "X-Request-ID": "UUID for request correlation",
301 "Accept": "application/json"
302 },
303 "response": {
304 "Content-Type": "application/json",
305 "X-Request-ID": "Echo back the request ID",
306 "X-RateLimit-Limit": "100",
307 "X-RateLimit-Remaining": "99",
308 "X-RateLimit-Reset": "1640995200"
309 }
310 }
311}

Overview

REST API Configuration Generator

The REST API Config Generator helps architects and backend developers rapidly design production-ready API route schemas, define authentication requirements, and establish standard error formatting.

By defining your endpoints visually first, you ensure a consistent contract for frontend developers to build against before backend implementation is complete. The generator produces comprehensive output including JSON configuration files, Express.js route templates, cURL examples, and full API documentation.

Best Practices

  • Always include an explicit API version in your URL path (e.g., `/api/v1/`) to ensure backwards compatibility and enable safe deprecation of older versions.
  • Use standard HTTP methods correctly: GET for reading (idempotent), POST for creation, PUT for complete replacement, PATCH for partial updates, and DELETE for removal.
  • Implement RFC 7807 (Problem Details for HTTP APIs) for standardizing error responses across your entire microservice ecosystem.
  • Include request correlation IDs (X-Request-ID) in every API response to enable distributed tracing across microservices.

Common Mistakes

  • Returning HTTP 200 OK for every request and embedding the real error code inside the JSON payload instead of using proper HTTP status codes.
  • Forgetting to implement cursor-based pagination on list endpoints, causing slow queries when database tables grow large.
  • Using non-plural nouns for REST collections (e.g., `/user/123` instead of `/users/123`), violating REST naming conventions.

Security Recommendations

  • Never use wildcard CORS (`Access-Control-Allow-Origin: *`) on endpoints that accept credentials. Specify explicit trusted domains.
  • Implement rate limiting on every public API endpoint with standard rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset).
  • Ensure error responses never leak internal implementation details like stack traces, database queries, or file paths.

Frequently Asked Questions

What is the difference between PUT and PATCH?
PUT replaces the entire resource with the provided data (all fields required), while PATCH applies a partial update (only changed fields needed). Use PUT for complete replacements and PATCH for incremental updates.
Why should I use cursor-based pagination instead of offset-based?
Cursor-based pagination provides consistent results when data is being inserted or deleted during pagination. Offset-based pagination can skip or duplicate items when the dataset changes between page requests.
How do I version my REST API?
The most common approach is URL path versioning (e.g., /api/v1/). Alternative approaches include version headers (Accept-Version) and query parameters (?version=1). URL path versioning is the most widely adopted for its simplicity and visibility.

Related Generators