API

Backend development patterns for API routes, endpoints, database operations, webhooks, and…

A production-grade backend pattern library that runs every API endpoint through a four-layer pipeline: authenticate, validate, authorize, execute. It enforces OWASP-aware security, typed inputs and outputs, idempotency, and explicit error handling so you ship endpoints that don't leak data, erode types, or fail silently. Built for Next.js route handlers, server actions, and signed webhook receivers.

$15 one-time
Add to a kit →

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Development
  • Delivery Email · instant
  • License One-time

Inside the run · no black box

See the actual work before you buy it.

Rate limit, auth, validation, ownership, execution: that order is non-negotiable on every endpoint this skill produces. The full pipeline looks like this:

  1. Runs the layered gate in strict order on every endpoint: rate limiter, auth check (session or JWT, 401 on fail), Zod safeParse on all input (400 with flattened details), resource ownership check returning 404 instead of 403 to hide existence, then try/catch execution with generic errors to the client.
  2. Picks the right vehicle from the decision guide: form submissions and UI mutations become server actions, webhooks, external API access and third-party integrations become API routes.
  3. Webhook handlers verify the signature first (Stripe constructEvent, HMAC SHA256 for Meta), then dedupe on event.id against a processed-events table before any business logic runs, so replays are no-ops.
  4. Mutations get idempotency built in: Idempotency-Key headers or DB unique constraints with ON CONFLICT DO NOTHING, so client retries never double-charge or duplicate records.
  5. Database access follows fixed rules: related rows are loaded with the parent query to avoid N+1, every list endpoint is paginated with skip/take, multi-step writes are wrapped in transactions, and columns use correct types (TIMESTAMPTZ for time, DECIMAL for money).
  6. Before ship, a 10-item checklist runs: auth path, safeParse everywhere, ownership verified, generic error messages, rate limiting, signature verification, idempotency, semantic HTTP status codes, consistent response shape, rollback path.
Use cases · what happens when you plug it in


  1. Building REST CRUD endpoints with auth, validation, and ownership checks
  2. Writing server actions for form submissions and UI mutations
  3. Implementing signed webhook receivers for payment and integration events
  4. Adding rate limiting to public endpoints like signup or contact forms
  5. Designing consistent error responses and correct HTTP status codes
  6. Preventing N+1 queries and adding pagination to list endpoints
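The signed webhook receiver use case, as an added example that is not the skill's or any vendor's code: it follows the rule stated in the pipeline above (verify the HMAC over the raw body first, then dedupe on the event id, then run business logic). The secret, payloads and the in-memory processed-events set are constructed stand-ins; `claimEvent` models the ON CONFLICT DO NOTHING insert whose row count tells you whether this delivery is new.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example of a signed webhook receiver; constructed data, not production code.
const processedEvents = new Set<string>(); // stand-in for a processed-events table with a unique event id
const charges: string[] = [];              // stand-in for the side effect the business logic performs

export function sign(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

function signatureValid(secret: string, rawBody: string, sigHex: string): boolean {
  const expected = Buffer.from(sign(secret, rawBody), "hex");
  const given = Buffer.from(sigHex, "hex");
  // length check first: timingSafeEqual throws on buffers of unequal length
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Models INSERT INTO processed_events(id) ... ON CONFLICT DO NOTHING: true only if a row was inserted.
function claimEvent(id: string): boolean {
  if (processedEvents.has(id)) return false;
  processedEvents.add(id);
  return true;
}

export function receiveWebhook(secret: string, rawBody: string, sigHex: string): number {
  if (!signatureValid(secret, rawBody, sigHex)) return 401;   // 1. verify before parsing anything
  const event = JSON.parse(rawBody) as { id: string; type: string; data: { chargeId: string } };
  if (!claimEvent(event.id)) return 200;                       // 2. replay: no-op, but 2xx so the sender stops retrying
  if (event.type === "charge.succeeded") charges.push(event.data.chargeId); // 3. business logic runs once
  return 200;
}

export function chargesRecorded(): number {
  return charges.length;
}
```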
Benefits · what you walk away with

Yours to keep.


Your forge

  1. Endpoints that resist the OWASP API Top 10 by construction

    license: perpetual
  2. No silent failures or leaked stack traces reaching the client

    license: perpetual
  3. Retry-safe mutations through idempotency keys and webhook deduplication

    license: perpetual
  4. A predictable, self-documenting response contract your frontend can rely on

    license: perpetual

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.


The four-layer endpoint architecture with reference implementation

part 01 of 06 · in the box

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good.

If you're a backend or full-stack developer building secure, typed API endpoints on Next.js and serverless runtimes, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air

Catch what's on your mind.


  1. I'm not on Next.js, will these patterns still fit my backend?

    The four-layer pipeline (authenticate, validate, authorize, execute) is framework-agnostic thinking, but the worked examples target Next.js and serverless runtimes. On Express or another stack you port the structure rather than copy the code.

  2. Do I really need all four layers on a simple read endpoint?

    Yes for anything touching user data, because skipping authorize is exactly how one user's records leak to another. For a truly public, unauthenticated read you can collapse layers, but the pipeline exists so you never forget the ownership check by accident.

  3. Will it write the actual endpoint logic for me?

    It handles the security envelope: auth, validation, authorization, idempotency, and error handling. The execute layer where your business logic lives is yours to fill; the pipeline makes that logic safe to expose, not unnecessary.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.