name: backend-core description: | Language-agnostic backend patterns: API design, authentication, security, databases. Use when: designing APIs, implementing auth, securing endpoints, modeling data. Triggers: "api design", "rest api", "graphql", "authentication", "jwt", "oauth", "security", "owasp", "database schema", "migrations", "sql".

Backend Core Patterns

Quick Reference

API Design Decision Tree

What type of API?
├─ Public API → REST + OpenAPI spec
├─ Internal microservices → gRPC (performance) or REST (simplicity)
├─ Real-time → WebSocket or SSE
└─ Complex queries → GraphQL

Auth Decision Tree

Auth method?
├─ SPA/Mobile → JWT (access + refresh tokens)
├─ Server-rendered → Session cookies
├─ Third-party login → OAuth 2.0 / OIDC
├─ Passwordless → Magic link (email) or WebAuthn
└─ API-to-API → API keys or mTLS

Security Essentials

Always:

• Validate all inputs at boundaries
• Use parameterized queries (never string concat SQL)
• Hash passwords with bcrypt/argon2 (cost ≥ 10)
• HTTPS everywhere, HSTS headers
• Rate limit auth endpoints

Never:

• Store secrets in code or git
• Trust client-side validation alone
• Log sensitive data (passwords, tokens, PII)
• Use MD5/SHA1 for passwords

Database Patterns

Schema design:
├─ Start normalized (3NF)
├─ Denormalize only for proven bottlenecks
├─ Always have created_at, updated_at
├─ Use UUIDs for public IDs, integers for internal FKs
└─ Soft delete (deleted_at) for important data

Anti-patterns