| name | integration-spec |
| description | Эксперт по интеграционным спецификациям. Используй для документирования интеграций, webhooks, event schemas и data flows. |
Integration Specification Writer
Expert in writing comprehensive integration specifications that serve as contracts between systems.
Essential Components
Every integration spec must include:
- Integration Overview: Purpose, scope, and high-level architecture
- Authentication & Authorization: Security mechanisms and token handling
- Endpoint Definitions: Complete API contract with request/response schemas
- Data Models: Structured definitions of all data objects
- Error Handling: Comprehensive error codes and recovery procedures
- Rate Limiting: Throttling rules and quota management
- Sequence Diagrams: Visual representation of interaction flows
- Testing Scenarios: Integration test cases and validation criteria
Integration Specification Template
# Integration Specification: [System A] ↔ [System B]
**Version:** 1.0.0
**Last Updated:** [Date]
**Authors:** [Names]
**Status:** [Draft/Review/Approved/Production]
## 1. Overview
### 1.1 Purpose
[Brief description of why this integration exists]
### 1.2 Scope
- In Scope: [What this integration covers]
- Out of Scope: [What this integration does not cover]
### 1.3 Architecture Diagram
[Include diagram showing systems, data flow, and key components]
## 2. Authentication & Authorization
### 2.1 Authentication Method
[OAuth 2.0 / API Key / JWT / mTLS]
### 2.2 Credential Management
[How credentials are obtained, stored, and rotated]
## 3. Endpoints
[Detailed endpoint specifications]
## 4. Data Models
[Complete schema definitions]
## 5. Error Handling
[Error codes and recovery procedures]
## 6. Rate Limiting
[Throttling rules and quotas]
## 7. Testing
[Test scenarios and validation criteria]
Authentication Specification
authentication:
type: "Bearer Token (OAuth 2.0)"
flow: "Client Credentials"
endpoints:
token:
url: "https://api.example.com/oauth/token"
method: "POST"
content_type: "application/x-www-form-urlencoded"
request:
grant_type: "client_credentials"
client_id: "{CLIENT_ID}"
client_secret: "{CLIENT_SECRET}"
scope: "read write"
response:
access_token: "string"
token_type: "Bearer"
expires_in: 3600
scope: "read write"
usage:
header: "Authorization: Bearer {access_token}"
content_type: "application/json"
token_refresh:
automatic: true
threshold_seconds: 300 # Refresh 5 min before expiry
retry_attempts: 3
retry_delay_seconds: 5
security_requirements:
- "Store credentials in secure vault (not in code)"
- "Use HTTPS for all requests"
- "Implement token caching to reduce auth calls"
- "Log authentication failures for monitoring"
Endpoint Documentation Standards
# POST /api/v1/orders
endpoint:
method: "POST"
path: "/api/v1/orders"
description: "Create a new order in the system"
headers:
required:
Authorization: "Bearer {access_token}"
Content-Type: "application/json"
X-Request-ID: "string (UUID) - for request tracing"
optional:
X-Idempotency-Key: "string - prevents duplicate processing"
request:
body:
type: "object"
required: ["customer_id", "items"]
properties:
customer_id:
type: "string"
description: "Unique customer identifier"
constraints: "max 50 characters, alphanumeric"
example: "CUST-12345"
items:
type: "array"
minItems: 1
maxItems: 100
items:
type: "object"
required: ["product_id", "quantity"]
properties:
product_id:
type: "string"
description: "Product SKU"
example: "SKU-001"
quantity:
type: "integer"
minimum: 1
maximum: 999
example: 2
unit_price:
type: "number"
format: "decimal"
description: "Price per unit (2 decimal places)"
example: 29.99
shipping_address:
type: "object"
required: ["street", "city", "postal_code", "country"]
properties:
street:
type: "string"
maxLength: 100
city:
type: "string"
maxLength: 50
postal_code:
type: "string"
pattern: "^\\d{5}(-\\d{4})?$"
country:
type: "string"
format: "ISO 3166-1 alpha-2"
responses:
201:
description: "Order created successfully"
body:
order_id: "ORD-12345678"
status: "pending"
total_amount: 299.99
currency: "USD"
created_at: "2024-01-15T10:30:00Z"
estimated_delivery: "2024-01-20T10:00:00Z"
tracking_url: "https://api.example.com/orders/ORD-12345678/track"
400:
description: "Invalid request"
body:
error_code: "VALIDATION_ERROR"
message: "Request validation failed"
details:
- field: "items[0].quantity"
error: "Must be between 1 and 999"
401:
description: "Authentication failed"
body:
error_code: "UNAUTHORIZED"
message: "Invalid or expired access token"
409:
description: "Conflict"
body:
error_code: "DUPLICATE_ORDER"
message: "Order with this idempotency key already exists"
existing_order_id: "ORD-12345678"
429:
description: "Rate limit exceeded"
headers:
Retry-After: "60"
X-RateLimit-Limit: "100"
X-RateLimit-Remaining: "0"
X-RateLimit-Reset: "1704067200"
Error Handling Specification
error_format:
standard_response:
error_code: "string - machine-readable error code"
message: "string - human-readable description"
details: "array - specific field errors (optional)"
request_id: "string - for support reference"
timestamp: "string - ISO 8601 datetime"
error_codes:
VALIDATION_ERROR:
http_status: 400
description: "Request body failed validation"
retry_strategy: "Do not retry - fix request and resubmit"
resolution: "Check error details for specific field issues"
INVALID_CUSTOMER:
http_status: 400
description: "Customer ID not found or inactive"
retry_strategy: "Do not retry - verify customer data"
resolution: "Validate customer exists and has active status"
UNAUTHORIZED:
http_status: 401
description: "Invalid or expired authentication"
retry_strategy: "Refresh token and retry once"
resolution: "Obtain new access token"
FORBIDDEN:
http_status: 403
description: "Insufficient permissions"
retry_strategy: "Do not retry"
resolution: "Contact admin to verify API scopes"
NOT_FOUND:
http_status: 404
description: "Requested resource does not exist"
retry_strategy: "Do not retry"
resolution: "Verify resource ID is correct"
CONFLICT:
http_status: 409
description: "Resource state conflict"
retry_strategy: "Fetch current state and reconcile"
resolution: "Check existing resource and merge changes"
RATE_LIMIT_EXCEEDED:
http_status: 429
description: "Too many requests"
retry_strategy: "Wait for Retry-After header duration"
resolution: "Implement exponential backoff"
headers:
Retry-After: "Seconds to wait before retry"
X-RateLimit-Reset: "Unix timestamp when limit resets"
INTERNAL_ERROR:
http_status: 500
description: "Unexpected server error"
retry_strategy: "Retry with exponential backoff (max 3 attempts)"
resolution: "If persists, contact support with request_id"
SERVICE_UNAVAILABLE:
http_status: 503
description: "Service temporarily unavailable"
retry_strategy: "Retry with exponential backoff"
resolution: "Check status page, retry after delay"
Webhook Specification
webhooks:
overview:
description: "Real-time event notifications via HTTP POST"
delivery: "At-least-once delivery guarantee"
format: "JSON payload with HMAC signature"
configuration:
endpoint_url: "Your HTTPS endpoint"
secret_key: "Shared secret for signature verification"
events: ["order.created", "order.updated", "order.cancelled"]
security:
signature_header: "X-Webhook-Signature"
signature_algorithm: "HMAC-SHA256"
timestamp_header: "X-Webhook-Timestamp"
replay_prevention: "Reject if timestamp > 5 minutes old"
verification_example:
python: |
import hmac
import hashlib
def verify_webhook(payload: bytes, signature: str, secret: str) -> bool:
expected = hmac.new(
secret.encode(),
payload,
hashlib.sha256
).hexdigest()
return hmac.compare_digest(f"sha256={expected}", signature)
payload_structure:
event_id: "string - unique event identifier"
event_type: "string - e.g., order.created"
timestamp: "string - ISO 8601"
data:
object_type: "string - e.g., order"
object_id: "string - resource identifier"
changes: "object - changed fields (for update events)"
retry_policy:
attempts: 5
schedule:
- "Immediate"
- "1 minute"
- "5 minutes"
- "30 minutes"
- "2 hours"
success_criteria: "HTTP 2xx response within 30 seconds"
failure_action: "Event logged, alert sent, manual retry available"
expected_response:
status: "2xx within 30 seconds"
body: "Optional - ignored"
events:
order.created:
description: "Fired when a new order is created"
payload:
order_id: "string"
customer_id: "string"
total_amount: "number"
items: "array"
created_at: "string"
order.updated:
description: "Fired when order status changes"
payload:
order_id: "string"
previous_status: "string"
current_status: "string"
updated_at: "string"
Rate Limiting Specification
rate_limits:
default:
requests_per_minute: 100
requests_per_day: 10000
burst_allowance: "150% for up to 30 seconds"
per_endpoint:
"/api/v1/orders":
method: "POST"
limit: "100 requests/minute"
reason: "Write operation - higher resource cost"
"/api/v1/orders":
method: "GET"
limit: "300 requests/minute"
reason: "Read operation - cached responses"
"/api/v1/search":
limit: "60 requests/minute"
reason: "Expensive search operation"
headers:
X-RateLimit-Limit: "Requests allowed per window"
X-RateLimit-Remaining: "Requests remaining"
X-RateLimit-Reset: "Unix timestamp when window resets"
exceeded_response:
status: 429
body:
error_code: "RATE_LIMIT_EXCEEDED"
message: "Rate limit exceeded"
retry_after: 60
best_practices:
- "Implement client-side rate limiting"
- "Use exponential backoff on 429 responses"
- "Cache responses where possible"
- "Batch operations when available"
Sequence Diagram Example
sequenceDiagram
participant Client
participant API Gateway
participant Order Service
participant Payment Service
participant Inventory Service
participant Notification Service
Client->>API Gateway: POST /api/v1/orders
API Gateway->>API Gateway: Validate Token
API Gateway->>Order Service: Create Order
Order Service->>Inventory Service: Reserve Items
Inventory Service-->>Order Service: Reservation Confirmed
Order Service->>Payment Service: Process Payment
Payment Service-->>Order Service: Payment Success
Order Service->>Order Service: Update Order Status
Order Service-->>API Gateway: Order Created (201)
API Gateway-->>Client: Order Response
Order Service--)Notification Service: order.created Event
Notification Service--)Client: Webhook: order.created
Testing Scenarios
test_scenarios:
happy_path:
name: "Successful order creation"
preconditions:
- "Valid customer account exists"
- "Products are in stock"
- "Payment method is valid"
request:
method: "POST"
path: "/api/v1/orders"
body: "{valid order payload}"
expected:
status: 201
response_contains: ["order_id", "status", "total_amount"]
postconditions:
- "Order record created in database"
- "Inventory reserved"
- "Payment processed"
- "Webhook sent"
validation_errors:
- name: "Missing required field"
request: "{order without customer_id}"
expected_status: 400
expected_error: "VALIDATION_ERROR"
- name: "Invalid quantity"
request: "{order with quantity: 0}"
expected_status: 400
expected_error: "VALIDATION_ERROR"
edge_cases:
- name: "Insufficient inventory"
setup: "Set product stock to 0"
expected_status: 409
expected_error: "INSUFFICIENT_INVENTORY"
- name: "Payment failure"
setup: "Configure payment service to decline"
expected_status: 402
expected_error: "PAYMENT_FAILED"
postcondition: "Inventory reservation released"
idempotency:
name: "Duplicate request handling"
steps:
- "Send order with X-Idempotency-Key: abc123"
- "Response: 201 Created, order_id: ORD-001"
- "Send same request with same idempotency key"
- "Response: 200 OK, order_id: ORD-001 (same order)"
Environment Configuration
environments:
sandbox:
base_url: "https://api-sandbox.example.com"
purpose: "Development and testing"
rate_limits: "10x production limits"
data: "Test data, reset daily at 00:00 UTC"
credentials: "Separate sandbox API keys"
staging:
base_url: "https://api-staging.example.com"
purpose: "Pre-production validation"
rate_limits: "Same as production"
data: "Anonymized production-like data"
production:
base_url: "https://api.example.com"
sla:
uptime: "99.9%"
response_time_p95: "<200ms"
response_time_p99: "<500ms"
maintenance_window: "Sundays 02:00-04:00 UTC"
support: "support@example.com"
Лучшие практики
- Version everything — версионирование в URL и заголовках
- Idempotency — документируйте идемпотентные операции
- Error detail — достаточно информации для отладки
- Rate limit transparency — всегда возвращайте лимиты в headers
- Webhook reliability — retry policy и signature verification
- Environment parity — sandbox максимально похож на production