| name | backend-core |
| description | Language-agnostic backend patterns: API design, authentication, security, databases.
Use when: designing APIs, implementing auth, securing endpoints, modeling data.
Triggers: "api design", "rest api", "graphql", "authentication", "jwt", "oauth",
"security", "owasp", "database schema", "migrations", "sql".
|
Backend Core Patterns
Quick Reference
| Topic |
When to Use |
Reference |
| API Design |
REST/GraphQL/gRPC endpoints |
api-design.md |
| Authentication |
JWT, OAuth, sessions, magic links |
authentication.md |
| Security |
Input validation, OWASP, rate limiting |
security.md |
| Databases |
Schema design, migrations, queries |
databases.md |
API Design Decision Tree
What type of API?
├─ Public API → REST + OpenAPI spec
├─ Internal microservices → gRPC (performance) or REST (simplicity)
├─ Real-time → WebSocket or SSE
└─ Complex queries → GraphQL
Auth Decision Tree
Auth method?
├─ SPA/Mobile → JWT (access + refresh tokens)
├─ Server-rendered → Session cookies
├─ Third-party login → OAuth 2.0 / OIDC
├─ Passwordless → Magic link (email) or WebAuthn
└─ API-to-API → API keys or mTLS
Security Essentials
Always:
- Validate all inputs at boundaries
- Use parameterized queries (never string concat SQL)
- Hash passwords with bcrypt/argon2 (cost ≥ 10)
- HTTPS everywhere, HSTS headers
- Rate limit auth endpoints
Never:
- Store secrets in code or git
- Trust client-side validation alone
- Log sensitive data (passwords, tokens, PII)
- Use MD5/SHA1 for passwords
Database Patterns
Schema design:
├─ Start normalized (3NF)
├─ Denormalize only for proven bottlenecks
├─ Always have created_at, updated_at
├─ Use UUIDs for public IDs, integers for internal FKs
└─ Soft delete (deleted_at) for important data
Anti-patterns
| Don't |
Do Instead |
| N+1 queries |
Eager load / batch queries |
| SELECT * |
Select only needed columns |
| No indexes on WHERE/JOIN columns |
Add indexes |
| Storing files in DB |
Use object storage (S3, R2) |
| God objects |
Bounded contexts, single responsibility |