api-design-security

Community

Secure admin APIs with enterprise-grade controls.

Author: ArtisanClarinets
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This skill addresses the challenge of building and maintaining secure admin APIs in Next.js 16 apps. It provides a proven pattern to enforce authentication, authorization, CSRF protection, multi-tenant data isolation, rate limiting, and comprehensive audit logging across critical admin routes.

Core Features & Use Cases

  • Admin route wrappers: Use adminRead for reads and adminMutation for mutations to consistently apply security controls.
  • RBAC & CSRF: Integrate role-based access control and cross-site request forgery protections across endpoints.
  • Tenant isolation: Ensure all queries are scoped by tenantId to prevent cross-tenant data access.
  • Audit & safety: Automatically audit privileged operations and enforce safe data selection to redact sensitive fields.

Quick Start

  1. Choose the appropriate wrapper (adminRead for GET, adminMutation for writes).
  2. Define input validation with Zod schemas.
  3. Apply tenant scoping and use safe selects.
  4. Implement security tests (CSRF, RBAC, audit logging).

  Example:

     export async function POST(req: NextRequest) {
       return adminMutation(
         req,
         { permissions: ["users.write"], audit: { action: "create_user", resource: "user" } },
         async (user, body) => {
           const validatedData = createUserSchema.parse(body);
           // Implementation with tenant scoping and security
         }
       );
     }
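The Quick Start steps above, worked through as an added example that is not the skill's own code: a minimal adminMutation wrapper that enforces authentication, RBAC, CSRF, tenant scoping and audit logging, with a hypothetical create_user route on top. The request, session and audit types, the ALLOWED_ORIGIN value and the inline validation (standing in for a Zod schema) are all assumptions, not Next.js or project APIs.

```typescript
// Added example, not the skill's own code: a minimal adminMutation wrapper showing how the
// Quick Start pattern enforces auth, RBAC, CSRF, tenant scoping and audit logging.
// All types are hypothetical in-memory stand-ins for NextRequest, the session and the audit sink.
type Session = { userId: string; tenantId: string; permissions: string[]; csrfToken: string };
type AdminReq = { headers: Record<string, string>; body: unknown; session?: Session };
type AuditEntry = { action: string; resource: string; userId: string; tenantId: string; outcome: string };
type Opts = { permissions: string[]; audit: { action: string; resource: string } };
type Result = { status: number; body: unknown };
const ALLOWED_ORIGIN = "https://admin.example.com"; // assumed deployment origin
export const auditLog: AuditEntry[] = [];

export async function adminMutation(
  req: AdminReq, opts: Opts, handler: (user: Session, body: unknown) => Promise<unknown>,
): Promise<Result> {
  const user = req.session;
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const record = (outcome: string) =>
    auditLog.push({ ...opts.audit, userId: user.userId, tenantId: user.tenantId, outcome });
  // CSRF: a mutation must originate from our own origin and carry the session-bound token
  if (req.headers["origin"] !== ALLOWED_ORIGIN || req.headers["x-csrf-token"] !== user.csrfToken) {
    record("csrf_rejected");
    return { status: 403, body: { error: "csrf" } };
  }
  // RBAC: every permission declared for the route must be held by the caller
  if (!opts.permissions.every((p) => user.permissions.includes(p))) {
    record("denied");
    return { status: 403, body: { error: "forbidden" } };
  }
  try {
    // tenantId for scoping comes from the authenticated session, never from the request body
    const data = await handler(user, req.body);
    record("success");
    return { status: 200, body: data };
  } catch (err) {
    record("failed");
    return { status: 400, body: { error: (err as Error).message } };
  }
}

// Hypothetical route handler built on the wrapper; returns only safe, tenant-scoped fields
export function createUserRoute(req: AdminReq): Promise<Result> {
  return adminMutation(
    req, { permissions: ["users.write"], audit: { action: "create_user", resource: "user" } },
    async (user, body) => {
      const input = body as { email?: unknown } | null;
      if (!input || typeof input.email !== "string") throw new Error("email required"); // stand-in for Zod parse
      return { id: "u_1", email: input.email, tenantId: user.tenantId };
    },
  );
}
```

Every denied, rejected or failed call leaves an audit entry, so the log can be used to detect CSRF probing or permission misuse against admin routes.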

Dependency Matrix

Required Modules: None required
Components: Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: api-design-security
Download link: https://github.com/ArtisanClarinets/crispy-fishstick/archive/main.zip#api-design-security

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.