Example Spec demonstrating API feature development
Version: 1.42.0
Last Updated: 2026-02-11
Spec Type: Example - API Feature
This Spec demonstrates how to structure requirements for a RESTful API feature. We'll build a simple task management API with JWT authentication, covering common API patterns like CRUD operations, authentication, authorization, and error handling.
Learning Points:
- API endpoint design
- Authentication and authorization
- Request/response formats
- Error handling
- API versioning
As a new user
I want to register an account with email and password
So that I can access the task management system
Acceptance Criteria:
- WHEN I POST to
/api/v1/auth/registerwith valid email and password THEN I receive a success response with user ID - WHEN I register with an existing email THEN I receive a 409 Conflict error
- WHEN I register with invalid email format THEN I receive a 400 Bad Request error
- WHEN I register with password < 8 characters THEN I receive a 400 Bad Request error
As a registered user
I want to log in with my credentials
So that I can access my tasks
Acceptance Criteria:
- WHEN I POST to
/api/v1/auth/loginwith valid credentials THEN I receive a JWT token - WHEN I login with invalid credentials THEN I receive a 401 Unauthorized error
- WHEN I login successfully THEN the token expires after 24 hours
- WHEN I use an expired token THEN I receive a 401 Unauthorized error
As an authenticated user
I want to create a new task
So that I can track my work
Acceptance Criteria:
- WHEN I POST to
/api/v1/taskswith valid token and task data THEN I receive the created task with ID - WHEN I create a task without authentication THEN I receive a 401 Unauthorized error
- WHEN I create a task with missing required fields THEN I receive a 400 Bad Request error
- WHEN I create a task successfully THEN it's associated with my user ID
As an authenticated user
I want to view all my tasks
So that I can see what I need to do
Acceptance Criteria:
- WHEN I GET
/api/v1/taskswith valid token THEN I receive a list of my tasks - WHEN I list tasks without authentication THEN I receive a 401 Unauthorized error
- WHEN I have no tasks THEN I receive an empty array
- WHEN I have multiple tasks THEN they are sorted by creation date (newest first)
As an authenticated user
I want to update a task's details
So that I can modify task information
Acceptance Criteria:
- WHEN I PUT
/api/v1/tasks/:idwith valid token and data THEN the task is updated - WHEN I update another user's task THEN I receive a 403 Forbidden error
- WHEN I update a non-existent task THEN I receive a 404 Not Found error
- WHEN I update with invalid data THEN I receive a 400 Bad Request error
As an authenticated user
I want to delete a task
So that I can remove completed or unwanted tasks
Acceptance Criteria:
- WHEN I DELETE
/api/v1/tasks/:idwith valid token THEN the task is deleted - WHEN I delete another user's task THEN I receive a 403 Forbidden error
- WHEN I delete a non-existent task THEN I receive a 404 Not Found error
- WHEN I delete successfully THEN I receive a 204 No Content response
The system must provide JWT-based authentication for API access.
Details:
- Support user registration with email and password
- Support user login with credentials
- Generate JWT tokens with 24-hour expiration
- Validate JWT tokens on protected endpoints
- Hash passwords using bcrypt (10 rounds)
The system must provide complete CRUD operations for tasks.
Details:
- Create: POST
/api/v1/tasks - Read (list): GET
/api/v1/tasks - Read (single): GET
/api/v1/tasks/:id - Update: PUT
/api/v1/tasks/:id - Delete: DELETE
/api/v1/tasks/:id
The system must enforce user-level authorization for task operations.
Details:
- Users can only access their own tasks
- Users cannot view, update, or delete other users' tasks
- Return 403 Forbidden for unauthorized access attempts
The system must validate all input data before processing.
Details:
- Email: Valid email format, max 255 characters
- Password: Minimum 8 characters, max 128 characters
- Task title: Required, max 200 characters
- Task description: Optional, max 2000 characters
- Task status: Enum (pending, in_progress, completed)
The system must provide consistent error responses.
Details:
- Use standard HTTP status codes
- Return JSON error responses with message and error code
- Include validation errors with field-specific messages
- Log errors for debugging
The system must support API versioning for future compatibility.
Details:
- All endpoints prefixed with
/api/v1/ - Version included in URL path
- Support for future versions without breaking existing clients
- API response time < 200ms for 95% of requests
- Support 100 concurrent users
- Database queries optimized with indexes
- Passwords hashed with bcrypt
- JWT tokens signed with secret key
- HTTPS required in production
- Rate limiting: 100 requests per minute per IP
- Input sanitization to prevent injection attacks
- 99.9% uptime
- Graceful error handling (no crashes)
- Database transactions for data consistency
- RESTful API design principles
- Consistent naming conventions
- Comprehensive API documentation
- Unit test coverage > 80%
- Stateless API design (horizontal scaling)
- Database connection pooling
- Caching for frequently accessed data
| Method | Endpoint | Auth Required | Description |
|---|---|---|---|
| POST | /api/v1/auth/register |
No | Register new user |
| POST | /api/v1/auth/login |
No | Login user |
| POST | /api/v1/tasks |
Yes | Create task |
| GET | /api/v1/tasks |
Yes | List all user's tasks |
| GET | /api/v1/tasks/:id |
Yes | Get single task |
| PUT | /api/v1/tasks/:id |
Yes | Update task |
| DELETE | /api/v1/tasks/:id |
Yes | Delete task |
{
"id": "uuid",
"email": "string (unique)",
"password": "string (hashed)",
"createdAt": "timestamp",
"updatedAt": "timestamp"
}{
"id": "uuid",
"userId": "uuid (foreign key)",
"title": "string",
"description": "string (optional)",
"status": "enum (pending, in_progress, completed)",
"createdAt": "timestamp",
"updatedAt": "timestamp"
}{
"error": {
"code": "ERROR_CODE",
"message": "Human-readable error message",
"details": {
"field": "Specific field error (for validation)"
}
}
}Error Codes:
INVALID_INPUT- Validation errorUNAUTHORIZED- Authentication requiredFORBIDDEN- Insufficient permissionsNOT_FOUND- Resource not foundCONFLICT- Resource already existsINTERNAL_ERROR- Server error
The following are explicitly out of scope for this Spec:
- ❌ Password reset functionality
- ❌ Email verification
- ❌ OAuth/social login
- ❌ Task sharing between users
- ❌ Task categories or tags
- ❌ File attachments
- ❌ Real-time notifications
- ❌ Admin panel
- Node.js 14+ - Runtime environment
- Express.js 4.x - Web framework
- PostgreSQL 13+ - Database
- jsonwebtoken - JWT implementation
- bcrypt - Password hashing
- express-validator - Input validation
This feature is considered complete when:
- ✅ All 7 API endpoints are implemented and working
- ✅ All acceptance criteria pass
- ✅ Unit test coverage > 80%
- ✅ Integration tests cover all endpoints
- ✅ API documentation is complete
- ✅ Security requirements are met
- ✅ Performance requirements are met
- Design Document - Technical design and architecture
- Tasks Document - Implementation plan
- API Documentation Guide - How to document APIs
Version: 1.42.0
Last Updated: 2026-02-11
Status: Example Spec