PromptBase
Upgrade
Close icon
General
Home
Marketplace
Create
Hire
Login
Chat
Sell
Explore

Prompt Details

Model
(claude-5-sonnet)
Token size
1,270
Example input
[API Name]: Supply Chain & Logistics Management API v2.5 [Describe what the API does]: Enterprise logistics orchestration platform enabling real-time shipment tracking, multi-carrier integration, warehouse management, customs/compliance documentation, route optimization, and proof-of-delivery coordination across global supply chains for 3PL providers and enterprise shippers [Node.js / Spring Boot / .NET / Laravel / Go / Python / etc.]: Python (Django REST Framework), PostgreSQL (relational), MongoDB (shipment documents), Redis (caching), Celery (async tasks), Apache Airflow (workflow orchestration), AWS (EC2, S3, SQS, CloudWatch), Elasticsearch (search indexing) [Slow Responses / Security Issues / Versioning / Scalability / Poor Documentation]: Shipment status update delays (12-45 seconds behind carrier systems), webhook delivery failures (4-7% failure rate), RBAC policy inconsistency across endpoints, customs document validation failures, complex shipment search timeouts (5-8 seconds for multi-filter queries), third-party carrier API integration brittle (failures cascade), data consistency issues during shipment state transitions [Architecture Review / Security Audit / Scalability / API Modernization / Developer Experience]: Performance optimization + webhook reliability + third-party integration resilience
Example output
## 📊 OUTPUT ### **SECTION 1 — Executive Architecture Assessment** • **API Maturity Level:** Stage 3.2/5 (Scaling) — handles volume but architectural debt emerging at scale • **Architectural Quality Score:** 6.3/10 • **Critical Findings:** - Shipment status update lag: 12-45 seconds vs carrier source (real-time requirement violated) - Webhook delivery: 4-7% failure rate, no exponential backoff or DLQ (dead letter queue) - Carrier integration fragility: single carrier API timeout cascades to entire shipment update flow - Custom search queries: Elasticsearch unoptimized, P95 latency 5-8 seconds (UI timeout at 5 seconds) • **Business Alignment:** 7.8/10 — comprehensive logistics features but reliability gaps limit enterprise expansion • **Maintainability Score:** 6.1/10 — Django codebase organized but SOAP legacy endpoints tangled with REST services, Airflow DAGs difficult to modify • **Operational Readiness:** 5.4/10 — monitoring coverage adequate but incident response procedures incomplete, carrier integration SLAs not tracked --- ### **🏗️ SECTION 2 — API Design Review** • **Resource Modeling Issues:** - Shipment endpoint: `/shipments/{id}` returns flat structure, but `/shipments/{id}/tracking` returns nested `current_status` object (inconsistent nesting) - Carrier integrations: `/carriers` vs `/carrier-integrations` (naming ambiguity) - Webhook payloads: include `shipment_id`, but `/shipments/{id}/events` endpoint returns `shipmentId` (inconsistency) • **Endpoint Consistency Gaps:** - Status list endpoints: `/shipments?status=in-transit` returns 50 results (hardcoded), `/shipments/search` returns 25 results (different default) - Filter parameter names: `created_after` (shipments) vs `createdFrom` (orders), `updated_before` vs `modifiedTo` (mixed conventions) - Response codes: some endpoints return 400 for validation errors, others return 422 (unstandard behavior) • **Request/Response Structure Problems:** - POST `/shipments` accepts `carrier` object (nested), but GET response returns `carrier_id` only (requires separate carrier lookup) - Timestamp format inconsistency: shipment creation returns ISO 8601 `created_at`, but tracking events use Unix milliseconds `timestamp` - Address fields: shipment pickup uses `sender_address`, delivery uses `recipient_address`, but carrier integrations use `pickup_point` / `delivery_point` • **Customs Documentation Issues:** - Endpoint: `/shipments/{id}/customs-docs` accepts `HS_CODE`, response returns `hs_code` (case inconsistency) - Document upload: multipart form data, but validation response returns JSON with path reference to S3 key (format inconsistency) - Schema validation: declared vs actual fields mismatch (response includes `broker_notes` field not documented in OpenAPI spec) • **Error Handling Deficiencies:** - Carrier integration failures: generic "Carrier API unavailable" message; customer cannot determine if FedEx timeout or permission denied - Webhook delivery failures: no error code distinction between rate limit, temporary network, or permanent carrier down - State transition errors: "Invalid status change" (ambiguous; unclear if customer lacks permission or shipment state wrong) • **Design Quality Score:** 5.4/10 --- ### **🔐 SECTION 3 — Security Assessment** **🔴 CRITICAL:** • **RBAC Policy Bypass:** Permission checks missing in `/shipments/{id}/audit-log` endpoint; any authenticated user can read full audit history including other customers' modifications • **Carrier API Credentials Exposure:** Third-party carrier credentials (FedEx API keys, UPS OAuth tokens) stored in PostgreSQL plaintext; accessible via database backup snapshots • **Insufficient Data Isolation:** Multi-tenant queries lack tenant filter in one Elasticsearch aggregation endpoint; customer A can query customer B's shipment statistics **🟠 HIGH:** • **Webhook Signature Validation:** Webhook payloads signed with static key (same for all customers); attacker can forge webhooks for any customer • **API Key Scope Creep:** API key scopes declared (read shipments, write shipments) but not enforced; key with `read` permission can execute `DELETE /shipments/{id}` (scope not validated at endpoint) • **Customs Document Data Leakage:** Customs forms include personal identification numbers (passport, tax ID); no field-level encryption, transmitted unencrypted to third-party brokers • **Insufficient Input Validation:** Tracking number field accepts arbitrary characters; SQL injection risk in legacy search filter (parameterization incomplete) **🟡 MEDIUM:** • **Rate Limiting Bypass:** Per-customer rate limits not synchronized across regions; customer can distribute requests across 3 regions (3× limit circumvention) • **Audit Logging Gaps:** Shipment modifications logged but not IP address; cannot trace who accessed sensitive data from which location • **Certificate Pinning:** Not implemented for third-party carrier API calls; vulnerable to MITM attacks on carrier data • **Webhook Retry Policy:** Exponential backoff not implemented; retries use fixed 5-minute interval, causing customer notification delays during carrier outages **🟢 LOW:** • **Weak Password Requirements:** OAuth2 client secret generation uses weak entropy (should be 256-bit, actual: 128-bit) • **CORS Policy:** `Access-Control-Allow-Origin: *.companydomain.com` allows subdomain wildcard (over-permissive) • **Security Assessment Score:** 4.0/10 --- ### **⚡ SECTION 4 — Performance & Scalability** • **Latency Analysis:** - Create shipment: P50 120ms, P95 680ms, P99 1,900ms (acceptable for sync operation) - Fetch shipment with tracking: P50 200ms, P95 1,200ms, P99 3,100ms (tracking data requires 2-3 sequential database queries) - Complex shipment search (multi-filter): P50 1,800ms, P95 5,400ms, P99 8,200ms (Elasticsearch unoptimized) • **Shipment Status Update Lag:** - Carrier webhook receipt → database write: <50ms (good) - Database write → shipment API response: 12-45 seconds (major delay) - Root cause: Carrier update processes asynchronously via Celery; queue backlog during peak (100,000+ updates/day) • **Throughput Limitations:** - REST API: 3,200 requests/sec before connection pool exhaustion - Database connections: 75 (undersized for microservice pattern) - Webhook queue (SQS): 1,000 deliveries/sec (bottleneck during bulk shipment status updates) - Carrier API integrations: serialized (one carrier call completes before next starts; 5-10 carriers per shipment = 50-100ms sequential overhead) • **Webhook Delivery Issues:** - Failure rate: 4-7% (causes: carrier timeout cascades, SQS rate limit, dead letter queue not configured) - Retry strategy: fixed 5-minute intervals (no exponential backoff) - DLQ monitoring: none (failed deliveries silently dropped after 4 retries) • **Search Performance:** - Elasticsearch queries: not optimized for multi-filter shipment search - Aggregations (shipments by status): scans full index (millions of documents) without time-based partitioning - P95 latency: 5,400ms (UI timeout triggers at 5s) • **Third-Party Integration Cascading:** - FedEx API timeout (30 seconds) blocks entire shipment update flow - No circuit breaker; subsequent requests immediately fail (no backoff) - Affects 10-15% of daily shipments during FedEx incidents • **Customs Documentation Processing:** - HS code validation: sequential lookup per line item (1,000-item shipment = 1,000 database round trips) - N+1 problem: fetching shipment includes fetching carrier details, warehouse details, customer details (4 sequential queries) • **Performance Score:** 5.1/10 --- ### **📖 SECTION 5 — API Documentation & Developer Experience** • **OpenAPI 2.0 Documentation:** 61% coverage - 39% of endpoints lack description fields - Webhook payload schemas: partially documented (3 of 8 event types described) - Error responses: 20% of endpoints lack error code documentation - Query parameter documentation: filter syntax not explained (developer guesswork on complex queries) • **Carrier Integration Docs:** Fragmented across multiple sources - FedEx integration: wiki page (outdated, references deprecated API v1) - UPS integration: GitHub wiki (incomplete, no error handling guide) - DHL integration: email chain (no formal documentation) - Missing: integration troubleshooting guide, retry policy explanation • **Customs Compliance Documentation:** Minimal - HS code validation: "use standard HS code" (no reference to HS code database) - Customs document requirements: country-specific rules not documented (trial and error required) - Broker integration: no guide on how to connect external customs brokers • **Endpoint Documentation Gaps:** - Shipment state machine: no flowchart; developers unsure of valid transitions (created → in-transit → delivered) - Webhook retry behavior: documented as "automatic retries" without details on backoff strategy - Search query syntax: `filter[status]=in-transit&filter[carrier]=fedex` (syntax not documented, discovered through trial) • **SDK Availability:** - Official SDKs: JavaScript only (2 months outdated, missing async/await support for Node 16+) - Community SDKs: Python (unmaintained, 1 year old), Java (incomplete, missing webhook parsing) - Missing: Go, Rust, TypeScript, mobile (Kotlin/Swift) • **Onboarding Experience:** - Setup: configure API keys, register webhook URL, test carrier integration (3-4 hours minimum) - Sandbox environment: available but populated with dummy data (cannot test real carrier integrations) - Quickstart: 12 pages, assumes shipping domain knowledge (no explanation of shipment lifecycle) - No interactive API explorer; must use Postman manually • **Developer Tools:** - Missing: shipment tracking simulator (cannot test webhook callbacks offline) - Missing: carrier integration mock server (requires live FedEx credentials to test) - API mocking: not available • **Developer Experience Score:** 4.9/10 --- ### **🔄 SECTION 6 — Versioning & Lifecycle Management** • **Versioning Strategy:** URL-based (`/v2.5/*`) with no formal versioning roadmap - Swagger spec: version number in URL (no semantic versioning) - SOAP legacy endpoints: still active (`/soap/v1/*`), never sunset despite REST migration plan 18 months ago • **Backward Compatibility Issues:** - 9 months ago: `shipment_status` field renamed to `status` without deprecation period - Legacy clients still using old field names: silent failure (API ignores unknown request fields) - Carrier integration breaking change: FedEx API field `reference_number` removed 6 months ago; old client code breaks • **Schema Evolution Gaps:** - Customs document schema changed 4 months ago (added `broker_id` field); old clients sending documents without field validation fails - Webhook event structure changed: new shipments include `metadata` field; old parsers crash on unknown field • **Deprecation Policy:** Informal (Slack announcement in #engineering channel) - No structured deprecation notice headers - SOAP endpoints marked `@deprecated` in code (not exposed to API consumers) - No timeline for v1 sunset (announced 18 months ago, still operating) • **Release Management:** - 2-week release cycle; hotfixes deployed without version increment - Feature flags: 12 active flags controlling shipment routing logic - Database migrations: executed during releases (downtime during peak hours) • **Carrier Integration Versioning:** No versioning discipline - FedEx integration: updated 8 times, each update changes response structure - Customers unsure which FedEx version they're connected to (discover via trial and error) • **Lifecycle Assessment Score:** 3.9/10 --- ### **📊 SECTION 7 — Observability & Operations** • **Logging Deficiencies:** - Correlation ID: implemented in REST layer but not propagated to Celery tasks (cannot trace async shipment updates) - Carrier API calls: only failures logged (successful calls invisible, difficult to debug integration logic) - Webhook delivery: logs scattered across multiple services (manual correlation required for incident investigation) - Log retention: 14 days (insufficient for compliance; PCI-DSS requires 90 days for payment-related shipments) • **Monitoring Gaps:** - Webhook delivery success rate not monitored (4-7% failure rate discovered via customer complaints, not proactive alerts) - Shipment status update lag: no latency SLA monitoring - Elasticsearch query performance: only slow queries (>1 second) logged, not tracked systematically - Carrier integration health: per-carrier error rate not monitored (cascade failures caught late) • **Distributed Tracing:** Partial implementation - REST layer traced (OpenTelemetry), but Celery async tasks not traced - Carrier API calls untraced (must correlate via logs manually) - Trace sampling: 10% (misses rare incidents) • **Metrics:** 42 metrics tracked (baseline adequate) - Missing: webhook delivery failure rate, carrier integration error rate by carrier, search query latency percentiles - Cardinality: per-customer shipment metrics limited to top 20 customers (long-tail visibility poor) - Time-series retention: 30 days (insufficient for capacity planning) • **Alerting:** Threshold-based only - Webhook failure threshold: triggers when >50 consecutive failures (too late; 1,000+ messages lost) - Carrier integration timeout: no alert (discovered via incident ticket hours later) - Alert noise: 180+ alerts/day with 38% false positive rate (alert fatigue) • **Incident Response:** Manual procedures - Shipment status delay incident: manual query to identify stuck records - Webhook delivery failure: no automated remediation; requires manual SQS queue inspection - Runbooks: incomplete (reference deprecated carrier API versions) • **Operational Readiness Score:** 4.3/10 --- ### **🚀 SECTION 8 — Modernization Strategy** • **API Gateway Layer:** - Deploy API Gateway (Kong or AWS API Gateway) for centralized rate limiting (region-synchronized) - Move RBAC enforcement to gateway (reduce per-endpoint permission checks) - Implement automatic API key rotation with grace period • **Event-Driven Architecture:** - Transition from Celery batch processing to Kafka event stream (real-time shipment status updates) - Event sourcing for shipment state machine (audit trail, replay capabilities) - Pub/sub for status changes: <1 second propagation vs 12-45 seconds current • **Third-Party Integration Resilience:** - Implement circuit breaker pattern for carrier APIs (fallback to cached data during outages) - Parallel carrier API calls (async/await) instead of sequential (reduce latency by 80%) - Carrier response caching with TTL (stale data acceptable during temporary outages) • **Search Optimization:** - Elasticsearch index partitioning by time (daily indices; aggregate only recent data) - Query optimization: use filters instead of aggregations for shipment counts - Add materialized views for frequently accessed aggregations • **Webhook Infrastructure:** - Implement exponential backoff retry strategy (replace fixed 5-minute intervals) - Dead letter queue with monitoring (no silent failures) - Webhook delivery SLA tracking and alerting • **OpenAPI Migration:** - Upgrade from OpenAPI 2.0 → 3.1.0 (modern spec, better tooling) - Automated spec generation from code (reduce documentation drift) - SDKs generated from spec (ensure consistency across languages) • **Data Isolation & Security:** - Field-level encryption for customs PII (AES-256) - Carrier credentials migration to AWS Secrets Manager (automatic rotation) - RBAC enforcement at database query layer (SQL row-level security) • **Async Processing Overhaul:** - Replace Celery with Kafka + consumer groups (better scaling, no task loss) - Implement backpressure handling (slow consumers don't block producers) --- ### **🧾 FINAL REPORT** **1. Executive Summary:** Supply Chain & Logistics Management API delivers comprehensive shipping orchestration but suffers from reliability gaps, security vulnerabilities, and architectural fragmentation (SOAP/REST duality). Shipment status update delays (12-45 seconds), webhook delivery failures (4-7%), and cascade failures from carrier integrations undermine mission-critical logistics operations. Urgent modernization required for enterprise reliability and compliance. **2. Architecture Score:** 5.8/10 **3. Design Quality Assessment:** 5.4/10 — Naming inconsistencies, nested object fragmentation, Elasticsearch integration poorly designed, SOAP/REST hybrid confusion **4. Security Assessment:** 4.0/10 — RBAC bypass critical, plaintext carrier credentials high-risk, multi-tenant data isolation gap, insufficient webhook signature validation **5. Performance & Scalability Score:** 5.1/10 — Status update lag, webhook delivery bottleneck, carrier cascade failures, search query unoptimized, N+1 query problems **6. Documentation & Developer Experience Score:** 4.9/10 — 61% API coverage, carrier integrations fragmented, customs compliance undocumented, SOAP legacy confusion **7. Versioning & Lifecycle Assessment:** 3.9/10 — SOAP endpoints unretired, breaking changes without migration, carrier integration versioning absent, informal deprecation **8. Operational Readiness Score:** 4.3/10 — Webhook delivery not monitored, correlation ID gaps across async boundary, carrier health invisible, incomplete runbooks **9. Top 10 Engineering Recommendations:** • **[CRITICAL]** Implement API Gateway with region-synchronized rate limiting and centralized RBAC enforcement (prevent rate limit bypass) • **[CRITICAL]** Migrate carrier credentials to AWS Secrets Manager; implement automatic rotation (eliminate plaintext exposure) • **[CRITICAL]** Deploy Kafka event stream for shipment status updates; reduce lag from 12-45s to <1s (real-time compliance) • **[HIGH]** Implement circuit breaker pattern for carrier APIs + parallel async calls (eliminate cascade failures, reduce latency 80%) • **[HIGH]** Redesign webhook delivery with exponential backoff + DLQ monitoring (reduce 4-7% failure rate to <0.1%) • **[HIGH]** Optimize Elasticsearch: time-based partitioning + materialized aggregation views (reduce P95 search latency from 5.4s to <800ms) • **[HIGH]** Implement RBAC enforcement at database query layer (SQL row-level security) + field-level encryption for PII • **[MEDIUM]** Sunset SOAP endpoints with 6-month deprecation notice; migrate legacy clients to REST • **[MEDIUM]** Upgrade OpenAPI spec to 3.1.0 with automated SDK generation (ensure documentation consistency) • **[MEDIUM]** Add distributed tracing across Celery → Kafka → carrier API boundaries (enable sub-second incident diagnosis) **10. Production API Improvement Roadmap:** • **Q3 2026:** API Gateway deployment + carrier credential migration + rate limit synchronization (weeks 1-5) • **Q3 2026:** Kafka event stream setup + shipment status update refactor (weeks 6-10) • **Q4 2026:** Webhook retry overhaul + DLQ implementation + circuit breaker integration (weeks 1-6) • **Q4 2026 — Q1 2027:** Elasticsearch optimization + RBAC database enforcement + SOAP deprecation (weeks 7-20)
🌀 Claude

Api Architecture Assessment Framework

Add to Cart
Instant accessInstant access
Usage rightsCommercial use
Money-back guaranteeMoney‑back
By purchasing this prompt, you agree to our terms of service
CLAUDE-5-SONNET
Tested icon
Guide icon
4 examples icon
Free credits icon
An API is more than a collection of endpoints—it's the foundation of modern software systems. ⚠️ This prompt acts as a Principal API Architect, performing a comprehensive assessment of REST, GraphQL, gRPC, or hybrid API architectures. It evaluates design consistency, security, scalability, performance,documentation,versioning, observability, and developer experience while generating a production-ready improvement roadmap. 🔌 Complete API architecture audit 🏗️ API design & consistency assessment
...more
Added 1 day ago
Report
Browse Marketplace