Panel1 uses tRPC for type-safe API development with end-to-end type safety between the backend and frontend.

- All API endpoints must be fully typed
- Use Zod for runtime validation
- Leverage TypeScript for compile-time checks
- Share types between frontend and backend

- Use standardized error types
- Include proper error codes
- Provide meaningful error messages
- Handle edge cases gracefully

- JWT-based authentication
- Include authorization headers
- Validate tokens on each request
- Handle token expiration

- Optimize database queries
- Use proper caching strategies
- Implement pagination
- Handle rate limiting
```ts
// Example router structure
export const catalogRouter = router({
  // Public read: no authentication required
  list: publicProcedure
    .input(z.object({...}))
    .query(async ({ctx, input}) => {...}),
  // Protected write: the caller must present a valid JWT
  create: protectedProcedure
    .input(z.object({...}))
    .mutation(async ({ctx, input}) => {...}),
});
```

- publicProcedure: No authentication required
- protectedProcedure: Requires authentication
- adminProcedure: Requires admin privileges
- Custom procedures for specific roles
- Use Zod schemas for all inputs
- Validate required fields
- Type check all parameters
- Handle invalid inputs gracefully

- Use descriptive names
- Follow REST-like patterns
- Be consistent across routers
- Use proper HTTP methods
```ts
// Standard success response
type SuccessResponse<T> = {
  success: true;
  data: T;
  metadata?: {
    count?: number;
    page?: number;
    // ... other metadata
  };
};

// Standard error response
type ErrorResponse = {
  success: false;
  error: {
    code: string;
    message: string;
    details?: unknown;
  };
};
```

- Use cursor-based pagination
- Include total counts
- Support limit/offset
- Handle empty results

- Secure token handling
- Proper session management
- Token refresh mechanism
- Logout handling

- Role-based access control
- Permission checking
- Tenant isolation
- Resource ownership

- Input sanitization
- SQL injection prevention
- XSS protection
- CSRF protection
```ts
export enum ErrorCode {
  UNAUTHORIZED = 'UNAUTHORIZED',
  FORBIDDEN = 'FORBIDDEN',
  NOT_FOUND = 'NOT_FOUND',
  VALIDATION_ERROR = 'VALIDATION_ERROR',
  INTERNAL_ERROR = 'INTERNAL_ERROR',
  // ... other error codes
}
```

- Include stack traces in development
- Sanitize error messages in production
- Log errors appropriately
- Include request IDs
- Test each procedure independently
- Mock external dependencies
- Test error cases
- Verify type safety

- Test complete workflows
- Verify database operations
- Test authentication flow
- Check error handling

- Document all procedures
- Include example usage
- Document error cases
- Keep documentation updated

- Generate API documentation
- Include example requests/responses
- Document error codes
- Maintain changelog

- Use proper indexes
- Optimize JOIN operations
- Implement caching
- Monitor query performance

- Implement per-user limits
- Handle burst traffic
- Set appropriate timeouts
- Monitor API usage

- Semantic versioning
- Breaking changes handling
- Deprecation notices
- Migration guides

- Maintain compatibility
- Document changes
- Provide migration paths
- Support multiple versions

- Request/response logging
- Error logging
- Performance metrics
- Audit trails

- Response times
- Error rates
- Usage statistics
- Resource utilization

- Review type safety
- Check error handling
- Verify security measures
- Test coverage

- Staging environment
- Production deployment
- Rollback procedures
- Monitoring setup