APIs: design and build a production API

Design and build a small but production-grade public API for one domain (e.g. payments, orders, or a content feed) where resource modeling, status codes, cursor pagination, the OpenAPI contract, and rate limiting are all designed as one connected system — then prove the chain holds under a retry storm with before/after evidence.

• Model the domain as nouns: at least 3 resources with CRUD where it fits, and at least one non-CRUD action expressed as a sub-resource (e.g. POST /payments/{id}/refunds), with no database schema leaked into the URLs.
• Implement an honest status-code retry contract: 201 + Location on creation, 200 on a safe idempotent replay, 409 on a real conflict, 422 on validation failure, and an Idempotency-Key on every unsafe (POST) write so a retried create returns the original result instead of re-executing.
• Implement cursor (keyset) pagination on the largest list endpoint using a unique composite sort key (e.g. (created_at, id)), returning an opaque next-cursor; do not use OFFSET/LIMIT on that endpoint. Document why the endpoint qualifies.
• Author a spec-first OpenAPI 3.1 document as the source of truth, generate (or validate) the server stubs/types and at least one client from it, and ensure the running API matches the spec.
• Add a CI job that diffs the OpenAPI spec against the previous version and fails the build on a breaking change (removed/renamed field, tightened enum, type change), so additive changes pass and breaks are caught.
• Implement rate limiting that returns 429 with Retry-After and X-RateLimit-Limit/Remaining/Reset, with a documented quota; pick and justify a window algorithm (fixed window vs sliding window vs token bucket).
• Write a short ADR-style decision log: the protocol choice (REST + OpenAPI at the edge; note where gRPC would belong internally), the versioning policy (additive by default, version bump + Deprecation/Sunset on real breaks), and the pagination and rate-limit choices.

• An automated test proves idempotency: two identical POSTs with the same Idempotency-Key produce exactly one resource and the second returns the original result, not a duplicate.
• An automated test walks cursor pagination through inserts: paging the list while new rows are inserted neither skips nor duplicates rows, and deep pages cost the same as the first.
• The CI break-diff job is demonstrated both ways: an additive change passes the build and a breaking change fails it, with the diff output captured.
• A load run shows the rate limit working: over-quota requests get 429 + Retry-After (not silent drops or 500s), and a simulated retry storm against an unsafe write produces no duplicate side effects (idempotency + throttle together).
• A one-page write-up traces the cascade through your API: which modeling decision made which status code possible, and which guardrail (contract, pagination, rate limit) protects which downstream failure.